From: stephen@math.missouri.edu
Date: Sun, 30 Jul 2000 18:00:01 -0500
To: Bill Fumerola
Cc: "Jonathan M. Bresler", freebsd-security@FreeBSD.ORG
Subject: Re: log with dynamic firewall rules
Message-ID: <3984B371.A5BF509E@math.missouri.edu>
References: <20000730194202.447F937B6C1@hub.freebsd.org> <3984AB32.53B8D793@math.missouri.edu> <20000730185309.W5021@jade.chc-chimes.com>

Bill Fumerola wrote:
>
> I fear the dynamic rule code, or I'd attempt to figure it all out
> and come up with something better, but:
>
> > Now wait five minutes and the dynamic rule times out, and it stops
> > working. Well, that is OK I suppose - you shouldn't have left it so long.
>
> [boa.internal-billf 18:52:25]
> < /home/billf > sysctl -a |grep dyn
> net.inet.ip.fw.dyn_buckets: 256
> net.inet.ip.fw.curr_dyn_buckets: 256
> net.inet.ip.fw.dyn_count: 0
> net.inet.ip.fw.dyn_max: 1000
> net.inet.ip.fw.dyn_ack_lifetime: 300
> net.inet.ip.fw.dyn_syn_lifetime: 20
> net.inet.ip.fw.dyn_fin_lifetime: 20
> net.inet.ip.fw.dyn_rst_lifetime: 5
>
> ... it is a controllable behavior.

Yes, I knew that. (I alluded to it at the end of my message.) Although it is not controllable unless you are root.
There must have been some thought given to these default values, and why they are right. Make net.inet.ip.fw.dyn_ack_lifetime too big, and you begin to defeat its purpose. Make it too small, and you have the problem I describe.

--
Stephen Montgomery-Smith
Department of Mathematics, University of Missouri, Columbia, MO 65211
Phone 573-882-4540, fax 573-882-1869
http://www.math.missouri.edu/~stephen
stephen@math.missouri.edu
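As an added example (not part of this thread, and not FreeBSD's own ipfw code), the following POSIX sh script reads the sysctl values Bill quoted and puts numbers on the trade-off Stephen describes: how long an idle connection keeps its dynamic rule, and how fast a stream of new connections would fill the table at dyn_max. The sysctl text is a constructed copy of the quoted values, the function names are mine, and the occupancy estimate treats every new connection as holding a rule for the full dyn_ack_lifetime, which is a rough upper bound rather than ipfw's exact accounting.

```shell
#!/bin/sh
# Added example: check ipfw dynamic-rule sysctls against the two failure modes
# discussed in the thread (idle sessions losing their rule vs. the state table
# filling up). SAMPLE_SYSCTL is a constructed copy of the values quoted in the
# mail; on a real host you would use:  SYSCTL_TEXT=$(sysctl -a | grep net.inet.ip.fw.dyn)
SAMPLE_SYSCTL='net.inet.ip.fw.dyn_buckets: 256
net.inet.ip.fw.curr_dyn_buckets: 256
net.inet.ip.fw.dyn_count: 0
net.inet.ip.fw.dyn_max: 1000
net.inet.ip.fw.dyn_ack_lifetime: 300
net.inet.ip.fw.dyn_syn_lifetime: 20
net.inet.ip.fw.dyn_fin_lifetime: 20
net.inet.ip.fw.dyn_rst_lifetime: 5'

# dyn_value TEXT NAME: print the integer value of net.inet.ip.fw.NAME found in TEXT.
# Exact key comparison, so dyn_buckets does not also match curr_dyn_buckets.
dyn_value() {
    printf '%s\n' "$1" | awk -v key="net.inet.ip.fw.$2:" '$1 == key { print $2; exit }'
}

# idle_survives TEXT SECONDS: "yes" if a connection idle for SECONDS is still
# covered by its dynamic rule. Established rules live dyn_ack_lifetime seconds
# after the last matching packet; the exact boundary is treated approximately.
idle_survives() {
    if [ "$2" -lt "$(dyn_value "$1" dyn_ack_lifetime)" ]; then echo yes; else echo no; fi
}

# expected_entries TEXT RATE: rough upper bound on live dynamic rules when RATE
# new connections per second each hold a rule for the full dyn_ack_lifetime
# (Little's law: occupancy = arrival rate x residence time).
expected_entries() {
    echo $(( $2 * $(dyn_value "$1" dyn_ack_lifetime) ))
}

# exhaustion_rate TEXT: sustained new connections per second at which that bound
# reaches dyn_max, i.e. the load beyond which new dynamic rules cannot be added.
# This is the "too big" side: a longer lifetime lowers this rate.
exhaustion_rate() {
    echo $(( $(dyn_value "$1" dyn_max) / $(dyn_value "$1" dyn_ack_lifetime) ))
}

# table_utilization TEXT: current dyn_count as a whole-number percentage of dyn_max.
table_utilization() {
    echo $(( $(dyn_value "$1" dyn_count) * 100 / $(dyn_value "$1" dyn_max) ))
}

# report TEXT: print both sides of the trade-off for the given sysctl output.
report() {
    life=$(dyn_value "$1" dyn_ack_lifetime)
    echo "established rules expire after ${life}s idle; a 5-minute idle session survives: $(idle_survives "$1" 300)"
    echo "state table: $(table_utilization "$1")% of dyn_max=$(dyn_value "$1" dyn_max) in use"
    echo "table fills at about $(exhaustion_rate "$1") new connections/s sustained"
}

report "$SAMPLE_SYSCTL"
```

With the quoted defaults the script reports that a session idle for the full five minutes has already lost its rule (the behaviour Stephen hit), while only about 3 new connections per second sustained over the lifetime window would be enough to reach dyn_max=1000, which is the cost of raising dyn_ack_lifetime further.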