Stateful IPFW - too many connections in FIN_WAIT_2 or LAST_ACK states

Kevin Oberman kob6558 at gmail.com
Tue Apr 17 19:48:22 UTC 2012


On Tue, Apr 17, 2012 at 4:05 AM, Dmitry S. Kasterin <dmk.sbor at gmail.com> wrote:
> (Cross-posting this to net@ since there was no reply on ipfw at .)
>
> Hello!
>
> I have rather simple ipfw ruleset like this:
>
> 00001 allow all from any to any via lo0
>
> 00010 check-state
> 00101 allow tcp from me to any out setup keep-state
>
> 65533 deny log ip from any to any
> 65534 deny ip6 from any to any
>
> Actually, there are a few rules for udp, icmp and so on,
> but the main idea here is to allow only outgoing (tcp) connections
> and handle them using dynamic rules.

I feel hesitant about sending this as it looks like you may have found
a real problem with IPFW.

But I do have to ask why you find stateful rules for outgoing TCP
connections desirable? Why not:
00101 allow tcp from me to any established

It appears to do the same thing for TCP and is much faster to process
plus it does not leave you open to trivial DOS (often of yourself) by
filling the dynamic rule tables.

Generally, for client systems, stateful UDP makes sense, but I
generally don't understand why people choose the more complex, slower,
and potentially disruptive stateful rules for TCP.
-- 
R. Kevin Oberman, Network Engineer
E-mail: kob6558 at gmail.com
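A toy model of the two approaches compared in this thread, added here as an illustration (not code from either poster): it runs the check-state/keep-state ruleset and a stateless `established` ruleset over the same constructed packet trace, so the dynamic-table growth and the difference in what an unsolicited inbound ACK gets are visible side by side. It assumes the stateless variant also keeps a plain outbound allow for the initial SYN, treats `established` as direction-agnostic, and uses documentation addresses in place of `me`.

```python
# Toy model of ipfw check-state/keep-state versus stateless 'established'.
# Added example, not from the post; addresses and trace are constructed.
from dataclasses import dataclass

ME = "10.0.0.2"  # constructed address standing in for ipfw's 'me'

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # subset of "SAFR"

def is_setup(p):        # ipfw 'setup': SYN set, ACK clear
    return "S" in p.flags and "A" not in p.flags

def is_established(p):  # ipfw 'established': ACK or RST set
    return "A" in p.flags or "R" in p.flags

def run_stateful(packets):
    """check-state; allow tcp from me to any out setup keep-state; deny."""
    dyn, verdicts = set(), []
    for p in packets:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in dyn or rev in dyn:        # check-state matched a dynamic rule
            verdicts.append("allow")
        elif p.src == ME and is_setup(p):   # keep-state installs a dynamic rule
            dyn.add(fwd)
            verdicts.append("allow")
        else:
            verdicts.append("deny")
    return verdicts, len(dyn)  # real ipfw caps this at net.inet.ip.fw.dyn_max

def run_stateless(packets):
    """allow tcp from me to any out; allow tcp established (assumed any direction); deny."""
    verdicts = ["allow" if p.src == ME or is_established(p) else "deny" for p in packets]
    return verdicts, 0  # no dynamic table exists at all

# Constructed trace: one normal outbound connection, then an unsolicited inbound ACK
HANDSHAKE = [
    Pkt(ME, 40000, "192.0.2.10", 80, "S"),
    Pkt("192.0.2.10", 80, ME, 40000, "SA"),
    Pkt(ME, 40000, "192.0.2.10", 80, "A"),
    Pkt("192.0.2.10", 80, ME, 40000, "FA"),
]
STRAY_ACK = [Pkt("198.51.100.7", 4444, ME, 22, "A")]
# Self-inflicted table growth: many outbound SYNs, one dynamic rule each
SYN_BURST = [Pkt(ME, 50000 + i, "203.0.113.9", 443, "S") for i in range(500)]
```

Both rulesets pass the handshake, but only the stateful one rejects the stray ACK, and only the stateful one accumulates a dynamic rule per outbound SYN.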