Expiration of dynamic rules

Jerry to.dev.null at gmx.de
Thu Oct 16 08:08:09 UTC 2008


my rules only allow tcp out (host1 -> host2) connections:
>> allow tcp from me to any out setup keep-state
(me should denote host1)

But the nmap goes from host2 -> host1 which should be blocked by the
firewall

>> 5.) nmap -PN -n -p ... --source-port 1234 --scanflags ack host
(i've made a mistake it should mean host1 instead of only host)

Thus it seems to be the old dynamic rule.

jerry

On 16.10.2008 at 04:05, Roman Kurakin wrote:

> to.dev.null at gmx.de wrote:
>> Hello together,
>>
>> i have a strange phenomenon with dynamic rules. I am using Mac OS X
>> 10.5.5 and have disabled keepalive-messages for dynamic rules:
>>
>> net.inet.ip.fw.dyn_keepalive: 0
>>
>> ruleset host1
>> ...
>> check-state
>> allow tcp from me to any out setup keep-state
>> ...
>>
>> 1.) host2: nc -k -l -p 1234
>> 2.) host1: nc host2 1234
>> 3.) dynamic rule with 300s gets created
>> 4.) dynamic rule expired after 300s (ipfw -d show: rule is gone (it
>> shows with flag -e))
>> 5.) nmap -PN -n -p ... --source-port 1234 --scanflags ack host
>>
>> After 5) that expired rule appeared again with 300s timeout and the
>> firewall is again opened.
>>
>> I would expect that an expired rule could not be reanimated. The
>> reactivation of expired rules seems to stop if after tcp fin from
>> both hosts are detected. Thus if the tcp disconnection was not
>> successful there are some zombie rules which could be reanimated?!?
>>
> IMHO if the connection starts from over again it is a new
> connection. It is not the old one
> reanimated.
>
> rik
>> (also with keepalive you could reproduce it: tcp rst -> then there
>> is no keepalive message and the dynamic rule expires but can be
>> reanimated with 5))
>>
>> Jerry

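The disagreement in the thread is whether the entry that shows up after step 5 is the old dynamic rule coming back or a new one. The following is an added example, not code from the thread or from ipfw itself: a small Python model of the documented ipfw(8) semantics for this ruleset (`check-state` matching live entries in both directions, `setup` matching only SYN-without-ACK, `keep-state` creating an entry keyed on the endpoint pair, the default `dyn_syn_lifetime`/`dyn_ack_lifetime`/`dyn_fin_lifetime`/`dyn_rst_lifetime` values, and `dyn_keepalive=0` as in the thread). It walks through steps 1-5 with constructed addresses (host1 = 10.0.0.1, host2 = 10.0.0.2) and an assumed ephemeral port 40000 in place of the elided `-p ...`. Under these documented semantics the ACK probe after expiry is denied and creates no entry, while a fresh `nc` from host1 creates a new entry with a new 300 s timeout; the model does not reproduce the reanimation Jerry observed, which is exactly the check worth running against a real ipfw box with `ipfw -d -e show`.

```python
"""Model of ipfw stateful matching for: check-state; allow tcp from me to any out
setup keep-state; (implicit) deny.  Added illustration, not ipfw source."""
from dataclasses import dataclass

SYN, ACK, FIN, RST = 0x02, 0x10, 0x01, 0x04

# Default lifetimes (seconds) from ipfw(8): net.inet.ip.fw.dyn_{syn,ack,fin,rst}_lifetime.
# The thread runs with net.inet.ip.fw.dyn_keepalive=0, so nothing refreshes an idle entry.
LIFETIME = {"syn": 20, "established": 300, "fin": 1, "rst": 1}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    direction: str  # "out" or "in", relative to the host running ipfw


@dataclass
class DynEntry:
    state: str
    expires: float


def flow_key(p):
    # A dynamic entry matches both directions, so key on the unordered endpoint pair.
    return frozenset({(p.src, p.sport), (p.dst, p.dport)})


class StatefulFirewall:
    def __init__(self, me):
        self.me = me          # the address the "me" keyword stands for (host1)
        self.dynamic = {}     # flow_key -> DynEntry, what "ipfw -d show" would list

    def _expire(self, now):
        # With keepalives disabled an entry simply disappears once its lifetime is up.
        for key in [k for k, e in self.dynamic.items() if e.expires <= now]:
            del self.dynamic[key]

    @staticmethod
    def _next_state(entry, p):
        # Simplified flag tracking: RST/FIN shorten the entry, an ACK after the
        # initial SYN moves it to the 300 s established lifetime.
        if p.flags & RST:
            return "rst"
        if p.flags & FIN:
            return "fin"
        if entry.state == "syn" and p.flags & ACK:
            return "established"
        return entry.state

    def process(self, p, now):
        self._expire(now)
        key = flow_key(p)
        # check-state: any packet of a live flow, either direction, is accepted.
        entry = self.dynamic.get(key)
        if entry is not None:
            entry.state = self._next_state(entry, p)
            entry.expires = now + LIFETIME[entry.state]
            return "allow"
        # allow tcp from me to any out setup keep-state: only SYN-without-ACK
        # leaving host1 may create a new entry.
        is_setup = bool(p.flags & SYN) and not (p.flags & ACK)
        if p.src == self.me and p.direction == "out" and is_setup:
            self.dynamic[key] = DynEntry("syn", now + LIFETIME["syn"])
            return "allow"
        return "deny"  # implicit final deny of the ruleset


def thread_scenario():
    """Steps 1-5 from the thread with constructed addresses and an assumed port 40000."""
    fw = StatefulFirewall(me="10.0.0.1")
    r = {}
    # 2.) host1: nc host2 1234 -> handshake completes
    syn = Packet("10.0.0.1", 40000, "10.0.0.2", 1234, SYN, "out")
    r["syn_out"] = fw.process(syn, 0.0)
    r["synack_in"] = fw.process(Packet("10.0.0.2", 1234, "10.0.0.1", 40000, SYN | ACK, "in"), 0.1)
    r["ack_out"] = fw.process(Packet("10.0.0.1", 40000, "10.0.0.2", 1234, ACK, "out"), 0.2)
    # 3.) the entry now carries the 300 s established lifetime
    r["lifetime"] = round(fw.dynamic[flow_key(syn)].expires - 0.2)
    # 4.)/5.) after expiry, an ACK-only packet from host2 with source port 1234
    probe = Packet("10.0.0.2", 1234, "10.0.0.1", 40000, ACK, "in")
    r["probe_in"] = fw.process(probe, 400.0)
    r["entries_after_probe"] = len(fw.dynamic)
    # A fresh nc from host1 is a new connection: new SYN, new entry (rik's point).
    r["new_syn_out"] = fw.process(syn, 401.0)
    r["entries_after_new_syn"] = len(fw.dynamic)
    return r


if __name__ == "__main__":
    for step, outcome in thread_scenario().items():
        print(f"{step}: {outcome}")
```

If a real ipfw host behaves differently from this model at step 5, the interesting question is which rule the re-created entry points at (`ipfw -d -e show` prints the parent rule number), since under the documented semantics an ACK-only inbound packet can match neither `check-state` for an expired flow nor a rule carrying `setup`.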


More information about the freebsd-ipfw mailing list