Questions about ipfw's dynamic rules' dyn_keepalive

Andrea Venturoli ml at netfence.it
Tue Apr 3 10:15:40 UTC 2018


Hello.

I'm trying to find out how dyn_keepalive works.

From ipfw(8):
>      net.inet.ip.fw.dyn_keepalive: 1
>              Enables generation of keepalive packets for keep-state rules on
>              TCP sessions.  A keepalive is generated to both sides of the con-
>              nection every 5 seconds for the last 20 seconds of the lifetime
>              of the rule.
> ...
> ... For TCP sessions, dynamic rules can be
>      instructed to periodically send keepalive packets to refresh the state of
>      the rule when it is about to expire.

So I made some tests on a 11.1 router.
I made sure net.inet.ip.fw.dyn_keepalive=1 (which is the default, BTW), 
activated some rules and made some tests with tcpdump to see if 
keep-alives were sent.





Test 1: connection to the router itself

I added this rule on the router:

> ipfw add 99 allow tcp from any to me http setup keep-state

Then, from another box (FreeBSD client without ipfw or other firewall) I 
issued:
telnet router 80

I watched the dynamic rule being created, then waited 4.5 minutes and 
saw the keep-alive packets flowing and the rule timer get back to 
{net.inet.ip.fw.dyn_ack_lifetime} before reaching 0.

The connection would still work after several minutes.



Test 2: connection through the router

> ipfw add 99 allow tcp from any to external-host http setup keep-state

Then, from the same box as before I issued:
telnet external-host 80
(external-host is also FreeBSD with ipfw stateful rules).

The result is the same as in test 1 (i.e. the connection will persist).



Test 3: let's introduce NAT

> ipfw add 99 skipto 10000 tcp from any to external-host http setup keep-state

(skipto 10000 is used to allow nat rules).
With the same external host as before, now the rule times out!



Test 4: fwd to a jail on the router itself

> ipfw add 99 fwd 127.0.2.1 tcp from any to me http setup keep-state

telnet router 80

Again I see the keep-alive packets flowing and the connection will persist.



Test 5: fwd to a jail on the router itself but using a different IP

> ipfw add 99 fwd 127.0.2.1 tcp from any to x.y.z.w http setup keep-state

telnet x.y.z.w 80

This time no keep-alives and the rule times out.





I tried reasoning on this, but could not come up with an explanation.

Can anybody give any hint about the above behaviours or point me to good 
documentation? The man page is very brief on this, unfortunately.

  bye & Thanks
	av.
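An added example, not code from the post above nor from the ipfw project: two small sh helpers for repeating the observation the post describes. One checks the dyn_keepalive sysctl on the router; the other reads `ipfw -d list` output and prints only the dynamic rules whose remaining lifetime is inside the 20-second keepalive window quoted from ipfw(8), which is the moment to have tcpdump running to see whether keepalives actually appear and the timer jumps back to dyn_ack_lifetime. The assumed line shape for dynamic rules (`rule pkts bytes (Ns) STATE proto src sport <-> dst dport ...`) and the sample lines fed to it are constructed for this example; check the field layout against your own `ipfw -d list` output before relying on it.

```shell
#!/bin/sh
# Added example (not from the original post): helpers for checking the
# keepalive setting and for spotting dynamic rules that are inside the
# keepalive window, so their last seconds can be matched against tcpdump.

# Per the ipfw(8) text quoted in the post, keepalives are generated during
# the last 20 seconds of a dynamic rule's lifetime.
KEEPALIVE_WINDOW=20

# True when net.inet.ip.fw.dyn_keepalive is 1 (must run on the router itself).
dyn_keepalive_enabled() {
    [ "$(sysctl -n net.inet.ip.fw.dyn_keepalive 2>/dev/null)" = "1" ]
}

# Read `ipfw -d list` output on stdin and print one line per dynamic rule:
#   rule remaining_seconds proto src sport dst dport
# Assumption: dynamic-rule lines have the shape
#   00099  pkts  bytes  (287s) STATE tcp 192.0.2.10 51234 <-> 203.0.113.5 80 ...
# where the parenthesised "(Ns)" field is the remaining lifetime.
parse_dyn_rules() {
    awk '
        $5 == "STATE" && $4 ~ /^\([0-9]+s\)$/ {
            secs = $4
            gsub(/[()s]/, "", secs)
            print $1, secs, $6, $7, $8, $10, $11
        }
    '
}

# Keep only rules whose remaining lifetime is within KEEPALIVE_WINDOW seconds.
# If keepalives are being sent for them, these rules should jump back to
# dyn_ack_lifetime instead of reaching 0, as the post observes in tests 1, 2 and 4.
expiring_rules() {
    parse_dyn_rules | awk -v w="$KEEPALIVE_WINDOW" '$2 <= w'
}
```

Typical use on the router is `ipfw -d list | expiring_rules` in a loop (say every 5 seconds, matching the keepalive interval) alongside `tcpdump` on the relevant interface, so that for each of the five test setups you can see both the rule entering the window and whether keepalive segments are emitted for it.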