Date: Wed, 29 Jan 2003 21:34:50 +0000
From: Trent Nelson <trent@limekiln.vcisp.net>
To: freebsd-net@freebsd.org
Subject: ipfw keep-state problem
Message-ID: <20030129213450.GA6421@limekiln.vcisp.net>
Hi,
I'm using ipfw with dynamic rules, and I'm having problems. Consider
the following rules:

    ipfw add check-state
    ipfw add deny tcp from any to any established
    ipfw add pass ip from me to any
    ipfw add pass tcp from any to me ssh keep-state setup
    ipfw add pass tcp from any to me telnet keep-state setup

Which is basically from the man page. The problem is that after
establishing a successful telnet/ssh session, I have about 90-120
seconds time to have some traffic pass over the session before it
dies. Now when I say die, the connection is not dropped initially,
it just appears that all traffic I sent is blocked.
If I had to take a wild guess, I'd say that the keep-state setup
rules added dynamically are expiring too quickly, and thus, subsequent
traffic is hitting the ``deny tcp from any to any established''
rule.
I'm using ipfw v1 and 4.7-STABLE as of a few days ago. Any
thoughts?
Regards,
Trent.
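
A toy model of the ruleset above, added here as an illustration; it is not part of the original message and not ipfw's implementation. It shows what first-match evaluation would do if the poster's guess held and the dynamic rule expired while the session sat idle. The addresses, the single `LIFETIME` value and the default-deny final rule are assumptions.

```python
# Toy model of the posted ruleset (added example; not ipfw's implementation).
ME = "192.0.2.10"   # constructed address standing in for "me"
LIFETIME = 100      # assumed idle lifetime of a dynamic rule, in seconds

def pkt(src, sport, dst, dport, *flags):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "flags": set(flags)}

class Firewall:
    def __init__(self, lifetime=LIFETIME):
        self.lifetime = lifetime
        self.dynamic = {}   # flow key -> expiry time

    def check(self, p, now):
        """Return (action, rule) for packet p seen at time `now` (seconds)."""
        # One key for both directions of the flow.
        k = frozenset([(p["src"], p["sport"]), (p["dst"], p["dport"])])
        # check-state: a live dynamic rule passes the packet and is refreshed.
        if self.dynamic.get(k, -1) > now:
            self.dynamic[k] = now + self.lifetime
            return ("pass", "check-state")
        self.dynamic.pop(k, None)   # expired or absent
        # deny tcp from any to any established (ACK or RST set)
        if p["flags"] & {"ACK", "RST"}:
            return ("deny", "established")
        # pass ip from me to any
        if p["src"] == ME:
            return ("pass", "from me")
        # pass tcp from any to me ssh/telnet keep-state setup (SYN, no ACK)
        if p["dst"] == ME and p["dport"] in (22, 23) and "SYN" in p["flags"]:
            self.dynamic[k] = now + self.lifetime
            return ("pass", "keep-state setup")
        return ("deny", "default")   # assumed default-deny final rule

def demo():
    fw, peer = Firewall(), "198.51.100.7"   # constructed peer address
    a, b = (peer, 40000, ME, 22), (ME, 22, peer, 40000)
    return [
        fw.check(pkt(*a, "SYN"), 0),          # opens the dynamic rule
        fw.check(pkt(*b, "SYN", "ACK"), 0),   # reply rides the dynamic rule
        fw.check(pkt(*a, "ACK"), 50),         # traffic refreshes the timer
        fw.check(pkt(*a, "ACK"), 149),        # 99 s idle: still alive
        fw.check(pkt(*a, "ACK"), 400),        # idle too long: rule is gone
        fw.check(pkt(*b, "ACK"), 401),        # local side is blocked as well
    ]

if __name__ == "__main__":
    for result in demo():
        print(result)
```

In this model, once the dynamic entry is gone, packets in both directions carry ACK and so match the `established` deny rule before `pass ip from me to any` is reached.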
