Date:      Thu, 16 Oct 2008 06:05:20 +0400
From:      Roman Kurakin <rik@inse.ru>
To:        to.dev.null@gmx.de
Cc:        freebsd-ipfw@freebsd.org
Subject:   Re: Expiration of dynamic rules
Message-ID:  <48F6A160.901@localhost.inse.ru>
In-Reply-To: <20081015214327.230570@gmx.net>
References:  <20081015214327.230570@gmx.net>

to.dev.null@gmx.de wrote:
> Hello together,
>
> I have a strange phenomenon with dynamic rules. I am using Mac OS X 10.5.5 and have disabled keepalive messages for dynamic rules:
>
> net.inet.ip.fw.dyn_keepalive: 0
>
> ruleset host1
> ...
> check-state
> allow tcp from me to any out setup keep-state
> ...
>
> 1.) host2: nc -k -l -p 1234
> 2.) host1: nc host2 1234
> 3.) dynamic rule with 300s gets created
> 4.) dynamic rule expired after 300s (ipfw -d show: rule is gone (it shows with flag -e))
> 5.) nmap -PN -n -p ... --source-port 1234 --scanflags ack host
>
> After 5) that expired rule appeared again with 300s timeout and the firewall is again opened.
>
> I would expect that an expired rule could not be reanimated. The reactivation of expired rules seems to stop after TCP FINs from both hosts are detected. Thus, if the TCP disconnection was not successful, there are some zombie rules which could be reanimated?!?
>   
IMHO if the connection starts over again it is a new connection. It is not the old one reanimated.

rik
> (also with keepalive you could reproduce it: TCP RST -> then there is no keepalive message and the dynamic rule expires but can be reanimated with 5))
>
> Jerry
>
>
>   
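A toy model of the dynamic-rule lifecycle the thread discusses, written as an added example for this archive page; it is not part of either message and not ipfw's own code. It replays the two quoted rules (`check-state`, then `allow tcp from me to any out setup keep-state`) over the poster's scenario: a connection from host1 to host2:1234, idle past `dyn_ack_lifetime`, then an ACK-only probe from host2:1234 as in step 5. Assumptions: the FreeBSD lifetime defaults (dyn_syn_lifetime=20, dyn_ack_lifetime=300, dyn_fin_lifetime=1, dyn_rst_lifetime=1), a constructed ephemeral port 55000, and two expiry policies, of which "retain_unclosed" (an expired state stays in the table until both sides' FINs or an RST were seen) is only a model of the behaviour the poster reports, not a statement about what any particular kernel does.

```python
"""Toy model of an ipfw-style dynamic rule table (added example, not ipfw code).

Ruleset from the thread:
    check-state
    allow tcp from me to any out setup keep-state
Lifetimes are the FreeBSD sysctl defaults (assumed); dyn_keepalive=0 as in the post.
Policies: "reclaim" drops an expired state on the next lookup regardless of TCP
state; "retain_unclosed" keeps an expired state until both FINs (or an RST) were
seen, which models the poster's observation only.
"""
from dataclasses import dataclass, field

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10
DYN_SYN_LIFETIME, DYN_ACK_LIFETIME = 20, 300      # assumed FreeBSD defaults
DYN_FIN_LIFETIME, DYN_RST_LIFETIME = 1, 1
ME = "host1"                                      # the "me" of the ruleset


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int

    @property
    def direction(self):
        return "out" if self.src == ME else "in"


@dataclass
class State:
    expire: int                                   # absolute second of expiry
    syn_seen: set = field(default_factory=set)    # directions that sent SYN
    fin_seen: set = field(default_factory=set)    # directions that sent FIN
    rst_seen: bool = False


def flow_key(p):
    """Direction-independent key: a dynamic rule matches both ways."""
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))


class DynTable:
    def __init__(self, policy):
        assert policy in ("reclaim", "retain_unclosed")
        self.policy = policy
        self.states = {}

    def lookup(self, p, now):
        k = flow_key(p)
        st = self.states.get(k)
        if st is None:
            return None
        if st.expire <= now:                      # expired entry
            closed = st.rst_seen or st.fin_seen == {"out", "in"}
            if self.policy == "reclaim" or closed:
                del self.states[k]                # gone for good
                return None
            # retain_unclosed: still in the table (what "ipfw -de show" lists)
        return st

    def install(self, p, now):
        st = State(expire=now + DYN_SYN_LIFETIME)
        self.states[flow_key(p)] = st
        self.update(st, p, now)
        return st

    def update(self, st, p, now):
        """Simplified TCP tracking: the lifetime depends on what has been seen."""
        if p.flags & RST:
            st.rst_seen = True
            st.expire = now + DYN_RST_LIFETIME
            return
        if p.flags & SYN:
            st.syn_seen.add(p.direction)
        if p.flags & FIN:
            st.fin_seen.add(p.direction)
        if st.fin_seen == {"out", "in"}:
            st.expire = now + DYN_FIN_LIFETIME
        elif st.syn_seen == {"out", "in"}:
            st.expire = now + DYN_ACK_LIFETIME    # established: 300 s, re-armed per packet
        else:
            st.expire = now + DYN_SYN_LIFETIME


def firewall(table, p, now):
    """The two quoted rules, in order."""
    st = table.lookup(p, now)                     # check-state
    if st is not None:
        table.update(st, p, now)
        return "allow check-state"
    # "setup" means SYN set and ACK clear, so only a fresh SYN can install state
    if p.direction == "out" and (p.flags & SYN) and not (p.flags & ACK):
        table.install(p, now)
        return "allow keep-state"
    return "deny"


def scenario(policy, graceful_close):
    """host1:55000 -> host2:1234, idle past expiry, then an inbound ACK probe."""
    t = DynTable(policy)
    out = lambda f: Packet(ME, 55000, "host2", 1234, f)      # constructed flow
    inb = lambda f: Packet("host2", 1234, ME, 55000, f)
    log = [firewall(t, out(SYN), 0), firewall(t, inb(SYN | ACK), 1),
           firewall(t, out(ACK), 2)]
    now = 3
    if graceful_close:
        log += [firewall(t, out(FIN | ACK), 3), firewall(t, inb(FIN | ACK), 4)]
        now = 5
    log.append(firewall(t, inb(ACK), now + 400))  # step 5: ACK probe, source port 1234
    return log, t.states
```

Under "reclaim" the probe is denied and the table is empty; under "retain_unclosed" the expired-but-unclosed entry matches `check-state` and is re-armed for another 300 s, while a connection that was closed by both sides is reclaimed under either policy. Given only the two quoted rules, a bare ACK can never satisfy `setup`, so if the poster's probe is allowed it must have matched an entry still present in the table (compare `ipfw -d show` with `ipfw -de show`) or one of the rules elided as `...`.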

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?48F6A160.901>