ipfw and stateful rules
on at cs.ait.ac.th
Wed May 28 03:51:05 PDT 2003
I am trying to install a standalone firewall between my LAN and my
router to the outside world. The machine is a Pentium 4, 1.5 GHz, 128MB RAM, with
two 3Com 905B Ethernet cards without IP addresses defined (and one cheap Ethernet card
to allow monitoring of the machine).
Bridge and ipfw2 are enabled.
I'd like to have all the traffic going through stateful rules, with
some restrictions on the incoming traffic, which should only go to the
servers, but quite open outgoing traffic from the clients (my clients
and servers are on the same LAN).
Stateful rules for incoming traffic to the servers are OK.
But when I set up stateful rules for the clients' outgoing traffic, the following:
39980 allow tcp from any to any setup keep-state
39990 allow udp from any to any keep-state
That should do it (ICMP is treated somewhere else).
I see the number of dynamic rules increasing without any apparent limit
after a couple of hours of running:
firewall<root>127: sysctl net.inet.ip.fw.dyn_count
and it continues to increase. It will not decrease even at night time
when there is nobody around.
On the other hand, if I list the dynamic rules with ipfw -d list, I see
only a few hundred of them (about 10% of the above), and this number
fluctuates normally depending on the traffic.
firewall<root>125: ipfw -d list | grep "<->" | wc -l
I don't understand why the numbers are different.
Also, after a while net.inet.ip.fw.dyn_count will reach a sort of
maximum (way lower than the defined maximum) and the firewall will not
deliver any traffic.
firewall<root>50: sysctl -a |grep ip.fw
FreeBSD firewall.cs.ait.ac.th 4.8-RELEASE FreeBSD 4.8-RELEASE #4: Wed May 28 17:32:21 ICT 2003 root at firewall.cs.ait.ac.th:/usr/src/sys/compile/SMALL i386
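One check worth making on the setup described above, as an added example that is not part of the original post: ipfw -d lists only the dynamic rules that are still live, and the -e flag (ipfw(8): "also show expired dynamic rules") adds the expired entries that have not yet been reaped, so "ipfw -de list" is the listing to put beside net.inet.ip.fw.dyn_count rather than a grep for "<->" on "ipfw -d list". The Python script below parses such a listing, splits it into live and expired entries per parent rule, and reports how much of a given dyn_count value the listing accounts for. The sample lines are constructed, not real output from this firewall, and both the line layout and the reading of "T 0" as an expired entry are assumptions, not verified against 4.8-RELEASE output.

```python
import re
from collections import Counter

# Constructed sample of `ipfw -de list` output (dynamic rules only); NOT real
# output from the poster's firewall. The layout is assumed from ipfw(8):
#   <rule> <pkts> <bytes> (T <seconds left>, slot <bucket>) <-> <src> <sport> <dst> <dport>
# An entry with "T 0" is taken to be an expired one that -e makes visible.
SAMPLE_IPFW_DE = """\
39980 12 1840 (T 280, slot 11) <-> 10.1.1.5 42001 203.0.113.9 80
39980 3 240 (T 0, slot 11) <-> 10.1.1.5 42002 203.0.113.9 80
39990 8 960 (T 5, slot 40) <-> 10.1.1.7 53120 198.51.100.2 53
39990 1 84 (T 0, slot 40) <-> 10.1.1.7 53121 198.51.100.2 53
39980 5 400 (T 0, slot 12) <-> 10.1.1.8 42003 203.0.113.10 443
"""

# One dynamic-rule line; static rules and other output do not match and are skipped.
DYN_LINE = re.compile(
    r"^(?P<rule>\d+)\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+"
    r"\(T (?P<ttl>-?\d+), slot (?P<slot>\d+)\)\s+"
    r"(?P<kind>\S+)\s+(?P<src>\S+)\s+(?P<sport>\d+)\s+(?P<dst>\S+)\s+(?P<dport>\d+)\s*$"
)


def parse_dyn_list(text):
    """Parse the dynamic-rule lines of an `ipfw -de list` listing into dicts."""
    entries = []
    for line in text.splitlines():
        m = DYN_LINE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        for key in ("rule", "pkts", "bytes", "ttl", "slot", "sport", "dport"):
            d[key] = int(d[key])
        entries.append(d)
    return entries


def summarize(entries):
    """Split the listing into live (ttl > 0) and expired entries, per parent rule."""
    live = [e for e in entries if e["ttl"] > 0]
    expired = [e for e in entries if e["ttl"] <= 0]
    return {
        "total": len(entries),
        "live": len(live),
        "expired": len(expired),
        "per_rule": dict(Counter(e["rule"] for e in entries)),
        "live_per_rule": dict(Counter(e["rule"] for e in live)),
    }


def compare_with_sysctl(dyn_count, entries):
    """Return (accounted, unaccounted) for a net.inet.ip.fw.dyn_count value.

    `accounted` is what the -de listing shows (live plus expired); a large
    `unaccounted` remainder means dyn_count holds entries the listing does
    not show at all, which is a different problem from expired-but-unreaped.
    """
    total = summarize(entries)["total"]
    return total, dyn_count - total


if __name__ == "__main__":
    ents = parse_dyn_list(SAMPLE_IPFW_DE)
    print(summarize(ents))
    # Hypothetical sysctl value, for comparison against the constructed listing.
    print(compare_with_sysctl(7, ents))
```

On a live box the listing would come from "ipfw -de list" piped into parse_dyn_list and the sysctl value from "sysctl -n net.inet.ip.fw.dyn_count"; if the live count tracks the "ipfw -d" figure while total stays near dyn_count, the gap is expired entries awaiting reaping, and if even the -de total falls far short of dyn_count the counter is tracking something the listing cannot see.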