Date:      Fri, 2 May 2003 21:44:19 +0400 (MSD)
From:      maxes@peterlink.ru
To:        freebsd-ipfw@freebsd.org
Subject:   src-limit trouble
Message-ID:  <Pine.BSI.4.40.0305021452430.17519-100000@buratino.peterlink.ru>


I use ipfw2 with a dynamic rule like this:
ipfw add 50 count tcp from any to me dst-port 8000-8005,80 setup limit src-addr 20

1)
In my case, the command "ipfw -d sh" can show a "LIMIT" rule without a
corresponding "PARENT" rule, for example:
ipfw -d sh | grep remote.ip
00050 9 861 (62s) LIMIT tcp remote.ip 19098 <-> me.ip 80

That is the full output; I repeat, there is no corresponding PARENT rule.

2)
If net.inet.ip.fw.dyn_keepalive=1, then
FIN_WAIT_2 connections accumulate on the host.
For example:
netstat -an | grep WAIT_2 | wc -l
2178

These FIN_WAIT_2 connections live for a very long period - 1-1.5 months.
But if I set "sysctl -w net.inet.ip.fw.dyn_keepalive=0",
then after (at minimum 5 min = dyn_ack_lifetime) the number of FIN_WAIT_2
connections decreases to "normal" - 20-40. I set MSL to 7500.

The questions are:
Why does a single LIMIT rule live without a PARENT?
Why is this connection not closed?
In FreeBSD FIN_WAIT_2 has a timer - after 2*MSL (30 sec in
my case) this connection would be closed, isn't it? But with keep-alive
this connection shows in netstat and in the ipfw rules.

b.r.
 Kozin Maxim
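The first question above is about LIMIT entries that appear in "ipfw -d show" with no PARENT entry for the same rule and source address. The following script is an added example and not part of the original post or of ipfw: it parses dynamic-rule lines and reports such orphaned LIMIT entries so that the condition can be spotted from a cron job or monitoring check instead of by eye. The sample lines are constructed; the LIMIT line follows the layout quoted in the post, while the "PARENT <count>" layout and the zeroed peer address on the PARENT line are assumptions about ipfw2's output, as are the documentation addresses used.

```python
"""Detect LIMIT entries in `ipfw -d show` output with no matching PARENT."""
import re

# Constructed sample output. The LIMIT lines follow the layout quoted in
# the post; the PARENT line format ("PARENT <count>", zeroed peer) is an
# assumption about ipfw2 and should be checked against the local ipfw.
SAMPLE_OUTPUT = """\
00050 9 861 (62s) LIMIT tcp 198.51.100.7 19098 <-> 192.0.2.10 80
00050 3 412 (12s) LIMIT tcp 198.51.100.9 40112 <-> 192.0.2.10 8000
00050 1 0 (12s) PARENT 1 tcp 198.51.100.9 0 <-> 0.0.0.0 0
"""

# rule pkts bytes (ttl s) KIND [count] proto src sport <-> dst dport
DYN_RE = re.compile(
    r"^(?P<rule>\d+)\s+\d+\s+\d+\s+\((?P<ttl>\d+)s\)\s+"
    r"(?P<kind>LIMIT|PARENT|STATE)(?:\s+(?P<count>\d+))?\s+"
    r"(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\d+)\s+<->\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\d+)\s*$"
)


def parse_dyn_rules(text):
    """Parse dynamic-rule lines; lines that do not match are ignored."""
    entries = []
    for line in text.splitlines():
        m = DYN_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["rule"] = int(d["rule"])
        d["ttl"] = int(d["ttl"])
        d["count"] = int(d["count"]) if d["count"] is not None else None
        entries.append(d)
    return entries


def find_orphan_limits(entries):
    """Return LIMIT entries whose (rule, src) has no PARENT entry.

    This matches a `limit src-addr` rule, where the PARENT is keyed by the
    source address only; a `limit dst-addr` rule would key on dst instead.
    """
    parents = {(e["rule"], e["src"]) for e in entries if e["kind"] == "PARENT"}
    return [
        e for e in entries
        if e["kind"] == "LIMIT" and (e["rule"], e["src"]) not in parents
    ]


def report(text):
    """Human-readable summary; returns the number of orphans found."""
    orphans = find_orphan_limits(parse_dyn_rules(text))
    for e in orphans:
        print(f"rule {e['rule']:05d}: LIMIT {e['src']}:{e['sport']} -> "
              f"{e['dst']}:{e['dport']} ({e['ttl']}s) has no PARENT")
    return len(orphans)


if __name__ == "__main__":
    # On a live host: report(subprocess.check_output(["ipfw", "-d", "show"], text=True))
    report(SAMPLE_OUTPUT)
```

The check keys on the source address because the rule in the post uses "limit src-addr"; a rule limiting on another field would need the key adjusted accordingly. Running it repeatedly and alerting when an orphaned LIMIT's ttl keeps being refreshed is the practical way to confirm that keepalives are what keep the stale entry alive.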
