Hello everyone,

I have a strange phenomenon with dynamic rules. I am using Mac OS X 10.5.5 and 
have disabled keepalive messages for dynamic rules:

net.inet.ip.fw.dyn_keepalive: 0

ruleset host1
...
check-state
allow tcp from me to any out setup keep-state
...

1.) host2: nc -k -l -p 1234
2.) host1: nc host2 1234
3.) dynamic rule with 300s gets created
4.) dynamic rule expired after 300s (ipfw -d show: rule is gone (it shows with flag -e))
5.) nmap -PN -n -p ... --source-port 1234 --scanflags ack host

After 5) the expired rule appears again with a 300s timeout and the firewall is 
open again.

I would expect that an expired rule could not be reanimated. The reactivation 
of expired rules seems to stop once a TCP FIN from both hosts has been detected. 
So if the TCP disconnection was not successful, there are some zombie rules 
which could be reanimated?!?

(You can also reproduce it with keepalive enabled: after a TCP RST there is no 
keepalive message and the dynamic rule expires, but it can be reanimated with 5).)

Jerry


[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw