Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 11 Jan 2017 13:05:10 +0100
From:      Damien Fleuriot <ml@my.gd>
To:        Damien Fleuriot <ml@my.gd>,  "freebsd-questions@freebsd.org" <freebsd-questions@freebsd.org>
Subject:   Re: [IPFW] stateful session timeout
Message-ID:  <CAE63ME45HEZF-s7MkoMTmpR7o==8%2BEbycBcyfOj4c2dpjSzX%2BA@mail.gmail.com>
In-Reply-To: <20170111102445.GA53285@slackbox.erewhon.home>
References:  <CAE63ME66mOLS9JvX5ULvAY-F0TMi1Ru_Eip4=pVL8UmBaNxQkQ@mail.gmail.com> <20170111102445.GA53285@slackbox.erewhon.home>

next in thread | previous in thread | raw e-mail | index | archive | help
On 11 January 2017 at 11:24, Roland Smith <rsmith@xs4all.nl> wrote:
> On Tue, Jan 10, 2017 at 03:16:46PM +0100, Damien Fleuriot wrote:
>> Hello list,
>
>> We currently use PF on 8-STABLE and 10-STABLE boxes.
>>
>> I'm playing around a bit with ipfw and have not found a way to replicate
>> PF's *per-rule* custom session lifetimes.
>>
>> Anyone's got anything on the subject ? ;)
>
> Is this about dynamic rules? Because looking at ipfw(8) you can only set that
> globally via the net.inet.ip.fw.dyn_* sysctls. From the manual:
>
>      Dynamic rules expire after some time, which depends on the status of the
>      flow and the setting of some sysctl variables.  See Section SYSCTL
>      VARIABLES for more details.  For TCP sessions, dynamic rules can be
>      instructed to periodically send keepalive packets to refresh the state of
>      the rule when it is about to expire.
>

Aye, that is my actual problem, a global timer as opposed to PF's
per-rule capability.

I understand that is an edge case, however that is one that strongly
prevents the use of ipfw in PF's stead.


For example, we use very aggressive timers on PF to prevent resource
and state exhaustion attacks, however for some protocols we use
slightly more permissive timers.
Say our nginx client body timeout is 20s, I'll set us up a
tcp.established timer of 22-24s on the HTTP/HTTPS rules.

However, I'll stick to a regular 10s on our other rules.


I'm afraid I shan't be able to do that with ipfw, killing any plans of
moving to it.



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAE63ME45HEZF-s7MkoMTmpR7o==8%2BEbycBcyfOj4c2dpjSzX%2BA>