From: "Mihail Balikov"
To: freebsd-ipfw@freebsd.org
Date: Sun, 4 May 2003 09:28:19 +0300
Subject: Re: src-limit trouble
List-Id: IPFW Technical Discussions

This happens when you have more than one rule with "limit". I have a small patch for 4.7.

regards,
Mihail Balikov

----- Original Message -----
From:
To:
Sent: Friday, May 02, 2003 8:44 PM
Subject: src-limit trouble

> I use ipfw2 with a dynamic rule like this:
>   ipfw add 50 count tcp from any to me dst-port 8000-8005,80 setup limit src-addr 20
>
> 1)
> In my case, the command "ipfw -d sh" can show some "LIMIT" rules without a
> corresponding "PARENT" rule, for example:
>   ipfw -d sh | grep remote.ip
>   00050 9 861 (62s) LIMIT tcp remote.ip 19098 <-> me.ip 80
>
> It's the full output, I repeat - no corresponding PARENT rule.
>
> 2)
> If net.inet.ip.fw.dyn_keepalive=1, then FIN_WAIT_2 connections accumulate
> on the host. For example:
>   netstat -an | grep WAIT_2 | wc -l
>   2178
>
> These FIN_WAIT_2 connections live for a very long period - 1-1.5 months.
> But if I set "sysctl -w net.inet.ip.fw.dyn_keepalive=0", then after
> (at minimum 5 min = dyn_ack_lifetime) the number of FIN_WAIT_2
> connections decreases to "normal" - 20-40. I set MSL to 7500.
>
> The questions are:
> Why does a single LIMIT rule live without a PARENT?
> Why is this connection not closed?
> In FreeBSD FIN_WAIT_2 has a timer - after 2*MSL (30 sec in my case)
> this connection would be closed, isn't it? But with keep-alive
> these connections show up in netstat and in the ipfw rules.
>
> b.r.
> Kozin Maxim
>
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
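A check for point (1) of the quoted question, added here as an example and not code from the thread or from ipfw itself: it pairs every LIMIT entry in `ipfw -d show` output with the PARENT entry for the same rule number and limited source address, and reports LIMIT entries that have no parent or whose parent's child count disagrees with the number of children seen. It assumes the ipfw2 line layout shown in the comments (PARENT followed by its child count, and a `limit src-addr` parent keeping only the source address); the sample lines are constructed.

```shell
#!/bin/sh
# Assumed `ipfw -d show` dynamic-rule layout (ipfw2 on FreeBSD 4.x):
#   rule pkts bytes (expire) LIMIT  proto src sport <-> dst dport
#   rule pkts bytes (expire) PARENT children proto src sport <-> dst dport
# For a "limit src-addr" rule the parent keeps only src; the rest is zeroed.

# Constructed sample: two children with a matching parent, one orphan LIMIT,
# and an unrelated keep-state entry that must be ignored.
SAMPLE='00050 9 861 (62s) LIMIT tcp 192.0.2.10 19098 <-> 198.51.100.1 80
00050 4 400 (62s) LIMIT tcp 192.0.2.10 19099 <-> 198.51.100.1 8000
00050 0 0 (62s) PARENT 2 tcp 192.0.2.10 0 <-> 0.0.0.0 0
00050 7 700 (30s) LIMIT tcp 192.0.2.77 40000 <-> 198.51.100.1 80
00060 2 200 (10s) STATE tcp 203.0.113.5 1234 <-> 198.51.100.1 22'

# Reads `ipfw -d show` output on stdin and prints one line per problem:
#   ORPHAN   <rule> <src>  children=N          (LIMIT entries, no PARENT)
#   MISMATCH <rule> <src>  parent=P children=N (PARENT count != children seen)
# Prints nothing when every LIMIT entry is accounted for.
orphan_limits() {
    awk '
        # PARENT: $6 is the child count, $8 the limited source address.
        $5 == "PARENT" { parent[$1 " " $8] = $6; next }
        # LIMIT: $7 is the source address of the child flow.
        $5 == "LIMIT" {
            key = $1 " " $7
            children[key]++
            if (!(key in seen)) { order[++n] = key; seen[key] = 1 }
        }
        END {
            # Report in first-seen order so output is stable across runs.
            for (i = 1; i <= n; i++) {
                k = order[i]
                if (!(k in parent))
                    print "ORPHAN " k " children=" children[k]
                else if (parent[k] + 0 != children[k])
                    print "MISMATCH " k " parent=" parent[k] " children=" children[k]
            }
        }'
}

# Run against the constructed sample; on a live box use: ipfw -d show | orphan_limits
printf '%s\n' "$SAMPLE" | orphan_limits
```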