Date:      Sun, 30 Jul 2000 18:53:09 -0400
From:      Bill Fumerola <billf@chimesnet.com>
To:        stephen@math.missouri.edu
Cc:        "Jonathan M. Bresler" <jmb@hub.freebsd.org>, freebsd-security@FreeBSD.ORG
Subject:   Re: log with dynamic firewall rules
Message-ID:  <20000730185309.W5021@jade.chc-chimes.com>
In-Reply-To: <3984AB32.53B8D793@math.missouri.edu>; from stephen@math.missouri.edu on Sun, Jul 30, 2000 at 05:24:50PM -0500
References:  <20000730194202.447F937B6C1@hub.freebsd.org> <3984AB32.53B8D793@math.missouri.edu>

On Sun, Jul 30, 2000 at 05:24:50PM -0500, stephen@math.missouri.edu wrote:

> Actually, I'm becoming dissatisfied with the concept of dynamic
> rules using ipfw.  I have gone back to static rules.  I am only
> a home computer, and I don't need anything complicated.  If I
> ever need dynamic rules, I will learn ipfilter and see how that
> does.

I fear the dynamic rule code, or I'd attempt to figure it all out
and come up with something better, but:

> Now wait five minutes and the dynamic rule times out, and it stops
> working.  Well, that is OK I suppose - you shouldn't have left it so long.

[boa.internal-billf 18:52:25]
< /home/billf > sysctl -a |grep dyn
net.inet.ip.fw.dyn_buckets: 256
net.inet.ip.fw.curr_dyn_buckets: 256
net.inet.ip.fw.dyn_count: 0
net.inet.ip.fw.dyn_max: 1000
net.inet.ip.fw.dyn_ack_lifetime: 300
net.inet.ip.fw.dyn_syn_lifetime: 20
net.inet.ip.fw.dyn_fin_lifetime: 20
net.inet.ip.fw.dyn_rst_lifetime: 5

... it is a controllable behavior.

-- 
Bill Fumerola - Network Architect, BOFH / Chimes, Inc.
                billf@chimesnet.com / billf@FreeBSD.org
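An added example, not from this thread or from FreeBSD: a small POSIX sh audit of the ipfw dynamic-rule sysctls shown in the message above. It parses the `sysctl -a | grep dyn` lines (embedded here as a constructed sample copied from the message) and reports when the established-session lifetime is shorter than a chosen minimum or when the dynamic table is close to dyn_max; the 80% threshold and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): audit the ipfw dynamic-rule sysctls
# that `sysctl -a | grep dyn` reports. Thresholds are assumptions.

# Constructed sample input: the eight lines quoted in the message, not live output.
SAMPLE='net.inet.ip.fw.dyn_buckets: 256
net.inet.ip.fw.curr_dyn_buckets: 256
net.inet.ip.fw.dyn_count: 0
net.inet.ip.fw.dyn_max: 1000
net.inet.ip.fw.dyn_ack_lifetime: 300
net.inet.ip.fw.dyn_syn_lifetime: 20
net.inet.ip.fw.dyn_fin_lifetime: 20
net.inet.ip.fw.dyn_rst_lifetime: 5'

# dyn_value TEXT KEY: print the value of net.inet.ip.fw.KEY found in TEXT.
dyn_value() {
    printf '%s\n' "$1" | awk -v k="net.inet.ip.fw.$2:" '$1 == k { print $2 }'
}

# audit_dyn TEXT MIN_ACK_SECS: print one line per finding; exit 0 when clean,
# 1 when anything was found. Two checks: established (ACK) state expires
# before MIN_ACK_SECS (the five-minute timeout discussed in the thread), and
# the dynamic table is at least 80% full (dyn_count vs dyn_max), after which
# new dynamic rules can no longer be installed.
audit_dyn() {
    text=$1 min_ack=$2 findings=0
    ack=$(dyn_value "$text" dyn_ack_lifetime)
    count=$(dyn_value "$text" dyn_count)
    max=$(dyn_value "$text" dyn_max)
    if [ "${ack:-0}" -lt "$min_ack" ]; then
        echo "dyn_ack_lifetime=${ack}s: idle established sessions expire before ${min_ack}s"
        findings=$((findings + 1))
    fi
    if [ "${max:-0}" -gt 0 ] && [ $(( ${count:-0} * 100 / $max )) -ge 80 ]; then
        echo "dyn_count=$count of dyn_max=$max: dynamic table near exhaustion"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Usage on the sample: require at least the thread's 300 s -> no findings.
audit_dyn "$SAMPLE" 300 && echo "ipfw dynamic-rule sysctls: no findings"
```

Replace the sample with real output (`sysctl -a | grep dyn`) to run it against a host; a higher MIN_ACK_SECS encodes how long you expect idle sessions to stay allowed.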