Date: Mon, 5 Aug 2002 21:21:23 -0400 From: Dan Pelleg <daniel+bsd@pelleg.org> To: Luigi Rizzo <rizzo@icir.org> Cc: ipfw@FreeBSD.ORG Subject: Re: IPFW2 keep-alive Message-ID: <15695.9363.277821.568101@gargle.gargle.HOWL> In-Reply-To: <20020731152806.B69266@iguana.icir.org> References: <u2sit31royw.fsf@gs166.sp.cs.cmu.edu> <u2sit30hqui.fsf_-_@gs166.sp.cs.cmu.edu> <20020731152806.B69266@iguana.icir.org>
next in thread | previous in thread | raw e-mail | index | archive | help
ok, my problem was that I had net.inet.ip.fw.dyn_rst_lifetime set to 10 (I don't even remember why I did that). This would explain all that we've seen (so you can disregard the personal mail I just sent you). The remote server does send a RST, which (in my case) bumps the timeout on the rule *up*. The next question is if it's worth fixing somehow or is it just another feature :) Luigi Rizzo writes: > The logic works as follows: > when a O_LIMIT or O_KEEP_STATE rule has less than 20 seconds left, > the firewall will send a keepalive packet to both sides every 5 seconds. > > If any of the two responds, then the timeout will be updated > accordingly -- i.e. a regular data packet will reset it up > to 300 seconds or whatever the default is, a RST will put it > down to 1 which is below the threshold for generating a > new keepalive. > > If none responds, the timeout will be left untouched. > > Now i wonder if in your case what happens is that the > remote server is not sending RST for invalid packets, and > you do have a socket in some closing state (or even a mozilla > about to close) still handling the keepalives and replying to them. > > cheers > luigi > > On Sun, Jul 28, 2002 at 10:25:25AM -0400, Dan Pelleg wrote: > > > > What's the exact mechanism to expire dynamic rules under IPFW2? I > > understand it's sending keep-alive packets as the rule is about to > > expire. Is there any way for these to result in the rule being removed? The > > behaviour I'm seeing is this: > > > > During a network partition, the application program (Mozilla) retried to > > connect to remote hosts and opened many connections, eventually hitting the > > LIMIT count. > > > > Now the network is back up. However there is no way to open new > > connections since the appropriate rule's LIMIT is met. Repeated ipfw -d > > show that the rules are refreshed when they have 5-6 seconds to live (and > > go back to 10 seconds or so). I'm not sure what's doing that - the local > > application is long terminated. The only workaround I found was to flush > > the ruleset (I guess replacing just that rule would have also worked). > > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?15695.9363.277821.568101>