Date: Thu, 16 Oct 2008 10:08:05 +0200
From: Jerry <to.dev.null@gmx.de>
To: Roman Kurakin <rik@inse.ru>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Expiration of dynamic rules
Message-ID: <344A1282-4B6D-4600-B30B-3A01EFBAAC33@gmx.de>
In-Reply-To: <48F6A160.901@localhost.inse.ru>
References: <20081015214327.230570@gmx.net> <48F6A160.901@localhost.inse.ru>
My rules only allow tcp out (host1 -> host2) connections:

>> allow tcp from me to any out setup keep-state

(me should denote host1.) But the nmap goes from host2 -> host1, which should be blocked by the firewall:

>> 5.) nmap -PN -n -p ... --source-port 1234 --scanflags ack host

(I've made a mistake: it should mean host1 instead of only host.) Thus it seems to be the old dynamic rule.

jerry

On 16.10.2008 at 04:05, Roman Kurakin wrote:
> to.dev.null@gmx.de wrote:
>> Hello together,
>>
>> I have a strange phenomenon with dynamic rules. I am using Mac OS X
>> 10.5.5 and have disabled keepalive messages for dynamic rules:
>>
>> net.inet.ip.fw.dyn_keepalive: 0
>>
>> ruleset host1
>> ...
>> check-state
>> allow tcp from me to any out setup keep-state
>> ...
>>
>> 1.) host2: nc -k -l -p 1234
>> 2.) host1: nc host2 1234
>> 3.) dynamic rule with 300s gets created
>> 4.) dynamic rule expired after 300s (ipfw -d show: rule is gone (it
>> shows with flag -e))
>> 5.) nmap -PN -n -p ... --source-port 1234 --scanflags ack host
>>
>> After 5) that expired rule appeared again with 300s timeout and the
>> firewall is again opened.
>>
>> I would expect that an expired rule could not be reanimated. The
>> reactivation of expired rules seems to stop once a tcp fin from
>> both hosts has been detected. Thus if the tcp disconnection was not
>> successful there are some zombie rules which could be reanimated?!?
>>
> IMHO if the connection starts over again it is a new
> connection. It is not the old one
> reanimated.
>
> rik
>> (also with keepalive you could reproduce it: tcp rst -> then there
>> is no keepalive message and the dynamic rule expires but can be
>> reanimated with 5))
>>
>> Jerry
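As an added example (not code from the thread, from Jerry, or from ipfw itself), here is a small sh helper for host1 that reproduces steps 2 through 4 of the report and watches the dynamic entry count down, vanish from `ipfw -d show`, and (per the report) come back at 300s once the ACK probe arrives from host2. It assumes the FreeBSD-style dynamic-rule line layout `00100 3 156 (300s) STATE tcp 10.0.0.1 49152 <-> 10.0.0.2 1234`; the addresses 10.0.0.1/10.0.0.2 are placeholders, and the sample output embedded at the bottom is constructed for the stand-alone run, not captured from a real box.

```shell
#!/bin/sh
# Reproduction helper for the ipfw dynamic-rule report (added example).
# Assumptions, none of which come from the thread:
#   - this runs on host1 (the ipfw box) as root; host2 runs "nc -k -l -p 1234"
#   - HOST2 / PORT below are placeholders for the peer address and listener port
#   - "ipfw -d show" / "ipfw -e show" print dynamic entries in the FreeBSD
#     ipfw2 layout:  00100  3  156 (300s) STATE tcp 10.0.0.1 49152 <-> 10.0.0.2 1234
# Only the parsing functions run stand-alone; the rest needs real hosts.

HOST2="${HOST2:-10.0.0.2}"   # placeholder address of host2
PORT="${PORT:-1234}"         # listener port from the report
WAIT="${WAIT:-310}"          # longer than the 300s lifetime, so the entry expires

# dyn_state_line OUTPUT PORT: print the first STATE line in OUTPUT (text of
# "ipfw -d show" or "ipfw -e show") whose peer port is PORT, else nothing.
dyn_state_line() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $5 == "STATE" && $9 == "<->" && $11 == port { print; exit }'
}

# dyn_state_lifetime OUTPUT PORT: remaining lifetime in seconds of that entry
# ("(300s)" -> 300). Returns 1 and prints nothing if there is no such entry.
dyn_state_lifetime() {
    line=$(dyn_state_line "$1" "$2")
    [ -n "$line" ] || return 1
    printf '%s\n' "$line" | awk '{ t = $4; sub(/^\(/, "", t); sub(/s\)$/, "", t); print t }'
}

# dyn_state_local_port OUTPUT PORT: host1's ephemeral port of that entry, i.e.
# the port the ACK probe from host2 has to target to hit the same 5-tuple.
dyn_state_local_port() {
    line=$(dyn_state_line "$1" "$2")
    [ -n "$line" ] || return 1
    printf '%s\n' "$line" | awk '{ print $8 }'
}

# Step 2 of the report: one outbound connection so the
# "allow tcp from me to any out setup keep-state" rule creates a dynamic entry.
open_connection() {
    printf 'hello\n' | nc "$HOST2" "$PORT"
}

# Steps 3-4 and the observation after step 5: poll "ipfw -e show" (which still
# lists expired entries, unlike -d) and print the entry's lifetime every
# INTERVAL seconds. Run it after open_connection and send the nmap ACK probe
# from host2 once the entry has expired; a lifetime jumping back to 300 is the
# effect the report describes.
watch_state() {
    interval="${1:-10}"
    while :; do
        out=$(ipfw -e show 2>/dev/null) || { echo "ipfw -e show failed (root?)"; return 1; }
        life=$(dyn_state_lifetime "$out" "$PORT") || life="none"
        lport=$(dyn_state_local_port "$out" "$PORT") || lport="-"
        printf '%s peer port %s local port %s lifetime %s\n' "$(date +%T)" "$PORT" "$lport" "$life"
        sleep "$interval"
    done
}

# Constructed sample output (not captured from a real host) for a dry run.
SAMPLE_AFTER_CONNECT='## Dynamic rules (1):
00100       3      156 (300s) STATE tcp 10.0.0.1 49152 <-> 10.0.0.2 1234'
SAMPLE_EXPIRED='## Dynamic rules (0):'
```

Typical use on host1: `open_connection`, then `watch_state 10` in one terminal; when the lifetime reads `none` under `-d` (or has run down under `-e`), send the probe from host2 with the nmap command from the report, using the local port printed by `watch_state` for `-p`, and see whether the entry is listed again with a fresh lifetime.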
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?344A1282-4B6D-4600-B30B-3A01EFBAAC33>