From owner-freebsd-security Thu Oct 18 11: 9:13 2001
Delivered-To: freebsd-security@freebsd.org
Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id B0B9337B403 for ; Thu, 18 Oct 2001 11:09:08 -0700 (PDT)
Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id LAA17241; Thu, 18 Oct 2001 11:08:33 -0700
Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda17239; Thu Oct 18 11:08:21 2001
Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.11.6/8.9.1) id f9II8Gc10102; Thu, 18 Oct 2001 11:08:16 -0700 (PDT)
Received: from UNKNOWN(10.1.2.1), claiming to be "cwsys.cwsent.com" via SMTP by passer9.cwsent.com, id smtpdS10091; Thu Oct 18 11:07:51 2001
Received: (from uucp@localhost) by cwsys.cwsent.com (8.11.6/8.9.1) id f9II7nu26564; Thu, 18 Oct 2001 11:07:49 -0700 (PDT)
Message-Id: <200110181807.f9II7nu26564@cwsys.cwsent.com>
Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdp26559; Thu Oct 18 11:07:06 2001
X-Mailer: exmh version 2.5 07/13/2001 with nmh-1.0.4
Reply-To: Cy Schubert - ITSD Open Systems Group
From: Cy Schubert - ITSD Open Systems Group
X-Sender: schubert
To: "Drew Tomlinson"
Cc: cjclark@alum.mit.edu, Mark.Andrews@isc.org, freebsd-security@FreeBSD.ORG
Subject: Re: Dynamic IPFW Rules
In-reply-to: Your message of "Thu, 18 Oct 2001 09:44:09 PDT." <008201c157f4$1c0c7620$cd2a6ba5@lc.ca.gov>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Thu, 18 Oct 2001 11:07:06 -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

In message <008201c157f4$1c0c7620$cd2a6ba5@lc.ca.gov>, "Drew Tomlinson" writes:
> ----- Original Message -----
> From: "Crist J. Clark"
> To: "Drew Tomlinson"
> Cc: ;
> Sent: Thursday, October 18, 2001 1:38 AM
> Subject: Re: Dynamic IPFW Rules
>
>
> > On Wed, Oct 17, 2001 at 06:49:21PM -0700, Drew Tomlinson wrote:
> > > ----- Original Message -----
> > > From:
> > > To: "Drew Tomlinson"
> > > Cc:
> > > Sent: Wednesday, October 17, 2001 4:50 PM
> > > Subject: Re: Dynamic IPFW Rules
> > >
> > >
> > > > > I have created my first firewall and it seems to be handling traffic
> > > > > properly (yayyyy!). However, I have noticed that my dynamic rules don't
> > > > > ever seem to expire.
> > > >
> > > > [snip]
> > > >
> > > > > 02100 1 60 (T 0, # 0) ty 0 tcp, 192.168.1.4 3139 <-> 64.21.143.23 80
> > > >
> > > > This is expired (T 0), just not removed.
> > >
> > > OK, thanks. Is there a way to remove those rules that have expired?
> >
> > You can remove the parent rule. IIRC, they get removed if they get
> > hit. If you reach the limit, I believe it starts to overwrite expired
> > rules. I would have to look at the code more closely to remember.
> >
> > Another option is to make a shell script or alias that drops expired
> > rules,
> >
> >   ipfw show | awk -F'[ ,]' '$5 != 0 { print }'
> >
> > Does it. I have a longer script that does this and also prints rules
> > by interface,
>
> OK so if I understand correctly, the rules stay in ipfw show even when
> expired until net.inet.ip.fw.dyn_max is reached. Then new rules
> overwrite expired rules, correct? So then my firewall is working
> correctly based on code for 4.4-RELEASE but there is new code
> in -CURRENT that will be merged into the -STABLE branch sometime in the
> future that will remove the expired rules from the output of ipfw show?
>
> And one more question: Where would I have found information on the
> output of the dynamic rules? In other words, how would (should) I have
> known that (T 0) was an expired rule?
>
> Thank you for the explanation. I really enjoy *understanding* why
> things work the way they do instead of just accepting that they work.

As expired dynamic rules are as if they were not there, why even list them
in the first place?

Regards,                          Phone:  (250)387-8437
Cy Schubert                       Fax:    (250)387-5766
Team Leader, Sun/Alpha Team       Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD
Ministry of Management Services
Province of BC

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
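Added example, not part of the thread above and not FreeBSD's own code: a POSIX sh script that applies the awk idea from Crist Clark's reply to a constructed `ipfw show` listing in the 4.x format quoted in the thread, separates expired dynamic entries (lifetime `(T 0)`, still listed but already dead) from live ones, and reports dynamic-table usage against a `dyn_max` value. Only the `02100 1 60 (T 0, ...` line is taken from the thread; the other sample lines, the function names and the warning threshold are the example's own assumptions. On a real host the `dyn_max` argument would come from `sysctl -n net.inet.ip.fw.dyn_max`, which is why it is passed in rather than read here.

```shell
#!/bin/sh
# Added example: sort `ipfw show` output into expired and live dynamic rules.
# SAMPLE_IPFW_SHOW is a constructed listing: rule number, packet count, byte
# count, then "(T lifetime, # n)" for dynamic entries. Only the first "(T 0"
# line is quoted from the thread; everything else is made up for this example.
SAMPLE_IPFW_SHOW='00100 12 1000 allow ip from any to any via lo0
02100 8 640 check-state
02100 1 60 (T 0, # 0) ty 0 tcp, 192.168.1.4 3139 <-> 64.21.143.23 80
02100 5 300 (T 287, # 0) ty 0 tcp, 192.168.1.4 3140 <-> 64.21.143.23 80
02100 2 120 (T 0, # 0) ty 0 tcp, 192.168.1.7 1025 <-> 10.0.0.5 22
65535 3 200 deny ip from any to any'

# With -F'[ ,]' a dynamic-rule line splits so that $4 is "(T" and $5 is the
# remaining lifetime in seconds. Lifetime 0 means the entry has expired but
# has not been reclaimed yet (the "(T 0)" case the thread discusses).
expired_dynamic() {
    printf '%s\n' "$1" | awk -F'[ ,]' '$4 == "(T" && $5 == 0 { print }'
}

# Dynamic entries that are still live (lifetime above zero).
active_dynamic() {
    printf '%s\n' "$1" | awk -F'[ ,]' '$4 == "(T" && $5 > 0 { print }'
}

# The listing with expired dynamic entries removed. This generalises the
# thread's one-liner by matching the "(T" marker explicitly, so a static rule
# (whose fifth field is part of the action text) is never dropped by accident.
without_expired() {
    printf '%s\n' "$1" | awk -F'[ ,]' '!($4 == "(T" && $5 == 0) { print }'
}

# Count input lines, stripping the padding some wc builds print.
count_lines() {
    wc -l | tr -d ' '
}

# One-line usage report. The second argument stands in for the value of
# sysctl net.inet.ip.fw.dyn_max so the example runs offline.
dyn_table_report() {
    listing=$1
    dyn_max=$2
    expired=$(expired_dynamic "$listing" | count_lines)
    active=$(active_dynamic "$listing" | count_lines)
    total=$((expired + active))
    printf 'dynamic=%s active=%s expired=%s dyn_max=%s\n' \
        "$total" "$active" "$expired" "$dyn_max"
}

# Exit status 0 while live plus unreclaimed entries stay under warn_percent
# of dyn_max, non-zero otherwise; the shape of check a cron job would run
# before the table fills and new entries start overwriting expired ones.
dyn_table_ok() {
    listing=$1
    dyn_max=$2
    warn_percent=$3
    expired=$(expired_dynamic "$listing" | count_lines)
    active=$(active_dynamic "$listing" | count_lines)
    [ $(( (expired + active) * 100 )) -lt $((dyn_max * warn_percent)) ]
}

# Stand-alone demonstration on the constructed listing (dyn_max assumed 1000).
dyn_table_report "$SAMPLE_IPFW_SHOW" 1000
```

Replacing `SAMPLE_IPFW_SHOW` with `"$(ipfw show)"` and the literal 1000 with `"$(sysctl -n net.inet.ip.fw.dyn_max)"` turns the report into a live check; the explicit `(T` match is what keeps static rules out of the expired set when the filter is run over the full listing rather than the dynamic section alone.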