Date: Tue, 21 Sep 2004 19:25:22 -0700 (PDT)
From: Muk Dunkin <mukden@yahoo.com>
To: freebsd-ipfw@freebsd.org
Subject: dynamic TCP rule lifetime is too short
Message-ID: <20040922022522.34335.qmail@web11505.mail.yahoo.com>
Hi all,

In ipfw2.c, if the keep-alive option was turned off, once a TCP (SYN,ACK) dynamic rule gets removed (UNLINK) because its lifetime has expired, the subsequent TCP ACK dynamic rule gets created with a very short timeout (1 sec). net.inet.ip.fw.dyn_rst_lifetime (default of 1 second) was used instead of net.inet.ip.fw.dyn_ack_lifetime for the newly created TCP ACK dynamic rule; as a result, the rule gets added and removed (time expired) over and over again.

Here's the scenario:

  - turn off keep-alive via sysctl
  - allow tcp from any to any telnet keep-state
    deny all from any to any
  - host1 telnet to host2 -- dynamic rule (300s) STATE tcp host1 <-> host2 was created
  - wait after the 300s has lapsed, check the dynamic rule table (ipfw -dt list): dynamic rule tcp host1<->host2 is gone
  - type something from the host1 telnet window: no new dynamic rule gets created, 'cuz it was added and removed after 1 second.

Shouldn't net.inet.ip.fw.dyn_ack_lifetime be used instead of net.inet.ip.fw.dyn_rst_lifetime when we update q->expire in lookup_dyn_rule()?

MC
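To make the reported behaviour concrete, here is a small C model (an added example, not the ipfw2.c code) of how a dynamic rule's lifetime is picked from the SYN/FIN/RST bits seen in each direction. The state encoding (reply-direction bits shifted by 8), the sysctl defaults (20/300/1/1 seconds) and the function names are assumptions; the `fixed` flag applies the change the mail asks about, so that a rule re-created from a bare ACK gets dyn_ack_lifetime instead of dyn_rst_lifetime.

```c
#include <stdio.h>

#define TH_FIN 0x01
#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_ACK 0x10
#define BOTH_SYN (TH_SYN | (TH_SYN << 8))
#define BOTH_FIN (TH_FIN | (TH_FIN << 8))

/* Assumed sysctl defaults, in seconds (net.inet.ip.fw.dyn_*_lifetime). */
enum { DYN_SYN_LIFETIME = 20, DYN_ACK_LIFETIME = 300,
       DYN_FIN_LIFETIME = 1,  DYN_RST_LIFETIME = 1 };

/* Fold one packet's flags into the rule state. forward=1 is the rule's
 * original direction, 0 the reply direction. ACK is not tracked at all,
 * so a connection picked up from a bare ACK stays in state 0. */
unsigned dyn_update(unsigned state, unsigned tcp_flags, int forward)
{
    unsigned f = tcp_flags & (TH_SYN | TH_FIN | TH_RST);
    return state | (forward ? f : f << 8);
}

/* Lifetime for a rule in 'state'. fixed=0 models the reported behaviour
 * (state 0 falls into the default/RST branch); fixed=1 treats state 0 as
 * an established connection, as the mail suggests. */
int dyn_lifetime(unsigned state, int fixed)
{
    switch (state) {
    case TH_SYN:                   return DYN_SYN_LIFETIME;   /* opening */
    case BOTH_SYN:                                            /* established */
    case BOTH_SYN | TH_FIN:                                   /* one side closing */
    case BOTH_SYN | (TH_FIN << 8): return DYN_ACK_LIFETIME;
    case BOTH_SYN | BOTH_FIN:      return DYN_FIN_LIFETIME;   /* both closed */
    case 0:  return fixed ? DYN_ACK_LIFETIME : DYN_RST_LIFETIME;
    default: return DYN_RST_LIFETIME;                         /* RST / invalid */
    }
}

/* The mail's scenario: handshake, 300 s expiry unlinks the rule, then a
 * bare ACK from host1 creates a fresh rule. Returns that rule's lifetime. */
int lifetime_after_expiry(int fixed)
{
    unsigned st = dyn_update(0, TH_SYN, 1);             /* host1 -> host2 SYN */
    if (dyn_lifetime(st, fixed) != DYN_SYN_LIFETIME) return -1;
    st = dyn_update(st, TH_SYN | TH_ACK, 0);            /* host2 -> host1 SYN|ACK */
    if (dyn_lifetime(st, fixed) != DYN_ACK_LIFETIME) return -1;
    st = dyn_update(0, TH_ACK, 1);                      /* new rule from bare ACK */
    return dyn_lifetime(st, fixed);
}
```

With `fixed=0` the re-created rule lives 1 second, which is the add/expire churn the mail describes; with `fixed=1` it lives 300 seconds.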