Date:      Wed, 31 Jul 2002 15:28:06 -0700
From:      Luigi Rizzo <>
To:        Dan Pelleg <>
Cc:        ipfw@FreeBSD.ORG
Subject:   Re: IPFW2 keep-alive
Message-ID:  <>
In-Reply-To: <>; from on Sun, Jul 28, 2002 at 10:25:25AM -0400
References:  <> <>

The logic works as follows:
when a O_LIMIT or O_KEEP_STATE rule has less than 20 seconds left,
the firewall will send a keepalive packet to both sides every 5 seconds.
If any of the two responds, then the timeout will be updated
accordingly -- i.e. a regular data packet will reset it up
to 300 seconds or whatever the default is, a RST will put it
down to 1 which is below the threshold for generating a
new keepalive.
If neither responds, the timeout will be left untouched.

Now I wonder if in your case what happens is that the
remote server is not sending RST for invalid packets, and
you do have a socket in some closing state (or even a mozilla
about to close) still handling the keepalives and replying to them.


On Sun, Jul 28, 2002 at 10:25:25AM -0400, Dan Pelleg wrote:
> What's the exact mechanism to expire dynamic rules under IPFW2? I
> understand it's sending keep-alive packets as the rule is about to
> expire. Is there any way for these to result in the rule being removed? The
> behaviour I'm seeing is this:
> During a network partition, the application program (Mozilla) retried to
> connect to remote hosts and opened many connections, eventually hitting the
> LIMIT count.
> Now the network is back up. However there is no way to open new
> connections since the appropriate rule's LIMIT is met. Repeated ipfw -d
> show that the rules are refreshed when they have 5-6 seconds to live (and
> go back to 10 seconds or so). I'm not sure what's doing that - the local
> application is long terminated. The only workaround I found was to flush
> the ruleset (I guess replacing just that rule would have also worked).
> -- 
>   Dan Pelleg
> To Unsubscribe: send mail to
> with "unsubscribe freebsd-ipfw" in the body of the message

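The expiry logic Luigi describes above (keepalives once fewer than 20 seconds remain, one every 5 seconds, a data packet resetting the timeout to the 300-second default, a RST dropping it to 1, no answer leaving it alone) can be modelled as a small state machine. The following is an added simulation written for this archive page; it is not FreeBSD's ipfw code, and the rule layout, the `tick`/`simulate` helpers and the three responder behaviours are constructed for illustration. It reproduces the case from the thread where a peer that keeps answering keepalives keeps the dynamic rule alive indefinitely, which is what makes a LIMIT count stay exhausted.

```python
"""Model of IPFW2 dynamic-rule expiry with keepalives (constructed simulation,
not FreeBSD's ipfw implementation). Constants follow Luigi's description."""
from dataclasses import dataclass

DYN_DEFAULT_TTL = 300      # a regular data packet resets the rule to this ("300 or whatever the default is")
KEEPALIVE_THRESHOLD = 20   # keepalives start when fewer than 20 s remain
KEEPALIVE_INTERVAL = 5     # one keepalive to each side every 5 s
RST_TTL = 1                # a RST drops the timeout to 1 s, below the threshold


@dataclass
class DynRule:
    """One O_KEEP_STATE / O_LIMIT entry as the firewall sees it (constructed)."""
    expire: int                 # absolute time (s) at which the rule is dropped
    keepalives_sent: int = 0
    next_keepalive: int = 0     # earliest time the next keepalive may go out

    def remaining(self, now: int) -> int:
        return self.expire - now


def tick(rule: DynRule, now: int, peer_response):
    """Advance the rule to time `now` and apply the keepalive logic.

    peer_response is what the endpoints do when a keepalive reaches them:
      "data" -> a side answers with an ordinary packet (e.g. a socket still in
                a closing state acknowledging it): timeout reset to the default
      "rst"  -> a side answers with RST: timeout drops to 1 s
      None   -> nobody answers: timeout left untouched
    Returns True while the rule is still in the dynamic table.
    """
    if rule.remaining(now) <= 0:
        return False                       # expired: removed from the table
    if rule.remaining(now) < KEEPALIVE_THRESHOLD and now >= rule.next_keepalive:
        rule.keepalives_sent += 1
        rule.next_keepalive = now + KEEPALIVE_INTERVAL
        if peer_response == "data":
            rule.expire = now + DYN_DEFAULT_TTL
        elif peer_response == "rst":
            rule.expire = now + RST_TTL
        # None: no change, the rule keeps counting down
    return True


def simulate(responder, duration: int, step: int = 1) -> dict:
    """Install one rule at t=0 and run it for `duration` seconds.

    `responder(now)` returns "data", "rst" or None for a keepalive sent at `now`.
    Returns when the rule expired (None if it never did) and how many keepalives
    were sent; `remaining` is reported for a rule that is still alive.
    """
    rule = DynRule(expire=DYN_DEFAULT_TTL)
    for now in range(0, duration + 1, step):
        if not tick(rule, now, responder(now)):
            return {"expired_at": now, "keepalives": rule.keepalives_sent}
    return {"expired_at": None, "keepalives": rule.keepalives_sent,
            "remaining": rule.remaining(duration)}


if __name__ == "__main__":
    # Three constructed scenarios: silent peers, a peer that answers with RST,
    # and a peer that keeps acknowledging the keepalives.
    print("no answer  :", simulate(lambda now: None, 400))
    print("RST answer :", simulate(lambda now: "rst", 400))
    print("data answer:", simulate(lambda now: "data", 1200))
```

With silent peers the rule sends its four keepalives and is dropped at 300 s; a RST answer removes it one second after the first keepalive; a peer that keeps answering with data never lets it expire, so a LIMIT slot held by such a rule stays occupied until the rule is flushed, which matches the workaround described in the thread. On a live system the equivalent observation is repeated `ipfw -d show` output, as the original question already does.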
