Date:      Thu, 19 Jul 2001 14:20:37 -0700
From:      Sean Chittenden <sean-freebsd-security@chittenden.org>
To:        security@FreeBSD.ORG
Subject:   Possible limitations of ipfw dynamic rules/state (was: Re: Fw: Re: A question about FreeBSD security)
Message-ID:  <20010719142036.K92387@rand.tgd.net>
In-Reply-To: <xzpsnfsmy7d.fsf@flood.ping.uio.no>; from "des@ofug.org" on Thu, Jul 19, 2001 at 11:00:06PM
References:  <Pine.BSF.4.21.0107191119130.346-100000@mohegan.mohawk.net> <xzpsnfsmy7d.fsf@flood.ping.uio.no>



> Both.  It all depends on how you set up your rule set - you can do
>
> # ipfw add pass tcp from any to me 22 in setup
> # ipfw add pass tcp from me 22 to any out tcpflags syn,ack keep-state
>
> instead of
>
> # ipfw add pass tcp from any to me 22 in setup keep-state

Two quick points:

1) ipf does clean up its state table on a FIN packet from a TCP stream.
From the following excerpt from the man page, I'm not sure if ipfw has
this functionality at the moment.  Does it decrease the lifetime, or
does it expire the rule?

Taken from ipfw(8):
     net.inet.ip.fw.dyn_short_lifetime: 30
             These variables control the lifetime, in seconds, of dynamic
             rules.  Upon the initial SYN exchange the lifetime is kept short,
             then increased after both SYN have been seen, then decreased
             again during the final FIN exchange or when a RST


2) Last I heard there were performance concerns regarding a large number
of connections because each rule is checked for every packet... which
means, unless there have been some optimizations that I'm not aware of
(entirely possible), that every IP gets tested against possibly several
thousand rules before it either gets processed (denied or accepted).

Taken from ipfw(8):
     A check-state rule should be usually placed near the beginning of
     the ruleset to minimize the amount of work scanning the ruleset.
     Your mileage may vary.

     BEWARE: stateful rules can be subject to denial-of-service attacks by a
     SYN-flood which opens a huge number of dynamic rules.  The effects of
     such attacks can be partially limited by acting on a set of sysctl(8)
     variables which control the operation of the firewall.

[snip]

     net.inet.ip.fw.dyn_max: 1000
             Maximum number of dynamic rules.  When you hit this limit, no
             more dynamic rules can be installed until old ones expire.



	If I'm operating with old knowledge I'd love to know and I'll
move all of my systems back to ipfw (from ipf), but I don't think I'm
far from the truth (if at all).  -sc

-- 
Sean Chittenden
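To make the two ipfw(8) excerpts above concrete, here is a small Python model of the dynamic rule table (an added illustration, not part of Sean's mail and not ipfw's code): dyn_max=1000 and dyn_short_lifetime=30 are the values quoted from the man page, while the 300-second lifetime for an established connection is an assumption of the model. It shows the lifetime being shortened again on FIN rather than the rule being removed, and how a burst of half-open SYNs fills the table until those short-lived entries expire.

```python
# Toy model of the ipfw dynamic rule table described in the ipfw(8) excerpts.
# dyn_max=1000 and dyn_short_lifetime=30 come from the quoted man page; the
# established-connection lifetime of 300 s is an assumption of this model.
DYN_MAX = 1000
SHORT_LIFETIME = 30
ACK_LIFETIME = 300  # assumed lifetime once both SYNs have been seen

def flow(src, sport, dst, dport):
    # Direction-independent key, since a keep-state rule matches both ways.
    return frozenset({(src, sport), (dst, dport)})

class DynTable:
    def __init__(self, dyn_max=DYN_MAX):
        self.dyn_max = dyn_max
        self.rules = {}  # flow key -> [lifetime, last_seen, phase]

    def expire(self, now):
        dead = [k for k, (life, seen, _) in self.rules.items() if now - seen > life]
        for k in dead:
            del self.rules[k]

    def packet(self, now, key, flags):
        """Process one TCP packet against the dynamic table. Returns 'new'
        (rule installed), 'match', 'full' (dyn_max reached, nothing installed)
        or 'nomatch' (non-SYN packet with no rule)."""
        self.expire(now)
        rule = self.rules.get(key)
        if rule is None:
            if 'syn' not in flags:
                return 'nomatch'
            if len(self.rules) >= self.dyn_max:
                return 'full'
            self.rules[key] = [SHORT_LIFETIME, now, 'syn']  # short until handshake completes
            return 'new'
        life, _, phase = rule
        if phase == 'syn' and {'syn', 'ack'} <= flags:
            life, phase = ACK_LIFETIME, 'established'  # increased after both SYNs
        elif 'fin' in flags or 'rst' in flags:
            life, phase = SHORT_LIFETIME, 'closing'  # decreased again, not removed
        self.rules[key] = [life, now, phase]
        return 'match'

def syn_flood_scenario(n_flood=1200):
    """Constructed scenario: n_flood half-open SYNs at t=0 fill the table, a
    legitimate client's SYN at t=1 finds it full, and the same SYN at t=31
    succeeds once the short lifetime has expired the flood entries."""
    t = DynTable()
    installed = sum(t.packet(0, flow('198.51.100.1', 40000 + i, 'me', 22), {'syn'}) == 'new'
                    for i in range(n_flood))
    client = flow('203.0.113.9', 5555, 'me', 22)
    return installed, t.packet(1, client, {'syn'}), t.packet(31, client, {'syn'})
```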






Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010719142036.K92387>