Date:      Tue, 10 Oct 2000 19:51:08 -0700
From:      Dennis Glatting <dennis.glatting@software-munitions.com>
To:        current@FreeBSD.ORG
Subject:   Re: ipfw and state expiration
Message-ID:  <39E3D59C.33D0779C@software-munitions.com>
References:  <39E3D3DA.CCC0AFC4@software-munitions.com>


Just to follow up. It seems TCP states are expired but UDP states are
not.


Dennis Glatting wrote:
> 
> I am using IPFW with the keep-state primitive on DNS and NTP queries
> (e.g., [1]). I've noticed, however, the number of dynamic rules only
> increases -- there appears to be no pruning of the dynamic rules.
> Looking through the code I only see a call to prune dynamic rules (via
> remove_dyn_rule()) when the number of rules exceeds some maximum,
> rather than at some time interval to ensure dynamic rules are short lived.
> 
> Is this indeed the case? Aren't dynamic rules supposed to be short
> lived? Did I not configure something improperly?
> 
> [1] $fwcmd add allow udp from any to ${wip} 53 via ${wif} keep-state
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-current" in the body of the message

