Skip site navigation (1)Skip section navigation (2) 
Date:      Sun, 4 May 2003 09:28:19 +0300
From:      "Mihail Balikov" <misho@interbgc.com>
To:        <freebsd-ipfw@freebsd.org>
Subject:   Re: src-limit trouble
Message-ID:  <002601c31206$5ab1a080$9bf212d9@interbgc.com>
References:  <Pine.BSI.4.40.0305021452430.17519-100000@buratino.peterlink.ru>
next in thread | previous in thread | raw e-mail | index | archive | help 
this happens when you have more than one rule with "limit" .

I have small patch for 4.7

regards,
Mihail Balikov

----- Original Message -----
From: <maxes@peterlink.ru>
To: <freebsd-ipfw@freebsd.org>
Sent: Friday, May 02, 2003 8:44 PM
Subject: src-limit trouble


>
> I use ipfw2 with dynamic rule like this:
> ipdw add 50 count tcp from any to me dst-port 8000-8005,80 setup limit
src-addr 20
>
> 1)
> In my case,  command "ipfw -d sh" can  show some "LIMIT" rule without
> corresponding "PARENT" rule, for example:
> ipfw -d sh | grep remote.ip
> 00050 9 861 (62s) LIMIT tcp remote.ip 19098 <-> me.ip 80
>
> It's full output, I repeat - no corresponding PARENT rule.
>
> 2)
> If  net.inet.ip.fw.dyn_keepalive=1, then
> on host accumulated FIN_WAIT_2 connections.
> For example:
> netstat -an | grep WAIT_2 | wc -l
> 2178
>
> This FIN_WAIT_2 connection live very long period - 1-1.5 month.
> But if set "sysctl -w net.inet.ip.fw.dyn_keepalive=0 "
> then after (as minimum 5 min = dyn_ack_lifetime ) number of FIN_WAIT_2
> connections decrease to "normal" - 20-40. I set MSL  to 7500.
>
> Question is:
> Why live single LIMIT rule whithout PARENT ?
> Why this connection not closed ?
> In FreeBSD FIN_WAIT_2 has timer  - after 2*MSL (30 sec in
> my case) this connection would be closed, isn't ? But with keep-alive
> this connection's show in netstat, show in ipfw rules.
>
> b.r.
>  Kozin Maxim
>
>
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
>

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?002601c31206$5ab1a080$9bf212d9>