What is FW RULE - Advanced Options really for? Is it working?
-
On LAN I've created a rule
Pass : TCP/UDP : LAN net : * : LAN address : 2189 : * // fast UPnP
with
Advanced Options: Maximum state entries per host: 2, State Timeout in seconds: 3
to avoid the state table being overfilled with many short-lived UPnP connections (from Windows workstations where the UPnP indicator is enabled).
But "Show States" still shows A LOT of TIME_WAIT connections. Here is only a fragment (the real number of these connections is bigger):
tcp 192.168.11.254:2189 <- 192.168.11.10:4624 TIME_WAIT:TIME_WAIT
tcp 192.168.11.254:2189 <- 192.168.11.10:4625 TIME_WAIT:TIME_WAIT
tcp 192.168.11.254:2189 <- 192.168.11.10:4626 TIME_WAIT:TIME_WAIT
tcp 192.168.11.254:2189 <- 192.168.11.10:4627 TIME_WAIT:TIME_WAIT
tcp 192.168.11.254:2189 <- 192.168.11.10:4628 TIME_WAIT:TIME_WAIT
tcp 192.168.11.254:2189 <- 192.168.11.10:4629 TIME_WAIT:TIME_WAIT
tcp 192.168.11.254:2189 <- 192.168.11.10:4630 TIME_WAIT:TIME_WAIT
tcp 192.168.11.254:2189 <- 192.168.11.10:4631 TIME_WAIT:TIME_WAIT
tcp 192.168.11.254:2189 <- 192.168.11.10:4632 TIME_WAIT:TIME_WAIT
tcp 192.168.11.254:2189 <- 192.168.11.10:4633 TIME_WAIT:TIME_WAIT
tcp 192.168.11.254:2189 <- 192.168.11.10:4634 TIME_WAIT:TIME_WAIT
tcp 192.168.11.254:2189 <- 192.168.11.10:4635 TIME_WAIT:TIME_WAIT
tcp 192.168.11.254:2189 <- 192.168.11.10:4636 TIME_WAIT:TIME_WAIT
tcp 192.168.11.254:2189 <- 192.168.11.10:4637 TIME_WAIT:TIME_WAIT
tcp 192.168.11.254:2189 <- 192.168.11.10:4638 TIME_WAIT:TIME_WAIT
tcp 192.168.11.254:2189 <- 192.168.11.10:4639 TIME_WAIT:TIME_WAIT
tcp 192.168.11.254:2189 <- 192.168.11.10:4640 TIME_WAIT:TIME_WAIT
tcp 192.168.11.254:2189 <- 192.168.11.10:4641 TIME_WAIT:TIME_WAIT
tcp 192.168.11.254:2189 <- 192.168.11.10:4642 TIME_WAIT:TIME_WAIT
tcp 192.168.11.254:2189 <- 192.168.11.10:4643 TIME_WAIT:TIME_WAIT
tcp 192.168.11.254:2189 <- 192.168.11.10:4644 TIME_WAIT:TIME_WAIT
tcp 192.168.11.254:2189 <- 192.168.11.10:4645 TIME_WAIT:TIME_WAIT
tcp 192.168.11.254:2189 <- 192.168.11.10:4646 TIME_WAIT:TIME_WAIT
tcp 192.168.11.254:2189 <- 192.168.11.10:4647 TIME_WAIT:TIME_WAIT
tcp 192.168.11.254:2189 <- 192.168.11.10:4648 TIME_WAIT:TIME_WAIT
tcp 192.168.11.254:2189 <- 192.168.11.10:4649 TIME_WAIT:TIME_WAIT
tcp 192.168.11.254:2189 <- 192.168.11.10:4650 TIME_WAIT:TIME_WAIT
tcp 192.168.11.254:2189 <- 192.168.11.10:4651 TIME_WAIT:TIME_WAIT
Who is wrong? Am I, in my expectations of the ruleset generator?
UPD:
I've toggled ON logging for this rule, but the firewall log shows nothing! WTF? Do UPnP connections bypass the firewall filter completely? Is this the right way?
-
That rule won't block connections after hitting the limit. It just won't match that rule anymore.
So, if you have another rule underneath that allows all traffic, you won't be limiting connections.
You need to create a rule right after it with the same criteria that actually blocks the traffic.
-
A pair of rules
Pass : TCP/UDP : LAN net : * : LAN address : 2189 : * : log : adv.opt (num 2, state-timeout 3)
Block : TCP/UDP : LAN net : * : LAN address : 2189 : * : log : adv.opt (none)
on top of the ruleset
shows nothing in the fw log
-
It could be like you mentioned, where it gets to the UPnP process on the firewall before reaching the firewall rules.
I just tried creating a block rule for 2189 and I can still get to the UPnP process.
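Added example (editor's note, not code from any poster in this thread): before concluding that UPnP traffic bypasses the ruleset, it is worth checking the state table the way the first post does, but counted per source host and per pf state, since that is what a per-host state limit actually constrains. pf's `max-src-states` (which, to my understanding, is what pfSense's "Maximum state entries per host" generates) counts every state entry a source still holds in the table, including ones already in TIME_WAIT, until they expire; and the per-rule "State Timeout" option maps, again to my understanding, onto pf's `tcp.established` timer only, so a state shown as TIME_WAIT:TIME_WAIT is governed by the separate `tcp.finwait` timer (45 seconds by default in pf) and will linger regardless of that option. The script below parses `pfctl -ss`-style lines (the same layout as the dump in the first post), tallies states per client host for a given service port, and reports hosts holding more states than a chosen `max-src-states` value would permit, which is the symptom of the traffic being matched by some other rule or anchor. The sample lines are constructed for this example and are not the poster's real data; the function names are my own.

```python
"""Tally pf states per client host from pfctl -ss style output.

Constructed example for the thread above; the sample states below are
made up to resemble the "Show States" dump, not copied from a live box.
"""
import re
from collections import Counter, defaultdict

# One state line, e.g.:
#   tcp 192.168.11.254:2189 <- 192.168.11.10:4624 TIME_WAIT:TIME_WAIT
# `pfctl -ss` prefixes each line with an interface name or "all"; the
# pfSense GUI dump omits it, so that column is optional here.
# "<-" means the state was created by an inbound packet from the right
# side; "->" means an outbound packet from the left side.
# IPv4 only: pfctl prints IPv6 as addr[port], NAT states as "a (b) -> c",
# and both are deliberately skipped rather than mis-parsed.
STATE_RE = re.compile(
    r"^(?:\S+\s+)?"
    r"(?P<proto>tcp|udp)\s+"
    r"(?P<left>[0-9.]+):(?P<lport>\d+)\s+"
    r"(?P<arrow><-|->)\s+"
    r"(?P<right>[0-9.]+):(?P<rport>\d+)\s+"
    r"(?P<state>\S+)$"
)

# Constructed sample: 4 TIME_WAIT + 1 ESTABLISHED states from .10 to the
# UPnP port, 1 from .20, plus unrelated SSDP and HTTPS states and a
# header line that must be ignored.
SAMPLE_STATES = """\
PROTO SOURCE -> DESTINATION STATE
tcp 192.168.11.254:2189 <- 192.168.11.10:4624 TIME_WAIT:TIME_WAIT
tcp 192.168.11.254:2189 <- 192.168.11.10:4625 TIME_WAIT:TIME_WAIT
tcp 192.168.11.254:2189 <- 192.168.11.10:4626 TIME_WAIT:TIME_WAIT
tcp 192.168.11.254:2189 <- 192.168.11.10:4627 TIME_WAIT:TIME_WAIT
tcp 192.168.11.254:2189 <- 192.168.11.10:4700 ESTABLISHED:ESTABLISHED
tcp 192.168.11.254:2189 <- 192.168.11.20:51000 ESTABLISHED:ESTABLISHED
udp 192.168.11.254:1900 <- 192.168.11.10:60001 MULTIPLE:SINGLE
all tcp 192.168.11.254:443 <- 192.168.11.10:4650 ESTABLISHED:ESTABLISHED
""".splitlines()


def parse_states(lines):
    """Return one dict per parsable state line, normalised so that
    'client' is the host that initiated the connection and 'service'
    the host/port it connected to, whichever way the arrow points."""
    records = []
    for line in lines:
        m = STATE_RE.match(line.strip())
        if not m:
            continue  # header, blank, IPv6, NAT or otherwise unparsable line
        if m["arrow"] == "<-":
            client, cport = m["right"], int(m["rport"])
            service, sport = m["left"], int(m["lport"])
        else:
            client, cport = m["left"], int(m["lport"])
            service, sport = m["right"], int(m["rport"])
        records.append({"proto": m["proto"], "client": client, "cport": cport,
                        "service": service, "sport": sport, "state": m["state"]})
    return records


def count_per_client(records, service_port):
    """Map client host -> Counter of pf state names, restricted to states
    whose service-side port is service_port."""
    per_client = defaultdict(Counter)
    for r in records:
        if r["sport"] == service_port:
            per_client[r["client"]][r["state"]] += 1
    return per_client


def over_limit(records, service_port, max_src_states):
    """Clients holding more states to service_port than max-src-states
    allows. Every state still in the table counts, TIME_WAIT included, so
    a host exceeding the limit means those states were not created by the
    limited rule (some other rule or anchor passed the traffic)."""
    return {host: sum(states.values())
            for host, states in count_per_client(records, service_port).items()
            if sum(states.values()) > max_src_states}


def report(lines, service_port, max_src_states):
    """Human-readable summary lines, one per client host."""
    records = parse_states(lines)
    out = []
    for host, states in sorted(count_per_client(records, service_port).items()):
        total = sum(states.values())
        flag = " OVER LIMIT" if total > max_src_states else ""
        detail = ", ".join(f"{name}={n}" for name, n in sorted(states.items()))
        out.append(f"{host}: {total} states to :{service_port} ({detail}){flag}")
    return out


if __name__ == "__main__":
    # On a real box: pfctl -ss | python3 this_script.py  (reading stdin)
    import sys
    source = SAMPLE_STATES if sys.stdin.isatty() else sys.stdin.read().splitlines()
    print("\n".join(report(source, 2189, 2)))
```

Run against the sample, host 192.168.11.10 shows five states to :2189 against a limit of two; on a real pfSense box, feed it `pfctl -ss` and look at whether the over-limit hosts match what the log (or lack of it) suggests about which rule the traffic is really hitting.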