Hello,

a real life example:

ruleset host1

...
00100     0        0 check-state
00101     0        0 allow tcp from me to any out setup keep-state
...

sysctl

net.inet.ip.fw.dyn_keepalive: 1
net.inet.ip.fw.dyn_short_lifetime: 5
net.inet.ip.fw.dyn_udp_lifetime: 10
net.inet.ip.fw.dyn_rst_lifetime: 3
net.inet.ip.fw.dyn_fin_lifetime: 3
net.inet.ip.fw.dyn_syn_lifetime: 20
net.inet.ip.fw.dyn_ack_lifetime: 300
net.inet.ip.fw.static_count: 24
net.inet.ip.fw.dyn_max: 4096
net.inet.ip.fw.dyn_count: 237
net.inet.ip.fw.curr_dyn_buckets: 256
net.inet.ip.fw.dyn_buckets: 256
net.inet.ip.fw.verbose_limit: 0
net.inet.ip.fw.verbose: 2
net.inet.ip.fw.debug: 0
net.inet.ip.fw.one_pass: 0
net.inet.ip.fw.autoinc_step: 100
net.inet.ip.fw.enable: 1

tcpdump

11:57:12.452517 IP host1.port1 > host2.80: S 4285172461:4285172461(0) win 65535 <mss 1460,nop,wscale 3,nop,nop,timestamp 225504674 0,sackOK,eol>
11:57:12.465820 IP host2.80 > host1.port1: S 4165668431:4165668431(0) ack 4285172462 win 5672 <mss 1430,sackOK,timestamp 946103042 225504674,nop,wscale 6>
11:57:12.465951 IP host1.port1 > host2.80: . ack 1 win 65535 <nop,nop,timestamp 225504674 946103042>

... some tcp ack and tcp ack,psh

11:57:12.703599 IP host2.80 > host1.port1: P 6629:7198(569) ack 721 win 112 <nop,nop,timestamp 946103278 225504675>
11:57:12.703678 IP host1.port1 > host2.80: . ack 7198 win 65156 <nop,nop,timestamp 225504676 946103278>
11:57:22.700872 IP host2.80 > host1.port1: F 7198:7198(0) ack 721 win 112 <nop,nop,timestamp 946113277 225504676>
11:57:22.700997 IP host1.port1 > host2.80: . ack 7199 win 65535 <nop,nop,timestamp 225504776 946113277>
12:02:07.529664 IP host1.port1 > host2.80: . ack 7199 win 0
12:02:07.529786 IP host1.port1 > host2.80: . ack 7199 win 65535 <nop,nop,timestamp 225507620 946113277>
12:02:07.543323 IP host2.80 > host1.port1: R 4165675630:4165675630(0) win 0
12:02:07.545776 IP host2.80 > host1.port1: R 4165675630:4165675630(0) win 0

netstat

tcp4       0      0  host1.port1    host2.80       CLOSE_WAIT

CLOSE_WAIT means an established connection on host1 receives a tcp fin from host2 and host1 sends a tcp ack to host2. Now host2 waits for a tcp fin from host1.

After the tcp rst, netstat shows no tcp socket with port1 anymore.

'nmap -PN -n -S host2 -p port1 -e eth0 --source-port 80 --scanflags ack host1' (it could be any tcp flag or combination of that)

The dynamic rule reopens with timeout 3s and disappears after the timeout. I guess only a tcp fin from host1 would stop the reappearing of the dynamic rule.

jerry
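
The capture and sysctl values jerry pasted above make the timeline concrete: host2 sends its FIN at 11:57:22, the dynamic rule's post-FIN lifetime is 3 s, yet host1's socket sits in CLOSE_WAIT until the RST at 12:02:07, almost five minutes later. The following script is an added example (not from this thread or from ipfw) that parses the classic tcpdump flag format shown here, pairs it with the `dyn_fin_lifetime` sysctl, and reports half-closed connections whose host socket outlived the firewall state. The sample capture and sysctl lines are constructed from the values quoted above; the 3 s comparison is a simple audit check, not a model of ipfw's internal state machine.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

# Constructed sample modelled on the tcpdump lines quoted in the thread
# (classic flag notation S . P F R; the newer "Flags [S]" form is not handled).
SAMPLE_TCPDUMP = """\
11:57:12.452517 IP host1.port1 > host2.80: S 4285172461:4285172461(0) win 65535 <mss 1460,nop,wscale 3,nop,nop,timestamp 225504674 0,sackOK,eol>
11:57:12.465820 IP host2.80 > host1.port1: S 4165668431:4165668431(0) ack 4285172462 win 5672 <mss 1430,sackOK,timestamp 946103042 225504674,nop,wscale 6>
11:57:12.465951 IP host1.port1 > host2.80: . ack 1 win 65535 <nop,nop,timestamp 225504674 946103042>
11:57:12.703599 IP host2.80 > host1.port1: P 6629:7198(569) ack 721 win 112 <nop,nop,timestamp 946103278 225504675>
11:57:12.703678 IP host1.port1 > host2.80: . ack 7198 win 65156 <nop,nop,timestamp 225504676 946103278>
11:57:22.700872 IP host2.80 > host1.port1: F 7198:7198(0) ack 721 win 112 <nop,nop,timestamp 946113277 225504676>
11:57:22.700997 IP host1.port1 > host2.80: . ack 7199 win 65535 <nop,nop,timestamp 225504776 946113277>
12:02:07.529786 IP host1.port1 > host2.80: . ack 7199 win 65535 <nop,nop,timestamp 225507620 946113277>
12:02:07.543323 IP host2.80 > host1.port1: R 4165675630:4165675630(0) win 0
"""

# Constructed sample of the relevant sysctl lines from the thread.
SAMPLE_SYSCTL = """\
net.inet.ip.fw.dyn_fin_lifetime: 3
net.inet.ip.fw.dyn_rst_lifetime: 3
net.inet.ip.fw.dyn_ack_lifetime: 300
"""

PKT_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{6}) IP (?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SFRP.]+) "
)


@dataclass
class FlowState:
    first_seen: datetime
    last_seen: datetime
    fin_from: set = field(default_factory=set)   # endpoints that sent a FIN
    rst_from: set = field(default_factory=set)   # endpoints that sent a RST
    first_fin: Optional[datetime] = None
    first_rst: Optional[datetime] = None


def parse_packet(line):
    """Return (timestamp, src, dst, flags) for one classic-format tcpdump line, or None."""
    m = PKT_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%H:%M:%S.%f")
    return ts, m.group("src"), m.group("dst"), m.group("flags")


def track_flows(capture_text):
    """Group packets by unordered endpoint pair and record which side sent FIN/RST and when."""
    flows = {}
    for line in capture_text.splitlines():
        pkt = parse_packet(line)
        if pkt is None:
            continue
        ts, src, dst, flags = pkt
        key = tuple(sorted((src, dst)))
        st = flows.get(key)
        if st is None:
            st = flows[key] = FlowState(first_seen=ts, last_seen=ts)
        st.last_seen = max(st.last_seen, ts)
        if "F" in flags:
            st.fin_from.add(src)
            st.first_fin = st.first_fin or ts
        if "R" in flags:
            st.rst_from.add(src)
            st.first_rst = st.first_rst or ts
    return flows


def parse_sysctl(text):
    """Parse 'name: value' sysctl lines into a dict of ints."""
    values = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep and value.strip().lstrip("-").isdigit():
            values[name.strip()] = int(value.strip())
    return values


def lingering_half_closes(flows, fin_lifetime):
    """Flows closed by exactly one side whose traffic continued past the firewall's
    post-FIN lifetime: the other host's socket (CLOSE_WAIT) outlived the dynamic rule."""
    findings = []
    for (a, b), st in flows.items():
        if len(st.fin_from) != 1:
            continue
        end = st.first_rst or st.last_seen
        after_fin = (end - st.first_fin).total_seconds()
        if after_fin > fin_lifetime:
            closed_by = next(iter(st.fin_from))
            findings.append({
                "peers": (a, b),
                "closed_by": closed_by,
                "still_open_on": b if closed_by == a else a,
                "seconds_after_fin": after_fin,
                "reset_by": sorted(st.rst_from),
            })
    return findings


if __name__ == "__main__":
    lifetimes = parse_sysctl(SAMPLE_SYSCTL)
    fin_lifetime = lifetimes["net.inet.ip.fw.dyn_fin_lifetime"]
    for finding in lingering_half_closes(track_flows(SAMPLE_TCPDUMP), fin_lifetime):
        print(finding)
```

On the sample this reports one flow, closed by host2.80, still open on host1.port1 for roughly 285 s after the FIN before host2's RST ends it; compared with the 3 s `dyn_fin_lifetime`, that is the window in which the host's own TCP stack still answers for a 4-tuple the firewall has already forgotten. Feeding it a live `tcpdump -n` capture of the classic format, together with `sysctl net.inet.ip.fw`, gives a quick audit of such half-closed sockets.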



On 15.10.2008 at 23:43, [EMAIL PROTECTED] wrote:

Hello all,

I have a strange phenomenon with dynamic rules. I am using Mac OS X 10.5.5 and have disabled keepalive messages for dynamic rules:

net.inet.ip.fw.dyn_keepalive: 0

ruleset host1
...
check-state
allow tcp from me to any out setup keep-state
...

1.) host2: nc -k -l -p 1234
2.) host1: nc host2 1234
3.) dynamic rule with 300s gets created
4.) dynamic rule expired after 300s (ipfw -d show: rule is gone (it shows with flag -e))
5.) nmap -PN -n -p ... --source-port 1234 --scanflags ack host

After 5) that expired rule appeared again with 300s timeout and the firewall is again opened.

I would expect that an expired rule could not be reanimated. The reactivation of expired rules seems to stop after tcp fins from both hosts are detected. Thus if the tcp disconnection was not successful, there are some zombie rules which could be reanimated?!?

(also with keepalive you could reproduce it: tcp rst -> then there is no keepalive message and the dynamic rule expires but can be reanimated with 5))

Jerry




_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw