From owner-freebsd-net@FreeBSD.ORG Sat Apr 21 11:41:37 2012
Date: Sat, 21 Apr 2012 15:41:30 +0400
From: "Dmitry S. Kasterin" <dmk.sbor@gmail.com>
To: Kevin Oberman
Cc: freebsd-net@freebsd.org
Subject: Re: Stateful IPFW - too many connections in FIN_WAIT_2 or LAST_ACK states
List-Id: Networking and TCP/IP with FreeBSD

>> # sysctl net.inet.ip.fw.dyn_fin_lifetime=4
>> net.inet.ip.fw.dyn_fin_lifetime: 1 -> 4
>> # sysctl net.inet.ip.fw.dyn_rst_lifetime=4
>> net.inet.ip.fw.dyn_rst_lifetime: 1 -> 4

> The thing that jumps out is that all of the blocked packets are FIN
> packets. I am not sure why they are being denied as they have FIN+ACK
> and that should meet the requirements for 'established'.

Sorry, it is not clear from my text that the second part of the previous
message concerns stateful/dynamic filtering. Stateless filtering works
perfectly for me.

For stateless (tcp) filtering I've used the following rules:

    00101 allow tcp from any to any established
    00102 allow tcp from me to any setup

And for stateful:

    00010 check-state
    00101 allow tcp from me to any out setup keep-state

> Are you seeing a large number of TCP sessions in partially closed states?

Yes, with the default settings (dyn_fin_lifetime=1 and dyn_rst_lifetime=1).
With dyn_fin_lifetime=4 and dyn_rst_lifetime=4 this number is smaller.

> I don't recall if you mentioned it, but what version of FreeBSD are you
> running?

9.0-STABLE / custom kernel

> Also, if you choose to use stateful TCP filtering, it is probably best to
> do it in the manner shown in the ipfw(8) man page under DYNAMIC RULES.
> This is very different from the way you did it.

The "DYNAMIC RULES" section gives the following recommendation:

    ipfw add check-state
    ipfw add deny tcp from any to any established
    ipfw add allow tcp from my-net to any setup keep-state

Is the second rule necessary?
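As an added illustration (not part of this thread or of ipfw), the following Python script models the three-rule ruleset quoted from the DYNAMIC RULES section against one TCP session that is opened, closed, and then sees a late retransmitted FIN+ACK. The state-table transitions are a simplified assumption (FIN from both sides shrinks the entry's lifetime to dyn_fin_lifetime), and the flow addresses are constructed; it only shows how the second rule and the lifetime sysctl decide the fate of those late FIN packets.

```python
# Simplified model of check-state / keep-state for a single TCP flow.
# This is NOT ipfw's implementation: lifetimes follow the sysctl names,
# but the state machine is an assumption reduced to what the thread asks.
DYN_SYN_LIFETIME = 20    # seconds, ipfw default for half-open entries
DYN_ACK_LIFETIME = 300   # seconds, ipfw default for established entries
OUT, IN = 1, 2           # direction bits, combined when both sides sent FIN

class StatefulIPFW:
    def __init__(self, dyn_fin_lifetime=1, deny_established=True):
        self.fin_lifetime = dyn_fin_lifetime
        self.deny_established = deny_established   # the man page's 2nd rule
        self.dyn = {}   # flow key -> [expire_time, directions_that_sent_FIN]

    def packet(self, now, flow, flags, direction):
        """Return the rule that decides this packet, in ruleset order."""
        key = frozenset([flow, flow[2:] + flow[:2]])  # same key both ways
        # rule 1: check-state (matches only a live dynamic entry)
        entry = self.dyn.get(key)
        if entry and entry[0] > now:
            if "F" in flags:
                entry[1] |= direction
            both_closed = entry[1] == (OUT | IN)
            entry[0] = now + (self.fin_lifetime if both_closed
                              else DYN_ACK_LIFETIME)
            return "allow (dynamic)"
        if entry:
            del self.dyn[key]   # expired entry is discarded, state is gone
        # rule 2: deny tcp from any to any established (ACK or RST set)
        if self.deny_established and ("A" in flags or "R" in flags):
            return "deny (established)"
        # rule 3: allow tcp from my-net to any setup keep-state
        if direction == OUT and flags == "S":
            self.dyn[key] = [now + DYN_SYN_LIFETIME, 0]
            return "allow (setup keep-state)"
        return "deny (default)"

def close_then_late_fin(fin_lifetime, deny_established=True):
    """Open, close, then retransmit the peer's FIN+ACK 2 s after the
    close; return the verdict on that late packet."""
    fw = StatefulIPFW(fin_lifetime, deny_established)
    flow = ("10.0.0.2", 40000, "192.0.2.10", 80)   # constructed sample
    steps = [(0.0, "S", OUT), (0.1, "SA", IN), (0.1, "A", OUT),
             (10.0, "FA", OUT), (10.1, "A", IN),       # we close first
             (12.0, "FA", IN), (12.1, "A", OUT)]       # peer closes too
    for t, flags, d in steps:
        assert fw.packet(t, flow, flags, d).startswith("allow"), (t, flags)
    return fw.packet(14.0, flow, "FA", IN)   # peer retransmits its FIN

if __name__ == "__main__":
    for lifetime in (1, 4):
        print(f"dyn_fin_lifetime={lifetime}: {close_then_late_fin(lifetime)}")
    print("without rule 2:", close_then_late_fin(1, deny_established=False))
```

With the default lifetime the entry is gone before the retransmitted FIN+ACK arrives, so the packet is dropped by the explicit "deny established" rule; raising the lifetime keeps the entry alive, and removing rule 2 only changes which rule drops it (the default rule instead), which is why the man page makes the drop explicit so no later permissive rule can catch such stray packets.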