From: Luigi Rizzo
To: Gregory Neil Shapiro
cc: freebsd-ipfw@freebsd.org
Date: Wed, 28 May 2003 12:11:47 -0700
Subject: Re: IPFW V2 dynamic keepalives broken

On Wed, May 28, 2003 at 08:55:35AM -0700, Gregory Neil Shapiro wrote:
> > i imagine the following happens:
> > + the client does not properly close the connection;
>
> I tend to agree.
>
> > + when a keepalive is sent (every 5 minutes),

To be precise -- a keepalive is sent in the last 30sec or so of the lifetime
of a dynamic rule. If the timeout is bumped below this value (as it happens
when both FINs or a RST come in) then keepalives are disabled. But if only
one FIN is received, and no RST arrives back, keepalives continue to flow.

> But wouldn't a dyn_fin_lifetime of 1 mean it wouldn't reach 5 minutes?

only if both FINs come in -- that is when the dyn_fin_lifetime takes effect.

cheers
luigi

> > the server's TCP responds (thus refreshing the rule), and the
>
> Interestingly enough, the client can't respond. An upstream Nokia
> Checkpoint FW-1 firewall is rejecting the packets from the client to
> the server with "Unknown established connection". You are correct
> though, the server may be responding.
>
> > TCP timeout is reset so it stays in the FIN_WAIT[2] state for
> > another cycle, whereas the client does not bother to send back a
> > RST (which would cause the timeout for the dynamic rule to go down to
> > very low values).
>
> > Maybe i should change the logic in the dynamic rules so that further
> > keepalives are not sent unless a reply has been received from both
> > sides.
>
> That does sound like a good solution.
>
> > > # sysctl net.inet.ip.fw.dyn_keepalive=0
> > > net.inet.ip.fw.dyn_keepalive: 1 -> 0
> > > (wait a few seconds)
> >
> > how "few" seconds ? I suppose in the order of 300 or so, enough
> > to let the local session expire ?
>
> Yes, sorry, that should have been "few minutes", not "few seconds".
>
> By the way, since sending the mail yesterday, 149 have collected in
> FIN_WAIT_2 on the server. I repeated the process and timed it.
> It started dropping them after about 6 minutes.
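The keepalive behaviour described in this thread (one-sided FIN, server answers the keepalive, client cannot) and the proposed "reply from both sides" change, modelled as an added example; this is a constructed simulation, not ipfw kernel code. The lifetime constants, the 30 s keepalive window and the `simulate` function are assumptions made for the model.

```python
# Constructed model of the dynamic-rule lifetime logic discussed in the thread.
ACK_LIFETIME = 300      # assumed default of net.inet.ip.fw.dyn_ack_lifetime (seconds)
FIN_LIFETIME = 1        # dyn_fin_lifetime value used in the thread (seconds)
KEEPALIVE_WINDOW = 30   # keepalives go out in roughly the last 30 s of a rule's life
HORIZON = 3600          # simulated seconds before we declare the rule immortal


def simulate(fins, answers, require_both_replies):
    """Return the second at which the dynamic rule expires, or None if it never does.

    fins:    set of sides ({"client", "server"}) that sent a FIN at t=0.
    answers: set of sides whose TCP answers an ipfw keepalive. In the reported
             case only the server does; an upstream firewall drops the client's.
    require_both_replies: the proposed change -- keep sending keepalives only
             while the previous round was answered from both sides.
    """
    expire = ACK_LIFETIME
    keepalives_enabled = True
    if fins == {"client", "server"}:
        # both FINs seen: lifetime drops below the window, so keepalives stop
        expire = FIN_LIFETIME
        keepalives_enabled = False
    for now in range(HORIZON):
        if now >= expire:
            return now
        if keepalives_enabled and expire - now <= KEEPALIVE_WINDOW:
            # any side that answers the keepalive refreshes the rule
            if answers:
                expire = now + ACK_LIFETIME
            if require_both_replies and answers != {"client", "server"}:
                keepalives_enabled = False
    return None


if __name__ == "__main__":
    # the FIN_WAIT_2 case from the thread: one FIN, only the server answers
    print("current logic :", simulate({"client"}, {"server"}, False))
    print("proposed logic:", simulate({"client"}, {"server"}, True))
    print("both FINs     :", simulate({"client", "server"}, {"server"}, False))
```

With the current logic the half-closed rule is refreshed every cycle and never expires; with the proposed change it expires one lifetime after the first unanswered round, while a healthy idle connection (both sides answering) is still kept alive.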