IPFW | Too many dynamic rules?

Kevin Oberman rkoberman at gmail.com
Mon Jan 25 06:08:07 UTC 2021


On Sun, Jan 24, 2021 at 3:08 AM Jos Chrispijn <bsduser at cloudzeeland.nl>
wrote:

> Thanks for your help, Michael.
>
> Knowing so little about ipfw, I think it will be time to raise my
> learning curve on it. Can you hint me where I can get more information
> on nub level? Especially the remark Michael made
>
> "The lifetime of dynamic rules is, by default, way too long."
>
> intriques me. What is the exact result shortening them? Do I undermine
> ipfw protection by giving it too less or too much time to check incoming
> requests?
>
> Best, Jos
>
> Op 22-1-21 om 1:58 schreef Michael Sierchio:
> >
> > Vell succes!
> >
> Dank je!
> ___
>
No, you don't undermine security. You enhance it a tiny bit, but
significantly.

A stateful firewall works by creating a temporary rule allowing traffic
that would be rejected. Simple example is a DNS query. It is sent out and,
in typical ipfw setups, outgoing UDP packets create a dynamic entry to
allow for the reply. To make dynamic rules work efficiently, space is
reserved for the maximum  number of concurrent dynamic rules that are to be
allowed. Unless there is further traffic for a given rule, a dynamic rule
is deleted after a preset lifetime.

You can look at all ipfw dynamic parameters with 'sysctl net.inet.ip.fw |
grep dyn_'. You can get the description of a sysctl with the "sysctl -d
OID".

The default lifetimes are long for the "modern" Internet. The most
significant one is probably dyn_udp_lifetime. It would be unusual for it to
take anywhere near the default 30 seconds to get a response, but setting it
too short will result in failures. Shortening it will clear out old entries
more quickly and reduce the chance of running out of space for dynamic
rules.

A number of years ago, one of the developers wrote a code that sent out UDP
packets to a large number of remote systems. A very short time later it did
the same thing, but from new sockets. That meant a whole new set of dynamic
rules was created every second and sat there for 30 seconds. This quickly
filled the available space and replies to further queries were blocked. Not
just for his program, but for the whole system. Oops!
--
Kevin Oberman, Part time kid herder and retired Network Engineer
E-mail: rkoberman at gmail.com
PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683


More information about the freebsd-questions mailing list