From owner-freebsd-ipfw@FreeBSD.ORG Thu Oct 16 14:18:53 2008
From: Patrick Matters
To: to.dev.null@gmx.de
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Expiration of dynamic rules
Date: Thu, 16 Oct 2008 15:52:10 +0200
In-Reply-To: <20081015214327.230570@gmx.net>
Message-Id: <7809E47C-7C44-43E3-A588-0C99D642FC6B@gmx.de>

Hello,

a real life example:

ruleset host1
...
00100 0 0 check-state
00101 0 0 allow tcp from me to any out setup keep-state
...
sysctl
net.inet.ip.fw.dyn_keepalive: 1
net.inet.ip.fw.dyn_short_lifetime: 5
net.inet.ip.fw.dyn_udp_lifetime: 10
net.inet.ip.fw.dyn_rst_lifetime: 3
net.inet.ip.fw.dyn_fin_lifetime: 3
net.inet.ip.fw.dyn_syn_lifetime: 20
net.inet.ip.fw.dyn_ack_lifetime: 300
net.inet.ip.fw.static_count: 24
net.inet.ip.fw.dyn_max: 4096
net.inet.ip.fw.dyn_count: 237
net.inet.ip.fw.curr_dyn_buckets: 256
net.inet.ip.fw.dyn_buckets: 256
net.inet.ip.fw.verbose_limit: 0
net.inet.ip.fw.verbose: 2
net.inet.ip.fw.debug: 0
net.inet.ip.fw.one_pass: 0
net.inet.ip.fw.autoinc_step: 100
net.inet.ip.fw.enable: 1

tcpdump
11:57:12.452517 IP host1.port1 > host2.80: S 4285172461:4285172461(0) win 65535
11:57:12.465820 IP host2.80 > host1.port1: S 4165668431:4165668431(0) ack 4285172462 win 5672
11:57:12.465951 IP host1.port1 > host2.80: . ack 1 win 65535
... some tcp ack and tcp ack,psh
11:57:12.703599 IP host2.80 > host1.port1: P 6629:7198(569) ack 721 win 112
11:57:12.703678 IP host1.port1 > host2.80: . ack 7198 win 65156
11:57:22.700872 IP host2.80 > host1.port1: F 7198:7198(0) ack 721 win 112
11:57:22.700997 IP host1.port1 > host2.80: . ack 7199 win 65535
12:02:07.529664 IP host1.port1 > host2.80: . ack 7199 win 0
12:02:07.529786 IP host1.port1 > host2.80: . ack 7199 win 65535
12:02:07.543323 IP host2.80 > host1.port1: R 4165675630:4165675630(0) win 0
12:02:07.545776 IP host2.80 > host1.port1: R 4165675630:4165675630(0) win 0

netstat
tcp4 0 0 host1.port1 host2.80 CLOSE_WAIT

CLOSE_WAIT means an established connection on host1 receives a tcp fin from host2 and host1 sends a tcp ack to host2. Now host2 waits for a tcp fin from host1.

After the tcp rst, netstat shows no tcp socket with port1 anymore.

'nmap -PN -n -S host2 -p port1 -e eth0 --source-port 80 --scanflags ack host1'
(it could be any tcp flag or combination of that)

The dynamic rule reopens with timeout 3s and disappears after the timeout. I guess only a tcp fin from host1 would stop the reappearing of the dynamic rule.
jerry

On 15.10.2008 at 23:43, to.dev.null@gmx.de wrote:

> Hello together,
>
> i have a strange phenomenon with dynamic rules. I am using Mac OS X
> 10.5.5 and have disabled keepalive-messages for dynamic rules:
>
> net.inet.ip.fw.dyn_keepalive: 0
>
> ruleset host1
> ...
> check-state
> allow tcp from me to any out setup keep-state
> ...
>
> 1.) host2: nc -k -l -p 1234
> 2.) host1: nc host2 1234
> 3.) dynamic rule with 300s gets created
> 4.) dynamic rule expired after 300s (ipfw -d show: rule is gone (it
> shows with flag -e))
> 5.) nmap -PN -n -p ... --source-port 1234 --scanflags ack host
>
> After 5) that expired rule appeared again with 300s timeout and the
> firewall is again opened.
>
> I would expect that an expired rule could not be reanimated. The
> reactivation of expired rules seems to stop if after tcp fin from
> both hosts are detected. Thus if the tcp disconnection was not
> successful there are some zombie rules which could be reanimated?!?
>
> (also with keepalive you could reproduce it: tcp rst -> then there
> is no keepalive message and the dynamic rule expires but can be
> reanimated with 5))
>
> Jerry
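As an added illustration, not code from the thread or from ipfw itself: a small Python model of how the lifetimes in the quoted sysctl output apply to the quoted tcpdump trace, following the ipfw(8) description of the state tracking (my reading; how a packet that matches no prior state is classed is an assumption of the model). It also runs a constructed variant where a bare ACK probe arrives after the 300 s window has lapsed, which is the reanimation the thread describes.

```python
import re
from datetime import datetime, timedelta
# Lifetimes in seconds, taken from the sysctl output quoted in the mail.
LIFETIME = {"syn": 20, "ack": 300, "fin": 3, "rst": 3}
# tcpdump lines from the mail; the elided run of plain ACKs is left out.
TRACE = """\
11:57:12.452517 IP host1.port1 > host2.80: S 4285172461:4285172461(0) win 65535
11:57:12.465820 IP host2.80 > host1.port1: S 4165668431:4165668431(0) ack 4285172462 win 5672
11:57:12.465951 IP host1.port1 > host2.80: . ack 1 win 65535
11:57:12.703599 IP host2.80 > host1.port1: P 6629:7198(569) ack 721 win 112
11:57:12.703678 IP host1.port1 > host2.80: . ack 7198 win 65156
11:57:22.700872 IP host2.80 > host1.port1: F 7198:7198(0) ack 721 win 112
11:57:22.700997 IP host1.port1 > host2.80: . ack 7199 win 65535
12:02:07.529664 IP host1.port1 > host2.80: . ack 7199 win 0
12:02:07.529786 IP host1.port1 > host2.80: . ack 7199 win 65535
12:02:07.543323 IP host2.80 > host1.port1: R 4165675630:4165675630(0) win 0
12:02:07.545776 IP host2.80 > host1.port1: R 4165675630:4165675630(0) win 0
"""
# Constructed variant: same exchange up to host1's ACK of the FIN, then a bare ACK
# probe arriving after the 300 s window, i.e. the reanimation the thread describes.
PROBE_TRACE = "\n".join(TRACE.splitlines()[:7] + [
    "12:02:30.000000 IP host2.80 > host1.port1: . ack 721 win 112"])
LINE = re.compile(r"^(\S+) IP (\S+) > (\S+): ([SFRP.]+)")
def lifetime_class(seen):
    # Per ipfw(8): short while only the opening SYN is seen, long once both SYNs are
    # seen (one FIN alone does not shorten it), short again after both FINs or a RST.
    # A packet matching no prior state (a bare ACK) is classed like a RST: assumption.
    if "rst" in seen:
        return "rst"
    if {"syn_a", "syn_b"} <= seen:
        return "fin" if {"fin_a", "fin_b"} <= seen else "ack"
    return "syn" if seen == {"syn_a"} else "rst"
def analyse(trace):
    """Walk a one-flow tcpdump trace; return (time, flags, class, expired) per packet."""
    seen, expire, events = set(), None, []
    for line in trace.splitlines():
        m = LINE.match(line)
        ts, flags = datetime.strptime(m.group(1), "%H:%M:%S.%f"), m.group(4)
        expired = expire is not None and ts > expire
        if expired:          # the dynamic rule is gone; this packet starts a fresh one
            seen = set()
        side = "a" if m.group(2) == "host1.port1" else "b"  # "a" is the side that opened
        if "S" in flags: seen.add("syn_" + side)
        if "F" in flags: seen.add("fin_" + side)
        if "R" in flags: seen.add("rst")
        cls = lifetime_class(seen)
        expire = ts + timedelta(seconds=LIFETIME[cls])
        events.append((m.group(1), flags, cls, expired))
    return events
```

In the quoted trace every packet, the 12:02:07 ACKs included, still falls inside the 300 s window that the single FIN left open, so only the RSTs shorten the rule to 3 s; in the constructed variant the late probe finds no state and the model gives the re-created rule the same short 3 s lifetime the mail reports.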