Date:      Wed, 28 May 2003 08:55:35 -0700
From:      Gregory Neil Shapiro <gshapiro@freebsd.org>
To:        Luigi Rizzo <rizzo@icir.org>
Cc:        freebsd-ipfw@freebsd.org
Subject:   Re: IPFW V2 dynamic keepalives broken
Message-ID:  <20030528155535.GB13285@horsey.gshapiro.net>
In-Reply-To: <20030528013250.A30254@xorpc.icir.org>
References:  <20030527225040.GV13285@horsey.gshapiro.net> <20030528013250.A30254@xorpc.icir.org>

> i imagine the following happens:
>  + the client does not properly close the connection;

I tend to agree.

>  + when a keepalive is sent (every 5 minutes),

But wouldn't a dyn_fin_lifetime of 1 mean it wouldn't reach 5 minutes?

>    the server's TCP responds (thus refreshing the rule), and the

Interestingly enough, the client can't respond.  An upstream Nokia
Checkpoint FW-1 firewall is rejecting the packets from the client to
the server with "Unknown established connection".  You are correct
though, the server may be responding.  

>    TCP timeout is reset so it stays in the FIN_WAIT[2] state for
>    another cycle, whereas the client does not bother to send back a
>    RST (which would cause the timeout for the dynamic rule go down to
>    very low values).

> Maybe i should change the logic in the dynamic rules so that further
> keepalives are not sent unless a reply has been received from both
> sides.

That does sound like a good solution.

> > # sysctl net.inet.ip.fw.dyn_keepalive=0
> > net.inet.ip.fw.dyn_keepalive: 1 -> 0
> > (wait a few seconds)
> 
> how "few" seconds? I suppose in the order of 300 or so, enough
> to let the local session expire?

Yes, sorry, that should have been "few minutes", not "few seconds".

By the way, since sending the mail yesterday, 149 have collected in
FIN_WAIT_2 on the server.  I repeated the process and timed it.
It started dropping them after about 6 minutes.
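The keepalive behaviour the thread describes, as an added toy model that is not ipfw code: one dynamic rule, probed every cycle; under the current logic any endpoint's reply refreshes the rule, under the proposed logic a probe is only sent again if both endpoints answered the previous one. Cycle counts and the assumption that both sides were seen when the rule was created are constructed for the illustration.

```python
# Simplified model of ipfw dynamic-rule keepalives (added example, not kernel code).
# A "cycle" stands for one keepalive period (about 5 minutes in the thread).

def simulate(client_replies: bool, server_replies: bool,
             require_both: bool, cycles: int) -> dict:
    """Run `cycles` keepalive rounds against one dynamic rule.

    client_replies / server_replies: whether each endpoint's TCP stack answers
    a keepalive probe (a dead client, or one blocked upstream, does not).
    require_both: the proposed change; keep probing only while both sides
    answered the previous probe, otherwise let the rule expire.
    Returns the rule state and how many times its lifetime was refreshed.
    """
    # Assumption: at rule creation both sides were seen (the handshake passed).
    seen = {"client": True, "server": True}
    refreshes = 0
    alive = True
    for _ in range(cycles):
        if require_both and not (seen["client"] and seen["server"]):
            # Proposed logic: no further keepalives, so the rule times out.
            alive = False
            break
        # Probe both endpoints and record which ones answered.
        seen = {"client": client_replies, "server": server_replies}
        if seen["client"] or seen["server"]:
            # Current logic: any matching reply refreshes the dynamic rule,
            # which is why a FIN_WAIT_2 session with a live server never expires.
            refreshes += 1
        else:
            alive = False
            break
    return {"alive": alive, "refreshes": refreshes}


if __name__ == "__main__":
    # Dead client, live server: the case from the thread.
    print("current logic :", simulate(False, True, require_both=False, cycles=10))
    print("proposed logic:", simulate(False, True, require_both=True, cycles=10))
```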


