From owner-freebsd-pf@FreeBSD.ORG Sat Mar 27 09:31:36 2010
From: Linda Messerschmidt
To: freebsd-pf@freebsd.org
Date: Sat, 27 Mar 2010 05:31:34 -0400
Message-ID: <237c27101003270231p77f54bfcn2db6ed1fa50eaab8@mail.gmail.com>
Subject: Sockets stuck in FIN_WAIT_1 not detected by pf
List-Id: "Technical discussion and general questions about packet filter (pf)"
Hi all,

I have a 7.2-STABLE machine with the old "hostile client causes Apache sockets to persist forever in FIN_WAIT_1" problem. These connections hang forever as long as the client continues to send packets advertising a 0 window size; I believe this problem is pretty well-understood. (And essentially impossible to fix.)

What I wanted to do was work around it using the pf tcp.closing timeout to get rid of them. However, pf isn't detecting the move to FIN_WAIT_1:

> netstat -an | fgrep 6.7.8.9 | fgrep .24
tcp4       0 1049615 2.3.4.5.443            6.7.8.9.24113          FIN_WAIT_1
tcp4       0 1049618 2.3.4.5.443            6.7.8.9.24107          FIN_WAIT_1
tcp4       0 1048731 2.3.4.5.443            6.7.8.9.24104          FIN_WAIT_1
tcp4       0 1047829 2.3.4.5.443            6.7.8.9.24102          FIN_WAIT_1
tcp4       0 1049618 2.3.4.5.443            6.7.8.9.24098          FIN_WAIT_1
tcp4       0 1049618 2.3.4.5.443            6.7.8.9.24096          FIN_WAIT_1
tcp4       0 1049620 2.3.4.5.443            6.7.8.9.24094          FIN_WAIT_1
tcp4       0 1048012 2.3.4.5.443            6.7.8.9.24039          FIN_WAIT_1
tcp4       0 1049620 2.3.4.5.443            6.7.8.9.24035          FIN_WAIT_1
tcp4       0 1049187 2.3.4.5.443            6.7.8.9.24018          FIN_WAIT_1
tcp4       0 1049616 2.3.4.5.443            6.7.8.9.24013          FIN_WAIT_1
tcp4       0 1049619 2.3.4.5.443            6.7.8.9.24011          FIN_WAIT_1

> sudo pfctl -s state | fgrep 6.7.8.9 | fgrep :24
all tcp 2.3.4.5:443 <- 6.7.8.9:24011       ESTABLISHED:ESTABLISHED
all tcp 2.3.4.5:443 <- 6.7.8.9:24013       ESTABLISHED:ESTABLISHED
all tcp 2.3.4.5:443 <- 6.7.8.9:24018       ESTABLISHED:ESTABLISHED
all tcp 2.3.4.5:443 <- 6.7.8.9:24035       ESTABLISHED:ESTABLISHED
all tcp 2.3.4.5:443 <- 6.7.8.9:24039       ESTABLISHED:ESTABLISHED
all tcp 2.3.4.5:443 <- 6.7.8.9:24094       ESTABLISHED:ESTABLISHED
all tcp 2.3.4.5:443 <- 6.7.8.9:24096       ESTABLISHED:ESTABLISHED
all tcp 2.3.4.5:443 <- 6.7.8.9:24098       ESTABLISHED:ESTABLISHED
all tcp 2.3.4.5:443 <- 6.7.8.9:24102       ESTABLISHED:ESTABLISHED
all tcp 2.3.4.5:443 <- 6.7.8.9:24104       ESTABLISHED:ESTABLISHED
all tcp 2.3.4.5:443 <- 6.7.8.9:24107       ESTABLISHED:ESTABLISHED
all tcp 2.3.4.5:443 <- 6.7.8.9:24113       ESTABLISHED:ESTABLISHED

Is this a bug in pf, or have I configured it improperly somehow?

The rule that creates the state entries is just:

pass in on $ext_if inet proto tcp from any to port { 80, 443 }

which pf seems to parse into:

pass in on em0 inet proto tcp from any to port = https flags S/SA keep state

That looks fine to me, so I have no idea what's happening here.

Thanks for any insight!
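The mismatch in the post can be checked mechanically. pf only advances a state entry when it forwards a FIN, whereas the kernel moves a socket to FIN_WAIT_1 as soon as the application closes it; when the peer advertises a zero window, the queued data (the non-zero Send-Q column above) and the FIN behind it are never transmitted, so pf has nothing to observe and the tcp.closing timer never starts. The script below is an added example, not code from the original post or from pf: it parses `netstat -an` and `pfctl -s state` output, joins them on the local/remote endpoint pair, and reports sockets the kernel is closing while pf still shows ESTABLISHED:ESTABLISHED. The sample outputs embedded in it are constructed from the addresses in the post; `find_stuck_closes` and the other function names are this example's own.

```python
"""Cross-check kernel TCP socket states against pf's state table.

Added example, not code from the original post or from pf itself. It parses
`netstat -an` and `pfctl -s state` output and reports connections the kernel
already shows in a closing state (FIN_WAIT_1 etc.) while pf still shows
ESTABLISHED:ESTABLISHED, i.e. pf has not seen a FIN from either side.
"""
import re
import sys

# Constructed sample of `netstat -an` on the firewall host (FreeBSD layout:
# proto, Recv-Q, Send-Q, local address, foreign address, state).
NETSTAT_SAMPLE = """\
tcp4       0 1049615 2.3.4.5.443            6.7.8.9.24113          FIN_WAIT_1
tcp4       0 1049618 2.3.4.5.443            6.7.8.9.24107          FIN_WAIT_1
tcp4       0       0 2.3.4.5.443            6.7.8.9.24050          ESTABLISHED
tcp4       0       0 2.3.4.5.443            6.7.8.9.24001          FIN_WAIT_1
tcp4       0       0 *.443                  *.*                    LISTEN
"""

# Constructed sample of `pfctl -s state` for the same connections.
PFCTL_SAMPLE = """\
all tcp 2.3.4.5:443 <- 6.7.8.9:24113       ESTABLISHED:ESTABLISHED
all tcp 2.3.4.5:443 <- 6.7.8.9:24107       ESTABLISHED:ESTABLISHED
all tcp 2.3.4.5:443 <- 6.7.8.9:24050       ESTABLISHED:ESTABLISHED
all tcp 2.3.4.5:443 <- 6.7.8.9:24001       FIN_WAIT_2:FIN_WAIT_2
"""

# Kernel states in which the local side has already closed (FIN sent or queued).
CLOSING_SOCKET_STATES = {"FIN_WAIT_1", "FIN_WAIT_2", "CLOSING", "LAST_ACK"}

NETSTAT_RE = re.compile(r"^tcp[46]?\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
# iface proto local:port [(nat addr:port)] <-|->|<-> remote:port  SRC:DST
PF_STATE_RE = re.compile(
    r"^(\S+)\s+tcp\s+(\S+):(\d+)(?:\s+\(\S+\))?\s+(<->|<-|->)\s+(\S+):(\d+)\s+(\S+)\s*$"
)


def _split_netstat_addr(addr):
    """'2.3.4.5.443' -> ('2.3.4.5', 443); None for wildcard ('*.*') sockets."""
    host, _, port = addr.rpartition(".")
    if not port.isdigit():
        return None
    return host, int(port)


def parse_netstat(text):
    """Map (lhost, lport, rhost, rport) -> {'state', 'sendq', 'recvq'}."""
    socks = {}
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        recvq, sendq, laddr, raddr, state = m.groups()
        local, remote = _split_netstat_addr(laddr), _split_netstat_addr(raddr)
        if local is None or remote is None:
            continue  # listening / wildcard socket, not a connection
        socks[local + remote] = {"state": state, "sendq": int(sendq), "recvq": int(recvq)}
    return socks


def parse_pf_states(text):
    """Map (lhost, lport, rhost, rport) -> pf 'SRC:DST' state string.

    pfctl prints the local endpoint first for both '->' (outbound) and
    '<-' (inbound) entries, so the key lines up with netstat's local/foreign.
    """
    states = {}
    for line in text.splitlines():
        m = PF_STATE_RE.match(line)
        if not m:
            continue
        _iface, lhost, lport, _direction, rhost, rport, state = m.groups()
        states[(lhost, int(lport), rhost, int(rport))] = state
    return states


def find_stuck_closes(netstat_text, pfctl_text):
    """Connections the kernel is closing but pf still tracks as fully established."""
    socks = parse_netstat(netstat_text)
    pf_states = parse_pf_states(pfctl_text)
    stuck = []
    for key, sock in sorted(socks.items()):
        if sock["state"] not in CLOSING_SOCKET_STATES:
            continue
        pf_state = pf_states.get(key)
        if pf_state != "ESTABLISHED:ESTABLISHED":
            continue  # pf saw a FIN (or has no entry), so tcp.closing can apply
        lhost, lport, rhost, rport = key
        stuck.append({
            "local": f"{lhost}:{lport}",
            "remote": f"{rhost}:{rport}",
            "socket_state": sock["state"],
            "pf_state": pf_state,
            # Unsent data in Send-Q means the FIN is queued behind it and has
            # never been put on the wire, so pf has had nothing to observe.
            "fin_unsent": sock["sendq"] > 0,
        })
    return stuck


def main(argv):
    """Usage: script.py [netstat-output-file pfctl-output-file]; default: samples."""
    if len(argv) == 3:
        with open(argv[1]) as f:
            netstat_text = f.read()
        with open(argv[2]) as f:
            pfctl_text = f.read()
    else:
        netstat_text, pfctl_text = NETSTAT_SAMPLE, PFCTL_SAMPLE
    for entry in find_stuck_closes(netstat_text, pfctl_text):
        print("{local} <- {remote}: socket {socket_state}, pf {pf_state}, "
              "FIN still queued: {fin_unsent}".format(**entry))


if __name__ == "__main__":
    main(sys.argv)
```

On the real host, save `netstat -an` and `pfctl -s state` to two files and pass them as arguments. Entries flagged with "FIN still queued: True" are the ones tcp.closing can never reach, because from pf's point of view the connection is still established and only the tcp.established timer (or a pfctl -k of the state) applies to them.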