Date: Wed, 31 Jul 2002 15:28:06 -0700 From: Luigi Rizzo <rizzo@icir.org> To: Dan Pelleg <daniel+bsd@pelleg.org> Cc: ipfw@FreeBSD.ORG Subject: Re: IPFW2 keep-alive Message-ID: <20020731152806.B69266@iguana.icir.org> In-Reply-To: <u2sit30hqui.fsf_-_@gs166.sp.cs.cmu.edu>; from daniel%2Bbsd@pelleg.org on Sun, Jul 28, 2002 at 10:25:25AM -0400 References: <u2sit31royw.fsf@gs166.sp.cs.cmu.edu> <u2sit30hqui.fsf_-_@gs166.sp.cs.cmu.edu>
next in thread | previous in thread | raw e-mail | index | archive | help
The logic works as follows: when a O_LIMIT or O_KEEP_STATE rule has less than 20 seconds left, the firewall will send a keepalive packet to both sides every 5 seconds. If any of the two responds, then the timeout will be updated accordingly -- i.e. a regular data packet will reset it up to 300 seconds or whatever the default is, a RST will put it down to 1 which is below the threshold for generating a new keepalive. If none responds, the timeout will be left untouched. Now i wonder if in your case what happens is that the remote server is not sending RST for invalid packets, and you do have a socket in some closing state (or even a mozilla about to close) still handling the keepalives and replying to them. cheers luigi On Sun, Jul 28, 2002 at 10:25:25AM -0400, Dan Pelleg wrote: > > What's the exact mechanism to expire dynamic rules under IPFW2? I > understand it's sending keep-alive packets as the rule is about to > expire. Is there any way for these to result in the rule being removed? The > behaviour I'm seeing is this: > > During a network partition, the application program (Mozilla) retried to > connect to remote hosts and opened many connections, eventually hitting the > LIMIT count. > > Now the network is back up. However there is no way to open new > connections since the appropriate rule's LIMIT is met. Repeated ipfw -d > show that the rules are refreshed when they have 5-6 seconds to live (and > go back to 10 seconds or so). I'm not sure what's doing that - the local > application is long terminated. The only workaround I found was to flush > the ruleset (I guess replacing just that rule would have also worked). > > -- > > Dan Pelleg > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-ipfw" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020731152806.B69266>