From: Mark Kane
To: freebsd-questions@freebsd.org
Date: Fri, 16 May 2008 13:33:13 -0500
Message-ID: <20080516133313.1f94df22@mkproductions.org>
Subject: ipfw, limit, and lots of connections in FIN_WAIT_2 state

Hi everyone. I use ipfw on one of our servers to help protect against some HTTP attacks we were receiving recently.
The rules are very basic but were helping with the type of attack we were receiving:

=====================================
flush="/sbin/ipfw -q flush"
cmd="/sbin/ipfw -q add"

$flush

$cmd 0001 allow all from any to any via lo0
$cmd 0002 allow all from 127.0.0.1 to 127.0.0.1
$cmd 0003 check-state
$cmd 3000 allow tcp from any to me 80 setup limit src-addr 15
$cmd 65003 allow all from any to any
=====================================

The issue with this setup though is that when "limit" is used and there is a dynamic rule for the traffic, lots of connections build up in the FIN_WAIT_2 state. I have recently seen numbers in the upper hundreds and they stay around for a long time. Without the limiting or dynamic rules I don't recall any noticeable amount of FIN_WAIT_2 connections.

This has been causing problems for some visitors because connections from their IP are building up and reaching the limit. The limit part works great, but all the connections shown in ipfw's dynamic rules list for some IPs are in the FIN_WAIT_2 state, which is reaching the limit and then not allowing any new traffic in from them. Then websites hosted here appear down and most of the visitors wouldn't have any idea what's going on.

The description in the last paragraph of this reply sounds just like the issue:
http://lists.freebsd.org/pipermail/freebsd-questions/2007-February/142745.html

Are there any things that can be done on the server end to help with this?

Thanks in advance for any input.

-Mark

--
Internet Radio:
Party107 (Trance/Electronic) - http://www.party107.com
Rock 101.9 The Edge (Rock) - http://www.rock1019.net

IRC: MIXXnet IRC Network - irc.mixxnet.net (Nick: MIXX941)
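An added example, not part of Mark's post: a small POSIX sh/awk helper that reads `netstat -an`-style output and counts, per remote address, the TCP connections to a given local port that are sitting in FIN_WAIT_2, then lists the peers whose stale connections alone already meet the ipfw `limit src-addr` value (15 in the rules above). The function names, the threshold argument and the sample netstat lines are constructed for this example; the parsing assumes FreeBSD's `host.port` column layout.

```shell
#!/bin/sh
# Hypothetical helper (not from the original post): count per-peer TCP
# connections in FIN_WAIT_2 toward a local port, from `netstat -an` output.

# Usage: fin_wait2_by_peer PORT < netstat_output
# Prints "count peer_ip" lines, highest count first.
fin_wait2_by_peer() {
    awk -v port="$1" '
        # tcp rows only; columns: Proto Recv-Q Send-Q Local Foreign State
        $1 ~ /^tcp/ && $6 == "FIN_WAIT_2" {
            # FreeBSD prints addresses as host.port: the port is the
            # text after the last dot, the host is everything before it.
            n = split($4, l, "."); if (l[n] != port) next
            m = split($5, f, "."); peer = f[1]
            for (i = 2; i < m; i++) peer = peer "." f[i]
            cnt[peer]++
        }
        END { for (p in cnt) printf "%d %s\n", cnt[p], p }
    ' | sort -rn
}

# Usage: peers_at_limit LIMIT PORT < netstat_output
# Prints peers whose FIN_WAIT_2 count alone reaches the per-src limit,
# i.e. the visitors who will be refused new connections by ipfw.
peers_at_limit() {
    fin_wait2_by_peer "$2" | awk -v lim="$1" '$1 >= lim { print $2 }'
}

# Constructed sample mimicking `netstat -an` (documentation addresses,
# not real traffic). One peer has three stale port-80 connections.
SAMPLE='Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  10.0.0.1.80            192.0.2.10.50001       FIN_WAIT_2
tcp4       0      0  10.0.0.1.80            192.0.2.10.50002       FIN_WAIT_2
tcp4       0      0  10.0.0.1.80            192.0.2.10.50003       FIN_WAIT_2
tcp4       0      0  10.0.0.1.80            198.51.100.7.40000     ESTABLISHED
tcp4       0      0  10.0.0.1.80            198.51.100.7.40001     FIN_WAIT_2
tcp4       0      0  10.0.0.1.22            192.0.2.10.50009       FIN_WAIT_2
tcp4       0      0  *.80                   *.*                    LISTEN'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE" | fin_wait2_by_peer 80      # 3 192.0.2.10 / 1 198.51.100.7
    printf '%s\n' "$SAMPLE" | peers_at_limit 3 80       # 192.0.2.10
fi
```

Against a live box the same functions take `netstat -an` on stdin with the real limit (15), and the counts can be compared with the dynamic-rule lifetimes ipfw applies, which on FreeBSD are the `net.inet.ip.fw.dyn_*_lifetime` sysctls (e.g. `dyn_fin_lifetime`).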