From: "Shawn Barnhart" <swb@grasslake.net>
To: freebsd-ipfw@freebsd.org
Subject: Stateful rules
Date: Tue, 19 Nov 2002 10:37:53 -0600

I've recently switched over to using the stateful capabilities of ipfw (4.7-STABLE). I have rules like:

    check-state
    allow tcp from my_host to any keep-state
    allow udp from my_host to any keep-state
    ....
    deny log ip from any to any

In that order. What I've noticed is that during web browsing (and only web browsing), I see a small number of packets hitting the deny rule at the end, as if the dynamic rule had either expired or didn't apply. I didn't notice it impacting the actual web browsing I was doing (i.e., no misdrawn pages or other glitches). I haven't seen any other types of packets blocked other than web traffic; ssh, dns, even udp-intensive games seem OK. Any potential explanations?
I thought there might be some low sysctl variables, but net.inet.ip.fw.dyn_count appears to be well below net.inet.ip.fw.dyn_max. One other thing I'm curious about is net.inet.ip.fw.dyn_buckets -- what does this have to do with net.inet.ip.fw.dyn_max or dynamic rule processing? I can't quite glean the relationship it has with net.inet.ip.fw.dyn_max, if there is one, or when/how/if it should be adjusted.

-Shawn
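A first check for the question above is to see exactly which denied packets reach the final rule: their direction (in or out), protocol and service port. The script below is an added example, not part of the original post; it summarizes ipfw deny log lines in the layout ipfw writes to syslog, and the addresses, ports, interface name and the /var/log/security path are assumptions made for the example.

```shell
#!/bin/sh
# Constructed sample of ipfw deny log lines as syslog records them
# (layout: "ipfw: <rule> <action> <proto> <src>[:<port>] <dst>[:<port>] <in|out> via <ifname>").
# Addresses, ports and the interface name are made up for this example.
SAMPLE_LOG='Nov 19 10:26:50 accord /kernel: ipfw: 65000 Deny TCP 10.1.1.10:80 192.168.1.1:3455 in via fxp0
Nov 19 10:26:51 accord /kernel: ipfw: 65000 Deny TCP 10.1.1.11:80 192.168.1.1:3457 in via fxp0
Nov 19 10:26:53 accord /kernel: ipfw: 65000 Deny TCP 10.1.1.12:443 192.168.1.1:3460 in via fxp0
Nov 19 10:26:54 accord /kernel: ipfw: 65000 Deny TCP 192.168.1.1:3462 10.1.1.13:80 out via fxp0
Nov 19 10:26:55 accord /kernel: ipfw: 65000 Deny TCP 10.1.1.10:80 192.168.1.1:3455 in via fxp0
Nov 19 10:26:56 accord /kernel: ipfw: 65000 Deny ICMP:3.3 10.1.1.14 192.168.1.1 in via fxp0'

# summarize_denies: read ipfw log lines on stdin and count denied packets
# by direction, protocol and service port (the lower-numbered port, on the
# assumption that the other side is an ephemeral client port).
summarize_denies() {
    awk '
        {
            for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
            if (i > NF || $(i + 2) != "Deny") next
            proto = $(i + 3); src = $(i + 4); dst = $(i + 5); dir = $(i + 6)
            if (proto ~ /^ICMP/) {
                port = "-"                      # ICMP lines carry no ports
            } else {
                split(src, s, ":"); split(dst, d, ":")
                port = (s[2] + 0 < d[2] + 0) ? s[2] : d[2]
            }
            count[dir " " proto " port " port]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Usage: feed the real log (e.g. grep ipfw: /var/log/security) or the sample.
printf '%s\n' "$SAMPLE_LOG" | summarize_denies
```

If the summary shows mostly inbound packets from port 80 on flows that were allowed outbound moments earlier, that is consistent with the dynamic rule for the connection having expired before its last packets arrived; a summary dominated by outbound packets would point elsewhere.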