Date: Fri, 04 Apr 2008 21:59:56 +0200
From: Ivan Voras <ivoras@freebsd.org>
To: freebsd-net@freebsd.org
Subject: Re: Trouble with IPFW or TCP?
Message-ID: <ft61c4$ea6$1@ger.gmane.org>
In-Reply-To: <Pine.BSF.3.96.1080405010904.6611B-100000@gaia.nimnet.asn.au>
References: <47F5B17E.5000304@elischer.org> <Pine.BSF.3.96.1080405010904.6611B-100000@gaia.nimnet.asn.au>

Ian Smith wrote:
> That's pretty well described under keep-state and elsewhere. Good ol'
> ipfw(8) has yet to let me down, and like Ivan I recall keep-state rules
> (albeit only for UDP) without any check-state working just fine.
>
> Not that any of that helps solve Ivan's problem ..

Thanks for verifying this. I've reread what I posted and I think I
wasn't clear about one thing: it's not exactly a "hard" problem - as I
said, connections do get established and apparently they get processed
(the effects of those HTTPS messages are present). What troubles me is
that I wouldn't expect that to happen, considering the ipfw log messages
I've posted.

In short, either:

a) The senders (or something in between like a broken router; but note
that the 7.x machine behind the same infrastructure isn't generating the
symptomatic log records) keep sending spurious packets long after the
TCP session (communication) is actually completed. Someone with better
knowledge of TCP flows could maybe verify that. HTTPS messages are sent
every 15 minutes and I'd expect various timers to time out the connection
if the ACKs aren't processed.

b) The receiving side somehow bounces the packets around, reinserting
them after the TCP session is done. This would be weird. The server from
which the posted logs and traces come isn't running anything
special like netgraph, bpf applications, routed. It's basically a web
server.