From owner-freebsd-ipfw Tue Nov 19 8:56:20 2002
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 75D4137B401 for ; Tue, 19 Nov 2002 08:56:18 -0800 (PST)
Received: from xorpc.icir.org (xorpc.icir.org [192.150.187.68]) by mx1.FreeBSD.org (Postfix) with ESMTP id 25D5C43E3B for ; Tue, 19 Nov 2002 08:56:18 -0800 (PST) (envelope-from rizzo@xorpc.icir.org)
Received: from xorpc.icir.org (localhost [127.0.0.1]) by xorpc.icir.org (8.12.3/8.12.3) with ESMTP id gAJGuCAh067954; Tue, 19 Nov 2002 08:56:12 -0800 (PST) (envelope-from rizzo@xorpc.icir.org)
Received: (from rizzo@localhost) by xorpc.icir.org (8.12.3/8.12.3/Submit) id gAJGuCi8067953; Tue, 19 Nov 2002 08:56:12 -0800 (PST) (envelope-from rizzo)
Date: Tue, 19 Nov 2002 08:56:12 -0800
From: Luigi Rizzo
To: Shawn Barnhart
Cc: ipfw@FreeBSD.ORG
Subject: Re: Stateful rules
Message-ID: <20021119085612.A67523@xorpc.icir.org>
References: <001a01c28fea$0200c7c0$62229fc0@ad.campbellmithun.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
In-Reply-To: <001a01c28fea$0200c7c0$62229fc0@ad.campbellmithun.com>; from swb@grasslake.net on Tue, Nov 19, 2002 at 10:37:53AM -0600
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

those rules do not make a lot of sense.
perhaps you should post your entire ruleset if you want
us to understand what is going on.

cheers
luigi

On Tue, Nov 19, 2002 at 10:37:53AM -0600, Shawn Barnhart wrote:
> I've recently switched over to using the stateful capabilities of ipfw
> (4.7-STABLE).
>
> I have rules like:
>
> check state
> allow tcp from my_host to any keep-state
> allow udp from my_host to any keep-state
> ....
> deny log ip from any to any
>
> In that order.
>
> What I've noticed is that during web browsing (and only web browsing), I see
> a small number of packets hitting the deny rule at the end, as if the
> dynamic rule had either expired or didn't apply. I didn't notice it
> impacting the actual web browsing I was doing (ie, no misdrawn pages or
> other glitches).
>
> I haven't seen any other types of packets blocked other than web traffic;
> ssh, dns, even udp-intensive games seem OK.
>
> Any potential explanations?
>
> I thought there might be some low sysctl variables, but
> net.inet.ip.fw.dyn_count appears to be well below net.inet.ip.fw.dyn_max.
>
> One other thing I'm curious about is net.inet.ip.fw.dyn_buckets -- what does
> this have to do with net.inet.ip.fw.dyn_max or dynamic rule processing? I
> can't quite glean the relationship it has with net.inet.ip.fw.dyn_max, if
> there is one, or when/how/if it should be adjusted.
>
> -Shawn
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-ipfw" in the body of the message
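The following is an added, constructed Python model of the check-state / keep-state / deny ruleset Shawn quotes, written for this archive page; it is not code from the thread, from ipfw, or from FreeBSD. It assumes a stand-in address for my_host (10.0.0.5), constructed peer addresses in 192.0.2.0/24, a CRC32 bucket hash, and per-state lifetimes taken from the ipfw(8) dyn_*_lifetime defaults as the author of this example recalls them (syn 20 s, ack 300 s, fin/rst 1 s, udp 10 s); the real kernel hash, state machine and timer granularity differ. It models the two sysctls Shawn asks about as ipfw(8) describes them: dyn_buckets is the size of the hash table that dynamic rules are chained into, dyn_max is the cap on how many dynamic rules may be installed at once, and dyn_count is the number currently installed. The web_session scenario shows one way a packet of an otherwise allowed session can reach the final deny rule: once a FIN has been seen the dynamic rule has a one-second life, so a peer's packet that arrives after that is no longer matched by check-state and, not coming from my_host, falls through to deny log. Whether that is what Shawn observed is not established by the thread.

```python
"""Toy model of ipfw stateful matching (check-state, keep-state, deny log).

Constructed educational model, not ipfw source. Addresses, the bucket hash
and the lifetime table are assumptions made for this example.
"""
import zlib
from dataclasses import dataclass

MY_HOST = "10.0.0.5"          # constructed stand-in for "my_host" in the ruleset

# Assumed sysctl values (net.inet.ip.fw.dyn_buckets / dyn_max); releases differ.
DYN_BUCKETS = 256             # number of hash chains for dynamic rules
DYN_MAX = 1000                # cap on installed dynamic rules
# Assumed per-state lifetimes in seconds (net.inet.ip.fw.dyn_*_lifetime).
LIFETIME = {"syn": 20, "ack": 300, "fin": 1, "rst": 1, "udp": 10}


@dataclass
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""  # subset of "S", "A", "F", "R"; empty for udp


def flow_key(p: Packet) -> tuple:
    """Direction-independent 5-tuple so both halves of a flow share one entry."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (p.proto,) + tuple(sorted((a, b)))


def next_state(prev: str, p: Packet) -> str:
    """Crude state tracking: a FIN or RST moves the entry to a short-lived state."""
    if p.proto == "udp":
        return "udp"
    if "R" in p.flags:
        return "rst"
    if "F" in p.flags or prev in ("fin", "rst"):
        return "fin" if "R" not in p.flags and prev != "rst" else "rst"
    return "ack" if "A" in p.flags else "syn"


class DynTable:
    """dyn_buckets hash chains holding at most dyn_max dynamic rules."""

    def __init__(self, buckets=DYN_BUCKETS, dyn_max=DYN_MAX):
        self.buckets = [dict() for _ in range(buckets)]
        self.dyn_max = dyn_max
        self.count = 0  # models net.inet.ip.fw.dyn_count

    def _chain(self, key):
        return self.buckets[zlib.crc32(repr(key).encode()) % len(self.buckets)]

    def lookup(self, p: Packet, now: float):
        """check-state: return a live entry (refreshing it) or purge an expired one."""
        key = flow_key(p)
        chain = self._chain(key)
        entry = chain.get(key)
        if entry is None:
            return None
        if entry["expires"] <= now:
            del chain[key]
            self.count -= 1
            return None
        entry["state"] = next_state(entry["state"], p)
        entry["expires"] = now + LIFETIME[entry["state"]]
        return entry

    def install(self, p: Packet, now: float) -> bool:
        """keep-state: add an entry unless dyn_max has been reached."""
        if self.count >= self.dyn_max:
            return False
        key, state = flow_key(p), next_state("syn", p)
        self._chain(key)[key] = {"state": state, "expires": now + LIFETIME[state]}
        self.count += 1
        return True


def filter_packet(table: DynTable, p: Packet, now: float) -> str:
    """Walk the quoted ruleset in order and name the rule that decided the packet."""
    if table.lookup(p, now) is not None:
        return "allow:check-state"
    if p.src == MY_HOST and p.proto in ("tcp", "udp"):
        # keep-state that cannot install its rule drops the packet instead
        return f"allow:{p.proto} keep-state" if table.install(p, now) else "deny:dyn_max"
    return "deny:log"


def web_session(straggler_delay: float) -> list:
    """Outbound web session, close from the server, then a late server packet."""
    table = DynTable()
    srv = "192.0.2.10"  # constructed web server address
    timeline = [
        (0.0, Packet("tcp", MY_HOST, 40000, srv, 80, "S")),
        (0.1, Packet("tcp", srv, 80, MY_HOST, 40000, "SA")),
        (0.2, Packet("tcp", MY_HOST, 40000, srv, 80, "A")),
        (5.0, Packet("tcp", srv, 80, MY_HOST, 40000, "FA")),
        (5.0 + straggler_delay, Packet("tcp", srv, 80, MY_HOST, 40000, "A")),
    ]
    return [filter_packet(table, p, t) for t, p in timeline]


def table_full_verdict(dyn_max: int) -> str:
    """Open dyn_max UDP flows from my_host, then report what happens to one more."""
    table = DynTable(dyn_max=dyn_max)
    verdict = ""
    for port in range(dyn_max + 1):
        verdict = filter_packet(table, Packet("udp", MY_HOST, 50000 + port, "192.0.2.53", 53), 0.0)
    return verdict


if __name__ == "__main__":
    print(web_session(2.0))   # last packet arrives after the post-FIN lifetime
    print(web_session(0.5))   # last packet arrives while the entry is still live
    print(table_full_verdict(3))
```

The deny log rule at the bottom is what makes this visible at all: a stateful ruleset without a logging catch-all would silently drop the same stragglers, so keeping it is the cheap way to notice expired or never-installed state, and raising dyn_buckets only shortens the hash chains (it changes lookup cost, not how many rules fit, which is dyn_max).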