From: "Drew Tomlinson"
Subject: Re: Dynamic IPFW Rules
Date: Thu, 18 Oct 2001 09:44:09 -0700

----- Original Message -----
From: "Crist J. Clark"
To: "Drew Tomlinson"
Sent: Thursday, October 18, 2001 1:38 AM
Subject: Re: Dynamic IPFW Rules

> On Wed, Oct 17, 2001 at 06:49:21PM -0700, Drew Tomlinson wrote:
> > ----- Original Message -----
> > From:
> > To: "Drew Tomlinson"
> > Sent: Wednesday, October 17, 2001 4:50 PM
> > Subject: Re: Dynamic IPFW Rules
> >
> > > > I have created my first firewall and it seems to be handling traffic
> > > > properly (yayyyy!). However, I have noticed that my dynamic rules don't
> > > > ever seem to expire.
> > >
> > > [snip]
> > >
> > > > 02100 1 60 (T 0, # 0) ty 0 tcp, 192.168.1.4 3139 <-> 64.21.143.23 80
> > >
> > > This is expired (T 0), just not removed.
> >
> > OK, thanks. Is there a way to remove those rules that have expired?
>
> You can remove the parent rule. IIRC, they get removed if they get
> hit. If you reach the limit, I believe it starts to overwrite expired
> rules. I would have to look at the code more closely to remember.
>
> Another option is to make a shell script or alias that drops expired
> rules,
>
> ipfw show | awk -F'[ ,]' '$5 != 0 { print }'
>
> Does it. I have a longer script that does this and also prints rules
> by interface,

OK so if I understand correctly, the rules stay in ipfw show even when expired until net.inet.ip.fw.dyn_max is reached. Then new rules overwrite expired rules, correct? So then my firewall is working correctly based on code for 4.4-RELEASE but there is new code in -CURRENT that will be merged into the -STABLE branch sometime in the future that will remove the expired rules from the output of ipfw show?

And one more question: Where would I have found information on the output of the dynamic rules? In other words, how would (should) I have known that (T 0) was an expired rule?

Thank you for the explanation. I really enjoy *understanding* why things work the way they do instead of just accepting that they work.

Drew

[...]
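A longer form of the filtering idea in the thread, added here as an example and not code from Crist or from FreeBSD itself: it splits `ipfw show` lines the same way the one-liner does, but separates static rules, live dynamic rules and expired dynamic rules (T 0) so an administrator can see how many expired entries are waiting to be overwritten. It assumes the 4.4-RELEASE line format quoted above; the sample lines are constructed.

```shell
#!/bin/sh
# Constructed sample of `ipfw show` output in the format quoted in the thread
# (not captured from a real system). The "(T n, # m)" part marks a dynamic
# rule; T is the remaining lifetime, so T 0 means expired but not yet removed.
SAMPLE='00100 12 1234 allow ip from any to any via lo0
02100 1 60 (T 0, # 0) ty 0 tcp, 192.168.1.4 3139 <-> 64.21.143.23 80
02100 5 2400 (T 280, # 0) ty 0 tcp, 192.168.1.4 3140 <-> 64.21.143.23 80
02100 2 120 (T 0, # 0) ty 0 udp, 192.168.1.4 1025 <-> 192.168.1.1 53
65535 99 9999 deny ip from any to any'

# Split every line on spaces and commas, as the awk one-liner in the thread
# does, so that $4 is "(T" for dynamic rules and $5 is the remaining lifetime.
# classify_dyn <static|expired|active>  reads rules on stdin and prints
# only the lines of the requested kind.
classify_dyn() {
    awk -v want="$1" -F'[ ,]' '
        $4 != "(T" { if (want == "static")  print; next }   # static rule
        $5 == 0    { if (want == "expired") print; next }   # dynamic, T 0
                   { if (want == "active")  print }         # dynamic, alive
    '
}

# count_dyn <kind>  returns how many sample lines fall in that class.
count_dyn() {
    printf '%s\n' "$SAMPLE" | classify_dyn "$1" | wc -l | tr -d ' '
}

# Stand-alone report, e.g. to watch whether expired entries are piling up
# towards net.inet.ip.fw.dyn_max.
printf 'static=%s active=%s expired=%s\n' \
    "$(count_dyn static)" "$(count_dyn active)" "$(count_dyn expired)"
```

On a live 4.4 box the same function can be fed directly, e.g. `ipfw show | classify_dyn expired`, to list just the entries that have timed out.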