From: "Dmitry S. Kasterin" <dmk.sbor@gmail.com>
To: Kevin Oberman
Cc: freebsd-net@freebsd.org, Michael Sierchio
Date: Fri, 20 Apr 2012 22:55:03 +0400
Subject: Re: Stateful IPFW - too many connections in FIN_WAIT_2 or LAST_ACK states
List-Id: Networking and TCP/IP with FreeBSD

> Thank you for the "allow tcp from me to any established" rule,
> I'll give it a try later.
Ok, I've tested this - no oddity/"frozen" connection. As expected.

This is an excerpt from the ruleset (ipfw show):

00101 4759 2588637 allow tcp from any to any established
00102  206   12360 allow tcp from me to any setup
00777    0       0 deny log logamount 16 ip from any to any

> I didn't change anything. Quite possible dyn_fin_lifetime is too
> small. I'll try to raise it.

# sysctl net.inet.ip.fw.dyn_fin_lifetime=4
net.inet.ip.fw.dyn_fin_lifetime: 1 -> 4
# sysctl net.inet.ip.fw.dyn_rst_lifetime=4
net.inet.ip.fw.dyn_rst_lifetime: 1 -> 4

The situation is better, but I am still having troubles with "heavy" sites (images, JS and so on; for example - http://cnx.org/content/m16336/latest/ ).

And still I can see odd packets from "deny log all from any to any" rule:

15:09:58.654613 IP w.x.y.z.11215 > 213.180.193.14.80: Flags [F.], seq 3948689318, ack 1903284725, ...
15:09:59.158612 IP w.x.y.z.11215 > 213.180.193.14.80: Flags [F.], seq 0, ack 1, ...
15:09:59.222114 IP 213.180.193.14.80 > w.x.y.z.11215: Flags [F.], seq 1, ack 0, ...
15:09:59.966611 IP w.x.y.z.11215 > 213.180.193.14.80: Flags [F.], seq 0, ack 1, ...
15:51:43.244361 IP 128.42.169.34.80 > w.x.y.z.13876: Flags [F.], seq 3534903525, ack 108808080, ...
15:51:49.418317 IP 128.42.169.34.80 > w.x.y.z.13876: Flags [F.], seq 0, ack 1, ...
15:58:47.664606 IP w.x.y.z.32748 > 195.91.160.36.80: Flags [F.], seq 3277652538, ack 2683877393, ...
15:58:49.106924 IP 195.91.160.36.80 > w.x.y.z.32748: Flags [F.], seq 1, ack 0, ...
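As an added illustration that is not part of the thread, here is a small Python model of why a 1-second dyn_fin_lifetime lets the tail of a TCP close fall outside the dynamic rule and land on the final "deny log" rule. The lifetime selection is a simplified reading of IPFW's dyn_syn/ack/fin_lifetime behaviour (an assumption, not the kernel source), and the packet timeline is constructed, loosely following the 15:09:5x capture above.

```python
# Simplified model of IPFW dynamic-rule (keep-state) lifetimes for one TCP
# flow. Constructed illustration, not IPFW source: lifetimes follow the
# net.inet.ip.fw.dyn_{syn,ack,fin}_lifetime sysctls, defaults 20/300/1 s.
SYN, ACK, FIN = 0x02, 0x10, 0x01

class DynRule:
    def __init__(self, syn_lifetime=20, ack_lifetime=300, fin_lifetime=1):
        self.lt = {"syn": syn_lifetime, "ack": ack_lifetime, "fin": fin_lifetime}
        self.fin_seen = set()      # directions ("c2s"/"s2c") that have sent FIN
        self.established = False
        self.expire = None         # None: no state exists yet

    def match(self, t, direction, flags):
        """True if the packet hits live state (refreshing it), else False."""
        if self.expire is None or t > self.expire:
            if flags & SYN and direction == "c2s":   # a new setup creates state
                self.fin_seen.clear()
                self.established = False
                self.expire = t + self.lt["syn"]
                return True
            return False   # no live state: packet falls through to static rules
        if flags & SYN and direction == "s2c":
            self.established = True
        if flags & FIN:
            self.fin_seen.add(direction)
        if len(self.fin_seen) == 2:      # both sides closed: short FIN lifetime
            self.expire = t + self.lt["fin"]
        else:
            self.expire = t + self.lt["ack" if self.established else "syn"]
        return True

def replay(packets, fin_lifetime):
    """Replay (t, direction, flags) tuples; return a verdict per packet."""
    rule = DynRule(fin_lifetime=fin_lifetime)
    return ["allow" if rule.match(t, d, f) else "deny-log" for t, d, f in packets]

# Constructed close sequence (times in seconds), loosely following the
# 15:09:5x capture: handshake, client FIN plus retransmits, server FIN, then
# the final ACK and a server FIN retransmit arriving ~2 s after the last FIN.
CLOSE_TIMELINE = [
    (50.000, "c2s", SYN), (50.050, "s2c", SYN | ACK), (50.100, "c2s", ACK),
    (58.654, "c2s", FIN | ACK),   # client FIN
    (59.158, "c2s", FIN | ACK),   # client FIN retransmitted
    (59.222, "s2c", FIN | ACK),   # server FIN: both sides have now closed
    (59.966, "c2s", FIN | ACK),   # retransmit, still inside the 1 s window
    (62.000, "c2s", ACK),         # final ACK: outside 1 s, inside 4 s
    (62.400, "s2c", FIN | ACK),   # server FIN retransmit: likewise
]

if __name__ == "__main__":
    for lifetime in (1, 4):
        print(f"dyn_fin_lifetime={lifetime}:", replay(CLOSE_TIMELINE, lifetime))
```

With the ruleset quoted in the mail, the packets the model marks "deny-log" are exactly the ones that would instead be caught by the static "allow tcp from any to any established" rule placed before the final deny.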