2 messages in org.freebsd.freebsd-current: Re: ipfw and state expiration
Dennis Glatting, Oct 10, 2000 7:43 pm
Dennis Glatting, Oct 10, 2000 7:50 pm
Subject: Re: ipfw and state expiration
From: Dennis Glatting (denn@software-munitions.com)
Date: Oct 10, 2000 7:50:46 pm
List: org.freebsd.freebsd-current

Just to follow up. It seems TCP states are expired but UDP states are not.

I am using IPFW with the keep-state primitive on DNS and NTP queries (e.g., [1]). I've noticed, however, the number of dynamic rules only increases -- there appears to be no pruning of the dynamic rules. Looking through the code I only see a call to prune dynamic rules (via remove_dyn_rule()) when the number of rules exceeds some maximum, rather than at some time interval to ensure dynamic rules are short lived.

Is this indeed the case? Aren't dynamic rules supposed to be short lived? Did I not configure something improperly?

[1] $fwcmd add allow udp from any to ${wip} 53 via ${wif} keep-state

To Unsubscribe: send mail to majo@FreeBSD.org with "unsubscribe freebsd-current" in the body of the message
