Date: Mon, 16 Apr 2007 10:12:40 +0200
From: Ivan Voras <ivoras@fer.hr>
To: Luigi Rizzo <rizzo@icir.org>
Cc: freebsd-net@freebsd.org
Subject: Re: Understanding ipfw keep-state dynamic rules
Message-ID: <46232FF8.2030604@fer.hr>
In-Reply-To: <20070415155402.A40022@xorpc.icir.org>
References: <evu1b2$c29$1@sea.gmane.org> <20070415145621.B39338@xorpc.icir.org> <4622A227.9090003@fer.hr> <20070415155402.A40022@xorpc.icir.org>
Luigi Rizzo wrote:
> On Mon, Apr 16, 2007 at 12:07:35AM +0200, Ivan Voras wrote:
>> Luigi Rizzo wrote:
>>
>>> yes the numbers should be the expire time for the rule.
>> So, the total time the connection was active or the time the connection
>> had some traffic through it?
>
> it is the expire time (i.e. how many seconds from now the rule
> will be deleted). It should normally be the preset timeout
> (300 as a default for active sessions) minus the time for which
> the connection has been idle.

So is there a way to find out from this listing which connections have
been stalled too long? "Short" expire times may mean closed connections
or may mean a rule that's been active for a long time and is now almost
expired.

> in terms of tcp, on the server you would need to send a FIN
> (to signal "no more data from me") followed by a RST (to signal
> "i am not listening anymore"). Maybe a shutdown(s, SHUT_RDWR)
> can do the job, probably just close() is not enough.
> But i am not 100% sure.

I can't modify the server. I was hoping ipfw would send a RST to both
sides if a rule expires.
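An added example, not code from the thread or from ipfw itself: a small Python parser over constructed `ipfw -d show` lines that applies the relation Luigi describes (expire = lifetime minus idle time, so idle = lifetime minus expire) to flag dynamic rules that have sat idle longer than a chosen threshold. The column layout of the listing and the per-protocol lifetimes are assumptions to verify against your FreeBSD release and `sysctl net.inet.ip.fw`.

```python
import re
from dataclasses import dataclass

# Dynamic-rule lifetimes (assumption: FreeBSD defaults, verify with `sysctl net.inet.ip.fw`).
# The thread quotes 300 s for established TCP sessions (net.inet.ip.fw.dyn_ack_lifetime).
LIFETIMES = {"tcp": 300, "udp": 10}

# Assumed shape of a dynamic-rule line in `ipfw -d show` output (column spacing varies
# between releases, adjust if yours differs):
#   <rule> <pkts> <bytes> (<expire>s) STATE <proto> <src> <sport> <-> <dst> <dport>
DYN_RULE_RE = re.compile(
    r"^\s*(?P<rule>\d+)\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+\((?P<expire>\d+)s\)\s+STATE\s+"
    r"(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\d+)\s+<->\s+(?P<dst>\S+)\s+(?P<dport>\d+)"
)

@dataclass
class DynRule:
    rule: int
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    expire: int  # seconds until ipfw deletes the rule, as printed in the listing

    def idle_seconds(self):
        # Luigi's explanation: expire = lifetime - idle, hence idle = lifetime - expire.
        lifetime = LIFETIMES.get(self.proto, LIFETIMES["tcp"])
        return max(lifetime - self.expire, 0)

def parse_dynamic_rules(listing):
    """Return the DynRule entries found in a listing; non-matching lines are skipped."""
    rules = []
    for line in listing.splitlines():
        m = DYN_RULE_RE.match(line)
        if m:
            rules.append(DynRule(int(m["rule"]), m["proto"], m["src"], int(m["sport"]),
                                 m["dst"], int(m["dport"]), int(m["expire"])))
    return rules

def stalled_rules(rules, idle_threshold):
    # Rules whose derived idle time is at least idle_threshold seconds.
    return [r for r in rules if r.idle_seconds() >= idle_threshold]

# Constructed sample listing in the assumed layout (not real ipfw output).
SAMPLE_LISTING = """\
## Dynamic rules (3):
00100     1523    1804321 (298s) STATE tcp 192.0.2.10 51234 <-> 198.51.100.5 80
00100       12       1032 (45s) STATE tcp 192.0.2.10 51240 <-> 198.51.100.5 443
00100        3        240 (3s) STATE udp 192.0.2.10 5353 <-> 198.51.100.7 53
"""
```

With the sample above, `stalled_rules(parse_dynamic_rules(SAMPLE_LISTING), 200)` returns only the 443 session (idle 255 s); the UDP entry looks "short" too but is only 7 s idle once its own lifetime is used.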
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?46232FF8.2030604>
