IPFW IPFW rules latency

ronaldlees

ronaldlees

I had firefox running. Then in a terminal I added the rule:

ipfw add 1001 drop tcp from me to any dst-port 80 setup out via rl0 uid ron

  • Firefox could still visit *any* http site.
  • I exited firefox.
  • I restarted firefox
  • Now firefox could only visit https sites, as I had expected earlier.

Is there a latency issue with ipfw rules loading?
 
Dynamic rules may impose some sort of latency:
See ipfw(8):
... dynamic rules created from a rule before it had been disabled will
still be active until they expire. In order to delete dynamic rules you have to explicitly
delete the parent rule which generated them.
Click to expand...

Are there any keep-state rules with higher rule numbers, which may have opened a dynamic rule for outgoing web traffic, before you added rule number 1001? The lifetime of a respective dynamic rule may have been expired by coincidence once you re-started Firefox.
 
obsigna said:
Dynamic rules may impose some sort of latency:
See ipfw(8):


Are there any keep-state rules with higher rule numbers, which may have opened a dynamic rule for outgoing web traffic, before you added rule number 1001? The lifetime of a respective dynamic rule may have been expired by coincidence once you re-started Firefox.
Click to expand...

Thanks for the idea. I don't think there were any other related rules loaded at the time, but will consider that scenario if I see similar things in the future.
 
You must log in or register to reply here.
Back
Top