Date:      Fri, 16 May 2008 13:33:13 -0500
From:      Mark Kane <mark@mkproductions.org>
To:        freebsd-questions@freebsd.org
Subject:   ipfw, limit, and lots of connections in FIN_WAIT_2 state
Message-ID:  <20080516133313.1f94df22@mkproductions.org>

Hi everyone.

I use ipfw on one of our servers to help protect against some HTTP
attacks we were receiving recently. The rules are very basic but were
helping with the type of attack we were receiving:

=====================================
flush="/sbin/ipfw -q flush"
cmd="/sbin/ipfw -q add"

$flush

$cmd 0001 allow all from any to any via lo0
$cmd 0002 allow all from 127.0.0.1 to 127.0.0.1
$cmd 0003 check-state

$cmd 3000 allow tcp from any to me 80 setup limit src-addr 15

$cmd 65003 allow all from any to any
=====================================

The issue with this setup though is that when "limit" is used and there
is a dynamic rule for the traffic, lots of connections build up in the
FIN_WAIT_2 state. I have recently seen numbers in the upper hundreds and
they stay around for a long time. Without the limiting or dynamic
rules I don't recall any noticeable amount of FIN_WAIT_2 connections.

This has been causing problems for some visitors because connections
from their IP are building up and reaching the limit. The limit part
works great, but all the connections shown in ipfw's dynamic rules list
for some IPs are in the FIN_WAIT_2 state which is reaching the limit and
then not allowing any new traffic in from them. Then websites hosted
here appear down and most of the visitors wouldn't have any idea what's
going on.

The description in the last paragraph of this reply sounds just like
the issue:

http://lists.freebsd.org/pipermail/freebsd-questions/2007-February/142745.html

Are there any things that can be done on the server end to help with
this?

Thanks in advance for any input.

-Mark

-- 
Internet Radio:
Party107 (Trance/Electronic) - http://www.party107.com
Rock 101.9 The Edge (Rock) - http://www.rock1019.net

IRC:
MIXXnet IRC Network - irc.mixxnet.net (Nick: MIXX941)
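As an added illustration (not part of the original post), the script below counts per-source FIN_WAIT_2 connections to port 80 from `netstat -an -p tcp` output and flags any source address that has reached the ruleset's `limit src-addr 15` threshold. The netstat sample is constructed, and the script reads netstat rather than ipfw's own dynamic-rule listing, so the states it reports are the kernel TCP states the post refers to.

```bash
#!/bin/sh
# Constructed sample of `netstat -an -p tcp` output (RFC 5737 documentation
# addresses; not captured from the server in the post).
SAMPLE='Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 192.0.2.1.80           198.51.100.7.40001     FIN_WAIT_2
tcp4       0      0 192.0.2.1.80           198.51.100.7.40002     FIN_WAIT_2
tcp4       0      0 192.0.2.1.80           198.51.100.7.40003     FIN_WAIT_2
tcp4       0      0 192.0.2.1.22           198.51.100.7.40020     FIN_WAIT_2
tcp4       0      0 192.0.2.1.80           203.0.113.9.51000      FIN_WAIT_2
tcp4       0      0 192.0.2.1.80           203.0.113.9.51001      ESTABLISHED
tcp4       0      0 *.80                   *.*                    LISTEN'

# count_fin_wait2 PORT LIMIT  (netstat output on stdin)
# Prints "address count" for every foreign address holding at least LIMIT
# connections to local PORT that sit in FIN_WAIT_2, sorted by address.
# Addresses that show up here are the ones whose dynamic-rule slots are
# being consumed by half-closed connections rather than live requests.
count_fin_wait2() {
  port=$1
  limit=$2
  awk -v port="$port" -v limit="$limit" '
    # Only tcp4/tcp6 rows in FIN_WAIT_2; the header and LISTEN rows drop out.
    $1 ~ /^tcp/ && $NF == "FIN_WAIT_2" {
      # Local address is host.port; keep only the part after the last dot.
      lport = $4; sub(/.*\./, "", lport)
      if (lport != port) next
      # Foreign address is host.port; strip the trailing .port to get the host.
      raddr = $5; sub(/\.[0-9]+$/, "", raddr)
      n[raddr]++
    }
    END { for (a in n) if (n[a] >= limit) print a, n[a] }' | sort
}

# Report sources at the limit used in the post's rule 3000 (15 per src-addr).
printf '%s\n' "$SAMPLE" | count_fin_wait2 80 15
```

Run against live output with `netstat -an -p tcp | count_fin_wait2 80 15`; a source listed here will be refused new connections by rule 3000 until its FIN_WAIT_2 entries expire.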