From owner-freebsd-ipfw Tue Dec 17 14:52:10 2002
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 85E7E37B401 for ; Tue, 17 Dec 2002 14:52:09 -0800 (PST)
Received: from delivery.infowest.com (delivery.infowest.com [204.17.177.5]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2343643ED8 for ; Tue, 17 Dec 2002 14:52:09 -0800 (PST) (envelope-from agifford@infowest.com)
Received: from infowest.com (eq.net [208.186.104.163]) by delivery.infowest.com (Postfix) with ESMTP id 342C3E3AD3D for ; Tue, 17 Dec 2002 15:52:00 -0700 (MST)
Message-ID: <3DFFAA6F.8020504@infowest.com>
Date: Tue, 17 Dec 2002 15:51:27 -0700
From: "Aaron D. Gifford"
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.2.1) Gecko/20021130
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: freebsd-ipfw@freebsd.org
Subject: Some IPFW2 stateful dynamic rules won't go away
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk

Hi,

I've got a box with a three month old version of -STABLE on it that's been up for about 80 days. It uses IPFW2. This box delivers a bit of e-mail each day (perhaps 150,000-200,000 deliveries/day) and doesn't really do much else.

Recently it was brought to my attention that a few IPFW2 dynamic stateful TCP rules were hanging around for an excessive amount of time. Two TCP sessions had apparently been created three weeks ago by the mail server, and somehow the dynamic stateful rules that were created by the sessions have persisted for three weeks, sending out the IPFW2-generated TCP keep-alive packets every 5 minutes. On the local mail server side, netstat shows the relevant TCP sockets in the FIN_WAIT_2 state.
On the remote side, the admin's firewall logs kept showing TCP ACK packets arriving every 5 min (the keep-alives, I presume).

So now the questions:

1) Are there IPFW2 changes in the past 90 days MFCd to -STABLE that would fix this? Either way, I will be upgrading to a newer kernel/IPFW2.

2) What sequence of events could have resulted in this state of things in the first place?

Hmmm... Okay, the TCP session was ESTABLISHED, the local box sends FIN to close things, the remote side ACKs the FIN so now the local socket is in FIN_WAIT_2. The remotely sent FIN gets dropped somewhere on the Internet. The remote side's own firewall at some point decides to expire their temp. dynamic rule or whatever. Now my local box's IPFW2 counter runs down and generates an ACK in both directions, keeping the local socket in FIN_WAIT_2 forever, and the ACK sent to the remote side gets silently dropped by their firewall.

Is this plausible? If so, what's to prevent this from happening again?

Thanks!
Aaron out... (off to upgrade to a newer kernel on the box in question)
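The sequence hypothesised in the post can be traced with a small discrete-time model. The following is an added example written for this page, not code from the poster or from ipfw itself. It models an ipfw2-style dynamic TCP rule and the local host's socket with these assumptions (mine, not the post's): the tunable names and defaults mirror the net.inet.ip.fw.dyn_syn_lifetime / dyn_ack_lifetime / dyn_fin_lifetime / dyn_keepalive_interval / dyn_keepalive_period sysctls; a rule that has seen a FIN in only one direction is still treated as established, so keepalives keep being generated and, because the generated ACKs traverse the firewall on the same flow, they re-arm the rule's lifetime; and an orphaned FIN_WAIT_2 socket on the local host is torn down only after MAXIDLE seconds with no incoming segment. The packet schedule and addresses are constructed.

```python
"""Model (added example, not ipfw code) of an ipfw2-style dynamic TCP rule
whose keepalives refresh itself, plus the local socket's FIN_WAIT_2 timer."""
from dataclasses import dataclass

# Assumed tunables, after the ipfw2 sysctl defaults (assumption, not from the post)
SYN_LIFETIME, ACK_LIFETIME, FIN_LIFETIME = 20, 300, 1
KEEPALIVE_INTERVAL, KEEPALIVE_PERIOD = 20, 5   # send keepalive this close to expiry / tick period
MAXIDLE = 600                                   # assumed idle timeout of an orphaned FIN_WAIT_2 socket

SYN, FIN, ACK = 0x02, 0x01, 0x10
FWD, REV = "fwd", "rev"                         # FWD = local mail server -> remote host


@dataclass
class DynRule:
    fwd_flags: int = 0
    rev_flags: int = 0
    expire: int = 0

    def both_syn(self):
        return bool(self.fwd_flags & SYN) and bool(self.rev_flags & SYN)

    def both_fin(self):
        return bool(self.fwd_flags & FIN) and bool(self.rev_flags & FIN)

    def match(self, now, direction, flags):
        """Record the flags seen in this direction and re-arm the rule lifetime."""
        if direction == FWD:
            self.fwd_flags |= flags
        else:
            self.rev_flags |= flags
        if not self.both_syn():
            self.expire = now + SYN_LIFETIME      # still opening
        elif self.both_fin():
            self.expire = now + FIN_LIFETIME      # both sides closed: short life
        else:
            self.expire = now + ACK_LIFETIME      # established, or closed on ONE side only


@dataclass
class LocalTcp:
    state: str = "ESTABLISHED"
    last_rx: int = 0

    def rx(self, now, flags):
        self.last_rx = now                        # any received segment resets the idle clock
        if self.state == "FIN_WAIT_1" and flags & ACK:
            self.state = "FIN_WAIT_2"
        if self.state in ("FIN_WAIT_1", "FIN_WAIT_2") and flags & FIN:
            self.state = "TIME_WAIT"

    def timer(self, now):
        if self.state == "FIN_WAIT_2" and now - self.last_rx > MAXIDLE:
            self.state = "CLOSED"


def simulate(remote_fin_delivered, keepalive, horizon=3600):
    """Run one session for `horizon` seconds; the remote FIN is lost unless delivered."""
    rule, local, alive, expired_at, keepalives = DynRule(), LocalTcp(), True, None, 0
    schedule = {                                  # constructed packet schedule
        0: [(FWD, SYN), (REV, SYN | ACK), (FWD, ACK)],
        10: [(FWD, FIN | ACK), (REV, ACK)],       # local side closes, remote ACKs the FIN
    }
    if remote_fin_delivered:
        schedule[11] = [(REV, FIN | ACK), (FWD, ACK)]
    for now in range(horizon + 1):
        for direction, flags in schedule.get(now, []):
            if direction == FWD and flags & FIN:
                local.state = "FIN_WAIT_1"
            rule.match(now, direction, flags)
            if direction == REV:
                local.rx(now, flags)
        if alive and now % KEEPALIVE_PERIOD == 0:  # the periodic ipfw_tick-style sweep
            if rule.expire <= now:
                alive, expired_at = False, now
            elif keepalive and rule.both_syn() and now + KEEPALIVE_INTERVAL > rule.expire:
                keepalives += 1
                rule.match(now, FWD, ACK)         # keepalive toward remote: refreshes the rule,
                rule.match(now, REV, ACK)         # is dropped by the remote firewall
                local.rx(now, ACK)                # keepalive toward the local socket
        local.timer(now)
    return {"rule_alive": alive, "rule_expired_at": expired_at,
            "keepalives": keepalives, "local_state": local.state}


if __name__ == "__main__":
    for fin, ka in ((True, True), (False, True), (False, False)):
        print(f"remote FIN delivered={fin} keepalive={ka}:", simulate(fin, ka))
```

With the remote FIN delivered the rule sees both FINs and drops to FIN_LIFETIME, so it is gone at the next sweep and the socket reaches TIME_WAIT. With the FIN lost and keepalives on, the rule stays half-closed, each keepalive re-arms it for another ACK_LIFETIME (about every 5 minutes here), and the incoming keepalive ACK keeps the local socket's idle clock below MAXIDLE, so FIN_WAIT_2 persists for the whole run. With keepalives off (net.inet.ip.fw.dyn_keepalive=0 in ipfw2 terms) the same lost FIN lets the rule expire after ACK_LIFETIME and the socket after MAXIDLE.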