From owner-freebsd-security Tue Sep 17 14:00:20 2002
Date: Wed, 18 Sep 2002 07:00:04 +1000
From: Peter Jeremy
To: dfolkins
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Unexpected keep state behaviour in ipfw
Message-ID: <20020917210004.GW495@gsmx07.alcatel.com.au>
In-Reply-To: <001a01c25e17$39edcde0$0a00a8c0@groovy3xp>
References: <20020915224154.GD495@gsmx07.alcatel.com.au> <001a01c25e17$39edcde0$0a00a8c0@groovy3xp>
On 2002-Sep-17 02:55:36 -0400, dfolkins wrote:
>first, your "idle time" for standard tcp connections is controlled by a
>sysctl variable named net.inet.ip.fw.dyn_ack_lifetime. if it is set too
>short (default is 300 seconds, i think) you can always just reset it to a
>longer value, either from command prompt or from sysctl.conf. just set it
>to a number you think appropriate for idle established connections to
>remain active. e.g. if you want your idle ftp connections to stay alive
>for 10 minutes, set that variable to 600. there are a bunch of related
>variables. to see them all just do a "sysctl -a |grep dyn".

net.inet.ip.fw.dyn_ack_lifetime is a tradeoff between keeping active
connections alive and minimising the impact of massive numbers of dynamic
rules. I also feel that 300 seconds is too short (note that IPFilter uses
120 hours, which I think is far too long).

My problem is that the connections are being dropped after less than
net.inet.ip.fw.dyn_ack_lifetime seconds of idle time. I have tried juggling
net.inet.tcp.keepidle, net.inet.tcp.keepintvl and
net.inet.ip.fw.dyn_ack_lifetime so that the latter is longer than the
former (in ipfw) and this still didn't work. It would appear that the
dynamic rule timers are never being reset.

>as to why your ssh connection stays alive even through the night - i
>suspect that is because your ssh server on your firewall has a
>configuration setting that makes it send keep-alives, i.e. your
>clientaliveinterval in sshd_config is set to some value which is less
>than your net.inet.ip.fw.dyn_ack_lifetime value.

Nope. I'm using the default ClientAliveInterval value (ie disabled).
Based on comments in another thread here, I suspect the underlying problem
is that ipfw dynamic rules don't work with ipnat. (Though I don't understand
why - ipnat should be invisible to ipfw). My ssh connections remain working
courtesy of either normal or ipfw2 keepalives (since that connection isn't
NAT'd).

Peter
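An added example, not part of the list post above, showing the arithmetic
behind "juggling" net.inet.tcp.keepidle against net.inet.ip.fw.dyn_ack_lifetime.
An ipfw dynamic rule is only refreshed by a packet that matches it, so for a
TCP keepalive to keep an idle connection in the state table the first probe
(sent after keepidle) has to go out before dyn_ack_lifetime expires the rule.
The trap is units: the tcp keepidle/keepintvl sysctls are in milliseconds,
dyn_ack_lifetime is in seconds. The script reads the live values when run on a
FreeBSD box and otherwise falls back to the FreeBSD defaults as I know them
(7200000 ms keepidle, 75000 ms keepintvl, 300 s dyn_ack_lifetime); the
fallback values and the function names are this example's own assumptions.
Keepalives are also only sent on sockets that set SO_KEEPALIVE, or on every
TCP socket when net.inet.tcp.always_keepalive=1, which the script does not
check.

```shell
#!/bin/sh
# Added example (not from the list post): does a TCP keepalive arrive
# before ipfw expires the dynamic rule for an idle connection?

# keepalive_fits KEEPIDLE_MS DYN_ACK_LIFETIME_S
# keepidle is milliseconds, dyn_ack_lifetime is seconds. Returns 0 when
# the first keepalive probe is sent before the dynamic rule would expire.
keepalive_fits() {
    keepidle_ms=$1
    dyn_s=$2
    first_probe_s=$(( keepidle_ms / 1000 ))
    echo "first keepalive after ${first_probe_s}s, dynamic rule lifetime ${dyn_s}s"
    [ "$first_probe_s" -lt "$dyn_s" ]
}

# suggested_dyn_lifetime KEEPIDLE_MS KEEPINTVL_MS
# Smallest dyn_ack_lifetime (seconds) that leaves one keepintvl of slack
# after the first probe, so a lost probe and its retransmit still fit.
suggested_dyn_lifetime() {
    echo $(( ($1 + $2) / 1000 + 1 ))
}

# read_or_default SYSCTL_NAME DEFAULT: live value on FreeBSD, otherwise
# the assumed default (so the script also runs on a non-FreeBSD host).
read_or_default() {
    sysctl -n "$1" 2>/dev/null || echo "$2"
}

main() {
    ki=$(read_or_default net.inet.tcp.keepidle 7200000)      # assumed default
    kv=$(read_or_default net.inet.tcp.keepintvl 75000)       # assumed default
    dl=$(read_or_default net.inet.ip.fw.dyn_ack_lifetime 300) # assumed default
    if keepalive_fits "$ki" "$dl"; then
        echo "ok: keepalives refresh the dynamic rule before it expires"
    else
        echo "keepalive arrives after the rule expires; either lower"
        echo "net.inet.tcp.keepidle or raise net.inet.ip.fw.dyn_ack_lifetime, e.g."
        echo "  sysctl net.inet.ip.fw.dyn_ack_lifetime=$(suggested_dyn_lifetime "$ki" "$kv")"
    fi
}

main
```

With the assumed defaults the check fails (first probe at 7200 s, rule gone
at 300 s), which is the expected outcome for any idle connection that has no
application-level keepalive; either value can be moved, but raising
dyn_ack_lifetime to hours grows the dynamic rule table for every connection,
which is the tradeoff the reply above describes.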