Date:      Sat, 27 Mar 2010 05:31:34 -0400
From:      Linda Messerschmidt <linda.messerschmidt@gmail.com>
To:        freebsd-pf@freebsd.org
Subject:   Sockets stuck in FIN_WAIT_1 not detected by pf
Message-ID:  <237c27101003270231p77f54bfcn2db6ed1fa50eaab8@mail.gmail.com>

Hi all,

I have a 7.2-STABLE machine with the old "hostile client causes Apache
sockets to persist forever in FIN_WAIT_1" problem.

These connections hang forever as long as the client continues to send
packets advertising a 0 window size; I believe this problem is pretty
well-understood.  (And essentially impossible to fix.)

What I wanted to do was work around it using the pf tcp.closing
timeout to get rid of them.  However, pf isn't detecting the move to
FIN_WAIT_1:

> netstat -an | fgrep 6.7.8.9 | fgrep .24
tcp4       0 1049615 2.3.4.5.443      6.7.8.9.24113  FIN_WAIT_1
tcp4       0 1049618 2.3.4.5.443      6.7.8.9.24107  FIN_WAIT_1
tcp4       0 1048731 2.3.4.5.443      6.7.8.9.24104  FIN_WAIT_1
tcp4       0 1047829 2.3.4.5.443      6.7.8.9.24102  FIN_WAIT_1
tcp4       0 1049618 2.3.4.5.443      6.7.8.9.24098  FIN_WAIT_1
tcp4       0 1049618 2.3.4.5.443      6.7.8.9.24096  FIN_WAIT_1
tcp4       0 1049620 2.3.4.5.443      6.7.8.9.24094  FIN_WAIT_1
tcp4       0 1048012 2.3.4.5.443      6.7.8.9.24039  FIN_WAIT_1
tcp4       0 1049620 2.3.4.5.443      6.7.8.9.24035  FIN_WAIT_1
tcp4       0 1049187 2.3.4.5.443      6.7.8.9.24018  FIN_WAIT_1
tcp4       0 1049616 2.3.4.5.443      6.7.8.9.24013  FIN_WAIT_1
tcp4       0 1049619 2.3.4.5.443      6.7.8.9.24011  FIN_WAIT_1
> sudo pfctl -s state | fgrep 6.7.8.9 | fgrep :24
all tcp 2.3.4.5:443 <- 6.7.8.9:24011       ESTABLISHED:ESTABLISHED
all tcp 2.3.4.5:443 <- 6.7.8.9:24013       ESTABLISHED:ESTABLISHED
all tcp 2.3.4.5:443 <- 6.7.8.9:24018       ESTABLISHED:ESTABLISHED
all tcp 2.3.4.5:443 <- 6.7.8.9:24035       ESTABLISHED:ESTABLISHED
all tcp 2.3.4.5:443 <- 6.7.8.9:24039       ESTABLISHED:ESTABLISHED
all tcp 2.3.4.5:443 <- 6.7.8.9:24094       ESTABLISHED:ESTABLISHED
all tcp 2.3.4.5:443 <- 6.7.8.9:24096       ESTABLISHED:ESTABLISHED
all tcp 2.3.4.5:443 <- 6.7.8.9:24098       ESTABLISHED:ESTABLISHED
all tcp 2.3.4.5:443 <- 6.7.8.9:24102       ESTABLISHED:ESTABLISHED
all tcp 2.3.4.5:443 <- 6.7.8.9:24104       ESTABLISHED:ESTABLISHED
all tcp 2.3.4.5:443 <- 6.7.8.9:24107       ESTABLISHED:ESTABLISHED
all tcp 2.3.4.5:443 <- 6.7.8.9:24113       ESTABLISHED:ESTABLISHED
>

Is this a bug in pf, or have I configured it improperly somehow?  The
rule that creates the state entries is just:

pass in on $ext_if inet proto tcp from any to <web_ips> port { 80, 443 }

which pf seems to parse into:

pass in on em0 inet proto tcp from any to <web_ips> port = https flags
S/SA keep state

That looks fine to me, so I have no idea what's happening here.

Thanks for any insight!
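As an added example (not part of the post, nor code from pf or FreeBSD), a small Python script that correlates the two outputs above and lists the sockets the kernel reports as FIN_WAIT_1 with data still in Send-Q while pf still reports ESTABLISHED on both sides. The explanation assumed here is that the FIN is queued behind the unsent data and the peer's zero window, so it never reaches the wire for pf to observe, which is why tcp.closing cannot age those states out; the sample lines are constructed in the format of the post's output, and in practice the functions would be fed the live `netstat -an` and `pfctl -s state` text.

```python
from typing import Dict, List, Tuple
# Constructed sample lines in the format of the netstat -an and pfctl -s state
# output quoted in the post (the post's placeholder addresses, not real hosts).
NETSTAT_SAMPLE = """\
tcp4       0 1049615 2.3.4.5.443      6.7.8.9.24113  FIN_WAIT_1
tcp4       0       0 2.3.4.5.443      6.7.8.9.24200  ESTABLISHED
tcp4       0 1048731 2.3.4.5.443      6.7.8.9.24104  FIN_WAIT_1
"""
PFCTL_SAMPLE = """\
all tcp 2.3.4.5:443 <- 6.7.8.9:24113       ESTABLISHED:ESTABLISHED
all tcp 2.3.4.5:443 <- 6.7.8.9:24200       ESTABLISHED:ESTABLISHED
all tcp 2.3.4.5:443 <- 6.7.8.9:24104       FIN_WAIT_2:FIN_WAIT_2
"""
Key = Tuple[str, str, str, str]  # (local host, local port, remote host, remote port)

def split_host_port(addr: str) -> Tuple[str, str]:
    """netstat joins host and port with the last '.', pfctl with ':'."""
    host, _, port = addr.rpartition(":" if ":" in addr else ".")
    return host, port

def parse_netstat(text: str) -> Dict[Key, Tuple[int, str]]:
    """Map each TCP socket to (Send-Q bytes, kernel TCP state)."""
    conns: Dict[Key, Tuple[int, str]] = {}
    for line in text.splitlines():
        f = line.split()  # proto recv-q send-q local remote state
        if len(f) == 6 and f[0].startswith("tcp"):
            conns[split_host_port(f[3]) + split_host_port(f[4])] = (int(f[2]), f[5])
    return conns

def parse_pf_states(text: str) -> Dict[Key, Tuple[str, str]]:
    """Map each pf TCP state to its (left side, right side) state pair; pf prints
    the local end on the left of the arrow, as in the post's output."""
    states: Dict[Key, Tuple[str, str]] = {}
    for line in text.splitlines():
        f = line.split()  # iface proto local arrow remote state:state
        if len(f) == 6 and f[1] == "tcp":
            left, right = f[5].split(":")
            states[split_host_port(f[2]) + split_host_port(f[4])] = (left, right)
    return states

def find_stuck(netstat_text: str, pf_text: str) -> List[Tuple[str, str, int]]:
    """Sockets the kernel has closed (FIN_WAIT_1 with data still queued) whose pf
    state never left ESTABLISHED, i.e. the FIN has not yet reached the wire."""
    pf = parse_pf_states(pf_text)
    stuck = []
    for key, (send_q, state) in parse_netstat(netstat_text).items():
        if (state == "FIN_WAIT_1" and send_q > 0
                and pf.get(key) == ("ESTABLISHED", "ESTABLISHED")):
            stuck.append((key[2], key[3], send_q))
    return stuck
```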