My rules only allow outgoing tcp connections (host1 -> host2):
allow tcp from me to any out setup keep-state
(me should denote host1)
But the nmap scan goes from host2 -> host1, which should be blocked by the
firewall:
5.) nmap -PN -n -p ... --source-port 1234 --scanflags ack host
(I've made a mistake: it should read host1 instead of only host)
Thus it seems to be the old dynamic rule.
jerry
On 16.10.2008 at 04:05, Roman Kurakin wrote:
[EMAIL PROTECTED] wrote:
Hello together,
I have a strange phenomenon with dynamic rules. I am using Mac OS X
10.5.5 and have disabled keepalive messages for dynamic rules:
net.inet.ip.fw.dyn_keepalive: 0
ruleset host1
...
check-state
allow tcp from me to any out setup keep-state
...
1.) host2: nc -k -l -p 1234
2.) host1: nc host2 1234
3.) dynamic rule with 300s gets created
4.) dynamic rule expired after 300s (ipfw -d show: the rule is gone; it
still shows with flag -e)
5.) nmap -PN -n -p ... --source-port 1234 --scanflags ack host
After 5) that expired rule appeared again with 300s timeout and the
firewall is again opened.
I would expect that an expired rule could not be reanimated. The
reactivation of expired rules seems to stop only after a tcp fin from
both hosts has been detected. Thus if the tcp disconnection was not
successful there are some zombie rules which could be reanimated?!?
IMHO if the connection starts over again it is a new connection. It is
not the old one reanimated.
rik
(also with keepalive you could reproduce it: tcp rst -> then there
is no keepalive message and the dynamic rule expires, but it can be
reanimated with 5))
Jerry
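An added model of the dynamic-rule lifecycle Jerry describes (example code written for this page, not code from the thread and not ipfw's kernel implementation): it contrasts the reported outcome, where the expired entry is reanimated by an ACK from host2, with the expected one, where only a fresh SYN from host1 can open state. The `reanimate_expired` switch and the port numbers are assumptions used purely to show both behaviours side by side; the 300 s lifetime and the host roles follow the thread.

```python
"""Model of the ipfw dynamic-rule lifecycle from the thread (constructed,
not ipfw code): reported vs. expected handling of an expired entry."""
from dataclasses import dataclass

LIFETIME = 300                  # seconds, as in the thread
HOST1, HOST2 = "host1", "host2"

@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str                  # "S" = SYN (setup), "A" = ACK only

class DynTable:
    def __init__(self, reanimate_expired):
        # assumed switch: True models the behaviour Jerry observed
        self.reanimate_expired = reanimate_expired
        self.entries = {}       # connection key -> expiry time
    @staticmethod
    def key(p):
        # direction-independent key: both directions hit one entry
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def check_state(self, p, now):
        k = self.key(p)
        if k not in self.entries:
            return False
        if self.entries[k] <= now and not self.reanimate_expired:
            del self.entries[k]   # expired: purge, never match again
            return False
        self.entries[k] = now + LIFETIME  # matched: timer restarts
        return True

    def filter(self, p, now):
        if self.check_state(p, now):
            return "allow"
        # allow tcp from me to any out setup keep-state   (me == host1)
        if p.src == HOST1 and p.flags == "S":
            self.entries[self.key(p)] = now + LIFETIME
            return "allow"
        return "deny"           # everything else is blocked

def scenario(reanimate_expired):
    fw = DynTable(reanimate_expired)
    syn = Packet(HOST1, 45678, HOST2, 1234, "S")  # step 2: nc host2 1234
    ack = Packet(HOST2, 1234, HOST1, 45678, "A")  # step 5: ACK scan, sport 1234
    return fw.filter(syn, now=0), fw.filter(ack, now=LIFETIME + 1)
```

`scenario(True)` returns `("allow", "allow")`, the firewall reopening from host2's side after expiry; `scenario(False)` returns `("allow", "deny")`, the behaviour the thread expects.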
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "[EMAIL PROTECTED]"