From owner-freebsd-security Thu Nov 30 18:56:28 2000
Delivered-To: freebsd-security@freebsd.org
Received: from ns1.infowest.com (ns1.infowest.com [204.17.177.10]) by hub.freebsd.org (Postfix) with ESMTP id 7BB0A37B400 for ; Thu, 30 Nov 2000 18:56:24 -0800 (PST)
Received: from jardan.infowest.com (jardan.infowest.com [216.190.28.251]) by ns1.infowest.com (Postfix) with SMTP id 1371021285 for ; Thu, 30 Nov 2000 19:56:10 -0700 (MST)
From: Aaron D.Gifford
Date: Thu, 30 Nov 2000 19:56:15 -0700
X-Mailer: KMail [version 1.1.99]
Content-Type: text/plain; charset="iso-8859-1"
To: freebsd-security@freebsd.org
Subject: Re: ipfw dynamic firewall opening Large amounts of dynamic rules normal?
MIME-Version: 1.0
Message-Id: <00113019561500.07081@jardan.infowest.com>
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 11/30/2000 18:35:09, Peter Brezny wrote:
>Hello Everyone,
>
>On a 4.2-stable box I've got ipfw and nat running with 2 dynamic rules (see
>complete rule set below).
>
> $fwcmd add check-state
> $fwcmd add allow ip from $oip to any keep-state out via $oif
> $fwcmd add allow ip from $inwr to any keep-state via $iif
>
>This box is in the testing phase, and with me as the only user behind the
>firewall with a couple browsers and a mail client running,
>
>sysctl net.inet.ip.fw
>
>shows ...dyn_count:178 (see below)
>
>When I

What you are seeing is current ACTIVE dynamic rules AND inactive expired
rules whose place in the table (I assume it's a hash table for quick lookups
on IP packets) has not yet been reused. So an active system will gradually
accumulate rules (expired rules mostly) until there are nearly as many as
there are spots in the hash table. The number of active dynamic rules at any
one time, however, is almost always much smaller.

>
>ipfw show
>
>it appears that for each outbound request for a website between six and 10
>rules are created, one for the private ip of the internal machine followed
>by several for the (I'm assuming) translated internal request heading out to
>the remote web server (see below).
>
>Is this behavior normal? And if so, how high is it recommended to set the

From what I see in your message it looks very normal and your example shows
very little traffic (but that may have been on purpose since you most likely
did not wish to flood the list).

>
>sysctl net.inet.ip.fw.dyn_max:
>
>variable (I'm using the default of 1000)?

In nearly every case I've seen, it's been plenty. You may need to increase
the number if the box is allocating dynamic rules for traffic from many hosts
(if it's acting as a firewall) and/or traffic patterns at your location tend
to be a lot of separate IP flows versus fewer TCP flows. It's not the sheer
number of packets that governs the number of dynamic rules, but the number of
individual matching flows (UDP and TCP).

>
>I've attached a copy of my firewall rules below as well.
>
>Any advice will be greatly appreciated.
>
>TIA
>
>Peter Brezny
>SysAdmin Services Inc.
>
<>
>
>ipfw show output
>01300 0 0 (T 0, # 34) ty 0 tcp, 10.10.1.70 1265 <-> 209.16.228.140 25
>01200 0 0 (T 0, # 36) ty 0 tcp, 209.16.228.146 1256 <-> 208.201.239.14 80
>01200 0 0 (T 0, # 37) ty 0 tcp, 209.16.228.146 1262 <-> 204.148.40.9 80
>01200 0 0 (T 0, # 38) ty 0 tcp, 209.16.228.146 1261 <-> 204.148.40.9 80
>01200 0 0 (T 0, # 40) ty 0 tcp, 209.16.228.146 1251 <-> 204.148.40.9 80
>01200 0 0 (T 0, # 41) ty 0 tcp, 209.16.228.146 1253 <-> 208.201.239.14 80
>01200 0 0 (T 0, # 43) ty 0 tcp, 209.16.228.146 1255 <-> 208.201.239.14 80
>01200 0 0 (T 0, # 47) ty 0 tcp, 209.16.228.146 1252 <-> 204.148.40.9 80
>01300 0 0 (T 0, # 49) ty 0 tcp, 10.10.1.70 1216 <-> 64.41.203.231 80
>01200 1 477 (T 0, # 52) ty 0 udp, 209.16.228.146 1055 <-> 209.16.228.140 53
>01200 1 154 (T 0, # 53) ty 0 udp, 209.16.228.146 1054 <-> 209.16.228.140 53
>01200 1 149 (T 0, # 54) ty 0 udp, 209.16.228.146 1053 <-> 209.16.228.140 53
>01200 1 132 (T 0, # 55) ty 0 udp, 209.16.228.146 1052 <-> 209.16.228.140 53
>01200 0 0 (T 0, # 64) ty 0 tcp, 209.16.228.146 1163 <-> 204.148.40.9 80
>01200 0 0 (T 0, # 65) ty 0 tcp, 209.16.228.146 1162 <-> 204.148.40.9 80
>01200 0 0 (T 0, # 66) ty 0 tcp, 209.16.228.146 1161 <-> 204.148.40.9 80
>01200 0 0 (T 0, # 67) ty 0 tcp, 209.16.228.146 1160 <-> 204.148.40.9 80
>01200 0 0 (T 0, # 68) ty 0 tcp, 209.16.228.146 1167 <-> 204.148.40.9 80
>01200 0 0 (T 0, # 69) ty 0 tcp, 209.16.228.146 1166 <-> 204.148.40.9 80
<>

A quick look at the above shows that ALL the listed dynamic rules have
expired -- the "T 0" part shows there are 0 seconds left before the rule
expires. And in fact it looks like there were 4 DNS queries, 1 SMTP stream,
1 HTTP flow from 10.10.1.70 to 64.41.203.231, and most likely only 2 web
pages requested by 209.16.228.146, each of which very likely had several
images or other page content files that resulted in additional streams being
created. Very normal.

You can write a cron job to keep an eye on your log files. I believe ipfw
will write to the log if you hit the maximum number of dynamic rules. Off
the top of my head I don't recall where it logs (/var/log/security or
/var/log/messages, I suspect) nor what the exact entry is. Then if you see
such an entry, bump your maximum up.

I tune several ipfw related things in /etc/sysctl.conf on some of the systems
I work with to match the specific traffic patterns the hosts encounter.

Aaron out.
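The reply above does by eye what a small script can do for you: separate the expired "T 0" entries from the ones still active, and count flows (not packets) per service and per source host so you can judge whether dyn_max needs raising. The Python below is an added example and is not part of this thread or of ipfw; the line layout it parses is the one shown in the quoted "ipfw show" output, the sample lines are constructed for the example, the port-to-name table covers only the services seen in the thread, and the 80% warning threshold for dyn_count against dyn_max is an arbitrary assumption.

```python
import re
import sys
from collections import Counter

# One dynamic-rule line from "ipfw show", in the layout shown in the thread:
#   01200 0 0 (T 0, # 36) ty 0 tcp, 209.16.228.146 1256 <-> 208.201.239.14 80
# Fields: rule number, packets, bytes, seconds until expiry (T), slot in the
# dynamic rule table (#), rule type, protocol, source/port <-> destination/port.
DYN_RULE_RE = re.compile(
    r"^(?P<rule>\d+)\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+"
    r"\(T\s+(?P<ttl>-?\d+),\s+#\s+(?P<slot>\d+)\)\s+ty\s+(?P<type>\d+)\s+"
    r"(?P<proto>\w+),\s+(?P<src>[\d.]+)\s+(?P<sport>\d+)\s+<->\s+"
    r"(?P<dst>[\d.]+)\s+(?P<dport>\d+)\s*$"
)

# Port-to-service labels for the flows that appear in the thread's output.
SERVICE_NAMES = {25: "smtp", 53: "dns", 80: "http"}

# Constructed sample output (not copied from the thread): one static rule line,
# four expired dynamic rules (T 0) and two still-active ones (T > 0).
SAMPLE_OUTPUT = """\
00100 1234 567890 allow ip from any to any via lo0
01200 0 0 (T 0, # 36) ty 0 tcp, 209.16.228.146 1256 <-> 208.201.239.14 80
01200 0 0 (T 0, # 37) ty 0 tcp, 209.16.228.146 1262 <-> 204.148.40.9 80
01300 0 0 (T 0, # 49) ty 0 tcp, 10.10.1.70 1216 <-> 64.41.203.231 80
01200 1 477 (T 0, # 52) ty 0 udp, 209.16.228.146 1055 <-> 209.16.228.140 53
01300 12 3456 (T 285, # 71) ty 0 tcp, 10.10.1.70 1301 <-> 209.16.228.140 25
01200 3 210 (T 8, # 72) ty 0 udp, 209.16.228.146 1060 <-> 209.16.228.140 53
"""


def parse_dynamic_rules(text):
    """Return one dict per dynamic-rule line; static rules and other output are skipped."""
    flows = []
    for line in text.splitlines():
        m = DYN_RULE_RE.match(line.strip())
        if not m:
            continue  # static rule or unrelated output
        d = m.groupdict()
        flows.append({
            "rule": int(d["rule"]), "pkts": int(d["pkts"]), "bytes": int(d["bytes"]),
            "ttl": int(d["ttl"]), "slot": int(d["slot"]), "proto": d["proto"],
            "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"]),
        })
    return flows


def summarize(flows):
    """Split expired from active entries and count flows per service and per source."""
    expired = [f for f in flows if f["ttl"] <= 0]
    active = [f for f in flows if f["ttl"] > 0]
    services = Counter(
        "%s/%s" % (f["proto"], SERVICE_NAMES.get(f["dport"], f["dport"])) for f in flows
    )
    per_src = Counter(f["src"] for f in flows)
    return {
        "total": len(flows),
        "expired": len(expired),
        "active": len(active),
        # Packet total is reported beside the flow count because it is the
        # number of flows, not packets, that consumes dynamic rule slots.
        "packets": sum(f["pkts"] for f in flows),
        "services": dict(services),
        "per_src": dict(per_src),
    }


def near_dyn_max(dyn_count, dyn_max, warn_fraction=0.8):
    """True when dyn_count has reached warn_fraction of dyn_max (threshold is an assumption)."""
    return dyn_count >= warn_fraction * dyn_max


if __name__ == "__main__":
    # Reads "ipfw show" output from a pipe; falls back to the constructed sample.
    text = SAMPLE_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    summary = summarize(parse_dynamic_rules(text))
    for key, value in summary.items():
        print("%-9s %s" % (key, value))
    # dyn_count and dyn_max values here are the ones quoted in the thread.
    print("near dyn_max:", near_dyn_max(178, 1000))
```

Run it as `ipfw show | python3 dynrules.py` on the box, or call near_dyn_max() with the values from `sysctl -n net.inet.ip.fw.dyn_count` and `sysctl -n net.inet.ip.fw.dyn_max` from the cron job the reply suggests; a high total with a low active count is the expired-entry accumulation the reply describes, whereas a high active count that keeps approaching dyn_max is the case for raising it.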