Date: Sat, 15 Feb 2003 11:19:16 -0500
From: Jason Morgan <jwm-freebsd@sentinelchicken.net>
To: freebsd-questions@freebsd.org
Subject: ipfw2 dynamic rules not dying
Message-ID: <20030215161916.GA80761@sentinelchicken.net>
I have a problem with my dynamic IPFW2 rules - they aren't dying. The system has been up now for 14 days, with it acting as firewall to two systems inside. One of the systems inside is also running IPFW2, but is in an open state. Here is the ruleset I am running; I have made no changes to the kernel variables regulating packet time-out - oh, and I'm running 4.7.

# ipfw list
00010 allow ip from any to any via lo0
00020 deny log logamount 10 ip from any to 127.0.0.0/8
00030 deny log logamount 10 ip from 127.0.0.0/8 to any
00040 deny log logamount 10 ip from any to any frag
00050 deny log logamount 10 ip from 10.0.0.0/8 to any in via xl0
00060 deny log logamount 10 ip from 172.16.0.0/12 to any in via xl0
00100 divert 8668 ip from any to any via xl0
00101 count ip from 10.0.0.1 to any
00102 count ip from any to 10.0.0.1
00103 count ip from any to 192.168.1.101
00104 count ip from 192.168.1.101 to any
00105 count ip from 10.0.0.2 to any
00106 count ip from any to 10.0.0.2
00107 count ip from 10.0.0.3 to any
00108 count ip from any to 10.0.0.3
00200 deny log logamount 10 icmp from any to any in via xl0 icmptypes 8
00300 check-state
00400 allow icmp from any to any out via xl0 icmptypes 8 keep-state
00410 allow icmp from 10.0.0.0/8 to any keep-state
00420 deny log logamount 10 icmp from any to any
00500 deny log logamount 10 udp from any to any established
00510 allow udp from 10.0.0.0/8 to any setup keep-state
00520 allow udp from 192.168.1.101 to any keep-state
00530 allow udp from any to any dst-port 53 in keep-state
00600 deny log logamount 10 tcp from any to any established
00610 allow tcp from any to any dst-port 22,25,80 in setup keep-state
00620 allow tcp from 10.0.0.0/8 to any setup keep-state
00630 allow tcp from 192.168.1.101 to any setup keep-state
65000 deny log ip from any to any
65535 deny ip from any to any

One last thing, my server is behind a ZyXel ADSL router, which is addressed as 192.168.1.1 on the inside. xl0 is my outside NIC.
Currently, I have more than 180 dynamic rules active, most of them attached to rule 00610. 180 rules seems to be excessive, and they don't seem to be timing out. Is my ruleset screwed up?

Thanks
Jason
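Added example, not part of Jason's mail: a small POSIX shell helper that summarises `ipfw -d list` output per parent rule and counts how many states still sit near the dynamic-rule lifetime, which distinguishes states that are being refreshed by traffic (or by dyn_keepalive) from states that are genuinely failing to expire. The sample output and its column layout are constructed and assumed to match ipfw2 on 4.x; the sysctl names in `dyn_sysctls` are those documented for ipfw2 and should be verified on the running system.

```sh
#!/bin/sh
# Constructed sample of `ipfw -d list` dynamic-rule output (column layout
# assumed: parent rule, packets, bytes, (remaining lifetime), STATE, proto,
# src port <-> dst port). On the firewall itself, feed in `ipfw -d list`.
SAMPLE_DYN='## Dynamic rules (5):
00610       3       180 (299s) STATE tcp 203.0.113.7 40112 <-> 192.168.1.101 80
00610      12      8192 (300s) STATE tcp 203.0.113.9 51200 <-> 192.168.1.101 22
00610       1        60 (17s) STATE tcp 203.0.113.12 33000 <-> 192.168.1.101 25
00620      40     51200 (295s) STATE tcp 10.0.0.2 1025 <-> 198.51.100.5 80
00530       2       120 (4s) STATE udp 10.0.0.3 1234 <-> 192.168.1.1 53'

# Number of dynamic rules attached to each parent (static) rule number,
# one "rule count" pair per line, sorted by rule number.
dyn_per_parent() {
    printf '%s\n' "$1" | awk '/STATE/ { n[$1]++ } END { for (r in n) print r, n[r] }' | sort
}

# Count states under parent rule $1 whose remaining lifetime is >= $2 seconds.
# A population that stays near the full lifetime (dyn_ack_lifetime for
# established TCP) is being refreshed, not stuck; stuck states would show
# lifetimes counting down and then disappearing from the list.
dyn_refreshed() {
    parent=$1; thresh=$2
    printf '%s\n' "$3" | awk -v p="$parent" -v t="$thresh" '
        $1 == p && /STATE/ {
            s = $4; gsub(/[()s]/, "", s)   # "(299s)" -> "299"
            if (s + 0 >= t) c++
        }
        END { print c + 0 }'
}

# Assumed ipfw2 sysctl names (from ipfw(8)); run on the firewall to see the
# current dynamic-rule count and the lifetimes that govern expiry.
dyn_sysctls() {
    sysctl net.inet.ip.fw.dyn_count net.inet.ip.fw.dyn_max \
           net.inet.ip.fw.dyn_ack_lifetime net.inet.ip.fw.dyn_syn_lifetime \
           net.inet.ip.fw.dyn_fin_lifetime net.inet.ip.fw.dyn_udp_lifetime \
           net.inet.ip.fw.dyn_keepalive
}

# Usage on the live system:
#   dyn_per_parent "$(ipfw -d list)"
#   dyn_refreshed 00610 290 "$(ipfw -d list)"
```

On the sample above, rule 00610 has three states, two of which are within ten seconds of a 300s lifetime and one that is nearly expired.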