Subject: Re: IPF state and spurious blocks
To: Michael Graff <explorer@flame.org>
From: Darren Reed <darrenr@reed.wattle.id.au>
List: tech-net
Date: 05/28/1999 15:42:22
In some email I received from Michael Graff, sie wrote:
>
> Darren Reed <darrenr@reed.wattle.id.au> writes:
>
> > In some email I received from Michael Graff, sie wrote:
> > >
> > > My largest problems with ipf:
[...]
> > > (2) The state entries are not dynamic. Once you hit 2048,
> > > you're out of state entries. This is once again a problem
> > > with duplicating state. If a UDP socket closes, for
> > > instance, I'd rather have the state vanish, not time out
> > > in 2 minutes.
> >
> > 2048 is an arbitrary number picked at compile time that can be changed.
> > More recent changes in the code allow this to be changed at run-time by
> > doing an "ipf -D", change variable, "ipf -E". At present, however, you'd
> > need to use adb to make such a change since NetBSD doesn't support adding
> > variables to sysctl at run time and ipfilter doesn't have an interface (yet)
> > for changing those variables whilst not running.
>
> Isn't it a hash table of some sort?
What it's stored in is immaterial, really. It should be created when ipf
is enabled and destroyed when disabled. In between, why should the size
be fixed ?
> > > (3) There is no way to filter other than icmp, udp, and tcp.
> > > I'd like to be able to filter out all other "crap" like
> > > GRE tunnels from hosts I don't have a tunnel to, but the
> > > ipf doesn't do this.
> >
> > Well you can filter other protocols, but it doesn't support filtering
> > on other protocol headers. So if GRE has some fancy information in its
> > packets, it does not provide an interface to get at that.
>
> Can I say:
>
> block in on fxp0 proto 4 from any to any
That should work and only block "protocol 4".
> and does
>
> block in on fxp all
>
> block non-ICMP, UDP, TCP packets?
If you do this, what do you get ?
echo 'block in on fxp0 proto 4 from any to any' | ipf -nvf -
Darren
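Added example (not ipf's own code, and not from either poster): a toy Python model of the two rule forms quoted above, using ipf's rule-evaluation semantics as I understand them (last matching rule wins, a "quick" rule ends the search, no match means pass). It shows that "proto 4" matches only IP-in-IP (protocol 4; GRE is protocol 47), while "all" matches every protocol, so a "block ... all" rule only leaves TCP/UDP/ICMP alone if pass rules for them come after it. The rule grammar below is a hand-picked subset, not ipf's full parser.

```python
import re

# IANA protocol numbers for the protocols the thread mentions.
PROTO_NUMBERS = {"icmp": 1, "ipip": 4, "tcp": 6, "udp": 17, "gre": 47}

# Subset of ipf syntax: "<block|pass> <in|out> [quick] on <iface> all"
# or "... on <iface> proto <name|number> from <src> to <dst>".
RULE_RE = re.compile(
    r"^(?P<action>block|pass)\s+(?P<dir>in|out)\s+(?P<quick>quick\s+)?"
    r"on\s+(?P<iface>\S+)\s+"
    r"(?:all|proto\s+(?P<proto>\S+)\s+from\s+\S+\s+to\s+\S+)$"
)


def parse_rule(text):
    """Parse one rule line; raise ValueError for syntax outside the toy subset."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {text!r}")
    proto = m.group("proto")
    if proto is not None:
        proto = int(proto) if proto.isdigit() else PROTO_NUMBERS[proto.lower()]
    return {"action": m.group("action"), "dir": m.group("dir"),
            "quick": m.group("quick") is not None,
            "iface": m.group("iface"), "proto": proto}  # proto None == "all"


def decide(rules, direction, iface, proto):
    """Verdict for a packet: last matching rule wins, 'quick' stops the
    search, and a packet matching no rule is passed (ipf's default)."""
    verdict = "pass"
    for rule in rules:
        if rule["dir"] != direction or rule["iface"] != iface:
            continue
        if rule["proto"] is not None and rule["proto"] != proto:
            continue
        verdict = rule["action"]
        if rule["quick"]:
            break
    return verdict


if __name__ == "__main__":
    only4 = [parse_rule("block in on fxp0 proto 4 from any to any")]
    print("proto 4 rule, GRE (47) inbound:", decide(only4, "in", "fxp0", 47))
    strict = [parse_rule("block in on fxp0 all"),
              parse_rule("pass in on fxp0 proto tcp from any to any"),
              parse_rule("pass in on fxp0 proto udp from any to any"),
              parse_rule("pass in on fxp0 proto icmp from any to any")]
    print("block all + pass tcp/udp/icmp, GRE:", decide(strict, "in", "fxp0", 47))
```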