From owner-freebsd-ipfw Wed Jul 31 15:28:10 2002
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2BC7937B400 for ; Wed, 31 Jul 2002 15:28:08 -0700 (PDT)
Received: from iguana.icir.org (iguana.icir.org [192.150.187.36]) by mx1.FreeBSD.org (Postfix) with ESMTP id DA03843E31 for ; Wed, 31 Jul 2002 15:28:07 -0700 (PDT) (envelope-from rizzo@iguana.icir.org)
Received: (from rizzo@localhost) by iguana.icir.org (8.11.6/8.11.3) id g6VMS6f69442; Wed, 31 Jul 2002 15:28:06 -0700 (PDT) (envelope-from rizzo)
Date: Wed, 31 Jul 2002 15:28:06 -0700
From: Luigi Rizzo
To: Dan Pelleg
Cc: ipfw@FreeBSD.ORG
Subject: Re: IPFW2 keep-alive
Message-ID: <20020731152806.B69266@iguana.icir.org>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
In-Reply-To: ; from daniel+bsd@pelleg.org on Sun, Jul 28, 2002 at 10:25:25AM -0400
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

The logic works as follows: when an O_LIMIT or O_KEEP_STATE rule has less than 20 seconds left, the firewall will send a keepalive packet to both sides every 5 seconds. If any of the two responds, then the timeout will be updated accordingly -- i.e. a regular data packet will reset it up to 300 seconds or whatever the default is, a RST will put it down to 1 which is below the threshold for generating a new keepalive. If none responds, the timeout will be left untouched.

Now I wonder if in your case what happens is that the remote server is not sending RST for invalid packets, and you do have a socket in some closing state (or even a mozilla about to close) still handling the keepalives and replying to them.
cheers
luigi

On Sun, Jul 28, 2002 at 10:25:25AM -0400, Dan Pelleg wrote:
>
> What's the exact mechanism to expire dynamic rules under IPFW2? I
> understand it's sending keep-alive packets as the rule is about to
> expire. Is there any way for these to result in the rule being removed? The
> behaviour I'm seeing is this:
>
> During a network partition, the application program (Mozilla) retried to
> connect to remote hosts and opened many connections, eventually hitting the
> LIMIT count.
>
> Now the network is back up. However there is no way to open new
> connections since the appropriate rule's LIMIT is met. Repeated ipfw -d
> show that the rules are refreshed when they have 5-6 seconds to live (and
> go back to 10 seconds or so). I'm not sure what's doing that - the local
> application is long terminated. The only workaround I found was to flush
> the ruleset (I guess replacing just that rule would have also worked).
>
> --
>
> Dan Pelleg
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-ipfw" in the body of the message
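The keepalive logic Luigi describes above, written out as a small simulation (an added example for this archive page, not ipfw's own kernel code). The struct, function names and the fixed per-run peer policy are assumptions for the illustration; the timer values (20 s threshold, 5 s period, 300 s reset on a data packet, 1 s on a RST) are the ones quoted in the reply. The three policies show why Dan's LIMIT slots never free up: a peer that keeps answering probes with data keeps the entry alive forever, a peer that answers with RST collapses it within a second, and silence lets it expire on schedule.

```c
#include <stdbool.h>
#include <stdio.h>

/* Timer values quoted in the message above (assumed defaults here, not the kernel's real macros). */
#define ACK_LIFETIME        300  /* a regular data packet resets the entry to this many seconds */
#define RST_LIFETIME        1    /* a RST drops the remaining lifetime to this */
#define KEEPALIVE_THRESHOLD 20   /* keepalives start when fewer than this many seconds remain */
#define KEEPALIVE_PERIOD    5    /* seconds between keepalive rounds */

/* How the endpoints answer a keepalive probe: a constructed, fixed policy per simulation run. */
enum peer_reply { REPLY_NONE, REPLY_DATA, REPLY_RST };

/* Hypothetical dynamic-rule entry; only the timeout bookkeeping is modelled. */
struct dyn_rule {
    int  expire;          /* absolute time (s) at which the entry is removed */
    int  last_keepalive;  /* time of the last keepalive round, -1 if none yet */
    int  keepalives_sent; /* probe rounds sent so far (one round = both sides) */
    bool expired;
};

void dyn_rule_init(struct dyn_rule *r, int now)
{
    r->expire = now + ACK_LIFETIME;
    r->last_keepalive = -1;
    r->keepalives_sent = 0;
    r->expired = false;
}

/* A packet matching the entry was seen at time `now`; update the timeout as the reply describes. */
void dyn_rule_packet(struct dyn_rule *r, int now, enum peer_reply kind)
{
    if (r->expired)
        return;
    if (kind == REPLY_DATA)
        r->expire = now + ACK_LIFETIME;   /* regular data: back up to the full lifetime */
    else if (kind == REPLY_RST)
        r->expire = now + RST_LIFETIME;   /* RST: down to 1 s, below the keepalive threshold */
    /* REPLY_NONE: nothing arrived, timeout left untouched */
}

/* One second of housekeeping: remove the entry if due, else probe both sides if it is about to expire. */
void dyn_rule_tick(struct dyn_rule *r, int now, enum peer_reply peer)
{
    if (r->expired)
        return;
    int remaining = r->expire - now;
    if (remaining <= 0) {
        r->expired = true;
        return;
    }
    if (remaining < KEEPALIVE_THRESHOLD &&
        (r->last_keepalive < 0 || now - r->last_keepalive >= KEEPALIVE_PERIOD)) {
        r->keepalives_sent++;
        r->last_keepalive = now;
        /* whatever a peer sends back is a packet matching the entry, so it goes through the same path */
        dyn_rule_packet(r, now, peer);
    }
}

/* Run an entry created at t=0 for `seconds` ticks under a fixed peer policy; return its final state. */
struct dyn_rule simulate(int seconds, enum peer_reply peer)
{
    struct dyn_rule r;
    dyn_rule_init(&r, 0);
    for (int now = 1; now <= seconds; now++)
        dyn_rule_tick(&r, now, peer);
    return r;
}

int main(void)
{
    static const char *names[] = { "no reply", "data reply", "RST reply" };
    enum peer_reply policies[] = { REPLY_NONE, REPLY_DATA, REPLY_RST };
    for (int i = 0; i < 3; i++) {
        struct dyn_rule r = simulate(2000, policies[i]);
        printf("%-10s: expired=%-3s keepalive rounds=%d final expire=%d\n", names[i],
               r.expired ? "yes" : "no", r.keepalives_sent, r.expire);
    }
    return 0;
}
```

With no reply the entry sends four probe rounds (at 281, 286, 291 and 296 s) and is removed at 300 s; with a RST the first probe at 281 s pulls the expiry to 282 s and no further probe is generated; with a data reply each probe pushes the expiry out another 300 s, so the entry lives indefinitely and the LIMIT slot it occupies is never returned, which is exactly the "refreshed with a few seconds to live" pattern in the quoted report.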