Date: Mon, 24 Oct 2005 04:18:27 -0500 (CDT)
From: Mike Silbersack <silby@silby.com>
To: Nicolas KOWALSKI <Nicolas.Kowalski@imag.fr>
Cc: freebsd-net@FreeBSD.org
Subject: Re: FreeBSD NFS server not responding to TCP SYN packets from Linux/SunOS clients
Message-ID: <20051024041109.E26073@odysseus.silby.com>
In-Reply-To: <vqo7jcgs175.fsf@obiou.imag.fr>
References: <Pine.LNX.4.64.0510141021290.22064@corbeau.imag.fr> <20051014160128.hev160v52ossokg0@wwws.cs.ait.ac.th> <20051014045824.V5343@odysseus.silby.com> <vqo7jcgs175.fsf@obiou.imag.fr>
Sorry for the delay, you took me out of the To: listing, so the message
just went into my lists box, which I didn't get to until today.

On Fri, 14 Oct 2005, Nicolas KOWALSKI wrote:

>> Assuming that port reuse is the problem, there is no quick fix for
>> this, just resetting connections when a SYN comes in would be a
>> really big security problem.
>
> Really? Are Linux and Solaris that insecure because of this behaviour?

Not necessarily - there are a bunch of different ways to handle the
situation better than we do at present. I don't know how Solaris/Linux
do it right now, nor have I had time to implement an improvement for
FreeBSD. Maybe in January I'll have time.

>> Actually, there may be a quick fix for this specific machine. If you
>> set net.inet.tcp.keepidle to 1 minute (60*whatever kern.hz is),
>> that'll cause keepalive packets to be sent every minute to an idle
>> connection, rather than every 2 hours. That would kill the stuck
>> connections much quicker.
>
> Unfortunately, this does not work as expected. I just tested with my
> workstation (Linux 2.6), with NFS filesystems mounted with TCP; when
> the station rebooted abruptly, mounting the same NFS filesystems hung
> more than 1 minute (15 minutes just now). During this hang, I saw on
> the server, using netstat, the nfsd process related to my workstation
> in ESTABLISHED state.
>
> Any other tip?
>
> Many Thanks in advance,
> --
> Nicolas

Ok, I have one other quick fix idea, but it's a bit crazy. ipfw is
supposed to send keepalive packets when rules go idle and are about to
expire. So, if you make a keep-state rule for incoming connections, then
maybe ipfw would somehow close down the dead connection.

Mike "Silby" Silbersack
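The following Python is an added illustration, not code from the thread, modelling the keepalive timeline behind Mike's keepidle suggestion: the sysctl takes kernel ticks (minutes * 60 * kern.hz, as he says), and the stale ESTABLISHED entry survives until the probe sequence gives up. It assumes the stack sends the first probe after keepidle and then one probe per keepintvl, dropping the connection after keepcnt unanswered probes, with assumed defaults of 75 s and 8 for those two values; it also assumes the vanished peer stays completely silent, since any accepted segment restarts the idle clock.

```python
"""Keepalive timeline for an idle TCP connection whose peer has vanished.

Constructed illustration. Assumed defaults: first probe after keepidle,
one probe every keepintvl (assumed 75 s), connection dropped after
keepcnt (assumed 8) unanswered probes. The idle clock restarts on any
accepted segment, so the dead peer is assumed to stay completely silent.
"""
from dataclasses import dataclass
from typing import List

DEFAULT_KEEPIDLE_S = 2 * 60 * 60   # "every 2 hours", as stated in the thread
ASSUMED_KEEPINTVL_S = 75           # assumed default probe interval (seconds)
ASSUMED_KEEPCNT = 8                # assumed default unanswered-probe limit


def keepidle_sysctl_value(minutes: int, hz: int) -> int:
    """net.inet.tcp.keepidle is in kernel ticks: minutes * 60 * kern.hz."""
    return minutes * 60 * hz


@dataclass
class KeepaliveTimeline:
    probe_times_s: List[int]  # seconds of silence at which each probe goes out
    drop_time_s: int          # seconds of silence before the server drops it


def keepalive_timeline(keepidle_s: int,
                       keepintvl_s: int = ASSUMED_KEEPINTVL_S,
                       keepcnt: int = ASSUMED_KEEPCNT) -> KeepaliveTimeline:
    """First probe at keepidle, one more every keepintvl, drop after keepcnt misses."""
    probes = [keepidle_s + i * keepintvl_s for i in range(keepcnt)]
    return KeepaliveTimeline(probes, keepidle_s + keepcnt * keepintvl_s)


def mount_hang_s(keepidle_s: int, idle_at_reboot_s: int = 0) -> int:
    """Worst-case time a rebooted client's new SYN is ignored: the stale
    ESTABLISHED entry lives until the keepalive timeline drops it, less
    however long the connection had already been idle when the client died."""
    return max(0, keepalive_timeline(keepidle_s).drop_time_s - idle_at_reboot_s)


if __name__ == "__main__":
    hz = 1000  # constructed kern.hz value
    print("sysctl net.inet.tcp.keepidle=%d" % keepidle_sysctl_value(1, hz))
    for label, idle in (("default 2 h", DEFAULT_KEEPIDLE_S), ("1 min", 60)):
        tl = keepalive_timeline(idle)
        print("%-11s first probe %5ds, drop after %5ds (~%d min)"
              % (label, tl.probe_times_s[0], tl.drop_time_s, tl.drop_time_s // 60))
```

Under these assumptions a one-minute keepidle still leaves the stale entry alive for about 11 minutes of probing before the server drops it, so a hang measured in minutes rather than the single minute the setting suggests is consistent with the fix working as described.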