Date: Mon, 16 Apr 2007 10:12:40 +0200
From: Ivan Voras <ivoras@fer.hr>
To: Luigi Rizzo <rizzo@icir.org>
Cc: freebsd-net@freebsd.org
Subject: Re: Understanding ipfw keep-state dynamic rules
Message-ID: <46232FF8.2030604@fer.hr>
In-Reply-To: <20070415155402.A40022@xorpc.icir.org>
References: <evu1b2$c29$1@sea.gmane.org> <20070415145621.B39338@xorpc.icir.org> <4622A227.9090003@fer.hr> <20070415155402.A40022@xorpc.icir.org>

Luigi Rizzo wrote:
> On Mon, Apr 16, 2007 at 12:07:35AM +0200, Ivan Voras wrote:
>> Luigi Rizzo wrote:
>>
>>> yes the numbers should be the expire time for the rule.
>> So, the total time the connection was active or the time the connection
>> had some traffic through it?
>
> it is the expire time (i.e. how many seconds from now the rule
> will be deleted). It should normally be the preset timeout
> (300 as a default for active sessions) minus the time for which
> the connection has been idle.

So is there a way to find out from this listing which connections have
been stalled too long? "Short" expire times may mean closed connections
or may mean a rule that's been active for a long time and is now almost
expired.

> in terms of tcp, on the server you would need to send a FIN
> (to signal "no more data from me") followed by a RST (to signal
> "i am not listening anymore"). Maybe a shutdown(s, SHUT_RDWR)
> can do the job, probably just close() is not enough.
> But i am not 100% sure.

I can't modify the server. I was hoping ipfw would send a RST to both
sides if a rule expires.