Darren,

Thanks for your reply.
 
> The TTL is expressed in terms of ipfilter ticks.
> There are two ticks for every second, so 480 is 240 seconds or 4 minutes.
> In terms of TCP, this is 2*TCP_MSL (TCP_MSL = 120 seconds)

Absolutely, this is stupidity entirely caused by my impatience. I noticed a 
delay; it was longer than desired, and therefore I wrongly assumed the TTL was 
in seconds. Sorry.

> I'm really quite puzzled by this...

Hopefully you mean by my problem and not my hamfisted attempt at a question ;)

I threw together another test machine this morning on the off chance that it 
was some other sysctl settings that I had entered that were throwing it off. 
The new machine is a clean install of FreeBSD 7.2-RELEASE; it's running IP 
Filter v4.1.24 (404). 

The test rule set is:

pass in quick on lo0 all
pass out quick on lo0 all
pass out quick on rl0 all keep state
pass in quick on rl0 proto tcp from any to 10.0.0.13 port = 22 flags S keep state (limit 1)
block return-rst in all

test# ipf -T list | grep tcp
fr_tcpidletimeout       min 0x1 max 0x7fffffff  current 864000
fr_tcpclosewait min 0x1 max 0x7fffffff  current 480
fr_tcplastack   min 0x1 max 0x7fffffff  current 60
fr_tcptimeout   min 0x1 max 0x7fffffff  current 480
fr_tcpclosed    min 0x1 max 0x7fffffff  current 60
fr_tcphalfclosed        min 0x1 max 0x7fffffff  current 14400

test# ipf -D -T fr_tcpclosewait=30 -T fr_tcptimeout=30 -E -f /etc/ipf.rules
test# ipf -T list | grep fr_tcp
fr_tcpidletimeout       min 0x1 max 0x7fffffff  current 864000
fr_tcpclosewait min 0x1 max 0x7fffffff  current 30
fr_tcplastack   min 0x1 max 0x7fffffff  current 60
fr_tcptimeout   min 0x1 max 0x7fffffff  current 30
fr_tcpclosed    min 0x1 max 0x7fffffff  current 60
fr_tcphalfclosed        min 0x1 max 0x7fffffff  current 14400

After connecting an SSH session and typing a few innocuous commands I 
disconnected.

test# ipfstat -sl
10.0.0.1 -> 10.0.0.13 pass 0x40008502 pr 6 state 10/8
        tag 0 ttl 447
        51738 -> 22 28d82bd7:4165173c 49640<<0:160<<3
        cmsk 0000 smsk 0000 s0 28d82582/416507e3
        FWD:ISN inc 0 sumd 0
        REV:ISN inc 0 sumd 0
        forward: pkts in 25 bytes in 2632 pkts out 0 bytes out 0
        backward: pkts in 0 bytes in 0 pkts out 21 bytes out 4780
        pass in quick keep state        IPv4
        pkt_flags & 0(10000) = 1000,            pkt_options & ffffffff = 0, ffffffff = 0 
        pkt_security & ffff = 0, pkt_auth & ffff = 0
        is_flx 0x1 0 0 0x1
        interfaces: in X[rl0],X[] out X[],X[rl0]
        Sync status: not synchronized

As you can see the TTL is counting down from 480 as per the other machine.

I have some Solaris 10 boxes kicking around so I can try the same version on 
there. I assume it could be a FreeBSD-only issue?

Thanks,

Spooky

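As an added example (not part of the thread, and not IP Filter's own code), the following script turns the two outputs posted above into the check being done by hand in the message: it parses the `ipf -T list` tunables and the `ipfstat -sl` state entry, converts ticks to seconds using the two-ticks-per-second rate from Darren's reply, and lists which fr_tcp* tunables are large enough to account for the observed ttl. The sample text is copied from the post; the regular expressions are written against exactly that output format (an assumption for other ipf versions), and the reasoning that a state's remaining ttl cannot exceed the timeout it was started from is the author's, not something the post states.

```python
import re

# From the quoted reply: ipfilter expresses these TTLs in ticks, two ticks per second.
TICKS_PER_SECOND = 2

# Constructed sample input, copied from the `ipf -T list | grep fr_tcp` output in the
# post: first the stock values, then the values after
# `ipf -T fr_tcpclosewait=30 -T fr_tcptimeout=30`.
TUNABLES_BEFORE = """\
fr_tcpidletimeout       min 0x1 max 0x7fffffff  current 864000
fr_tcpclosewait min 0x1 max 0x7fffffff  current 480
fr_tcplastack   min 0x1 max 0x7fffffff  current 60
fr_tcptimeout   min 0x1 max 0x7fffffff  current 480
fr_tcpclosed    min 0x1 max 0x7fffffff  current 60
fr_tcphalfclosed        min 0x1 max 0x7fffffff  current 14400
"""

TUNABLES_AFTER = """\
fr_tcpidletimeout       min 0x1 max 0x7fffffff  current 864000
fr_tcpclosewait min 0x1 max 0x7fffffff  current 30
fr_tcplastack   min 0x1 max 0x7fffffff  current 60
fr_tcptimeout   min 0x1 max 0x7fffffff  current 30
fr_tcpclosed    min 0x1 max 0x7fffffff  current 60
fr_tcphalfclosed        min 0x1 max 0x7fffffff  current 14400
"""

# Constructed sample: the first lines of the `ipfstat -sl` entry from the post.
STATE_OUTPUT = """\
10.0.0.1 -> 10.0.0.13 pass 0x40008502 pr 6 state 10/8
        tag 0 ttl 447
        51738 -> 22 28d82bd7:4165173c 49640<<0:160<<3
"""

# Assumption: these patterns match the ipf 4.1.24 output shown in the post.
TUNABLE_RE = re.compile(r"^(fr_\w+)\s+min\s+\S+\s+max\s+\S+\s+current\s+(\d+)\s*$")
ENTRY_RE = re.compile(r"^(\S+) -> (\S+) (\w+) \S+ pr (\d+) state (\d+)/(\d+)")
TTL_RE = re.compile(r"^\s*tag \d+ ttl (\d+)")


def parse_tunables(text):
    """Map tunable name -> current value in ticks from `ipf -T list` lines."""
    tunables = {}
    for line in text.splitlines():
        m = TUNABLE_RE.match(line)
        if m:
            tunables[m.group(1)] = int(m.group(2))
    return tunables


def parse_states(text):
    """Collect src, dst, action, proto, TCP state pair and ttl (ticks) per `ipfstat -sl` entry."""
    entries = []
    current = None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            current = {
                "src": m.group(1), "dst": m.group(2), "action": m.group(3),
                "proto": int(m.group(4)),
                "state": (int(m.group(5)), int(m.group(6))),
                "ttl": None,
            }
            entries.append(current)
            continue
        m = TTL_RE.match(line)
        if m and current is not None:
            current["ttl"] = int(m.group(1))
    return entries


def ticks_to_seconds(ticks):
    """480 ticks -> 240.0 seconds, per the quoted reply."""
    return ticks / TICKS_PER_SECOND


def candidate_timeouts(ttl_ticks, tunables):
    """Names of fr_tcp* tunables whose current value is at least the observed ttl.
    Assumption: a state's remaining ttl cannot exceed the timeout it was started
    from, so any tunable smaller than ttl_ticks cannot be governing this entry."""
    return sorted(name for name, ticks in tunables.items()
                  if name.startswith("fr_tcp") and ticks >= ttl_ticks)


def report(state_text, tunables):
    """One human-readable line per state entry, with ttl in seconds and the tunables it fits."""
    lines = []
    for e in parse_states(state_text):
        cands = candidate_timeouts(e["ttl"], tunables)
        lines.append("%s -> %s proto %d state %d/%d: ttl %d ticks (%.1f s); fits: %s"
                     % (e["src"], e["dst"], e["proto"], e["state"][0], e["state"][1],
                        e["ttl"], ticks_to_seconds(e["ttl"]), ", ".join(cands) or "none"))
    return lines


if __name__ == "__main__":
    for label, text in (("before", TUNABLES_BEFORE), ("after", TUNABLES_AFTER)):
        print("tunables", label)
        for line in report(STATE_OUTPUT, parse_tunables(text)):
            print("  " + line)
```

Run against the post's numbers, the "after" set shows that a ttl of 447 ticks (223.5 s) is larger than both tunables that were lowered to 30, so only fr_tcphalfclosed and fr_tcpidletimeout remain as values the entry could have started from; against the "before" set, the stock 480-tick fr_tcpclosewait and fr_tcptimeout fit as well, which is the "still counting down from 480" observation in the message expressed as a check rather than by eye.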