Date: Sun, 30 Jul 2000 18:00:01 -0500
From: stephen@math.missouri.edu
To: Bill Fumerola <billf@chimesnet.com>
Cc: "Jonathan M. Bresler" <jmb@hub.freebsd.org>, freebsd-security@FreeBSD.ORG
Subject: Re: log with dynamic firewall rules
Message-ID: <3984B371.A5BF509E@math.missouri.edu>
References: <20000730194202.447F937B6C1@hub.freebsd.org> <3984AB32.53B8D793@math.missouri.edu> <20000730185309.W5021@jade.chc-chimes.com>
Bill Fumerola wrote:
>
> I fear the dynamic rule code, or I'd attempt to figure it all out
> and come up with something better, but:
>
> > Now wait five minutes and the dynamic rule times out, and it stops
> > working. Well, that is OK I suppose - you shouldn't have left it so long.
>
> [boa.internal-billf 18:52:25]
> < /home/billf > sysctl -a |grep dyn
> net.inet.ip.fw.dyn_buckets: 256
> net.inet.ip.fw.curr_dyn_buckets: 256
> net.inet.ip.fw.dyn_count: 0
> net.inet.ip.fw.dyn_max: 1000
> net.inet.ip.fw.dyn_ack_lifetime: 300
> net.inet.ip.fw.dyn_syn_lifetime: 20
> net.inet.ip.fw.dyn_fin_lifetime: 20
> net.inet.ip.fw.dyn_rst_lifetime: 5
>
> ... it is a controllable behavior.

Yes, I knew that. (I alluded to it at the end of my message.) Although it is not controllable unless you are root.

There must have been some thought given to these default values, and why they are right. Make net.inet.ip.fw.dyn_ack_lifetime too big, and you begin to defeat its purpose. Make it too small, and you have the problem I describe.

--
Stephen Montgomery-Smith
Department of Mathematics, University of Missouri, Columbia, MO 65211
Phone 573-882-4540, fax 573-882-1869
http://www.math.missouri.edu/~stephen
stephen@math.missouri.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
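As an added illustration that is not part of the thread, the following Python model of ipfw's dynamic rule table uses the sysctl values quoted above to show both sides of the trade-off Stephen describes: an idle connection loses its dynamic entry once dyn_ack_lifetime has elapsed, while a longer lifetime lets abandoned sessions hold entries until dyn_max is reached and new connections are refused. The flow tuples and the table behaviour are constructed approximations, not the kernel implementation.

```python
# Idle lifetimes in seconds, as printed by `sysctl -a | grep dyn` in the thread.
DYN_SYN_LIFETIME = 20
DYN_ACK_LIFETIME = 300
DYN_MAX = 1000


class DynTable:
    """Toy ipfw dynamic-rule table: forward 5-tuple -> absolute expiry time."""

    def __init__(self, ack_lifetime=DYN_ACK_LIFETIME, dyn_max=DYN_MAX):
        self.ack_lifetime = ack_lifetime
        self.dyn_max = dyn_max
        self.rules = {}

    def lifetime_for(self, flags):
        """SYN-only packets get dyn_syn_lifetime; anything carrying ACK gets
        dyn_ack_lifetime (the FIN/RST lifetimes are left out of this model)."""
        if "SYN" in flags and "ACK" not in flags:
            return DYN_SYN_LIFETIME
        return self.ack_lifetime

    def packet(self, flow, flags, now, create):
        """create=True models a keep-state rule, False a check-state rule.
        Returns True if the packet is accepted; the entry is (re)armed."""
        self.rules = {f: t for f, t in self.rules.items() if t > now}  # expire
        full = len(self.rules) >= self.dyn_max
        if flow not in self.rules and (not create or full):
            return False
        self.rules[flow] = now + self.lifetime_for(flags)
        return True


def idle_session_survives(idle_seconds, ack_lifetime=DYN_ACK_LIFETIME):
    """Open a session, go idle, then send one packet: does check-state still match?"""
    t = DynTable(ack_lifetime)
    flow = ("10.0.0.2", 4000, "192.0.2.1", 22)           # constructed sample flow
    t.packet(flow, {"SYN"}, now=0, create=True)          # keep-state on the SYN
    t.packet(flow, {"SYN", "ACK"}, now=1, create=False)  # reply arms ack lifetime
    return t.packet(flow, {"ACK"}, now=1 + idle_seconds, create=False)


def new_flow_fits(n_abandoned, ack_lifetime=DYN_ACK_LIFETIME, after=60):
    """n_abandoned sessions are left open (no FIN/RST) at t=0; can a new
    connection still get a dynamic entry `after` seconds later?"""
    t = DynTable(ack_lifetime)
    for i in range(n_abandoned):                         # constructed stale flows
        t.packet(("10.0.0.2", 1024 + i, "192.0.2.1", 80), {"ACK"}, 0, True)
    return t.packet(("10.0.0.3", 5000, "192.0.2.1", 80), {"SYN"}, after, True)
```

With the defaults, a session idle for 299 seconds still passes check-state and one idle for 300 does not; raising dyn_ack_lifetime fixes that case but lets 1000 abandoned sessions fill the table so that a fresh SYN is refused a minute later.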