Date: Sat, 27 Mar 2010 05:31:34 -0400
From: Linda Messerschmidt <linda.messerschmidt@gmail.com>
To: freebsd-pf@freebsd.org
Subject: Sockets stuck in FIN_WAIT_1 not detected by pf
Message-ID: <237c27101003270231p77f54bfcn2db6ed1fa50eaab8@mail.gmail.com>
Hi all,

I have a 7.2-STABLE machine with the old "hostile client causes Apache sockets to persist forever in FIN_WAIT_1" problem. These connections hang forever as long as the client continues to send packets advertising a 0 window size; I believe this problem is pretty well-understood. (And essentially impossible to fix.)

What I wanted to do was work around it using the pf tcp.closing timeout to get rid of them. However, pf isn't detecting the move to FIN_WAIT_1:

> netstat -an | fgrep 6.7.8.9 | fgrep .24
tcp4       0 1049615 2.3.4.5.443     6.7.8.9.24113   FIN_WAIT_1
tcp4       0 1049618 2.3.4.5.443     6.7.8.9.24107   FIN_WAIT_1
tcp4       0 1048731 2.3.4.5.443     6.7.8.9.24104   FIN_WAIT_1
tcp4       0 1047829 2.3.4.5.443     6.7.8.9.24102   FIN_WAIT_1
tcp4       0 1049618 2.3.4.5.443     6.7.8.9.24098   FIN_WAIT_1
tcp4       0 1049618 2.3.4.5.443     6.7.8.9.24096   FIN_WAIT_1
tcp4       0 1049620 2.3.4.5.443     6.7.8.9.24094   FIN_WAIT_1
tcp4       0 1048012 2.3.4.5.443     6.7.8.9.24039   FIN_WAIT_1
tcp4       0 1049620 2.3.4.5.443     6.7.8.9.24035   FIN_WAIT_1
tcp4       0 1049187 2.3.4.5.443     6.7.8.9.24018   FIN_WAIT_1
tcp4       0 1049616 2.3.4.5.443     6.7.8.9.24013   FIN_WAIT_1
tcp4       0 1049619 2.3.4.5.443     6.7.8.9.24011   FIN_WAIT_1

> sudo pfctl -s state | fgrep 6.7.8.9 | fgrep :24
all tcp 2.3.4.5:443 <- 6.7.8.9:24011       ESTABLISHED:ESTABLISHED
all tcp 2.3.4.5:443 <- 6.7.8.9:24013       ESTABLISHED:ESTABLISHED
all tcp 2.3.4.5:443 <- 6.7.8.9:24018       ESTABLISHED:ESTABLISHED
all tcp 2.3.4.5:443 <- 6.7.8.9:24035       ESTABLISHED:ESTABLISHED
all tcp 2.3.4.5:443 <- 6.7.8.9:24039       ESTABLISHED:ESTABLISHED
all tcp 2.3.4.5:443 <- 6.7.8.9:24094       ESTABLISHED:ESTABLISHED
all tcp 2.3.4.5:443 <- 6.7.8.9:24096       ESTABLISHED:ESTABLISHED
all tcp 2.3.4.5:443 <- 6.7.8.9:24098       ESTABLISHED:ESTABLISHED
all tcp 2.3.4.5:443 <- 6.7.8.9:24102       ESTABLISHED:ESTABLISHED
all tcp 2.3.4.5:443 <- 6.7.8.9:24104       ESTABLISHED:ESTABLISHED
all tcp 2.3.4.5:443 <- 6.7.8.9:24107       ESTABLISHED:ESTABLISHED
all tcp 2.3.4.5:443 <- 6.7.8.9:24113       ESTABLISHED:ESTABLISHED
>

Is this a bug in pf, or have I configured it improperly somehow?

The rule that creates the state entries is just:

pass in on $ext_if inet proto tcp from any to <web_ips> port { 80, 443 }

which pf seems to parse into:

pass in on em0 inet proto tcp from any to <web_ips> port = https flags S/SA keep state

That looks fine to me, so I have no idea what's happening here.

Thanks for any insight!
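The mismatch in the mail (kernel socket in FIN_WAIT_1 with a large Send-Q, pf state still ESTABLISHED:ESTABLISHED) is the kind of thing worth watching for on a box exposed to zero-window clients, because a state that pf still considers established is governed by tcp.established rather than tcp.closing. The script below is an added example, not code from the poster or from the pf project: it parses `netstat -an` and `pfctl -s state` output in the formats shown in this mail and lists the connections where the two disagree. The sample text embedded in it is constructed to mirror the listing above; the regular expression assumes the one-line state format shown here (entries with NAT'd addresses in parentheses are skipped), and the `min_sendq` threshold and function names are this example's own.

```python
"""Correlate FreeBSD netstat socket states with pf state-table entries.

Added example: finds sockets the kernel reports as FIN_WAIT_1 while pf
still tracks the same connection as ESTABLISHED:ESTABLISHED.
"""
import re
import subprocess
from collections import namedtuple

# Constructed sample output modelled on the mail's listing (not a live capture).
NETSTAT_SAMPLE = """\
tcp4       0 1049615 2.3.4.5.443     6.7.8.9.24113   FIN_WAIT_1
tcp4       0 1049618 2.3.4.5.443     6.7.8.9.24107   FIN_WAIT_1
tcp4       0       0 2.3.4.5.443     6.7.8.9.24200   ESTABLISHED
tcp4       0       0 2.3.4.5.443     6.7.8.9.24201   FIN_WAIT_2
tcp4       0       0 *.443           *.*             LISTEN
"""

PF_SAMPLE = """\
all tcp 2.3.4.5:443 <- 6.7.8.9:24113       ESTABLISHED:ESTABLISHED
all tcp 2.3.4.5:443 <- 6.7.8.9:24107       ESTABLISHED:ESTABLISHED
all tcp 2.3.4.5:443 <- 6.7.8.9:24200       ESTABLISHED:ESTABLISHED
all tcp 2.3.4.5:443 <- 6.7.8.9:24201       FIN_WAIT_2:FIN_WAIT_2
"""

Socket = namedtuple("Socket", "local foreign sendq state")

# pf prints "<iface> tcp <a> -> <b> <state>" (or "<-" for inbound states).
PF_LINE = re.compile(
    r"^(?P<iface>\S+)\s+tcp\s+(?P<a>\S+)\s+(->|<-)\s+(?P<b>\S+)\s+(?P<state>\S+)$"
)


def _split_addr(addr, sep):
    # netstat separates host and port with "." and pf with ":"; the port is
    # the last field, so split from the right. Non-numeric ports ("*") stay strings.
    host, _, port = addr.rpartition(sep)
    return host, int(port) if port.isdigit() else port


def parse_netstat(text):
    """Return Socket records for every TCP line in `netstat -an` output."""
    socks = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or not parts[0].startswith("tcp"):
            continue  # headers, UDP, unix sockets
        _proto, _recvq, sendq, local, foreign, state = parts
        socks.append(Socket(_split_addr(local, "."), _split_addr(foreign, ":" if ":" in foreign and "." not in foreign else "."), int(sendq), state))
    return socks


def parse_pf_states(text):
    """Map each connection (unordered endpoint pair) to its pf state string."""
    states = {}
    for line in text.splitlines():
        m = PF_LINE.match(line.strip())
        if not m:
            continue  # NAT'd or differently formatted entries are skipped
        key = frozenset({_split_addr(m.group("a"), ":"), _split_addr(m.group("b"), ":")})
        states[key] = m.group("state")
    return states


def find_stuck(socks, states, min_sendq=0):
    """Sockets in FIN_WAIT_1 (with at least min_sendq bytes queued) that pf
    still tracks as fully established. Returns (Socket, pf_state) pairs."""
    stuck = []
    for s in socks:
        if s.state != "FIN_WAIT_1" or s.sendq < min_sendq:
            continue
        pf_state = states.get(frozenset({s.local, s.foreign}))
        if pf_state == "ESTABLISHED:ESTABLISHED":
            stuck.append((s, pf_state))
    return stuck


def run_live():
    """Collect the same two listings from the running system (FreeBSD, needs
    privileges for pfctl) and return the mismatching connections."""
    ns = subprocess.run(["netstat", "-an"], capture_output=True, text=True, check=True).stdout
    pf = subprocess.run(["pfctl", "-s", "state"], capture_output=True, text=True, check=True).stdout
    return find_stuck(parse_netstat(ns), parse_pf_states(pf))


if __name__ == "__main__":
    for sock, pf_state in find_stuck(parse_netstat(NETSTAT_SAMPLE), parse_pf_states(PF_SAMPLE)):
        print("%s:%s <- %s:%s  kernel=%s sendq=%d pf=%s" % (
            sock.local + sock.foreign + (sock.state, sock.sendq, pf_state)))
```

Run as-is it reports the two constructed FIN_WAIT_1 entries whose pf state is still ESTABLISHED:ESTABLISHED; `run_live()` does the same against a live system. Counting these over time tells you how large the backlog of zero-window stalls actually is, which is the number you need before deciding whether a shorter tcp.established timeout is acceptable for the host.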