Dynamic Rule Corpses of IPFW 2
Intron
mag at intron.ac
Thu Aug 3 15:42:41 UTC 2006
I've set up a stateful IPFW rule to resist DoS attacks. The rule is
allow tcp from any to me tcpflags syn limit src-addr 10
But I found that there are many corpses among the dynamic rules, which may
obstruct normal accesses. There is no correspondence between those
corpses and existing TCP connections.
How should I deal with those obstructive corpses?
# ipfw -d show | grep myclient ; netstat -an | grep myclient
10010 4 192 (111s) LIMIT tcp myclient 50719 <-> myserver 443
10010 4 192 (80s) LIMIT tcp myclient 50700 <-> myserver 443
10010 4 192 (124s) LIMIT tcp myclient 50743 <-> myserver 443
10010 4 192 (119s) LIMIT tcp myclient 50735 <-> myserver 443
10010 3570 544131 (300s) LIMIT tcp myclient 50828 <-> myserver 22
10010 0 0 (3s) PARENT 10 tcp myclient 0 <-> 0.0.0.0 0
10010 4 192 (44s) LIMIT tcp myclient 50617 <-> myserver 443
10010 4 192 (59s) LIMIT tcp myclient 50652 <-> myserver 443
10010 4 192 (59s) LIMIT tcp myclient 50650 <-> myserver 443
10010 4 192 (57s) LIMIT tcp myclient 50645 <-> myserver 443
10010 2 96 (300s) LIMIT tcp myclient 50890 <-> myserver 443
tcp4 0 0 myserver.443 myclient.50817 TIME_WAIT
tcp4 0 0 myserver.443 myclient.50815 TIME_WAIT
tcp4 0 0 myserver.443 myclient.50813 TIME_WAIT
tcp4 0 0 myserver.443 myclient.50809 TIME_WAIT
tcp4 0 146 myserver.443 myclient.50706 ESTABLISHED
tcp4 0 146 myserver.443 myclient.50688 ESTABLISHED
tcp4 0 146 myserver.443 myclient.50679 ESTABLISHED
tcp4 0 0 myserver.443 myclient.50668 ESTABLISHED
tcp4 0 0 myserver.443 myclient.50618 ESTABLISHED
tcp4 0 0 myserver.443 myclient.50611 ESTABLISHED
tcp4 0 146 myserver.443 myclient.50493 FIN_WAIT_1
tcp4 0 146 myserver.443 myclient.50026 FIN_WAIT_1
tcp4 0 0 myserver.22 myclient.50828 ESTABLISHED
------------------------------------------------------------------------
From Beijing, China
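The listing above invites exactly one check: which dynamic entries still have a socket behind them, and which do not. The script below is an added example, not code from the original post or from FreeBSD's ipfw; it parses `ipfw -d show` and `netstat -an` text in the formats shown in the post, reports LIMIT/STATE entries with no matching TCP socket (the "corpses"), and, in the other direction, sockets that no dynamic entry covers. The sample text is copied from the listing in the post; the PARENT row is skipped because it is the per-source counter behind `limit src-addr`, not a flow. The function and file names are assumptions of this example.

```python
"""Correlate ipfw dynamic rules with the TCP socket table (added example, not
from the original post): parse `ipfw -d show` and `netstat -an` text and report
LIMIT/STATE entries with no matching socket, plus sockets with no entry.
The sample text below is copied from the listing in the post."""
import re
import sys

IPFW_SAMPLE = """\
10010 4 192 (111s) LIMIT tcp myclient 50719 <-> myserver 443
10010 4 192 (80s) LIMIT tcp myclient 50700 <-> myserver 443
10010 4 192 (124s) LIMIT tcp myclient 50743 <-> myserver 443
10010 4 192 (119s) LIMIT tcp myclient 50735 <-> myserver 443
10010 3570 544131 (300s) LIMIT tcp myclient 50828 <-> myserver 22
10010 0 0 (3s) PARENT 10 tcp myclient 0 <-> 0.0.0.0 0
10010 4 192 (44s) LIMIT tcp myclient 50617 <-> myserver 443
10010 4 192 (59s) LIMIT tcp myclient 50652 <-> myserver 443
10010 4 192 (59s) LIMIT tcp myclient 50650 <-> myserver 443
10010 4 192 (57s) LIMIT tcp myclient 50645 <-> myserver 443
10010 2 96 (300s) LIMIT tcp myclient 50890 <-> myserver 443
"""

NETSTAT_SAMPLE = """\
tcp4 0 0 myserver.443 myclient.50817 TIME_WAIT
tcp4 0 0 myserver.443 myclient.50815 TIME_WAIT
tcp4 0 0 myserver.443 myclient.50813 TIME_WAIT
tcp4 0 0 myserver.443 myclient.50809 TIME_WAIT
tcp4 0 146 myserver.443 myclient.50706 ESTABLISHED
tcp4 0 146 myserver.443 myclient.50688 ESTABLISHED
tcp4 0 146 myserver.443 myclient.50679 ESTABLISHED
tcp4 0 0 myserver.443 myclient.50668 ESTABLISHED
tcp4 0 0 myserver.443 myclient.50618 ESTABLISHED
tcp4 0 0 myserver.443 myclient.50611 ESTABLISHED
tcp4 0 146 myserver.443 myclient.50493 FIN_WAIT_1
tcp4 0 146 myserver.443 myclient.50026 FIN_WAIT_1
tcp4 0 0 myserver.22 myclient.50828 ESTABLISHED
"""

# rule pkts bytes (ttl s) KIND rest  -- only dynamic-rule lines have the "(Ns)" column
DYN_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+\((\d+)s\)\s+(LIMIT|STATE|PARENT)\s+(.*)$")

def parse_ipfw_dynamic(text):
    """Flow entries from `ipfw -d show`. PARENT rows are skipped: they are the
    per-source counter behind `limit`, not a flow."""
    entries = []
    for line in text.splitlines():
        m = DYN_RE.match(line.strip())
        if not m or m.group(5) == "PARENT":
            continue
        rule, pkts, nbytes, ttl, kind, rest = m.groups()
        proto, src, sport, _arrow, dst, dport = rest.split()
        entries.append({"rule": int(rule), "pkts": int(pkts), "bytes": int(nbytes),
                        "ttl": int(ttl), "kind": kind, "proto": proto,
                        "src": (src, int(sport)), "dst": (dst, int(dport))})
    return entries

def _endpoint(ep):
    """'myserver.443' -> ('myserver', 443); None for wildcards such as '*.*'."""
    addr, _, port = ep.rpartition(".")
    return (addr, int(port)) if port.isdigit() else None

def parse_netstat_tcp(text):
    """{(local_addr, local_port, foreign_addr, foreign_port): state} from `netstat -an`."""
    socks = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) != 6 or not f[0].startswith("tcp"):
            continue  # skip headers, udp and unix-domain rows
        local, foreign = _endpoint(f[3]), _endpoint(f[4])
        if local and foreign:
            socks[local + foreign] = f[5]
    return socks

def _keys(entry):
    """Both orientations of a flow: the ipfw src/dst may be either side of the socket."""
    (sa, sp), (da, dp) = entry["src"], entry["dst"]
    return (da, dp, sa, sp), (sa, sp, da, dp)

def find_corpses(entries, socks):
    """Dynamic TCP entries no socket accounts for; until they expire they still
    count against `limit src-addr N` for that client address."""
    return [e for e in entries
            if e["proto"] == "tcp" and not any(k in socks for k in _keys(e))]

def find_unstated_sockets(entries, socks):
    """TCP sockets with no dynamic entry; their packets are not matched by the
    stateful rule and are decided by whatever rules follow it."""
    covered = {k for e in entries for k in _keys(e)}
    return {k: st for k, st in socks.items() if k not in covered}

if __name__ == "__main__":  # usage: corpses.py [ipfw-d-show.txt netstat-an.txt]
    args = sys.argv[1:3]
    ipfw_text, ns_text = [open(p).read() for p in args] if len(args) == 2 \
        else (IPFW_SAMPLE, NETSTAT_SAMPLE)
    entries, socks = parse_ipfw_dynamic(ipfw_text), parse_netstat_tcp(ns_text)
    for e in find_corpses(entries, socks):
        print("corpse: rule %d %s:%d <-> %s:%d ttl=%ds pkts=%d"
              % (e["rule"], *e["src"], *e["dst"], e["ttl"], e["pkts"]))
    for k, st in find_unstated_sockets(entries, socks).items():
        print("socket without dynamic rule: %s:%d <-> %s:%d %s" % (*k, st))
```

On a live host run `ipfw -d show > ipfw.txt; netstat -an > netstat.txt; python3 corpses.py ipfw.txt netstat.txt`. On the listing from the post, nine of the ten LIMIT entries (all on port 443) have no socket, only the port 22 session matches, and twelve sockets on port 443 have no dynamic entry at all. The `(Ns)` column is the remaining lifetime of the entry, which the `net.inet.ip.fw.dyn_*_lifetime` sysctls govern; a corpse with a long lifetime keeps consuming one of the client's `limit src-addr 10` slots until it times out, which is how dead entries obstruct new connections from the same address.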