Date: Fri, 2 May 2003 21:44:19 +0400 (MSD)
From: maxes@peterlink.ru
To: freebsd-ipfw@freebsd.org
Subject: src-limit trouble
Message-ID: <Pine.BSI.4.40.0305021452430.17519-100000@buratino.peterlink.ru>
I use ipfw2 with a dynamic rule like this:

ipfw add 50 count tcp from any to me dst-port 8000-8005,80 setup limit src-addr 20

1) In my case, the command "ipfw -d sh" can show a "LIMIT" rule without a corresponding "PARENT" rule, for example:

ipfw -d sh | grep remote.ip
00050 9 861 (62s) LIMIT tcp remote.ip 19098 <-> me.ip 80

That is the full output; I repeat, there is no corresponding PARENT rule.

2) If net.inet.ip.fw.dyn_keepalive=1, then FIN_WAIT_2 connections accumulate on the host. For example:

netstat -an | grep WAIT_2 | wc -l
2178

These FIN_WAIT_2 connections live for a very long period, 1-1.5 months. But if I set "sysctl -w net.inet.ip.fw.dyn_keepalive=0", then after at least 5 min (= dyn_ack_lifetime) the number of FIN_WAIT_2 connections decreases to "normal", 20-40. I set MSL to 7500.

My questions are:
Why does a single LIMIT rule live without a PARENT?
Why is this connection not closed? In FreeBSD, FIN_WAIT_2 has a timer: after 2*MSL (30 sec in my case) the connection should be closed, shouldn't it?
But with keepalive these connections show up in netstat and in the ipfw rules.

b.r. Kozin Maxim
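The check Maxim is doing by eye with `ipfw -d sh | grep` (a LIMIT entry whose PARENT is missing) can be scripted against the full dynamic-rule listing. The following is an added example and is not code from the post or from the FreeBSD project. It assumes the ipfw2 dynamic-rule line layout `<rule> <pkts> <bytes> (<secs>s) <TYPE> [<count>] <proto> <src> <sport> <-> <dst> <dport>`, with `PARENT` carrying its child count and, for a `limit src-addr` rule, a parent keyed by the child's source address (ports and destination zeroed); the sample output is constructed, not captured.

```python
"""Audit `ipfw -d show` output for LIMIT entries that have no PARENT entry.

Added example. The line formats matched below are assumed from ipfw2's
dynamic-rule printer; they are not taken from the original post.
"""
import re
from collections import defaultdict

# Constructed sample output (not real traffic). The static rules and the
# "## Dynamic rules" header are included so the parser is shown skipping them.
SAMPLE = """\
00050 3204 211889 count tcp from any to me dst-port 8000-8005,80 setup limit src-addr 20
65535 0 0 deny ip from any to any
## Dynamic rules (6):
00050 9 861 (62s) LIMIT tcp 192.0.2.10 19098 <-> 198.51.100.5 80
00050 0 0 (62s) PARENT 2 tcp 192.0.2.20 0 <-> 0.0.0.0 0
00050 12 1400 (30s) LIMIT tcp 192.0.2.20 40000 <-> 198.51.100.5 8000
00050 7 900 (25s) LIMIT tcp 192.0.2.20 40001 <-> 198.51.100.5 8001
00050 0 0 (40s) PARENT 3 tcp 192.0.2.40 0 <-> 0.0.0.0 0
00050 1 60 (40s) LIMIT tcp 192.0.2.40 51000 <-> 198.51.100.5 80
"""

# Assumed dynamic-rule layout; PARENT lines carry a child count after the type.
DYN_RE = re.compile(
    r"^(?P<rule>\d+)\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+\((?P<secs>\d+)s\)\s+"
    r"(?P<kind>STATE|LIMIT|PARENT)(?:\s+(?P<count>\d+))?\s+"
    r"(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\d+)\s+<->\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\d+)\s*$"
)


def parse_dynamic(text):
    """Return one dict per dynamic-rule line; static rules and headers are skipped."""
    entries = []
    for line in text.splitlines():
        m = DYN_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def audit_limits(text):
    """Cross-check LIMIT entries against PARENT entries.

    Assumes the rule used `limit src-addr`, so a child's parent is the PARENT
    entry with the same rule number and the same source address. Returns the
    orphaned LIMIT entries and the parents whose count disagrees with the
    number of children actually listed.
    """
    parents = {}
    children = defaultdict(list)
    for e in parse_dynamic(text):
        key = (e["rule"], e["src"])
        if e["kind"] == "PARENT":
            parents[key] = int(e["count"])
        elif e["kind"] == "LIMIT":
            children[key].append((e["rule"], e["src"], e["sport"], e["dst"], e["dport"]))

    orphans = []
    count_mismatch = []
    for key, kids in sorted(children.items()):
        if key not in parents:
            # The condition from the post: LIMIT entries with no PARENT at all.
            orphans.extend(kids)
        elif parents[key] != len(kids):
            count_mismatch.append((key[0], key[1], parents[key], len(kids)))
    return {"orphans": orphans, "count_mismatch": count_mismatch}


if __name__ == "__main__":
    # On a live box: audit_limits(subprocess.check_output(["ipfw", "-d", "show"], text=True))
    report = audit_limits(SAMPLE)
    for rule, src, sport, dst, dport in report["orphans"]:
        print(f"orphan LIMIT: rule {rule} {src}:{sport} <-> {dst}:{dport}")
    for rule, src, claimed, seen in report["count_mismatch"]:
        print(f"PARENT count mismatch: rule {rule} {src} claims {claimed}, listed {seen}")
```

Run on the sample, the first LIMIT entry (192.0.2.10) is reported as an orphan, the 192.0.2.20 parent is consistent with its two children, and the 192.0.2.40 parent claims three children while only one is listed. A count mismatch is worth reporting alongside orphans because the parent's count is what the `limit` keyword compares against, so a stale count silently changes how many connections a source is allowed.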