Expiration of dynamic rules
Patrick Matters
patrick.matters at gmx.de
Thu Oct 16 14:18:53 UTC 2008
Hello,
a real life example:
ruleset host1
...
00100 0 0 check-state
00101 0 0 allow tcp from me to any out setup keep-state
...
sysctl
net.inet.ip.fw.dyn_keepalive: 1
net.inet.ip.fw.dyn_short_lifetime: 5
net.inet.ip.fw.dyn_udp_lifetime: 10
net.inet.ip.fw.dyn_rst_lifetime: 3
net.inet.ip.fw.dyn_fin_lifetime: 3
net.inet.ip.fw.dyn_syn_lifetime: 20
net.inet.ip.fw.dyn_ack_lifetime: 300
net.inet.ip.fw.static_count: 24
net.inet.ip.fw.dyn_max: 4096
net.inet.ip.fw.dyn_count: 237
net.inet.ip.fw.curr_dyn_buckets: 256
net.inet.ip.fw.dyn_buckets: 256
net.inet.ip.fw.verbose_limit: 0
net.inet.ip.fw.verbose: 2
net.inet.ip.fw.debug: 0
net.inet.ip.fw.one_pass: 0
net.inet.ip.fw.autoinc_step: 100
net.inet.ip.fw.enable: 1
tcpdump
11:57:12.452517 IP host1.port1 > host2.80: S 4285172461:4285172461(0)
win 65535 <mss 1460,nop,wscale 3,nop,nop,timestamp 225504674
0,sackOK,eol>
11:57:12.465820 IP host2.80 > host1.port1: S 4165668431:4165668431(0)
ack 4285172462 win 5672 <mss 1430,sackOK,timestamp 946103042
225504674,nop,wscale 6>
11:57:12.465951 IP host1.port1 > host2.80: . ack 1 win 65535
<nop,nop,timestamp 225504674 946103042>
... some tcp ack and tcp ack,psh
11:57:12.703599 IP host2.80 > host1.port1: P 6629:7198(569) ack 721
win 112 <nop,nop,timestamp 946103278 225504675>
11:57:12.703678 IP host1.port1 > host2.80: . ack 7198 win 65156
<nop,nop,timestamp 225504676 946103278>
11:57:22.700872 IP host2.80 > host1.port1: F 7198:7198(0) ack 721 win
112 <nop,nop,timestamp 946113277 225504676>
11:57:22.700997 IP host1.port1 > host2.80: . ack 7199 win 65535
<nop,nop,timestamp 225504776 946113277>
12:02:07.529664 IP host1.port1 > host2.80: . ack 7199 win 0
12:02:07.529786 IP host1.port1 > host2.80: . ack 7199 win 65535
<nop,nop,timestamp 225507620 946113277>
12:02:07.543323 IP host2.80 > host1.port1: R 4165675630:4165675630(0)
win 0
12:02:07.545776 IP host2.80 > host1.port1: R 4165675630:4165675630(0)
win 0
netstat
tcp4 0 0 host1.port1 host2.80 CLOSE_WAIT
CLOSE_WAIT means an established connection on host1 receives a tcp
fin from host2 and host1 sends tcp ack to host2. Now host2 waits for
a tcp fin from host1.
After tcp rst netstat shows no tcp socket with port1 anymore.
'nmap -PN -n -S host2 -p port1 -e eth0 --source-port 80 --scanflags
ack host1' (it could be any tcp flag or combination of that)
The dynamic rule reopens with timeout 3s and disappears after the
timeout. I guess only a tcp fin from host1 would stop the reappearing
of the dynamic rule.
jerry
On 15.10.2008 at 23:43, to.dev.null at gmx.de wrote:
> Hello together,
>
> I have a strange phenomenon with dynamic rules. I am using Mac OS X
> 10.5.5 and have disabled keepalive-messages for dynamic rules:
>
> net.inet.ip.fw.dyn_keepalive: 0
>
> ruleset host1
> ...
> check-state
> allow tcp from me to any out setup keep-state
> ...
>
> 1.) host2: nc -k -l -p 1234
> 2.) host1: nc host2 1234
> 3.) dynamic rule with 300s gets created
> 4.) dynamic rule expired after 300s (ipfw -d show: rule is gone (it
> shows with flag -e))
> 5.) nmap -PN -n -p ... --source-port 1234 --scanflags ack host
>
> After 5) that expired rule appeared again with 300s timeout and the
> firewall is again opened.
>
> I would expect that an expired rule could not be reanimated. The
> reactivation of expired rules seems to stop if tcp fin from
> both hosts is detected. Thus if the tcp disconnection was not
> successful there are some zombie rules which could be reanimated?!?
>
> (also with keepalive you could reproduce it: tcp rst -> then there
> is no keepalive message and the dynamic rule expires but can be
> reanimated with 5))
>
> Jerry
>
>
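To make the two reports comparable, here is a toy model of the dynamic-rule lifetime state machine that the sysctl values above parametrize. It is an added example, not ipfw's code, and the transitions are a simplification of ipfw's; the `purge_expired` switch contrasts a check-state that refreshes a stale entry (which reproduces the 300s and 3s reanimations seen by Jerry and Patrick) with one that discards it first so the packet falls through to the static rules.

```python
# Toy model of ipfw dynamic-rule lifetimes, written for this thread. It is not
# ipfw's code; the transitions are a simplification of ipfw's state machine.
SYN, ACK, FIN, RST = 0x02, 0x10, 0x01, 0x04     # TCP flag bits
FWD, REV = 0, 8                                 # shift: initiator vs responder side
BOTH_SYN, BOTH_FIN = SYN | SYN << REV, FIN | FIN << REV
# Lifetimes taken from the sysctl values in the post.
DYN_SYN_LIFETIME, DYN_ACK_LIFETIME, DYN_FIN_LIFETIME, DYN_RST_LIFETIME = 20, 300, 3, 3

class DynRule:
    def __init__(self, now):
        self.state, self.expire = 0, now + DYN_SYN_LIFETIME

    def update(self, flags, direction, now):
        """Fold the packet's SYN/FIN/RST bits into the state and reset the lifetime."""
        self.state |= (flags & (SYN | FIN | RST)) << direction
        if self.state == SYN:                                   # opening
            ttl = DYN_SYN_LIFETIME
        elif self.state in (BOTH_SYN, BOTH_SYN | FIN, BOTH_SYN | FIN << REV):
            ttl = DYN_ACK_LIFETIME                              # established, or one side closing
        elif self.state == BOTH_SYN | BOTH_FIN:
            ttl = DYN_FIN_LIFETIME                              # both sides closed
        else:
            ttl = DYN_RST_LIFETIME                              # reset or invalid combination
        self.expire = now + ttl
        return ttl

def check_state(table, key, flags, direction, now, purge_expired):
    """Look up the flow's entry. With purge_expired a stale entry is discarded (the
    packet then falls through to the static rules); without it the stale entry is refreshed."""
    rule = table.get(key)
    if rule is None:
        return None
    if purge_expired and rule.expire <= now:
        del table[key]
        return None
    return rule.update(flags, direction, now)

def replay(packets, purge_expired):
    """Create the entry with host1's outgoing SYN (setup keep-state), run the (time, flags,
    direction) packets through check-state and return the lifetime granted to the last one."""
    key = ("host1", "port1", "host2", 80)
    table = {key: DynRule(0)}
    table[key].update(SYN, FWD, 0)
    ttl = None
    for t, flags, direction in packets:
        ttl = check_state(table, key, flags, direction, t, purge_expired)
    return ttl

# Jerry's report: established flow, no FIN, a bare ACK from host2 600s later.
JERRY = [(0, SYN | ACK, REV), (0, ACK, FWD), (600, ACK, REV)]
# Patrick's trace: FIN from host2 only, RST from host2, a bare ACK much later.
PATRICK = [(0, SYN | ACK, REV), (0, ACK, FWD), (10, FIN | ACK, REV),
           (295, RST, REV), (900, ACK, REV)]
```

With `purge_expired=False` the late ACK is granted 300s in Jerry's case and 3s in Patrick's, matching the two reports; with `purge_expired=True` it matches no entry in either case.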