From owner-freebsd-current Tue Oct 10 19:51:12 2000
Delivered-To: freebsd-current@freebsd.org
Received: from btw.plaintalk.bellevue.wa.us (btw-xl1.plaintalk.bellevue.wa.us [206.129.5.130]) by hub.freebsd.org (Postfix) with ESMTP id 469A137B66E for ; Tue, 10 Oct 2000 19:51:09 -0700 (PDT)
Received: from software-munitions.com (fwiw.plaintalk.bellevue.wa.us [206.129.5.157]) by btw.plaintalk.bellevue.wa.us (8.11.1/8.11.1) with ESMTP id e9B2p8s45930 for ; Tue, 10 Oct 2000 19:51:08 -0700 (PDT)
Message-ID: <39E3D59C.33D0779C@software-munitions.com>
Date: Tue, 10 Oct 2000 19:51:08 -0700
From: Dennis Glatting
X-Mailer: Mozilla 4.75 [en] (WinNT; U)
X-Accept-Language: en
MIME-Version: 1.0
To: current@FreeBSD.ORG
Subject: Re: ipfw and state expiration
References: <39E3D3DA.CCC0AFC4@software-munitions.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-current@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Just to follow up. It seems TCP states are expired but UDP states are not.

Dennis Glatting wrote:
>
> I am using IPFW with the keep-state primitive on DNS and NTP queries
> (e.g., [1]). I've noticed, however, the number of dynamic rules only
> increases -- there appears to be no pruning of the dynamic rules.
> Looking through the code I only see a call to prune dynamic rules (via
> remove_dyn_rule()) when the number of rules exceeds some maximum,
> rather than at some time interval to ensure dynamic rules are short lived.
>
> Is this indeed the case? Aren't dynamic rules supposed to be short
> lived? Did I not configure something improperly?
>
> [1] $fwcmd add allow udp from any to ${wip} 53 via ${wif} keep-state
>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-current" in the body of the message
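The growth pattern the thread describes, modelled as an added example (this is not ipfw's code; the table class, the per-protocol lifetimes and the addresses are constructed for illustration): a dynamic-rule table that only prunes dead entries when it reaches its maximum keeps growing with every short UDP query, while one that sweeps expired entries on each insert stays bounded by the live traffic rate.

```python
from dataclasses import dataclass

# Constructed lifetimes in seconds for this model (not ipfw's real values).
LIFETIME = {"tcp": 300, "udp": 10}


@dataclass
class DynRule:
    key: tuple        # constructed 5-tuple: (proto, src, sport, dst, dport)
    expire_at: float  # absolute time after which the state is dead


class DynRuleTable:
    """Toy model of a stateful firewall's dynamic-rule table.

    prune_on_max_only=True reproduces the behaviour discussed in the thread:
    expired entries are removed only when the table hits dyn_max, so the
    count climbs until that ceiling. With False, every insert first sweeps
    expired entries, so the table tracks the number of live flows."""

    def __init__(self, dyn_max, prune_on_max_only):
        self.rules = {}
        self.dyn_max = dyn_max
        self.prune_on_max_only = prune_on_max_only

    def sweep(self, now):
        dead = [k for k, r in self.rules.items() if r.expire_at <= now]
        for k in dead:
            del self.rules[k]
        return len(dead)

    def insert(self, key, now):
        if not self.prune_on_max_only:
            self.sweep(now)
        if len(self.rules) >= self.dyn_max:
            self.sweep(now)  # last-resort pruning at the ceiling
            if len(self.rules) >= self.dyn_max:
                return False  # table full: the new flow gets no state
        self.rules[key] = DynRule(key, now + LIFETIME[key[0]])
        return True

    def count(self):
        return len(self.rules)


def simulate(prune_on_max_only, queries=200, dyn_max=1000):
    """One UDP/53 query per second, each from a fresh client port."""
    table = DynRuleTable(dyn_max, prune_on_max_only)
    for t in range(queries):
        table.insert(("udp", "10.0.0.5", 1024 + t, "192.0.2.1", 53), float(t))
    return table.count()
```

With max-only pruning, 200 one-second queries leave 200 entries; with a sweep on every insert only the last 10 seconds' worth remain, and with 1200 queries the max-only table shows the sawtooth of being emptied at the ceiling and refilling.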