Understanding ipfw keep-state dynamic rules
Luigi Rizzo
rizzo at icir.org
Sun Apr 15 21:56:23 UTC 2007
On Sun, Apr 15, 2007 at 10:18:36PM +0200, Ivan Voras wrote:
> On a rule:
>
> 06080 40997628 30756672556 allow tcp from any to me dst-port 80 setup keep-state
>
> ipfw -d show lists:
>
> ## Dynamic rules (774):
> 06080 948 38731 (108s) STATE tcp xx.172.115.202 1421 <-> my.ip.add.r 80
> 06080 985 42716 (83s) STATE tcp xx.67.223.104 1071 <-> my.ip.add.r 80
...
> This is on a busy, but fast and fat-piped web server.
>
> Do the numbers in parentheses mean seconds the rule is active? The
> numbers seem very high, much higher that they should be (keepalive is
> active but the timeout is kept under 5 seconds, and the pages & files
> are mostly small).
Yes, the numbers should be the expiry time for the rule.
ipfw has a default timeout of 300, and then it only uses the
"short" lifetimes when the remote end properly closes the
connection with a FIN. If it doesn't, then the firewall
cannot put a short timeout, because the other endpoint
could in principle want to send more data on the connection
and we need to let it through.
Check the values of these sysctl variables:
net.inet.ip.fw.dyn_keepalive: 1
net.inet.ip.fw.dyn_short_lifetime: 5
net.inet.ip.fw.dyn_udp_lifetime: 10
net.inet.ip.fw.dyn_rst_lifetime: 1
net.inet.ip.fw.dyn_fin_lifetime: 1
net.inet.ip.fw.dyn_syn_lifetime: 20
net.inet.ip.fw.dyn_ack_lifetime: 300
You normally end up using dyn_ack_lifetime for TCP sessions.
cheers
luigi
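To see in practice what Luigi describes, it helps to bucket the dynamic rules that `ipfw -d show` prints by their remaining lifetime: entries whose timer is still above dyn_short_lifetime never saw a FIN or RST and are sitting on the 300s dyn_ack_lifetime, while the rest are about to be reaped. The script below is an added example, not code from the thread or from ipfw itself; the `ipfw -d show` lines it parses are constructed sample output (with documentation addresses), and the `dyn_lifetime_histogram` helper and its default threshold of 5 (the dyn_short_lifetime value quoted above) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original mailing-list thread.
# Bucket the dynamic rules from "ipfw -d show" by remaining lifetime so you
# can see how many sessions are still on the long dyn_ack_lifetime timer
# versus the short FIN/RST timers.

# Constructed sample of "ipfw -d show" output; not captured from a real host.
SAMPLE_IPFW_OUTPUT='## Dynamic rules (4):
06080 948 38731 (108s) STATE tcp 192.0.2.10 1421 <-> 198.51.100.1 80
06080 985 42716 (83s) STATE tcp 192.0.2.11 1071 <-> 198.51.100.1 80
06080 12 1200 (3s) STATE tcp 192.0.2.12 2201 <-> 198.51.100.1 80
06080 3 180 (0s) STATE tcp 192.0.2.13 4455 <-> 198.51.100.1 80'

# dyn_lifetime_histogram [SHORT] < ipfw-dynamic-rule-output
# SHORT is the net.inet.ip.fw.dyn_short_lifetime value (default 5 here, an
# assumption matching the sysctl listing in the reply). Prints
# "long N short M": N rules still have more than SHORT seconds left, i.e.
# they are running down dyn_ack_lifetime because no FIN/RST was seen; M
# rules are within the short lifetime and will expire soon.
dyn_lifetime_histogram() {
    short="${1:-5}"
    awk -v short="$short" '
        /STATE/ {
            # Field 4 is the remaining lifetime, e.g. "(108s)".
            t = $4
            gsub(/[()s]/, "", t)
            if (t + 0 > short + 0) long++; else shrt++
        }
        END { printf "long %d short %d\n", long + 0, shrt + 0 }'
}

# On a live FreeBSD box you would pipe the real output instead:
#   ipfw -d show | dyn_lifetime_histogram "$(sysctl -n net.inet.ip.fw.dyn_short_lifetime)"
printf '%s\n' "$SAMPLE_IPFW_OUTPUT" | dyn_lifetime_histogram 5
```

A large "long" count on a web server whose responses are small and whose keepalive timeout is a few seconds means most clients are dropping the connection without a proper close, exactly the case in which ipfw has to fall back to dyn_ack_lifetime.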