Date:      Tue, 17 Apr 2012 12:48:21 -0700
From:      Kevin Oberman <kob6558@gmail.com>
To:        "Dmitry S. Kasterin" <dmk.sbor@gmail.com>
Cc:        freebsd-net@freebsd.org
Subject:   Re: Stateful IPFW - too many connections in FIN_WAIT_2 or LAST_ACK states
Message-ID:  <CAN6yY1uRrfv0Bdeb+tosna8O8ajD_H1j7N=akL7PS8XC3X09qA@mail.gmail.com>
In-Reply-To: <CAJkxAbyi7hx9Dugtw5-Md1y77JRzOu3bygS8ntfQg+kw1KZ63w@mail.gmail.com>
References:  <CAJkxAbyMEYZ4pYu=z4Sfwdqtzh=PjhHE4qrbSsyL34YE9TnXZQ@mail.gmail.com> <CAJkxAbyi7hx9Dugtw5-Md1y77JRzOu3bygS8ntfQg+kw1KZ63w@mail.gmail.com>

On Tue, Apr 17, 2012 at 4:05 AM, Dmitry S. Kasterin <dmk.sbor@gmail.com> wrote:
> (Cross-posting this to net@ since there was no reply on ipfw@.)
>
> Hello!
>
> I have a rather simple ipfw ruleset like this:
>
> 00001 allow all from any to any via lo0
>
> 00010 check-state
> 00101 allow tcp from me to any out setup keep-state
>
> 65533 deny log ip from any to any
> 65534 deny ip6 from any to any
>
> Actually, there are a few rules for udp, icmp and so on,
> but the main idea here is to allow only outgoing (tcp) connections
> and handle them using dynamic rules.

I feel hesitant about sending this as it looks like you may have found
a real problem with IPFW.

But I do have to ask why you find stateful rules for outgoing TCP
connections desirable? Why not:
00101 allow tcp from me to any established

It appears to do the same thing for TCP and is much faster to process
plus it does not leave you open to trivial DoS (often of yourself) by
filling the dynamic rule tables.

Generally, for client systems, stateful UDP makes sense, but I
generally don't understand why people choose the more complex, slower,
and potentially disruptive stateful rules for TCP.
-- 
R. Kevin Oberman, Network Engineer
E-mail: kob6558@gmail.com
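To make the trade-off Kevin describes concrete, here is an added toy model (not code from the thread, nor from ipfw itself) of the two rules: "established" is a stateless check that matches any TCP packet with ACK or RST set, whereas "setup keep-state" installs an entry in a bounded dynamic table that half-closed connections keep occupying until their lifetime runs out. The table size, lifetimes, addresses and the behaviour when the table is full are constructed assumptions for illustration, not the real sysctl values.

```python
# Added illustration (not from the thread): a toy model of how ipfw's
# dynamic-rule table behaves for "keep-state" versus a stateless
# "established" rule, which matches any TCP packet carrying ACK or RST.
# Capacity and lifetimes are constructed numbers, not real sysctl values.
from dataclasses import dataclass, field

ACK, RST, FIN, SYN = 0x10, 0x04, 0x01, 0x02   # standard TCP flag bits


def established_matches(tcp_flags: int) -> bool:
    """Stateless check behind 'allow tcp from me to any established'."""
    return bool(tcp_flags & (ACK | RST))


@dataclass
class DynTable:
    """Model of the dynamic rule table filled by 'setup keep-state'."""
    max_entries: int                      # stands in for a dyn_max-style limit (assumed)
    lifetime: dict = field(default_factory=lambda: {"ESTABLISHED": 300, "FIN_WAIT_2": 60})
    entries: dict = field(default_factory=dict)   # flow -> (state, expires_at)

    def expire(self, now: int) -> None:
        self.entries = {f: v for f, v in self.entries.items() if v[1] > now}

    def setup(self, flow, now: int) -> bool:
        """Outgoing SYN: install a state; refused when the table is full."""
        self.expire(now)
        if len(self.entries) >= self.max_entries:
            return False
        self.entries[flow] = ("ESTABLISHED", now + self.lifetime["ESTABLISHED"])
        return True

    def half_close(self, flow, now: int) -> None:
        """Our FIN was ACKed but the peer never closes: FIN_WAIT_2."""
        self.entries[flow] = ("FIN_WAIT_2", now + self.lifetime["FIN_WAIT_2"])


def demo():
    """Three half-closed flows fill a 3-slot table; a 4th connection is refused
    under keep-state but its ACK packets still match the established rule."""
    t = DynTable(max_entries=3)
    for i in range(3):                                     # constructed flows
        flow = ("10.0.0.1", 40000 + i, "203.0.113.9", 80)
        t.setup(flow, now=0)
        t.half_close(flow, now=5)
    new_flow = ("10.0.0.1", 40010, "203.0.113.9", 443)
    keep_state_ok = t.setup(new_flow, now=10)      # False: table full of FIN_WAIT_2
    established_ok = established_matches(ACK)      # True: no table involved
    after_expiry = t.setup(new_flow, now=100)      # True once the entries age out
    return keep_state_ok, established_ok, after_expiry
```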