From owner-freebsd-stable@FreeBSD.ORG  Wed May 28 22:49:02 2008
Return-Path: <owner-freebsd-stable@FreeBSD.ORG>
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 0E0E9106566C
	for <freebsd-stable@freebsd.org>; Wed, 28 May 2008 22:49:02 +0000 (UTC)
	(envelope-from rblayzor.bulk@inoc.net)
Received: from mx0-a.inoc.net (mx0-a.inoc.net [64.246.130.30])
	by mx1.freebsd.org (Postfix) with ESMTP id A57068FC22
	for <freebsd-stable@freebsd.org>; Wed, 28 May 2008 22:49:01 +0000 (UTC)
	(envelope-from rblayzor.bulk@inoc.net)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=inoc.net;
	h=Received:From:To:Subject:Date;
	b=ID2ujVH9wLSt9E9wtvuHVI0up8J9UZZ/coUaoIZ7ARbieNPU7t6neBZryNn2rU0X23eoVehqgGqJvief2SAMp9iDenJsf0DQ51hLZwGI7NqeWyGSELIBVAE/2+lQyqvyKvILMlZKWxoG2xr15p0/VdkpAPzI3KzJaKVGv0ZSDz4=;
Received: from [172.16.0.199] (cpe-67-240-119-200.nycap.res.rr.com
	[67.240.119.200]) 
	by mx0-a.inoc.net (build v8.3.29) with ESMTP id 157810043-1941382 
	for multiple; Wed, 28 May 2008 22:48:58 +0000 (UTC)
Message-Id: <23C02C8B-281A-4ABD-8144-3E25E36EDAB4@inoc.net>
From: Robert Blayzor <rblayzor.bulk@inoc.net>
To: Chuck Swiger <cswiger@mac.com>
In-Reply-To: <1A19ABA2-61CD-4D92-A08D-5D9650D69768@mac.com>
Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v924)
Date: Wed, 28 May 2008 18:48:54 -0400
References: <B42F9BDF-1E00-45FF-BD88-5A07B5B553DC@inoc.net>
	<1A19ABA2-61CD-4D92-A08D-5D9650D69768@mac.com>
X-Mailer: Apple Mail (2.924)
Cc: freebsd-stable@freebsd.org
Subject: Re: Sockets stuck in FIN_WAIT_1
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Production branch of FreeBSD source code <freebsd-stable.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>, 
	<mailto:freebsd-stable-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-stable>
List-Post: <mailto:freebsd-stable@freebsd.org>
List-Help: <mailto:freebsd-stable-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>,
	<mailto:freebsd-stable-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 28 May 2008 22:49:02 -0000

On May 28, 2008, at 6:43 PM, Chuck Swiger wrote:
> You didn't mention which version of FreeBSD you are running-- that's  
> rather important info.

Actually, I just checked, this is a 4.11 server, I thought it was  
running at least 6.2.

>> 00200 allow tcp from any to me 80 setup
>> 00200 allow icmp from any to me icmptype 0,3,8,11
>> 00200 deny log ip from any to me
>
> Also, surely these can't be the only IPFW rules you are using?  If  
> you want to use stateful rules, you need a keep-state argument, and  
> you shouldn't be combining allow rules and deny rules into the same  
> ruleset number...



Right, I have a :

00100 allow tcp from any to any established


in there as well, but noted on the later part.

-- 
Robert Blayzor, BOFH
INOC, LLC
rblayzor@inoc.net
http://www.inoc.net/~rblayzor/