Date:      Thu, 18 Oct 2001 11:07:06 -0700
From:      Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>
To:        "Drew Tomlinson" <drew@mykitchentable.net>
Cc:        cjclark@alum.mit.edu, Mark.Andrews@isc.org, freebsd-security@FreeBSD.ORG
Subject:   Re: Dynamic IPFW Rules 
Message-ID:  <200110181807.f9II7nu26564@cwsys.cwsent.com>
In-Reply-To: Your message of "Thu, 18 Oct 2001 09:44:09 PDT." <008201c157f4$1c0c7620$cd2a6ba5@lc.ca.gov> 

In message <008201c157f4$1c0c7620$cd2a6ba5@lc.ca.gov>, "Drew Tomlinson" 
writes:
> ----- Original Message -----
> From: "Crist J. Clark" <cristjc@earthlink.net>
> To: "Drew Tomlinson" <drew@mykitchentable.net>
> Cc: <Mark.Andrews@isc.org>; <freebsd-security@FreeBSD.ORG>
> Sent: Thursday, October 18, 2001 1:38 AM
> Subject: Re: Dynamic IPFW Rules
> 
> 
> > On Wed, Oct 17, 2001 at 06:49:21PM -0700, Drew Tomlinson wrote:
> > > ----- Original Message -----
> > > From: <Mark.Andrews@isc.org>
> > > To: "Drew Tomlinson" <drew@mykitchentable.net>
> > > Cc: <freebsd-security@freebsd.org>
> > > Sent: Wednesday, October 17, 2001 4:50 PM
> > > Subject: Re: Dynamic IPFW Rules
> > >
> > >
> > > >
> > > > > I have created my first firewall and it seems to be handling traffic
> > > > > properly (yayyyy!).  However, I have noticed that my dynamic rules
> > > > > don't ever seem to expire.
> > > >
> > > > [snip]
> > > >
> > > > > 02100 1 60 (T 0, # 0) ty 0 tcp, 192.168.1.4 3139 <-> 64.21.143.23 80
> > > >
> > > > This is expired (T 0), just not removed.
> > >
> > > OK, thanks.  Is there a way to remove those rules that have expired?
> >
> > You can remove the parent rule. IIRC, they get removed if they get
> > hit. If you reach the limit, I believe it starts to overwrite expired
> > rules. I would have to look at the code more closely to remember.
> >
> > Another option is to make a shell script or alias that drops expired
> > rules,
> >
> >     ipfw show | awk -F'[ ,]' '$5 != 0 { print }'
> >
> > Does it. I have a longer script that does this and also prints rules
> > by interface,
> 
> OK so if I understand correctly, the rules stay in ipfw show even when
> expired until net.inet.ip.fw.dyn_max is reached.  Then new rules
> overwrite expired rules, correct?  So then my firewall is working
> correctly based on code for 4.4-RELEASE but there is new code
> in -CURRENT that will be merged into the -STABLE branch sometime in the
> future that will remove the expired rules from the output of ipfw show?
> 
> And one more question:  Where would I have found information on the
> output of the dynamic rules?  In other words, how would (should) I have
> known that (T 0) was an expired rule?
> 
> Thank you for the explanation.  I really enjoy *understanding* why
> things work the way they do instead of just accepting that they work.

As expired dynamic rules are as if they were not there, why even list 
them in the first place?


Regards,                         Phone:  (250)387-8437
Cy Schubert                        Fax:  (250)387-5766
Team Leader, Sun/Alpha Team   Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD
Ministry of Management Services
Province of BC
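Added example, not code from anyone in this thread: a small sh/awk filter over `ipfw show` output that uses the dynamic-rule line format quoted above (parent rule number first, the expiry counter after `(T`), flags `T 0` entries as expired and counts them per parent rule. It assumes the 4.x output format seen in the thread, that a non-zero T value means the entry is still live, and the sample lines below are constructed.

```shell
#!/bin/sh
# Added example: classify dynamic rules in `ipfw show` output.
# Assumed line format (FreeBSD 4.x, as quoted in the thread):
#   NNNNN pkts bytes (T <t>, # <bucket>) ty <n> <proto>, src sport <-> dst dport
# T 0 is an expired entry that has not been removed yet; a non-zero T is
# assumed to be a live entry.  NNNNN is the parent (static) rule number.

# Constructed sample output: one static rule, one expired and one live
# dynamic entry under parent rule 02100, and the default deny rule.
SAMPLE='00100 12 960 allow ip from any to any via lo0
02100 1 60 (T 0, # 0) ty 0 tcp, 192.168.1.4 3139 <-> 64.21.143.23 80
02100 7 3220 (T 280, # 1) ty 0 tcp, 192.168.1.4 3140 <-> 64.21.143.23 80
65535 0 0 deny ip from any to any'

# Reads `ipfw show` output on stdin; prints one classified line per rule:
#   static <rule> | expired <parent> <flow> | live <parent> T=<t> <flow>
classify_dyn() {
    awk -F'[ ,]' '
    # Split on space or comma, so $1 is the rule number and, on a dynamic
    # line, $4 is "(T" and $5 the T value.
    $4 == "(T" {
        flow = $0
        sub(/^.*, /, "", flow)      # keep only "src sport <-> dst dport"
        if ($5 == 0)
            printf "expired %s %s\n", $1, flow
        else
            printf "live %s T=%s %s\n", $1, $5, flow
        next
    }
    { printf "static %s\n", $1 }
    '
}

# Count expired entries per parent rule, e.g. "02100 1", to see which
# parent rule is accumulating stale state.
expired_per_parent() {
    classify_dyn | awk '$1 == "expired" { n[$2]++ }
        END { for (r in n) printf "%s %d\n", r, n[r] }' | sort
}

# Demonstration on the constructed sample (on a live box: ipfw show | classify_dyn)
printf '%s\n' "$SAMPLE" | classify_dyn
printf '%s\n' "$SAMPLE" | expired_per_parent
```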
