From: Dan Pelleg
To: ipfw@freebsd.org
Subject: IPFW2 keep-alive
Date: 28 Jul 2002 10:25:25 -0400

What's the exact mechanism to expire dynamic rules under IPFW2? I understand it's sending keep-alive packets as the rule is about to expire. Is there any way for these to result in the rule being removed?

The behaviour I'm seeing is this: during a network partition, the application program (Mozilla) retried connecting to remote hosts and opened many connections, eventually hitting the LIMIT count. Now the network is back up. However, there is no way to open new connections since the appropriate rule's LIMIT is met.

Repeated runs of "ipfw -d show" show that the rules are refreshed when they have 5-6 seconds to live (and go back to 10 seconds or so). I'm not sure what's doing that - the local application is long terminated.

The only workaround I found was to flush the ruleset (I guess replacing just that rule would have also worked).

--
Dan Pelleg
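As an added example (not from Dan's post or from the ipfw project), the script below diffs two snapshots of "ipfw -d list" output and reports the dynamic entries whose remaining lifetime went up between snapshots, which is the refresh behaviour described above, and counts live entries per parent rule so they can be compared with that rule's LIMIT. The listing layout it parses and both sample snapshots are constructed assumptions, not captured output.

```python
# Added example: diff two "ipfw -d list" snapshots and flag dynamic entries whose
# remaining lifetime went UP, i.e. entries refreshed instead of allowed to expire.
# Assumed layout: "<rule> <pkts> <bytes> (<N>s) STATE <proto> <src> <sport> <-> <dst> <dport>"
import re

DYN_LINE = re.compile(
    r"^(?P<rule>\d{5})\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+\((?P<ttl>\d+)s\)\s+"
    r"(?P<kind>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\d+)\s+<->\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\d+)"
)

def parse_dynamic_rules(listing):
    """Return {flow key: (parent rule number, seconds left)} for each dynamic entry."""
    flows = {}
    for line in listing.splitlines():
        m = DYN_LINE.match(line.strip())
        if not m:
            continue  # skips the "## Dynamic rules" header, static rules, blank lines
        key = (m["proto"], m["src"], m["sport"], m["dst"], m["dport"])
        flows[key] = (m["rule"], int(m["ttl"]))
    return flows

def refreshed_flows(before, after):
    """Flows present in both snapshots whose timer was reset (lifetime increased)."""
    return sorted(
        (key, before[key][0], before[key][1], after[key][1])
        for key in before.keys() & after.keys()
        if after[key][1] > before[key][1]
    )

def per_rule_counts(flows):
    """Live dynamic entries per parent rule, to compare against that rule's LIMIT."""
    counts = {}
    for rule, _ttl in flows.values():
        counts[rule] = counts.get(rule, 0) + 1
    return counts

# Constructed listings about 7 seconds apart: the flows on ports 1025/1026 were
# refreshed back to 10s, while the flow on port 1027 kept counting down to expiry.
SNAP_T0 = """## Dynamic rules (3):
00100        4      240 (6s) STATE tcp 192.0.2.10 1025 <-> 198.51.100.5 80
00100        4      240 (5s) STATE tcp 192.0.2.10 1026 <-> 198.51.100.5 80
00100        2      120 (9s) STATE tcp 192.0.2.10 1027 <-> 198.51.100.7 443
"""
SNAP_T1 = """## Dynamic rules (3):
00100        5      300 (10s) STATE tcp 192.0.2.10 1025 <-> 198.51.100.5 80
00100        5      300 (10s) STATE tcp 192.0.2.10 1026 <-> 198.51.100.5 80
00100        2      120 (2s) STATE tcp 192.0.2.10 1027 <-> 198.51.100.7 443
"""
```

Running refreshed_flows(parse_dynamic_rules(SNAP_T0), parse_dynamic_rules(SNAP_T1)) on these snapshots lists the two refreshed flows with their old and new lifetimes; the same two calls on real snapshots taken a few seconds apart show which entries are being kept alive.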