dynamic TCP rule lifetime is too short
mukden at yahoo.com
Tue Sep 21 19:25:22 PDT 2004
In ipfw2.c, if the keep-alive option was turned off, once
a TCP (SYN,ACK) dynamic rule gets removed (UNLINK)
because its lifetime has expired, the subsequent TCP ACK
dynamic rule gets created with a very short timeout (1
sec). net.inet.ip.fw.dyn_rst_lifetime (default of 1
second) was used instead of
net.inet.ip.fw.dyn_ack_lifetime for the newly created
TCP ACK dynamic rule; as a result, the rule gets added
and removed (time expired) over and over again.
Here's the scenario:
turn off keep-alive via sysctl
allow tcp from any to any telnet keep-state
deny all from any to any
host1 telnet to host2
-- dynamic rule (300s) STATE tcp host1 <-> host2 was
wait after the 300s has lapsed, check dynamic rule
ipfw -dt list
dynamic rule tcp host1<->host2 is gone
type something from host1 telnet window
no new dynamic rule gets created, 'cuz it was added
and removed after 1 second.
Shouldn't net.inet.ip.fw.dyn_ack_lifetime be used instead of
net.inet.ip.fw.dyn_rst_lifetime when we update
q->expire in lookup_dyn_rule()?
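To make the reported behaviour concrete, here is an added Python model (not the ipfw source) of how lookup_dyn_rule() picks a dynamic rule's expiry from the TCP flags seen so far, with the reporter's proposed change as a switch. The flag bits and the low-byte/high-byte folding of forward/reverse flags follow the kernel's convention; the lifetime table is constructed from the values quoted in the report (ack 300 s, rst 1 s) plus assumed defaults for syn and fin.

```python
# Added model of ipfw2's dynamic-rule lifetime selection (assumption: modelled
# after lookup_dyn_rule(), not copied from it). Forward-direction flags live in
# the low byte of the state word, reverse-direction flags in the high byte.
TH_FIN, TH_SYN, TH_RST, TH_ACK = 0x01, 0x02, 0x04, 0x10
FORWARD, REVERSE = 0, 1
BOTH_SYN = TH_SYN | (TH_SYN << 8)
BOTH_FIN = TH_FIN | (TH_FIN << 8)
BOTH_RST = TH_RST | (TH_RST << 8)
# net.inet.ip.fw.dyn_*_lifetime in seconds: ack/rst as quoted in the report,
# syn/fin are assumed defaults for this model.
LIFETIME = {"dyn_syn_lifetime": 20, "dyn_ack_lifetime": 300,
            "dyn_fin_lifetime": 1, "dyn_rst_lifetime": 1}


def expiry(state, proposed_fix=False):
    """Map the accumulated flag state of one dynamic rule to a lifetime sysctl."""
    if state == TH_SYN:                          # opening: only our SYN seen
        return "dyn_syn_lifetime"
    if state & BOTH_SYN == BOTH_SYN:             # SYN seen both ways: established
        if state & BOTH_FIN == BOTH_FIN:         # ... and closed by both sides
            return "dyn_fin_lifetime"
        return "dyn_ack_lifetime"
    if proposed_fix and not state & BOTH_RST and not state & BOTH_FIN:
        # Reporter's suggestion: a rule created mid-stream (no SYN ever seen,
        # no RST/FIN) is still a live connection and should get the ACK lifetime.
        return "dyn_ack_lifetime"
    return "dyn_rst_lifetime"                    # reset or unknown combination


def track(packets, proposed_fix=False):
    """Create a dynamic rule on the first packet and return the (sysctl, seconds)
    lifetime the rule holds after each packet. packets: (direction, flags)."""
    state, out = 0, []
    for direction, flags in packets:
        state |= flags if direction == FORWARD else flags << 8
        name = expiry(state, proposed_fix)
        out.append((name, LIFETIME[name]))
    return out


# Constructed traces. A full handshake settles on the 300 s ACK lifetime...
HANDSHAKE = [(FORWARD, TH_SYN), (REVERSE, TH_SYN | TH_ACK), (FORWARD, TH_ACK)]
# ...but once the original rule has expired and been unlinked, the next
# mid-stream ACK recreates a rule with no SYN history: the report's case.
MIDSTREAM_ACK = [(FORWARD, TH_ACK)]

if __name__ == "__main__":
    print("handshake      :", track(HANDSHAKE))
    print("mid-stream ACK :", track(MIDSTREAM_ACK))        # 1 s, re-expires
    print("with fix       :", track(MIDSTREAM_ACK, True))  # 300 s
```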