Hi,

I'm currently building a FreeBSD 7.2 IPFilter-based firewall/nat/proxy and I've 
run into a few niggles which I can't find any documentation on.

I have a simple inbound rule for SSH which I would like to limit to a single 
connection at a time. So I use the limit command to only allow 1 entry in the 
state table.

pass in quick on sk1 proto tcp from any to any port = 22 flags S keep state (limit 1)

This seems to work fine. However, once I log out of the SSH session the state 
remains in the table for another 8 minutes, preventing further connections.

icemark# ipfstat -sl

195.153.0.189 -> icemark pass 0x40008502 pr 6 state 10/8
        tag 0 ttl 476
        6152 -> 22 82c4511f:f9fec58a 1072<<3:1072<<3
        cmsk 0000 smsk 0000 s0 82c44966/f9feb6e1
        FWD:ISN inc 0 sumd 0
        REV:ISN inc 0 sumd 0
        forward: pkts in 22 bytes in 3128 pkts out 0 bytes out 0
        backward: pkts in 0 bytes in 0 pkts out 21 bytes out 4852
        pass in quick keep state        IPv4
        pkt_flags & 0(10000) = 1000,            pkt_options & ffffffff = 0, ffffffff = 0 
        pkt_security & ffff = 0, pkt_auth & ffff = 0
        is_flx 0x1 0 0 0x1
        interfaces: in X[sk1],X[] out X[],X[sk1]
        Sync status: not synchronized

Looking at the state upon close seems to indicate the connection is in 
TCPS_CLOSE_WAIT / TCPS_LAST_ACK. So I thought I'd adjust the tuneables in 
ipfilter to reduce the tcpclosewait timeout count from 480 to 30, which I did 
with the following command:

icemark# ipf -D -T fr_tcpclosewait=30 -E -f /etc/ipf.rules
icemark# ipf -T list | grep fr_tcpclosewait
fr_tcpclosewait min 0x1 max 0x7fffffff  current 30

This however made no difference to the ttl value of the closed SSH connection. 
Confused, I checked the tuneables and the only other entry with a 480 count was 
fr_tcptimeout. Again I set this to 30.

icemark# ipf -D -T fr_tcpclosewait=30 -T fr_tcptimeout=30 -E -f /etc/ipf.rules
icemark# ipf -T list | grep fr_tcp
fr_tcpidletimeout       min 0x1 max 0x7fffffff  current 864000
fr_tcpclosewait min 0x1 max 0x7fffffff  current 30
fr_tcplastack   min 0x1 max 0x7fffffff  current 60
fr_tcptimeout   min 0x1 max 0x7fffffff  current 30
fr_tcpclosed    min 0x1 max 0x7fffffff  current 60
fr_tcphalfclosed        min 0x1 max 0x7fffffff  current 14400

However, as before, once I terminated the SSH session the ttl counter was set to 
480.

Is there another set of values I should be looking for? Am I even attempting to 
solve the right problem? Is there a better way of limiting the number of 
simultaneous inbound connections to a service?

Thanks,

Spooky
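When chasing a question like the one above, it helps to reduce the verbose `ipfstat -sl` dump to one line per state entry so the lingering entries for a rate-limited port stand out. The following POSIX shell/awk helper is an added example and is not part of the original post or of IPFilter itself. It reads `ipfstat -sl` text on stdin and emits `src dst action proto state sport dport ttl`; the ttl is reported exactly as ipfstat prints it (in ipf ticks, not converted). The `ipf_lingering` filter treats a state of `5/5` as "established on both sides" to exclude live sessions; that mapping, and the second and third sample entries, are assumptions constructed for the example, not taken from the post.

```shell
#!/bin/sh
# Added example (not from the original post): condense `ipfstat -sl` output
# into one line per state entry and flag non-established entries that still
# hold a long ttl on a given destination port.

# One line per entry: src dst action proto state sport dport ttl
ipf_state_summary() {
    awk '
        function flush() {
            if (src != "") print src, dst, act, pr, st, sport, dport, ttl
            src = ""
        }
        # Entry header: "SRC -> DST ACTION 0xRULE pr PROTO state X/Y"
        /-> / && / pr [0-9]+ state / {
            flush()
            src = $1; dst = $3; act = $4
            pr = "-"; st = "-"; sport = "-"; dport = "-"; ttl = "-"
            for (i = 5; i <= NF; i++) {
                if ($i == "pr")    pr = $(i + 1)
                if ($i == "state") st = $(i + 1)
            }
            next
        }
        # "tag N ttl N": remaining lifetime as ipfstat prints it (ipf ticks)
        /^[ \t]*tag [0-9]+ ttl [0-9]+/ {
            for (i = 1; i <= NF; i++) if ($i == "ttl") ttl = $(i + 1)
        }
        # "SPORT -> DPORT ..." line present for TCP/UDP entries
        /^[ \t]*[0-9]+ -> [0-9]+ / { sport = $1; dport = $3 }
        END { flush() }
    '
}

# Usage: ... | ipf_state_summary | ipf_lingering DPORT MIN_TTL
# Reports entries on DPORT that are not fully established (assumption: state
# 5/5 means ESTABLISHED on both sides) and still have ttl above MIN_TTL ticks.
ipf_lingering() {
    awk -v port="$1" -v min="$2" \
        '$7 == port && $5 != "5/5" && $8 != "-" && $8 + 0 > min + 0'
}

# Constructed sample: the entry quoted in the post plus two made-up entries
# (one live session, one closed entry whose ttl has nearly run down).
sample_ipfstat() {
    cat <<'EOF'
195.153.0.189 -> icemark pass 0x40008502 pr 6 state 10/8
        tag 0 ttl 476
        6152 -> 22 82c4511f:f9fec58a 1072<<3:1072<<3
        cmsk 0000 smsk 0000 s0 82c44966/f9feb6e1
        forward: pkts in 22 bytes in 3128 pkts out 0 bytes out 0
        backward: pkts in 0 bytes in 0 pkts out 21 bytes out 4852
        pass in quick keep state        IPv4
        interfaces: in X[sk1],X[] out X[],X[sk1]
        Sync status: not synchronized
192.0.2.10 -> icemark pass 0x40008502 pr 6 state 5/5
        tag 0 ttl 863990
        40112 -> 22 00000000:00000000 0<<0:0<<0
        interfaces: in X[sk1],X[] out X[],X[sk1]
198.51.100.7 -> icemark pass 0x40008502 pr 6 state 10/8
        tag 0 ttl 12
        50231 -> 22 00000000:00000000 0<<0:0<<0
        interfaces: in X[sk1],X[] out X[],X[sk1]
EOF
}

# Demo when run directly: on a live box replace sample_ipfstat with `ipfstat -sl`.
sample_ipfstat | ipf_state_summary
echo '--- lingering on port 22 with more than 60 ticks left ---'
sample_ipfstat | ipf_state_summary | ipf_lingering 22 60
```

On a live system, `ipfstat -sl | ipf_state_summary | ipf_lingering 22 60` run before and after changing a tunable shows directly whether the new value reached the entries that matter, instead of eyeballing the full dump.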
