Spooky wrote:
| ...
| I have a simple inbound rule for SSH which I would like to limit
| to a single connection at a time. So I use the limit command to only
| allow 1 entry in the state table.
|
| pass in quick on sk1 proto tcp from any to any port = 22 flags S keep
| state (limit 1)
|
| Which seems to work fine. However once I log out of the SSH session
| the state remains in the table for another 8 minutes preventing further
| connections.
|
| icemark# ipfstat -sl
|
| 195.153.0.189 -> icemark pass 0x40008502 pr 6 state 10/8
| tag 0 ttl 476
| 6152 -> 22 82c4511f:f9fec58a 1072<<3:1072<<3
| cmsk 0000 smsk 0000 s0 82c44966/f9feb6e1
| FWD:ISN inc 0 sumd 0
| REV:ISN inc 0 sumd 0
| forward: pkts in 22 bytes in 3128 pkts out 0 bytes out 0
| backward: pkts in 0 bytes in 0 pkts out 21 bytes out 4852
| pass in quick keep state IPv4
| pkt_flags & 0(10000) = 1000, pkt_options & ffffffff
| = 0, ffffffff = 0
| pkt_security & ffff = 0, pkt_auth & ffff = 0
| is_flx 0x1 0 0 0x1
| interfaces: in X[sk1],X[] out X[],X[sk1]
| Sync status: not synchronized
|
| Looking at the state upon close seems to indicate the connection is in
| TCPS_CLOSE_WAIT / TCPS_LAST_ACK. So I thought I'd adjust the tuneables
| in ipfilter to reduce the tcpclosewait timeout count from 480 to 30.
The TTL is expressed in terms of ipfilter ticks.
There are two ticks for every second, so 480 is 240 seconds or 4 minutes.
In terms of TCP, this is 2*TCP_MSL (TCP_MSL = 120 seconds).
| Which I did with the following command -
|
| icemark# ipf -D -T fr_tcpclosewait=30 -E -f /etc/ipf.rules
| icemark# ipf -T list | grep fr_tcpclosewait
| fr_tcpclosewait min 0x1 max 0x7fffffff current 30
|
| This however made no difference to the ttl value of the closed SSH
| connection. Confused, I checked the tuneables and the only other entry
| with a 480 count was fr_tcptimeout. Again I set this to 30.
|
| icemark# ipf -D -T fr_tcpclosewait=30 -T fr_tcptimeout=30 -E -f
| /etc/ipf.rules
| icemark# ipf -T list | grep fr_tcp
| fr_tcpidletimeout min 0x1 max 0x7fffffff current 864000
| fr_tcpclosewait min 0x1 max 0x7fffffff current 30
| fr_tcplastack min 0x1 max 0x7fffffff current 60
| fr_tcptimeout min 0x1 max 0x7fffffff current 30
| fr_tcpclosed min 0x1 max 0x7fffffff current 60
| fr_tcphalfclosed min 0x1 max 0x7fffffff current 14400
|
| However as before once I terminated the SSH session the ttl counter
| was set to 480.
|
| Is there another set of values I should be looking for? Am I even
| attempting to solve the right problem? Is there a better way of limiting
| the number of simultaneous inbound connections to a service?
I'm really quite puzzled by this...
Darren
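An added example, not code from the thread or from ipfilter itself: it parses `ipfstat -sl` output, converts the ttl from ipfilter ticks to seconds using the two-ticks-per-second rule given above, and lists the entries to a port that are past ESTABLISHED but still hold a state slot, which is what blocks the next login under `keep state (limit 1)`. The state number-to-name table is assumed from IPFilter 4.x's ip_state.h; the function names and the sample are constructed for illustration.

```python
import re
TICKS_PER_SECOND = 2  # ipfilter ttl values are ticks, two per second (from the thread)
# IPFilter 4.x TCP state numbers as in ip_state.h; an assumption here, check your release.
IPF_TCP_STATES = {0: "LISTEN", 1: "SYN_SENT", 2: "SYN_RECEIVED", 3: "HALF_ESTAB",
                  4: "ESTABLISHED", 5: "CLOSE_WAIT", 6: "FIN_WAIT_1", 7: "CLOSING",
                  8: "LAST_ACK", 9: "FIN_WAIT_2", 10: "TIME_WAIT", 11: "CLOSED"}

HEADER_RE = re.compile(r"^(\S+) -> (\S+) (?:pass|block) \S+ pr (\d+) state (\d+)/(\d+)")
TTL_RE = re.compile(r"\bttl (\d+)")
PORTS_RE = re.compile(r"^(\d+) -> (\d+) ")

def parse_ipfstat(text):
    """Turn `ipfstat -sl` output into one dict per state-table entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip().lstrip("| ")       # tolerate mail-quoted output
        m = HEADER_RE.match(line)
        if m:
            src, dst, pr, fs, rs = m.groups()
            entries.append({"src": src, "dst": dst, "proto": int(pr), "fwd": int(fs),
                            "rev": int(rs), "ttl": 0, "sport": 0, "dport": 0})
        if not entries:
            continue
        cur = entries[-1]
        t = TTL_RE.search(line)              # "tag 0 ttl 476" may follow the header line
        if t and cur["ttl"] == 0:
            cur["ttl"] = int(t.group(1))
        p = PORTS_RE.match(line)             # "6152 -> 22 ..." carries the TCP ports
        if p and cur["proto"] == 6 and cur["dport"] == 0:
            cur["sport"], cur["dport"] = int(p.group(1)), int(p.group(2))
    return entries

def ttl_seconds(entry):
    return entry["ttl"] / TICKS_PER_SECOND

def state_names(entry):
    return (IPF_TCP_STATES.get(entry["fwd"], "?"), IPF_TCP_STATES.get(entry["rev"], "?"))

def lingering(entries, dport):
    """TCP entries to dport with both directions past ESTABLISHED that still hold a
    state slot, i.e. what blocks a fresh connection under `keep state (limit 1)`."""
    return [e for e in entries if e["proto"] == 6 and e["dport"] == dport
            and e["fwd"] != 4 and e["rev"] != 4]

# Constructed sample: the closed SSH session from the thread, quoted as in the mail.
SAMPLE = """\
| 195.153.0.189 -> icemark pass 0x40008502 pr 6 state 10/8
| tag 0 ttl 476
| 6152 -> 22 82c4511f:f9fec58a 1072<<3:1072<<3
"""
```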