ipfw keep-state

Juraj Belák giobsd at gmail.com
Wed Apr 18 21:06:52 CEST 2007


The principle of the rules is clear to me.
The man page says:

"Dynamic rules expire after some time, which depends on the status of the
flow and the setting of some sysctl variables.  See Section SYSCTL
VARIABLES for more details.  For TCP sessions, dynamic rules can be
instructed to periodically send keepalive packets to refresh the state of
the rule when it is about to expire."

What is not clear to me is the meaning of "expire after SOME TIME, which depends on the
STATUS OF FLOW".
Based on what (and whether at all) should one change the default value of
net.inet.ip.dummynet.hash_size (64)?

Another thing I am not clear on is "...periodically send keepalive
packets to refresh the state..."

I get the impression that dynamic rules generate "extra" traffic.
That is why I would like to know what (if anything) justifies the use of
keep-state rules in practice.
> Juraj Belák wrote:
>
>> What is the practical difference (with regard to traffic) between
>>
>> ipfw add allow tcp from me to any 1000 keep-state
>>
>> and
>>
>> ipfw add allow tcp from me to any 1000
>> ipfw add allow tcp from any 1000 to me
>
> I'm not entirely sure what you are asking. The second way allows any
> machine in the world to send a TCP packet from port 1000 to any of your ports.
> The first does not allow that until you have first spoken outward in that direction.
>
> Still, I usually avoid dynamic rules, although in this particular
> case (if we ignore that I only see a small fragment of the configuration) there is
> no real reason for that.
>
>
> So, I would use the second way, but slightly differently - the big flaw of
> your solution is that anyone can establish a connection from port 1000 to
> any service on the given machine. I would probably use:
>
> ipfw add allow tcp from me to any 1000 setup
> ipfw add allow tcp from any 1000 to me established
>
> Dan
>
>
> -- FreeBSD mailing list (users-l at freebsd.cz) 
> http://www.freebsd.cz/listserv/listinfo/users-l
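
The three rule sets in the thread differ in which inbound packets they let through. The following model is an added illustration written for this page, not ipfw code and not something either poster wrote: it implements only the pieces needed to show the difference (static matching, the `setup` and `established` options, and the dynamic-rule table that `keep-state` creates) and checks three constructed packets against each rule set. It assumes the local host (`me`) is 10.0.0.1, that the ruleset ends in a deny-everything default, and that the dynamic table is consulted before the static rules (ipfw does this at the first `check-state` or `keep-state` rule; the expiry timers the man page refers to are not modelled).

```python
"""Toy model of ipfw rule evaluation for the three rule sets in the thread.
Added illustration only; simplified and not ipfw source code."""
from dataclasses import dataclass
from typing import Optional

ME = "10.0.0.1"  # assumed address of 'me' in this model


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP flag names, e.g. frozenset({"SYN", "ACK"})


@dataclass(frozen=True)
class Rule:
    """One 'allow tcp from <src> [sport] to <dst> [dport] [options]' rule."""
    src: str                    # "me" or "any"
    sport: Optional[int]        # None means any port
    dst: str
    dport: Optional[int]
    keep_state: bool = False    # create a dynamic rule for the matching flow
    setup: bool = False         # match only SYN without ACK (connection start)
    established: bool = False   # match only packets with ACK or RST set

    @staticmethod
    def _host_ok(spec: str, addr: str) -> bool:
        return spec == "any" or (spec == "me" and addr == ME)

    def matches(self, p: Packet) -> bool:
        if not (self._host_ok(self.src, p.src) and self._host_ok(self.dst, p.dst)):
            return False
        if self.sport is not None and p.sport != self.sport:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.setup and not ("SYN" in p.flags and "ACK" not in p.flags):
            return False
        if self.established and not (p.flags & {"ACK", "RST"}):
            return False
        return True


class Firewall:
    def __init__(self, rules):
        self.rules = list(rules)
        # Dynamic rules keyed by the unordered endpoint pair, so the reply
        # direction of a flow matches the entry created by the outbound packet.
        self.dynamic = set()

    def check(self, p: Packet) -> str:
        key = frozenset({(p.src, p.sport), (p.dst, p.dport)})
        if key in self.dynamic:          # simplified check-state: dynamic table first
            return "allow-dynamic"
        for r in self.rules:
            if r.matches(p):
                if r.keep_state:
                    self.dynamic.add(key)  # this is what keep-state adds
                return "allow"
        return "deny"                    # assumed default-deny tail of the ruleset


RULESETS = {
    # ipfw add allow tcp from me to any 1000 keep-state
    "keep-state": [Rule("me", None, "any", 1000, keep_state=True)],
    # ipfw add allow tcp from me to any 1000
    # ipfw add allow tcp from any 1000 to me
    "stateless pair": [Rule("me", None, "any", 1000),
                       Rule("any", 1000, "me", None)],
    # ipfw add allow tcp from me to any 1000 setup
    # ipfw add allow tcp from any 1000 to me established
    "setup/established": [Rule("me", None, "any", 1000, setup=True),
                          Rule("any", 1000, "me", None, established=True)],
}

# Constructed sample packets (documentation addresses, not real hosts).
OUTBOUND_SYN = Packet(ME, 40001, "203.0.113.5", 1000, frozenset({"SYN"}))
REPLY_SYNACK = Packet("203.0.113.5", 1000, ME, 40001, frozenset({"SYN", "ACK"}))
# An unsolicited connection attempt to the local SSH port, sent *from* port 1000:
# this is the case Dan's reply warns about.
UNSOLICITED_SYN = Packet("198.51.100.9", 1000, ME, 22, frozenset({"SYN"}))


def run(name: str):
    """Return (outbound, reply, unsolicited) verdicts for one rule set."""
    fw = Firewall(RULESETS[name])
    return (fw.check(OUTBOUND_SYN), fw.check(REPLY_SYNACK), fw.check(UNSOLICITED_SYN))


if __name__ == "__main__":
    for name in RULESETS:
        out, reply, unsolicited = run(name)
        print(f"{name:>18}: outbound={out} reply={reply} unsolicited={unsolicited}")
```

Run as a script, the stateless pair is the only rule set that lets the unsolicited SYN from source port 1000 reach port 22; both `keep-state` and the `setup`/`established` pair reject it while still passing the legitimate reply. The difference between those two is that `keep-state` keys on the exact flow it saw leave, whereas `established` trusts any packet that carries the ACK or RST bit, so the stateless `setup`/`established` form costs no dynamic-table entries but also cannot tell a genuine reply from a crafted ACK.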
