From: Robert Gogolok
To: freebsd-questions@freebsd.org
Date: Mon, 21 Mar 2005 18:02:57 +0100
Subject: FIN_WAIT_2
Message-ID: <423EFE41.6040805@web.de>

I have set up a webserver behind a bridged firewall, something like:
    INTERNET --------- FIREWALL --------- WEBSERVER

The webserver is running FreeBSD, and currently I get many FIN_WAIT_2 states:

# netstat -n -p tcp | grep FIN_WAIT_2 | wc -l
48

I wonder WHAT is responsible for sending ACK messages every 5 minutes to the clients in FIN_WAIT_2 state? tcp.inet.tcp.always_keepalive seems to be something else.

# netstat -n -p tcp | grep FIN_WAIT_2 | grep HTTP_CLIENT
tcp4       0      0  134.96.240.1.80        HTTP_CLIENT.10228      FIN_WAIT_2

# tcpdump -S -i vr0 dst host HTTP_CLIENT
16:04:12.987415 IP HTTP_SERVER.http > HTTP_CLIENT.10228: . ack 1760359226 win 0
16:04:12.987678 IP HTTP_SERVER.http > HTTP_CLIENT.10228: . ack 1760359226 win 32900
16:08:57.944008 IP HTTP_SERVER.http > HTTP_CLIENT.10228: . ack 1760359226 win 0
16:08:57.944300 IP HTTP_SERVER.http > HTTP_CLIENT.10228: . ack 1760359226 win 32900
.
.
.
17:39:12.124577 IP HTTP_SERVER.http > HTTP_CLIENT.10228: . ack 1760359226 win 0
17:39:12.124862 IP HTTP_SERVER.http > HTTP_CLIENT.10228: . ack 1760359226 win 32900
17:43:57.081176 IP HTTP_SERVER.http > HTTP_CLIENT.10228: . ack 1760359226 win 0
17:43:57.081434 IP HTTP_SERVER.http > HTTP_CLIENT.10228: . ack 1760359226 win 32900

The bridged firewall seems to block exactly those ACKs. The setup is a simple stateful firewall, something like:

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -d HTTP_SERVER --dport 80 -j ACCEPT

Is blocking the ACK messages above somehow harmful?

Greetings,
Robert
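The capture in the post shows a recognisable signature: for one flow, pairs of bare ACKs (no data, same ACK number every time, first with win 0 then with the real window) recur at a fixed interval. The following script is an added example, not part of the original post or of any FreeBSD tool: it parses tcpdump lines in the format shown above, groups bare ACKs per flow into bursts, and reports the spacing between bursts, so you can measure the period exactly rather than eyeballing it. The sample lines are constructed to match the post's pattern (host names HTTP_SERVER, HTTP_CLIENT and the extra OTHER_CLIENT data segment are placeholders); the script does not determine which timer on the server is sending the probes.

```python
"""Measure the period of repeated bare-ACK probes in tcpdump output."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the same format as the post's capture: three probe
# bursts to HTTP_CLIENT plus one unrelated data-bearing segment that must
# not be counted as a probe.
SAMPLE_TCPDUMP = """\
16:04:12.987415 IP HTTP_SERVER.http > HTTP_CLIENT.10228: . ack 1760359226 win 0
16:04:12.987678 IP HTTP_SERVER.http > HTTP_CLIENT.10228: . ack 1760359226 win 32900
16:05:00.000000 IP HTTP_SERVER.http > OTHER_CLIENT.40001: P 1:200(199) ack 55 win 32900
16:08:57.944008 IP HTTP_SERVER.http > HTTP_CLIENT.10228: . ack 1760359226 win 0
16:08:57.944300 IP HTTP_SERVER.http > HTTP_CLIENT.10228: . ack 1760359226 win 32900
16:13:42.900000 IP HTTP_SERVER.http > HTTP_CLIENT.10228: . ack 1760359226 win 0
16:13:42.900300 IP HTTP_SERVER.http > HTTP_CLIENT.10228: . ack 1760359226 win 32900
"""

# tcpdump 3.x style line: "HH:MM:SS.usec IP src > dst: FLAGS rest-of-line"
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<flags>\S+) (?P<rest>.*)$"
)
ACK_RE = re.compile(r"\back (?P<ack>\d+)\b")
WIN_RE = re.compile(r"\bwin (?P<win>\d+)\b")
LEN_RE = re.compile(r"\((?P<len>\d+)\)")   # payload length, e.g. "1:200(199)"


def parse_tcpdump(text):
    """Parse capture lines into dicts; lines that do not match are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rest = m.group("rest")
        ack, win, ln = ACK_RE.search(rest), WIN_RE.search(rest), LEN_RE.search(rest)
        pkts.append({
            "t": datetime.strptime(m.group("ts"), "%H:%M:%S.%f"),
            "src": m.group("src"),
            "dst": m.group("dst"),
            "flags": m.group("flags"),
            "ack": int(ack.group("ack")) if ack else None,
            "win": int(win.group("win")) if win else None,
            "len": int(ln.group("len")) if ln else 0,
        })
    return pkts


def is_bare_ack(pkt):
    """A probe carries no data and only the ACK flag ('.' in tcpdump output)."""
    return pkt["flags"] == "." and pkt["len"] == 0 and pkt["ack"] is not None


def probe_bursts(pkts, burst_window=1.0):
    """Group bare ACKs per (src, dst) flow; ACKs closer together than
    burst_window seconds (the win 0 / win N pair) form one burst."""
    bursts = defaultdict(list)
    for p in pkts:
        if not is_bare_ack(p):
            continue
        flow = bursts[(p["src"], p["dst"])]
        if flow and (p["t"] - flow[-1]["t"]).total_seconds() <= burst_window:
            flow[-1]["acks"].add(p["ack"])
            flow[-1]["wins"].append(p["win"])
        else:
            flow.append({"t": p["t"], "acks": {p["ack"]}, "wins": [p["win"]]})
    return bursts


def probe_intervals(pkts, burst_window=1.0):
    """Seconds between successive bursts, per flow, but only for flows whose
    bursts all repeat the same ACK number (i.e. nothing new is being acked,
    which is what distinguishes a probe from ordinary traffic)."""
    result = {}
    for flow, bl in probe_bursts(pkts, burst_window).items():
        if len(bl) < 2:
            continue
        if len(set().union(*(b["acks"] for b in bl))) != 1:
            continue
        result[flow] = [(b["t"] - a["t"]).total_seconds() for a, b in zip(bl, bl[1:])]
    return result


if __name__ == "__main__":
    for flow, ivs in probe_intervals(parse_tcpdump(SAMPLE_TCPDUMP)).items():
        print("%s > %s: probe every %s s" % (flow[0], flow[1], [round(x) for x in ivs]))
```

Feed it `tcpdump -S -n -tt`-style output only if you adjust the timestamp regex; as written it expects the wall-clock `HH:MM:SS.usec` prefix shown in the post. On the constructed sample the HTTP_CLIENT flow comes out at roughly 285 seconds between bursts, and the OTHER_CLIENT data segment is ignored because it carries a payload.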