On 25.10.2018 12:09, Ole wrote:
> So do you think the bug is only related to 'setup' and not to 'keep-state'
> rules? Or is this just a coincidence?
> I'm reloading rules now for 1h each minute, and an ssh connection is still
> stable.
Hi,

I think you do not quite understand how it works :) Dynamic states do not work automagically.

In general words, you have two types of firewall rules: static and dynamic. Static rules are kept in an array and checked by the firewall until some action is applied that finishes the search. Dynamic rules have special opcodes that initiate a search in the dynamic states. If a packet doesn't have a match in these dynamic states, a new dynamic state will be created for this packet. If some state matches a packet, then the corresponding action will be applied to this packet. This is why usually a "check-state" rule is added at the beginning of the rules: a packet will first be checked for a match in the dynamic states, and only then will it be checked by the static rules.

So, when you have many rules and states, doing `ipfw flush` will delete all static rules, but depending on the keep_states sysctl variable, dynamic states can be kept or deleted. So, if you do `ipfw -q flush` and do not add new dynamic rules, all dynamic states will expire after some time and be deleted (regardless of the fact that you have keep_states=1). But when you do `flush` and then reload new rules that have some dynamic rules (those that have "keep-state" or "limit" opcodes), this means that the new rules will initiate the search in the dynamic states, and for an existing connection the state will be updated, and because of this the connection still works.

-- 
WBR, Andrey V. Elsukov
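The lookup order Andrey describes (dynamic states first via check-state, then the static array, with keep-state creating or refreshing a state, and flush dropping rules but not necessarily states) is easier to see as a small model. The following is an added illustration, not ipfw code and not something from the thread: a toy firewall in Python with a hypothetical fixed state lifetime (DYN_LIFETIME), a constructed two-rule ruleset, and two constructed packets for one ssh connection. It replays Ole's experiment (flush and reload every interval) against the alternative of flushing without reloading, so the difference in state expiry is observable.

```python
"""Toy model of ipfw static rules vs. dynamic states, as explained in the
thread above.  Added example, not ipfw's code; the state lifetime, packet
format, rule numbers and default action below are all assumptions."""

# Hypothetical state lifetime; real ipfw uses several per-protocol dyn_* timeouts.
DYN_LIFETIME = 300
# Models ipfw's default rule 65535, which is "deny ip from any to any" by default.
DEFAULT_ACTION = "deny"


class Rule:
    """One static rule: number, action, match predicate, optional dynamic opcode."""

    def __init__(self, number, action, match, opcode=None):
        self.number = number
        self.action = action
        self.match = match          # callable(pkt) -> bool
        self.opcode = opcode        # None, "check-state" or "keep-state"


def flow_key(pkt):
    return (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])


def reverse_key(pkt):
    return (pkt["proto"], pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])


class Firewall:
    def __init__(self, keep_states=False):
        self.rules = []                  # static rules, searched in ascending order
        self.states = {}                 # flow key -> (action, expires_at)
        self.keep_states = keep_states   # models the keep_states sysctl from the mail

    def add(self, rule):
        self.rules.append(rule)
        self.rules.sort(key=lambda r: r.number)

    def flush(self):
        """'ipfw flush': static rules always go; states go only if not kept."""
        self.rules = []
        if not self.keep_states:
            self.states = {}

    def _expire(self, now):
        self.states = {k: v for k, v in self.states.items() if v[1] > now}

    def _lookup_state(self, pkt, now):
        """Search the states in both directions; a hit refreshes the timer."""
        for key in (flow_key(pkt), reverse_key(pkt)):
            if key in self.states:
                action = self.states[key][0]
                self.states[key] = (action, now + DYN_LIFETIME)
                return action
        return None

    def check(self, pkt, now):
        """Walk the static rules; dynamic opcodes branch into the state table."""
        self._expire(now)
        for rule in self.rules:
            if rule.opcode == "check-state":
                hit = self._lookup_state(pkt, now)
                if hit is not None:
                    return hit           # a matching state finishes the search
                continue                 # no state: keep walking the static rules
            if not rule.match(pkt):
                continue
            if rule.opcode == "keep-state":
                hit = self._lookup_state(pkt, now)   # keep-state also searches states
                if hit is None:
                    self.states[flow_key(pkt)] = (rule.action, now + DYN_LIFETIME)
                    hit = rule.action
                return hit
            return rule.action           # a plain static match finishes the search
        return DEFAULT_ACTION


def load_rules(fw):
    """Constructed ruleset: check-state first, then an ssh keep-state rule."""
    fw.add(Rule(10, "allow", lambda p: True, "check-state"))
    fw.add(Rule(100, "allow",
                lambda p: p["proto"] == "tcp" and p["dport"] == 22, "keep-state"))


# Constructed sample packets for one ssh connection, both directions.
SSH_OUT = {"proto": "tcp", "src": "10.0.0.2", "sport": 40000, "dst": "10.0.0.1", "dport": 22}
SSH_IN = {"proto": "tcp", "src": "10.0.0.1", "sport": 22, "dst": "10.0.0.2", "dport": 40000}


def run_scenario(reload_rules, keep_states=True, duration=3600, interval=10):
    """Open ssh, flush, optionally reload, then pass traffic for `duration`
    seconds.  Returns (first verdict, set of later verdicts, states left)."""
    fw = Firewall(keep_states=keep_states)
    load_rules(fw)
    first = fw.check(SSH_OUT, 0)         # SYN hits rule 100 and creates a state
    fw.flush()                           # like 'ipfw -q flush'
    if reload_rules:
        load_rules(fw)
    verdicts = set()
    for t in range(interval, duration + 1, interval):
        pkt = SSH_IN if (t // interval) % 2 else SSH_OUT
        verdicts.add(fw.check(pkt, t))
    return first, verdicts, len(fw.states)


if __name__ == "__main__":
    print("flush + reload, keep_states=1:", run_scenario(True))
    print("flush only,     keep_states=1:", run_scenario(False))
    print("flush + reload, keep_states=0:", run_scenario(True, keep_states=False))
```

With flush followed by a reload, every packet of the existing connection hits check-state, the state's timer is refreshed and the session survives indefinitely, which is what Ole's one-hour test shows. With flush alone, the state is kept (keep_states=1) but nothing refreshes it, so it is gone after DYN_LIFETIME and every packet falls through to the default deny. With keep_states=0 and a reload, the old state is lost and the first reverse-direction packet is denied until a forward packet re-creates the state through the keep-state rule.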