From: Ivan Voras <ivoras@fer.hr>
To: Luigi Rizzo
Cc: freebsd-net@freebsd.org
Date: Mon, 16 Apr 2007 10:12:40 +0200
Subject: Re: Understanding ipfw keep-state dynamic rules
Message-ID: <46232FF8.2030604@fer.hr>
In-Reply-To: <20070415155402.A40022@xorpc.icir.org>
List-Id: Networking and TCP/IP with FreeBSD

Luigi Rizzo wrote:
> On Mon, Apr 16, 2007 at 12:07:35AM +0200, Ivan Voras wrote:
>> Luigi Rizzo wrote:
>>
>>> Yes, the numbers should be the expire time for the rule.
>> So, the total time the connection was active or the time the connection
>> had some traffic through it?
>
> It is the expire time (i.e. how many seconds from now the rule
> will be deleted). It should normally be the preset timeout
> (300 as a default for active sessions) minus the time for which
> the connection has been idle.

So is there a way to find out from this listing which connections have
been stalled too long? "Short" expire times may mean closed connections
or may mean a rule that's been active for a long time and is now almost
expired.

> In terms of TCP, on the server you would need to send a FIN
> (to signal "no more data from me") followed by a RST (to signal
> "I am not listening anymore"). Maybe a shutdown(s, SHUT_RDWR)
> can do the job; probably just close() is not enough.
> But I am not 100% sure.

I can't modify the server. I was hoping ipfw would send a RST to both
sides if a rule expires.
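The relationship Luigi describes (expire = lifetime minus idle time) can be turned around to estimate how long each dynamic rule has been idle. The following script is an added example, not code from the thread or from FreeBSD: it assumes the dynamic-rule line layout printed by `ipfw -d show` is `rule pkts bytes (Ns) STATE proto src sport <-> dst dport`, uses the 300-second default lifetime named in the thread, and works on constructed sample lines.

```python
import re
from dataclasses import dataclass

# Default lifetime of an established TCP dynamic rule, as stated in the thread
# (the sysctl net.inet.ip.fw.dyn_ack_lifetime, 300 seconds by default).
DYN_ACK_LIFETIME = 300

# Constructed sample output in the assumed "ipfw -d show" dynamic-rule layout.
SAMPLE_LISTING = """\
00100     12     7872 (299s) STATE tcp 192.0.2.10 51234 <-> 198.51.100.5 22
00100    840   602112 (41s) STATE tcp 192.0.2.11 51235 <-> 198.51.100.5 22
00100      3      180 (1s) STATE tcp 192.0.2.12 51236 <-> 198.51.100.5 80
"""

DYN_RULE_RE = re.compile(
    r"^\s*(?P<rule>\d+)\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+\((?P<expire>\d+)s\)"
    r"\s+STATE\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\d+)\s+<->\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\d+)"
)


@dataclass
class DynRule:
    rule: int
    expire: int      # seconds until ipfw deletes the rule, as shown in "(Ns)"
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def idle_seconds(self, lifetime=DYN_ACK_LIFETIME):
        # From the thread: expire = lifetime - idle, hence idle = lifetime - expire.
        return lifetime - self.expire


def parse_dyn_rules(listing):
    """Parse dynamic-rule lines; non-matching lines (static rules, headers) are skipped."""
    rules = []
    for line in listing.splitlines():
        m = DYN_RULE_RE.match(line)
        if m:
            rules.append(DynRule(int(m["rule"]), int(m["expire"]), m["proto"],
                                 m["src"], int(m["sport"]), m["dst"], int(m["dport"])))
    return rules


def stale_rules(listing, idle_threshold, lifetime=DYN_ACK_LIFETIME):
    """Rules whose estimated idle time exceeds idle_threshold seconds.

    Caveat raised in the thread: a small expire value is ambiguous. It may be a
    long-idle session near its timeout, or a connection that already closed and
    whose rule was re-timed to the short FIN/RST lifetime (dyn_fin_lifetime,
    dyn_rst_lifetime). The listing alone cannot tell these apart, so the result
    is a list of candidates to check, not a verdict.
    """
    return [r for r in parse_dyn_rules(listing) if r.idle_seconds(lifetime) > idle_threshold]
```

Because of the ambiguity noted in the docstring, the third constructed line (1s left) is reported as idle for 299 seconds even though it may simply be a closed connection.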