From owner-freebsd-current Tue Oct 10 19:43:52 2000
Delivered-To: freebsd-current@freebsd.org
Received: from btw.plaintalk.bellevue.wa.us (btw-xl1.plaintalk.bellevue.wa.us [206.129.5.130]) by hub.freebsd.org (Postfix) with ESMTP id 3A2C337B66C for ; Tue, 10 Oct 2000 19:43:50 -0700 (PDT)
Received: from software-munitions.com (fwiw.plaintalk.bellevue.wa.us [206.129.5.157]) by btw.plaintalk.bellevue.wa.us (8.11.1/8.11.1) with ESMTP id e9B2hcs45826 for ; Tue, 10 Oct 2000 19:43:39 -0700 (PDT)
Message-ID: <39E3D3DA.CCC0AFC4@software-munitions.com>
Date: Tue, 10 Oct 2000 19:43:38 -0700
From: Dennis Glatting
X-Mailer: Mozilla 4.75 [en] (WinNT; U)
X-Accept-Language: en
MIME-Version: 1.0
To: current@freebsd.org
Subject: ipfw and state expiration
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-current@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

I am using IPFW with the keep-state primitive on DNS and NTP queries (e.g., [1]). I've noticed, however, that the number of dynamic rules only increases -- there appears to be no pruning of the dynamic rules. Looking through the code I only see a call to prune dynamic rules (via remove_dyn_rule()) when the number of rules exceeds some maximum, rather than at some time interval to ensure dynamic rules are short-lived.

Is this indeed the case? Aren't dynamic rules supposed to be short-lived? Did I configure something improperly?

[1] $fwcmd add allow udp from any to ${wip} 53 via ${wif} keep-state
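A practical way to check the behaviour asked about above is to list the dynamic entries with `ipfw -d show` (add `-e` to include entries that have already expired but not yet been reaped) and watch their remaining lifetimes and the `net.inet.ip.fw.dyn_count` sysctl over time. The script below is an added example, not code from the original post or from the ipfw sources: it parses a constructed sample of `ipfw -d show` output in the `(Ns) STATE ...` line format that current FreeBSD prints (the 2000-era format, and the exact sysctl names available then, may differ and are an assumption here), counts the dynamic entries, reports how many have reached 0s, and, only when `ipfw` is actually installed, samples `dyn_count` twice to see whether pruning happens between the two readings.

```shell
#!/bin/sh
# Added example (not from the original post): inspect ipfw keep-state entries.
# Assumes the "(Ns) STATE ..." dynamic-rule line format of `ipfw -d show` on
# current FreeBSD; older releases print a different parenthesised form and
# the awk field below would need adjusting.

# Constructed sample of `ipfw -d show` output (not captured from a real host).
SAMPLE='00100 1234 567890 allow udp from any to 192.0.2.1 53 via em0 keep-state
00200 0 0 allow ip from any to any
## Dynamic rules (3 4096):
00100 3 312 (5s) STATE udp 192.0.2.1 53 <-> 198.51.100.7 40001 :default
00100 1 104 (0s) STATE udp 192.0.2.1 53 <-> 198.51.100.9 40002 :default
00100 8 832 (10s) STATE udp 192.0.2.1 53 <-> 198.51.100.3 40003 :default'

# dyn_count TEXT: number of dynamic (STATE) entries in the listing
dyn_count() {
  printf '%s\n' "$1" | grep -c ' STATE '
}

# dyn_expired TEXT: entries whose remaining lifetime is 0s, i.e. due for pruning
dyn_expired() {
  printf '%s\n' "$1" | awk '/ STATE / && $4 == "(0s)" { n++ } END { print n + 0 }'
}

# dyn_max_ttl TEXT: largest remaining lifetime, in seconds, among the entries
dyn_max_ttl() {
  printf '%s\n' "$1" | awk '/ STATE / { t = $4; gsub(/[()s]/, "", t); if (t + 0 > m) m = t + 0 } END { print m + 0 }'
}

if command -v ipfw >/dev/null 2>&1; then
  # Live check on a FreeBSD host: does dyn_count fall on its own over 30 seconds?
  a=$(sysctl -n net.inet.ip.fw.dyn_count)
  sleep 30
  b=$(sysctl -n net.inet.ip.fw.dyn_count)
  echo "net.inet.ip.fw.dyn_count: $a -> $b"
  # Lifetimes that govern when a UDP keep-state entry is considered expired
  # (sysctl names as on current FreeBSD; assumed, check your release).
  sysctl net.inet.ip.fw.dyn_udp_lifetime net.inet.ip.fw.dyn_short_lifetime net.inet.ip.fw.dyn_max
  live=$(ipfw -d -e show)
  echo "listed: $(dyn_count "$live") dynamic, $(dyn_expired "$live") at 0s, max ttl $(dyn_max_ttl "$live")s"
else
  echo "sample: $(dyn_count "$SAMPLE") dynamic, $(dyn_expired "$SAMPLE") at 0s, max ttl $(dyn_max_ttl "$SAMPLE")s"
fi
```

An entry that shows 0s is expired but may still be listed until the firewall next walks the table, so a non-zero `dyn_expired` count on its own is not evidence that pruning is broken; a `dyn_count` that never decreases while traffic has stopped is.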