Date:      Wed, 2 Nov 2011 08:46:11 -0700 (PDT)
From:      Tim Gustafson <>
Subject:   IPFW Problems
Message-ID:  <>
In-Reply-To: <>

Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit


I'm using IPFW on a Jail server.  I have system-wide rules set up at the top of my rule-set, like this:

00100 allow ip from any to any via lo0
00101 check-state
00102 allow icmp from me to any keep-state
00103 allow udp from me to any keep-state
00104 allow tcp from me to any keep-state
00105 allow icmp from to me keep-state

And then each Jail server has a set of rules, like this:

01000 allow tcp from to dst-port 22 keep-state
01001 allow tcp from any to dst-port 80 keep-state
01002 allow tcp from any to dst-port 443 keep-state

What I've been noticing is that the web server is accumulating a large number of dynamic rules that are not going away, and consequently FreeBSD is keeping a large number of sockets open for long periods of time, which are sending out tons of ACK packets to remote hosts that connected to our web server a long time ago, and have long since closed their side of the TCP connection.  I've attached two graphs: one shows the number of dynamic firewall rules over time, and the other shows the number of open sockets over time.  Each time I re-load my firewall rules (which includes a "flush"), the graphs drop back down to a reasonable number (hence the sawtooth effect you see in the graph).

Can anyone help me understand what is going on here?  Have I found some sort of bug, or do I have my firewall incorrectly configured?

Tim Gustafson                                      
Baskin School of Engineering                                     831-459-5354
UC Santa Cruz                                         Baskin Engineering 317B


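One way to see which keep-state rule the lingering states belong to, added here as an example and not part of the original post: parse two `ipfw -d list` snapshots taken some minutes apart and report the flows present in both, counted per parent rule. The dynamic-rule line layout is assumed from FreeBSD 8/9 output and the addresses are constructed.

```python
import re
from collections import Counter
# Two constructed `ipfw -d list` snapshots, taken a few minutes apart.  The
# dynamic-rule line layout (rule pkts bytes (expire) STATE proto src sport
# <-> dst dport) is assumed from FreeBSD 8/9 output; addresses are made up.
SNAPSHOT_1 = """\
## Dynamic rules (5 4096):
01001      12     3456 (299s) STATE tcp 192.0.2.10 51234 <-> 10.0.0.5 80
01001       8     1200 (298s) STATE tcp 198.51.100.7 40001 <-> 10.0.0.5 80
01002       5      900 (20s) STATE tcp 203.0.113.9 55555 <-> 10.0.0.5 443
01000       2      300 (1s) STATE tcp 192.0.2.20 60000 <-> 10.0.0.5 22
00103      10      500 (10s) STATE udp 10.0.0.5 53000 <-> 192.0.2.53 53
"""
SNAPSHOT_2 = """\
## Dynamic rules (4 4096):
01001      14     3600 (300s) STATE tcp 192.0.2.10 51234 <-> 10.0.0.5 80
01001       9     1250 (300s) STATE tcp 198.51.100.7 40001 <-> 10.0.0.5 80
01001       3      400 (299s) STATE tcp 192.0.2.77 40002 <-> 10.0.0.5 80
01002       1      100 (5s) STATE tcp 203.0.113.9 55556 <-> 10.0.0.5 443
"""

DYN_RE = re.compile(
    r"^(\d+)\s+(\d+)\s+(\d+)\s+\((\d+)s\)\s+STATE\s+(\w+)\s+"
    r"(\S+)\s+(\d+)\s+<->\s+(\S+)\s+(\d+)$")

def parse_dynamic(text):
    """Map each flow 5-tuple to (parent rule, packets, seconds to expiry).
    Header lines and static rules do not match the pattern and are skipped."""
    flows = {}
    for line in text.splitlines():
        m = DYN_RE.match(line.strip())
        if m:
            rule, pkts, _bytes, expire, proto, src, sport, dst, dport = m.groups()
            flows[(proto, src, int(sport), dst, int(dport))] = (
                int(rule), int(pkts), int(expire))
    return flows

def persistent_flows(first, second):
    """Flows seen in both snapshots: states being refreshed instead of timing
    out (lifetimes come from the net.inet.ip.fw.dyn_*_lifetime sysctls).
    Also returns a per-rule count so the responsible keep-state rule stands out."""
    both = {k: second[k] for k in first if k in second}
    return both, Counter(v[0] for v in both.values())

if __name__ == "__main__":
    stuck, per_rule = persistent_flows(parse_dynamic(SNAPSHOT_1),
                                       parse_dynamic(SNAPSHOT_2))
    for rule, n in per_rule.most_common():
        print(f"rule {rule:05d}: {n} state(s) surviving between snapshots")
```

On a live host, feed it the saved output of two `ipfw -d list` runs instead of the constructed snapshots; a rule whose count grows between runs is the one accumulating states.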