From owner-freebsd-net@FreeBSD.ORG Mon Oct 24 09:18:33 2005
Date: Mon, 24 Oct 2005 04:18:27 -0500 (CDT)
From: Mike Silbersack
To: Nicolas KOWALSKI
Cc: freebsd-net@FreeBSD.org
Subject: Re: FreeBSD NFS server not responding to TCP SYN packets from Linux/SunOS clients
Message-ID: <20051024041109.E26073@odysseus.silby.com>
References: <20051014160128.hev160v52ossokg0@wwws.cs.ait.ac.th> <20051014045824.V5343@odysseus.silby.com>
List-Id: Networking and TCP/IP with FreeBSD

Sorry for the delay, you took me out of the To: listing, so the message
just went into my lists box, which I didn't get to until today.

On Fri, 14 Oct 2005, Nicolas KOWALSKI wrote:

>> Assuming that port reuse is the problem, there is no quick fix for
>> this, just resetting connections when a SYN comes in would be a
>> really big security problem.
>
> Really? Are Linux and Solaris that insecure because of this behaviour?

Not necessarily - there are a bunch of different ways to handle the
situation better than we do at present. I don't know how Solaris/Linux
do it right now, nor have I had time to implement an improvement for
FreeBSD. Maybe in January I'll have time.

>> Actually, there may be a quick fix for this specific machine. If you
>> set net.inet.tcp.keepidle to 1 minute (60*whatever kern.hz is),
>> that'll cause keepalive packets to be sent every minute to an idle
>> connection, rather than every 2 hours. That would kill the stuck
>> connections much quicker.
>
> Unfortunately, this does not work as expected. I just tested with my
> workstation (Linux 2.6), with NFS filesystems mounted with TCP; when
> the station rebooted abruptly, mounting the same NFS filesystems hung
> more than 1 minute (15 minutes just now). During this hang, I saw on
> the server, using netstat, the nfsd process related to my workstation
> in ESTABLISHED state.
>
> Any other tip?
>
> Many Thanks in advance,
> --
> Nicolas

Ok, I have one other quick fix idea, but it's a bit crazy. ipfw is
supposed to send keepalive packets when rules go idle and are about to
expire. So, if you make a keep-state rule for incoming connections, then
maybe ipfw would somehow close down the dead connection.

Mike "Silby" Silbersack
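Added illustration of the two workarounds discussed in this message (the keepidle tuning and the ipfw keep-state rule). This is not code from the thread or from Mike; it is a sketch written for this archive page. It assumes the tick-based sysctl units of the 2005-era kernel (modern FreeBSD takes net.inet.tcp.keepidle and keepintvl in milliseconds, so check `sysctl -d net.inet.tcp.keepidle` on a current system), the FreeBSD defaults of a 75 s keepintvl and TCPTV_KEEPCNT = 8 unanswered probes, NFS on 2049/tcp, and the ipfw sysctl names from ipfw(8). The dead_peer_timeout function makes the practitioner's point: with keepidle at 60 s the stack still waits out keepcnt probes spaced keepintvl apart before dropping the socket, so the tuning shortens the hang to roughly 11 minutes rather than 1.

```sh
#!/bin/sh
# Added example, not from the original thread. Models the two workarounds
# Mike suggests for a dead NFS client's ESTABLISHED socket on a FreeBSD
# server. Assumptions: tick-based keepalive sysctls (2005-era kernel;
# modern FreeBSD uses milliseconds), keepintvl 75 s, TCPTV_KEEPCNT 8,
# NFS on 2049/tcp, ipfw dynamic-rule sysctl names as documented in ipfw(8).

# Seconds -> kernel ticks for a given kern.hz ("60*whatever kern.hz is").
secs_to_ticks() {            # $1 = seconds, $2 = kern.hz
    echo $(( $1 * $2 ))
}

# Worst case before the stack tears down a dead peer's socket: it idles
# for keepidle, then keepcnt probes go out keepintvl apart, and only after
# the last one goes unanswered is the connection dropped.
# keepidle=60, keepintvl=75, keepcnt=8 -> 60 + 8*75 = 660 s (about 11 min),
# which is why a 1-minute keepidle alone does not give 1-minute recovery.
dead_peer_timeout() {        # $1 = keepidle s, $2 = keepintvl s, $3 = keepcnt
    echo $(( $1 + $2 * $3 ))
}

# Emit (do not apply) the TCP-side tuning for a chosen kern.hz.
# always_keepalive=1 makes the kernel probe sockets that never set
# SO_KEEPALIVE themselves, which covers nfsd's accepted connections.
# Shortening keepintvl as well is what actually brings the total down.
print_tcp_tuning() {         # $1 = kern.hz
    hz=$1
    echo "sysctl net.inet.tcp.always_keepalive=1"
    echo "sysctl net.inet.tcp.keepidle=$(secs_to_ticks 60 "$hz")"
    echo "sysctl net.inet.tcp.keepintvl=$(secs_to_ticks 15 "$hz")"
}

# Emit (do not apply) the ipfw variant: a stateful rule for inbound NFS so
# that ipfw's own keepalives, sent shortly before an idle dynamic rule
# expires, are aimed at the dead client. dyn_ack_lifetime is the idle
# lifetime of an established-state dynamic rule (assumed name/units).
print_ipfw_tuning() {
    echo "sysctl net.inet.ip.fw.dyn_keepalive=1"
    echo "sysctl net.inet.ip.fw.dyn_ack_lifetime=120"
    echo "ipfw add 100 check-state"
    echo "ipfw add 200 allow tcp from any to me 2049 setup keep-state"
}

# Usage: sh nfs-keepalive.sh <kern.hz>; with no argument nothing is printed
# and nothing on the host is changed.
if [ -n "$1" ]; then
    echo "# dead-peer detection with keepidle=60s: $(dead_peer_timeout 60 75 8) s"
    print_tcp_tuning "$1"
    print_ipfw_tuning
fi
```

Run it as `sh nfs-keepalive.sh "$(sysctl -n kern.hz)"` on the server to see the commands before applying any of them; on a host whose keepalive sysctls are already in milliseconds, replace secs_to_ticks with a multiply by 1000.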