Date: Fri, 16 May 2008 13:33:13 -0500
From: Mark Kane <mark@mkproductions.org>
To: freebsd-questions@freebsd.org
Subject: ipfw, limit, and lots of connections in FIN_WAIT_2 state
Message-ID: <20080516133313.1f94df22@mkproductions.org>
Hi everyone. I use ipfw on one of our servers to help protect against some HTTP attacks we were receiving recently. The rules are very basic but were helping with the type of attack we were receiving:

=====================================
#!/bin/sh
flush="/sbin/ipfw -q flush"
cmd="/sbin/ipfw -q add"

$flush

# loopback traffic
$cmd 0001 allow all from any to any via lo0
$cmd 0002 allow all from 127.0.0.1 to 127.0.0.1

# match packets against existing dynamic rules first
$cmd 0003 check-state

# new HTTP connections: at most 15 dynamic rules per source address
$cmd 3000 allow tcp from any to me 80 setup limit src-addr 15

$cmd 65003 allow all from any to any
=====================================

The issue with this setup though is that when "limit" is used and there is a dynamic rule for the traffic, lots of connections build up in the FIN_WAIT_2 state. I have recently seen numbers in the upper hundreds and they stay around for a long time. Without the limiting or dynamic rules I don't recall any noticeable amount of FIN_WAIT_2 connections.

This has been causing problems for some visitors because connections from their IP are building up and reaching the limit. The limit part works great, but all the connections shown in ipfw's dynamic rules list for some IPs are in the FIN_WAIT_2 state, which is reaching the limit and then not allowing any new traffic in from them. Then websites hosted here appear down and most of the visitors wouldn't have any idea what's going on.

The description in the last paragraph of this reply sounds just like the issue:

http://lists.freebsd.org/pipermail/freebsd-questions/2007-February/142745.html

Are there any things that can be done on the server end to help with this?

Thanks in advance for any input.

-Mark

-- 
Internet Radio:
Party107 (Trance/Electronic) - http://www.party107.com
Rock 101.9 The Edge (Rock) - http://www.rock1019.net
IRC: MIXXnet IRC Network - irc.mixxnet.net (Nick: MIXX941)
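To see which visitors are being locked out by the `limit src-addr 15` rule above, an added example (not from the original post): it correlates the per-source dynamic rules from `ipfw -d list` with the socket states from `netstat -n -p tcp` and reports, per source IP, how many rules are held, how many of those sit in FIN_WAIT_2, and whether the source is at the limit. Both inputs are constructed samples, the exact column layout of the ipfw dynamic-rule line is an assumption, and the example assumes the first address on that line is the client that created the state.

```python
import re
from collections import defaultdict

SRC_LIMIT = 15  # the "limit src-addr 15" from rule 3000 in the post

# Constructed sample of `ipfw -d list` output; the line layout is an
# assumption (adjust DYN_RE if your ipfw prints it differently).
IPFW_DYN = """## Dynamic rules (3):
03000 5 2340 (5s) STATE tcp 192.0.2.1 54321 <-> 203.0.113.5 80
03000 3 1200 (3s) STATE tcp 192.0.2.1 54322 <-> 203.0.113.5 80
03000 7 5000 (60s) STATE tcp 198.51.100.7 40000 <-> 203.0.113.5 80
"""
# Constructed sample of `netstat -n -p tcp` (FreeBSD appends the port
# to the address after a final dot).
NETSTAT = """Active Internet connections
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  203.0.113.5.80         192.0.2.1.54321        FIN_WAIT_2
tcp4       0      0  203.0.113.5.80         192.0.2.1.54322        FIN_WAIT_2
tcp4       0      0  203.0.113.5.80         198.51.100.7.40000     ESTABLISHED
"""
# lifetime, rule type, proto, then the address/port that created the state
DYN_RE = re.compile(r"\((\d+)s\)\s+\S+\s+\S+\s+(\S+)\s+(\d+)\s+<->")

def parse_dynamic(text):
    """Map (src_ip, src_port) -> seconds left on that ipfw dynamic rule."""
    out = {}
    for line in text.splitlines():
        m = DYN_RE.search(line)
        if m:
            out[(m.group(2), int(m.group(3)))] = int(m.group(1))
    return out

def parse_netstat(text):
    """Map (foreign_ip, foreign_port) -> TCP state for each tcp socket."""
    out = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) == 6 and f[0].startswith("tcp"):
            ip, _, port = f[4].rpartition(".")
            out[(ip, int(port))] = f[5]
    return out

def report(dyn, ns, limit=SRC_LIMIT):
    """Per source IP: (dynamic rules held, of those in FIN_WAIT_2, at limit?)."""
    per_ip = defaultdict(lambda: [0, 0])
    for key in dyn:
        per_ip[key[0]][0] += 1
        per_ip[key[0]][1] += int(ns.get(key) == "FIN_WAIT_2")
    return {ip: (n, fw2, n >= limit) for ip, (n, fw2) in per_ip.items()}
```

On a live host, feed it the real output of `ipfw -d list` and `netstat -n -p tcp` instead of the samples; sources whose held rules are mostly FIN_WAIT_2 sockets and whose count is at the limit are the visitors who see the site as down.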