From owner-freebsd-net@FreeBSD.ORG Thu Aug 3 15:42:41 2006
From: "Intron"
To: freebsd-net@freebsd.org
Date: Thu, 03 Aug 2006 23:42:39 +0800
Subject: Dynamic Rule Corpses of IPFW 2
List-Id: Networking and TCP/IP with FreeBSD

I've set up a stateful IPFW rule to resist DoS attacks. The rule is

allow tcp from any to me tcpflags syn limit src-addr 10

But I found that there are many corpses in dynamic rules, which may resist normal accesses. There is no correspondence between those corpses and existing TCP connections. How do I deal with those impeding corpses?
#ipfw -d show | grep myclient ; netstat -an | grep myclient
10010 4 192 (111s) LIMIT tcp myclient 50719 <-> myserver 443
10010 4 192 (80s) LIMIT tcp myclient 50700 <-> myserver 443
10010 4 192 (124s) LIMIT tcp myclient 50743 <-> myserver 443
10010 4 192 (119s) LIMIT tcp myclient 50735 <-> myserver 443
10010 3570 544131 (300s) LIMIT tcp myclient 50828 <-> myserver 22
10010 0 0 (3s) PARENT 10 tcp myclient 0 <-> 0.0.0.0 0
10010 4 192 (44s) LIMIT tcp myclient 50617 <-> myserver 443
10010 4 192 (59s) LIMIT tcp myclient 50652 <-> myserver 443
10010 4 192 (59s) LIMIT tcp myclient 50650 <-> myserver 443
10010 4 192 (57s) LIMIT tcp myclient 50645 <-> myserver 443
10010 2 96 (300s) LIMIT tcp myclient 50890 <-> myserver 443
tcp4 0 0 myserver.443 myclient.50817 TIME_WAIT
tcp4 0 0 myserver.443 myclient.50815 TIME_WAIT
tcp4 0 0 myserver.443 myclient.50813 TIME_WAIT
tcp4 0 0 myserver.443 myclient.50809 TIME_WAIT
tcp4 0 146 myserver.443 myclient.50706 ESTABLISHED
tcp4 0 146 myserver.443 myclient.50688 ESTABLISHED
tcp4 0 146 myserver.443 myclient.50679 ESTABLISHED
tcp4 0 0 myserver.443 myclient.50668 ESTABLISHED
tcp4 0 0 myserver.443 myclient.50618 ESTABLISHED
tcp4 0 0 myserver.443 myclient.50611 ESTABLISHED
tcp4 0 146 myserver.443 myclient.50493 FIN_WAIT_1
tcp4 0 146 myserver.443 myclient.50026 FIN_WAIT_1
tcp4 0 0 myserver.22 myclient.50828 ESTABLISHED
------------------------------------------------------------------------
From Beijing, China
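A way to find the mismatch the post describes without eyeballing the two listings, as an added example that is not the poster's code: a POSIX sh function that parses `ipfw -d show` and `netstat -an` output in the column layout shown in the post (the sample lines below are constructed) and lists every LIMIT entry with no matching socket.

```shell
#!/bin/sh
# Added example, not code from the original post. It compares the LIMIT
# entries of `ipfw -d show` with the sockets in `netstat -an` and prints
# the entries that have no matching connection (the "corpses").
# The column layout assumed is the one shown in the post.

# Constructed sample in the layout of `ipfw -d show | grep myclient`
IPFW_SAMPLE='10010 4 192 (111s) LIMIT tcp myclient 50719 <-> myserver 443
10010 3570 544131 (300s) LIMIT tcp myclient 50828 <-> myserver 22
10010 0 0 (3s) PARENT 10 tcp myclient 0 <-> 0.0.0.0 0
10010 2 96 (300s) LIMIT tcp myclient 50890 <-> myserver 443'

# Constructed sample in the layout of `netstat -an | grep myclient`
NETSTAT_SAMPLE='tcp4 0 0 myserver.443 myclient.50817 TIME_WAIT
tcp4 0 0 myserver.22 myclient.50828 ESTABLISHED'

# stale_limit_entries IPFW_OUTPUT NETSTAT_OUTPUT
# Prints "srcport dstport remaining-lifetime" for every LIMIT entry whose
# endpoint pair does not appear in the netstat output in either direction.
stale_limit_entries() {
    { printf '%s\n' "$2"; printf '%s\n' "$1"; } | awk '
        # netstat line: $4 and $5 are the local and foreign host.port;
        # remember both orientations so the match is direction-independent
        $1 ~ /^tcp/ {
            seen[$4 " " $5] = 1
            seen[$5 " " $4] = 1
            next
        }
        # ipfw dynamic line:
        #   rule pkts bytes (ttl) LIMIT proto src sport <-> dst dport
        # PARENT lines (the per-source counter) carry no port pair; skipped
        $5 == "LIMIT" {
            key = $7 "." $8 " " $10 "." $11
            if (!(key in seen)) {
                gsub(/[()]/, "", $4)
                print $8, $11, $4
            }
        }'
}

# On a live host: stale_limit_entries "$(ipfw -d show)" "$(netstat -an)"
stale_limit_entries "$IPFW_SAMPLE" "$NETSTAT_SAMPLE"
```

The value in parentheses is the number of seconds until ipfw expires the entry on its own, and the number on the PARENT line is the live count of child entries that `limit src-addr 10` is checked against, so entries with no socket behind them still consume that per-source quota until they time out.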