Date: Mon, 21 Feb 2000 15:15:00 +0100 (CET)
From: "Nicolai Petri (ML)" <nppmf@swamp.dk>
To: Luigi Rizzo <luigi@info.iet.unipi.it>
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: keep-state option in CURRENT.
Message-ID: <Pine.BSF.4.21.0002211505030.31151-100000@distortion.dk>
In-Reply-To: <200002211343.OAA93003@info.iet.unipi.it>
On Mon, 21 Feb 2000, Luigi Rizzo wrote:
> > dynamic rules are never deleted. Is this a bug or is it just not
> > implemented yet.
>
> They expire after some time (variable between 5 and 300s depending
> on the state), but expired rules are deleted in a lazy way, only
> when the code goes through them while scanning for matching rules
> or trying to find space.
What is the result of the following ruleset:
1000 allow ip from ${MYIPADDR} to any keep-state
1100 allow ip from any to ${MYIPADDR} 23 keep-state
1200 deny all from any to any
In this setup, when will the dynamic rules be deleted?
Is it when an incoming packet is hitting a deny rule or when there are more
than X rules and a new dynamic rule is created?
---
Nicolai Petri
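
The lazy expiry described in the quoted text, as a small C model added here as an example (it is not part of the original message and not ipfw's code). The table size, the function names and the linear slot scan are assumptions; the 5 s and 300 s lifetimes are the bounds quoted above.

```c
/* Simplified model of lazily expired dynamic rules; NOT ipfw's source.
 * Names, table size and the slot-scan layout are assumptions. */
#include <stdio.h>

#define MAX_DYN 4                 /* assumed table capacity */

struct dyn_rule { int used; unsigned flow; long expire; };
static struct dyn_rule table[MAX_DYN];

/* Slots still occupied, whether or not their lifetime has passed. */
int dyn_count(void) {
    int n = 0;
    for (int i = 0; i < MAX_DYN; i++) n += table[i].used;
    return n;
}

/* Scan for a flow; expired entries met before a match are freed. */
int dyn_lookup(unsigned flow, long now) {
    for (int i = 0; i < MAX_DYN; i++) {
        if (!table[i].used) continue;
        if (table[i].expire <= now) { table[i].used = 0; continue; }
        if (table[i].flow == flow) return 1;   /* scan stops here */
    }
    return 0;
}

/* Add state for a flow; a full table is swept for expired entries
 * once before giving up. Returns 0 on success, -1 if no space. */
int dyn_install(unsigned flow, long now, long lifetime) {
    for (int pass = 0; pass < 2; pass++) {
        for (int i = 0; i < MAX_DYN; i++) {
            if (table[i].used) continue;
            table[i] = (struct dyn_rule){1, flow, now + lifetime};
            return 0;
        }
        for (int i = 0; i < MAX_DYN; i++)       /* full: reclaim */
            if (table[i].used && table[i].expire <= now) table[i].used = 0;
    }
    return -1;
}

int main(void) {
    dyn_install(1, 0, 300);                     /* long-lived, slot 0 */
    for (unsigned f = 2; f <= 4; f++) dyn_install(f, 0, 5);
    dyn_lookup(1, 100);                         /* match in slot 0 */
    printf("after early match: %d slots used\n", dyn_count());
    dyn_lookup(9, 100);                         /* miss: full scan */
    printf("after full scan:   %d slots used\n", dyn_count());
    return 0;
}
```

In this model an expired entry keeps its slot until a scan walks over it or an install finds the table full, so the occupied-slot count can overstate the number of live flows.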
