Date: Wed, 2 Nov 2011 08:46:11 -0700 (PDT)
From: Tim Gustafson <tjg@soe.ucsc.edu>
To: freebsd-ipfw@freebsd.org
Subject: IPFW Problems
Message-ID: <1048019764.24079.1320248771403.JavaMail.root@mail-01.cse.ucsc.edu>
In-Reply-To: <1335821625.24060.1320248576610.JavaMail.root@mail-01.cse.ucsc.edu>
Hi,

I'm using IPFW on a Jail server. I have system-wide rules set up at the top of my rule-set, like this:

    00100 allow ip from any to any via lo0
    00101 check-state
    00102 allow icmp from me to any keep-state
    00103 allow udp from me to any keep-state
    00104 allow tcp from me to any keep-state
    00105 allow icmp from 1.2.0.0/16 to me keep-state

And then each Jail server has a set of rules, like this:

    01000 allow tcp from 1.2.0.0/16 to 1.2.3.4 dst-port 22 keep-state
    01001 allow tcp from any to 1.2.3.4 dst-port 80 keep-state
    01002 allow tcp from any to 1.2.3.4 dst-port 443 keep-state

What I've been noticing is that the web server is accumulating a large number of dynamic rules that are not going away, and consequently FreeBSD is keeping a large number of sockets open for long periods of time, which are sending out tons of ACK packets to remote hosts that connected to our web server a long time ago, and have long since closed their side of the TCP connection.

I've attached two graphs: one shows the number of dynamic firewall rules over time, and the other shows the number of open sockets over time. Each time I re-load my firewall rules (which includes a "flush"), the graphs drop back down to a reasonable number (hence the sawtooth effect you see in the graph).

Can anyone help me understand what is going on here? Have I found some sort of bug, or do I have my firewall incorrectly configured?

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Tim Gustafson
tjg@soe.ucsc.edu
Baskin School of Engineering
831-459-5354
UC Santa Cruz
Baskin Engineering 317B
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
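As an added example (not part of Tim's message and not FreeBSD's own ipfw tooling): the graphs show dynamic-rule growth, but not which parent rule the entries belong to or how long they have left to live. The POSIX shell helpers below summarise the dynamic-rule section of `ipfw -d list` output so a monitoring job can attribute the growth to a rule number (here 01001, the port-80 rule) and alert when the count passes a threshold. The sample output is constructed; its field layout (`<rule> <pkts> <bytes> (<ttl>s) STATE <proto> <src> <sport> <-> <dst> <dport>`) is an assumption about the `ipfw -d list` format and should be checked against the output of your own host before relying on the field numbers.

```shell
#!/bin/sh
# Helpers for summarising ipfw dynamic-rule state.
# Feed them "ipfw -d list" output on stdin; each prints a result.

# Constructed sample of "ipfw -d list" output (assumed layout, see lead-in).
# Two static rules are included so the filters show they are skipped.
SAMPLE_DYN_OUTPUT='01001 allow tcp from any to 1.2.3.4 dst-port 80 keep-state
01002 allow tcp from any to 1.2.3.4 dst-port 443 keep-state
## Dynamic rules (5 1024):
01001 12 6144 (300s) STATE tcp 198.51.100.7 51234 <-> 1.2.3.4 80
01001 9 4100 (298s) STATE tcp 198.51.100.8 40001 <-> 1.2.3.4 80
01002 3 1200 (1s) STATE tcp 203.0.113.9 33000 <-> 1.2.3.4 443
01000 5 2000 (120s) STATE tcp 1.2.9.9 50000 <-> 1.2.3.4 22
00104 2 800 (10s) STATE tcp 1.2.3.4 44000 <-> 203.0.113.1 25'

# Print "<rule> <count>" per parent rule, largest count first.
# Only lines whose 5th field is STATE are dynamic entries; static rules
# and the "## Dynamic rules" header are ignored.
dyn_count_by_rule() {
    awk '$5 == "STATE" { n[$1]++ } END { for (r in n) print r, n[r] }' \
        | sort -k2,2nr -k1,1
}

# Print the number of dynamic entries belonging to rule number $1.
dyn_count_for_rule() {
    awk -v rule="$1" '$5 == "STATE" && $1 == rule { n++ } END { print n + 0 }'
}

# Print dynamic entries whose remaining lifetime is at least $1 seconds.
# The 4th field is "(NNNs)"; strip the parentheses and the unit.
dyn_long_lived() {
    awk -v min="$1" '$5 == "STATE" {
        t = $4; gsub(/[()s]/, "", t)
        if (t + 0 >= min) print
    }'
}

# Exit 0 if the total number of dynamic entries is below $1, 1 otherwise.
# Suitable as the check in a cron job or a Nagios-style plugin.
dyn_check_threshold() {
    total=$(awk '$5 == "STATE" { n++ } END { print n + 0 }')
    [ "$total" -lt "$1" ]
}

# Demonstration on the constructed sample; on a live host replace the
# printf with:  ipfw -d list | dyn_count_by_rule
printf '%s\n' "$SAMPLE_DYN_OUTPUT" | dyn_count_by_rule
printf '%s\n' "$SAMPLE_DYN_OUTPUT" | dyn_long_lived 200
```

What counts as "too long" depends on the host's `net.inet.ip.fw.dyn_*` sysctls: established TCP states are governed by `net.inet.ip.fw.dyn_ack_lifetime` (300 s by default), so a state that keeps showing a lifetime near that value every time the job runs is being refreshed rather than ageing out, which is the pattern worth correlating with the open-socket graph.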