From owner-freebsd-ipfw@FreeBSD.ORG Wed Sep 22 02:25:22 2004
From: Muk Dunkin <mukden@yahoo.com>
To: freebsd-ipfw@freebsd.org
Date: Tue, 21 Sep 2004 19:25:22 -0700 (PDT)
Subject: dynamic TCP rule lifetime is too short
Message-ID: <20040922022522.34335.qmail@web11505.mail.yahoo.com>
List-Id: IPFW Technical Discussions

Hi all,

In ipfw2.c, if the keep-alive option is turned off, once a TCP (SYN,ACK) dynamic rule gets removed (UNLINK) because its lifetime has expired, the subsequent TCP ACK dynamic rule gets created with a very short timeout (1 sec). net.inet.ip.fw.dyn_rst_lifetime (default of 1 second) was used instead of net.inet.ip.fw.dyn_ack_lifetime for the newly created TCP ACK dynamic rule; as a result, the rule gets added and removed (time expired) over and over again.

Here's the scenario:

- turn off keep-alive via sysctl
- ruleset:
    allow tcp from any to any telnet keep-state
    deny all from any to any
- host1 telnets to host2 -- dynamic rule (300s) STATE tcp host1 <-> host2 was created
- wait until the 300s has lapsed, then check the dynamic rule table: ipfw -dt list
- dynamic rule tcp host1<->host2 is gone
- type something in the host1 telnet window
- no new dynamic rule gets created, 'cuz it was added and removed after 1 second.
Shouldn't net.inet.ip.fw.dyn_ack_lifetime be used instead of net.inet.ip.fw.dyn_rst_lifetime when we update q->expire in lookup_dyn_rule()?

MC
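The following is an added illustration, not ipfw's source and not code from the poster: a toy model of a keep-state table that replays the scenario above, so the effect of choosing dyn_rst_lifetime for a state re-learned from a bare ACK can be compared with choosing dyn_ack_lifetime as the mail suggests. It assumes the two defaults the mail quotes (300 s and 1 s), assumes a 20 s SYN lifetime for the half-open state (not given in the mail), and reduces lookup_dyn_rule() to a flag-accumulating lifetime choice; host names, ports and timestamps are constructed.

```python
"""Toy model of ipfw keep-state lifetime selection (added example, not ipfw code)."""
from dataclasses import dataclass

# Lifetimes in seconds.  300 and 1 are the defaults quoted in the mail;
# the SYN lifetime is an assumption made for the half-open state only.
DYN_ACK_LIFETIME = 300   # net.inet.ip.fw.dyn_ack_lifetime
DYN_RST_LIFETIME = 1     # net.inet.ip.fw.dyn_rst_lifetime
DYN_SYN_LIFETIME = 20    # assumed value for a SYN-only state

TH_SYN = 0x02
TH_ACK = 0x10
TELNET = 23


@dataclass
class DynRule:
    """One keep-state entry: TCP flags seen so far on the flow and its expiry."""
    seen: int      # OR of flags observed in both directions
    expire: int    # absolute time (s) at which the sweeper drops the entry


def lifetime_for(seen: int, fixed: bool) -> int:
    """Pick the lifetime after `seen` was updated by a packet.

    Buggy variant (behaviour the mail describes): only a flow that has shown
    SYN and ACK gets dyn_ack_lifetime; an ACK-only state falls through to
    dyn_rst_lifetime and lives one second.  Fixed variant: an ACK on a state
    without a SYN also gets dyn_ack_lifetime.
    """
    if seen & TH_SYN and seen & TH_ACK:
        return DYN_ACK_LIFETIME
    if seen & TH_SYN:
        return DYN_SYN_LIFETIME
    if fixed and seen & TH_ACK:
        return DYN_ACK_LIFETIME
    return DYN_RST_LIFETIME


class DynTable:
    """Minimal dynamic-rule table: sweep, lookup (update), install."""

    def __init__(self, fixed: bool):
        self.fixed = fixed
        self.rules: dict[tuple, DynRule] = {}

    @staticmethod
    def key(src, sport, dst, dport):
        # Direction-independent key so replies hit the same entry.
        return tuple(sorted([(src, sport), (dst, dport)]))

    def sweep(self, now: int) -> None:
        """Drop entries whose expiry has passed (periodic expiry pass)."""
        for k in [k for k, r in self.rules.items() if r.expire <= now]:
            del self.rules[k]

    def lookup(self, pkt, now: int):
        """lookup_dyn_rule() analogue: find the entry, fold in flags, reset expiry."""
        r = self.rules.get(self.key(*pkt[:4]))
        if r is None:
            return None
        r.seen |= pkt[4]
        r.expire = now + lifetime_for(r.seen, self.fixed)
        return r

    def install(self, pkt, now: int) -> DynRule:
        """Create the entry when a keep-state rule matched a packet with no state."""
        r = DynRule(seen=pkt[4], expire=now + lifetime_for(pkt[4], self.fixed))
        self.rules[self.key(*pkt[:4])] = r
        return r


def firewall(table: DynTable, pkt, now: int) -> bool:
    """The mail's ruleset: state check, then 'allow tcp to telnet keep-state', else deny."""
    table.sweep(now)
    if table.lookup(pkt, now) is not None:
        return True
    _src, _sport, _dst, dport, _flags = pkt
    if dport == TELNET:
        table.install(pkt, now)
        return True
    return False


def simulate(fixed: bool):
    """Replay the scenario; return (expiry of the re-learned entry, reply allowed?)."""
    t = DynTable(fixed)
    h1, h2, p = "host1", "host2", 40000            # constructed hosts/port
    # Handshake at t=0..1 builds a SYN+ACK state that lives 300 s.
    assert firewall(t, (h1, p, h2, TELNET, TH_SYN), 0)
    assert firewall(t, (h2, TELNET, h1, p, TH_SYN | TH_ACK), 0)
    assert firewall(t, (h1, p, h2, TELNET, TH_ACK), 1)
    # Session idles past dyn_ack_lifetime; the sweeper removes the entry.
    t.sweep(1 + DYN_ACK_LIFETIME + 1)
    assert not t.rules
    # User types in the idle telnet window: a bare ACK data segment at t=310.
    now = 310
    assert firewall(t, (h1, p, h2, TELNET, TH_ACK), now)
    relearned = next(iter(t.rules.values())).expire
    # The server answers two seconds later; with no entry, 'deny all' wins.
    reply_ok = firewall(t, (h2, TELNET, h1, p, TH_ACK), now + 2)
    return relearned, reply_ok


if __name__ == "__main__":
    print("buggy:", simulate(fixed=False))   # entry expires at 311, reply denied
    print("fixed:", simulate(fixed=True))    # entry expires at 610, reply allowed
```

The model shows why the symptom in the mail is invisible in `ipfw -dt list`: the re-learned entry exists for only one second, so the return traffic arriving after that hits the deny rule and the client's keystrokes appear to go nowhere until it reconnects.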