Date:      Fri, 2 May 2003 21:44:19 +0400 (MSD)
Subject:   src-limit trouble


I use ipfw2 with a dynamic rule like this:
ipfw add 50 count tcp from any to me dst-port 8000-8005,80 setup limit src-addr 20

In my case, the command "ipfw -d sh" can show some "LIMIT" rules without a
corresponding "PARENT" rule, for example:
ipfw -d sh | grep remote.ip
00050 9 861 (62s) LIMIT tcp remote.ip 19098 <-> me.ip 80

That is the full output; I repeat, there is no corresponding PARENT rule.

If net.inet.ip.fw.dyn_keepalive=1, then
FIN_WAIT_2 connections accumulate on the host.
For example:
netstat -an | grep WAIT_2 | wc -l

These FIN_WAIT_2 connections live for a very long period, 1-1.5 months.
But if I set "sysctl -w net.inet.ip.fw.dyn_keepalive=0",
then after (at minimum) 5 min (= dyn_ack_lifetime) the number of FIN_WAIT_2
connections decreases to "normal", 20-40. I set MSL to 7500.

My questions are:
Why does a single LIMIT rule live without a PARENT?
Why is this connection not closed?
In FreeBSD, FIN_WAIT_2 has a timer: after 2*MSL (30 sec in
my case) this connection should be closed, shouldn't it? But with keep-alive
this connection shows up in netstat and shows up in the ipfw rules.

 Kozin Maxim
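As an added example (not part of the original post), a small script that performs the check described above: it parses "ipfw -d show" output and lists LIMIT entries that have no PARENT entry for the same rule number and source address. It assumes the limit key is src-addr, as in the rule quoted in the post; the PARENT line shape and the sample output are constructed, not captured from a real host.

```python
import re

# Constructed sample of `ipfw -d show` output (not captured from a real host).
# The LIMIT line shape follows the post; the PARENT line shape is an assumption.
SAMPLE = """\
00050 allow tcp from any to me dst-port 8000-8005,80 setup limit src-addr 20
## Dynamic rules:
00050 12 1504 (4s) PARENT 1 tcp 192.0.2.10 0 <-> 0.0.0.0 0
00050 11 1432 (300s) LIMIT tcp 192.0.2.10 41000 <-> 198.51.100.5 80
00050 9 861 (62s) LIMIT tcp 192.0.2.77 19098 <-> 198.51.100.5 80
"""

# rule pkts bytes (lifetime) KIND [count] proto src sport <-> dst dport
DYN_RE = re.compile(
    r"^(?P<rule>\d+)\s+\d+\s+\d+\s+\((?P<life>\d+)s\)\s+(?P<kind>PARENT|LIMIT)\s+"
    r"(?:(?P<count>\d+)\s+)?(?P<proto>\S+)\s+(?P<src>\S+)\s+\d+\s+<->\s+(?P<dst>\S+)\s+\d+$"
)


def parse_dynamic(text):
    """Return the dynamic-rule entries; static rules and headers are skipped."""
    entries = []
    for line in text.splitlines():
        m = DYN_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["rule"] = int(d["rule"])
            d["life"] = int(d["life"])
            entries.append(d)
    return entries


def orphan_limits(text):
    """LIMIT entries whose (rule, src-addr) has no PARENT entry.

    Assumes the limit key is src-addr; for dst-addr/ports the key would differ.
    """
    entries = parse_dynamic(text)
    parents = {(e["rule"], e["src"]) for e in entries if e["kind"] == "PARENT"}
    return [e for e in entries
            if e["kind"] == "LIMIT" and (e["rule"], e["src"]) not in parents]


if __name__ == "__main__":
    for e in orphan_limits(SAMPLE):
        print("orphan LIMIT: rule %05d %s %s -> %s (%ds left)"
              % (e["rule"], e["proto"], e["src"], e["dst"], e["life"]))
```

On a live host, feed the script the real output (e.g. `ipfw -d show | python3 script.py` with `sys.stdin.read()` in place of SAMPLE).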
