From owner-freebsd-net@FreeBSD.ORG Sun Apr 15 21:56:23 2007
From: Luigi Rizzo
To: Ivan Voras
Cc: freebsd-net@freebsd.org
Date: Sun, 15 Apr 2007 14:56:21 -0700
Subject: Re: Understanding ipfw keep-state dynamic rules
Message-ID: <20070415145621.B39338@xorpc.icir.org>
In-Reply-To: ; from ivoras@fer.hr on Sun, Apr 15, 2007 at 10:18:36PM +0200
List-Id: Networking and TCP/IP with FreeBSD

On Sun, Apr 15, 2007 at 10:18:36PM +0200, Ivan Voras wrote:
> On a rule:
>
> 06080 40997628 30756672556 allow tcp from any to me dst-port 80 setup keep-state
>
> ipfw -d show lists:
>
> ## Dynamic rules (774):
> 06080 948 38731 (108s) STATE tcp xx.172.115.202 1421 <-> my.ip.add.r 80
> 06080 985 42716 (83s) STATE tcp xx.67.223.104 1071 <-> my.ip.add.r 80
> ...
> This is on a busy, but fast and fat-piped web server.
>
> Do the numbers in parentheses mean seconds the rule is active? The
> numbers seem very high, much higher than they should be (keepalive is
> active but the timeout is kept under 5 seconds, and the pages & files
> are mostly small).

Yes, the numbers should be the expire time for the rule.
ipfw has a default timeout of 300, and it only uses the "short"
lifetimes when the remote end properly closes the connection with a FIN.
If it doesn't, then the firewall cannot put a short timeout because
the other endpoint could in principle want to send more data on the
connection and we need to let it through.

Check the values of these sysctl variables:

net.inet.ip.fw.dyn_keepalive: 1
net.inet.ip.fw.dyn_short_lifetime: 5
net.inet.ip.fw.dyn_udp_lifetime: 10
net.inet.ip.fw.dyn_rst_lifetime: 1
net.inet.ip.fw.dyn_fin_lifetime: 1
net.inet.ip.fw.dyn_syn_lifetime: 20
net.inet.ip.fw.dyn_ack_lifetime: 300

You normally end up using dyn_ack_lifetime for TCP sessions.

cheers
luigi
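The reply above explains that a dynamic rule's remaining time is bounded by whichever dyn_*_lifetime was assigned when its last packet was seen, so a counter larger than every short lifetime can only have come from dyn_ack_lifetime, i.e. a session the peer never closed with a FIN. The following script is an added example, not code from the thread or from FreeBSD: it parses the `sysctl` and `ipfw -d show` output in the layout quoted above (both sample texts here are constructed, with documentation addresses in place of the masked ones) and reports, per dynamic rule, whether the remaining time can only be explained by the ack lifetime. The mapping of protocols to lifetime names is a simplified model of ipfw's timer assignment and is an assumption of this example.

```python
"""Classify ipfw keep-state dynamic rules by the lifetime that must have produced them."""
import re
from collections import Counter

# Constructed sysctl output, using the values quoted in the thread.
SYSCTL_OUTPUT = """\
net.inet.ip.fw.dyn_keepalive: 1
net.inet.ip.fw.dyn_short_lifetime: 5
net.inet.ip.fw.dyn_udp_lifetime: 10
net.inet.ip.fw.dyn_rst_lifetime: 1
net.inet.ip.fw.dyn_fin_lifetime: 1
net.inet.ip.fw.dyn_syn_lifetime: 20
net.inet.ip.fw.dyn_ack_lifetime: 300
"""

# Constructed `ipfw -d show` dynamic-rule section in the thread's layout.
IPFW_OUTPUT = """\
## Dynamic rules (4):
06080 948 38731 (108s) STATE tcp 10.172.115.202 1421 <-> 192.0.2.10 80
06080 985 42716 (83s) STATE tcp 10.67.223.104 1071 <-> 192.0.2.10 80
06080 12 1380 (3s) STATE tcp 10.9.8.7 50001 <-> 192.0.2.10 80
06080 4 400 (17s) STATE tcp 10.9.8.8 50002 <-> 192.0.2.10 80
"""

SYSCTL_RE = re.compile(r"^net\.inet\.ip\.fw\.(dyn_\w+):\s*(\d+)\s*$")
DYN_RE = re.compile(
    r"^(?P<rule>\d+)\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+\((?P<ttl>\d+)s\)\s+STATE\s+"
    r"(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\d+)\s+<->\s+(?P<dst>\S+)\s+(?P<dport>\d+)"
)


def parse_sysctl(text):
    """Return {dyn_name: int} for every net.inet.ip.fw.dyn_* line."""
    out = {}
    for line in text.splitlines():
        m = SYSCTL_RE.match(line.strip())
        if m:
            out[m.group(1)] = int(m.group(2))
    return out


def parse_dynamic_rules(text):
    """Return one dict per dynamic rule line; header lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = DYN_RE.match(line.strip())
        if m:
            d = m.groupdict()
            for k in ("rule", "pkts", "bytes", "ttl", "sport", "dport"):
                d[k] = int(d[k])
            rules.append(d)
    return rules


def candidate_lifetimes(ttl, proto, sysctl):
    """Names of the configured lifetimes that could have produced `ttl` seconds.
    The counter is set to one dyn_*_lifetime when the last matching packet is
    seen and then counts down, so the assigned lifetime must be >= the remaining
    seconds shown by `ipfw -d show`. Assumed (simplified) model of the timers:
    TCP may get fin/rst/short/syn/ack, UDP gets udp, anything else gets short."""
    if proto == "tcp":
        names = ["dyn_fin_lifetime", "dyn_rst_lifetime", "dyn_short_lifetime",
                 "dyn_syn_lifetime", "dyn_ack_lifetime"]
    elif proto == "udp":
        names = ["dyn_udp_lifetime"]
    else:
        names = ["dyn_short_lifetime"]
    return [n for n in names if sysctl.get(n, 0) >= ttl]


def classify(rules, sysctl):
    """Tag each rule 'ack-state' when only dyn_ack_lifetime can explain its
    remaining time (the peer never closed with a FIN), 'exceeds-configured'
    when no configured lifetime covers it, and 'ambiguous' otherwise."""
    result = []
    for r in rules:
        cands = candidate_lifetimes(r["ttl"], r["proto"], sysctl)
        if cands == ["dyn_ack_lifetime"]:
            state = "ack-state"
        elif not cands:
            state = "exceeds-configured"
        else:
            state = "ambiguous"
        result.append((r["src"], r["sport"], r["ttl"], state))
    return result


def summarize(ipfw_text=IPFW_OUTPUT, sysctl_text=SYSCTL_OUTPUT):
    """Count dynamic rules per state; a large 'ack-state' share on a web
    server means many peers are not sending FIN and are holding 300s entries."""
    sysctl = parse_sysctl(sysctl_text)
    classified = classify(parse_dynamic_rules(ipfw_text), sysctl)
    return Counter(state for (*_, state) in classified)


if __name__ == "__main__":
    sysctl = parse_sysctl(SYSCTL_OUTPUT)
    for src, sport, ttl, state in classify(parse_dynamic_rules(IPFW_OUTPUT), sysctl):
        print(f"{src}:{sport} ttl={ttl}s -> {state}")
    print(dict(summarize()))
```

On a live host, feed it `sysctl net.inet.ip.fw` and `ipfw -d show` output instead of the constructed strings. The inference is deliberately one-directional: a small remaining time is compatible with any lifetime (a 300s entry near expiry looks the same as a fresh 5s one), so only entries above the largest short lifetime are flagged with certainty.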