From: Ivan Voras
To: freebsd-net@freebsd.org
Date: Fri, 04 Apr 2008 21:59:56 +0200
Subject: Re: Trouble with IPFW or TCP?

Ian Smith wrote:

> That's pretty well described under keep-state and elsewhere. Good ol'
> ipfw(8) has yet to let me down, and like Ivan I recall keep-state rules
> (albeit only for UDP) without any check-state working just fine.
>
> Not that any of that helps solve Ivan's problem ..

Thanks for verifying this. I've reread what I posted and I think I
wasn't clear about one thing: it's not exactly a "hard" problem - as I
said, connections do get established and apparently they get processed
(the effects of those HTTPS messages are present). What troubles me is
that I wouldn't expect that to happen, considering the ipfw log messages
I've posted. In short, either:

a) The senders (or something in between like a broken router; but note
that the 7.x machine behind the same infrastructure isn't generating the
symptomatic log records) keep sending spurious packets long after the
TCP session (communication) is actually completed. Someone with better
knowledge of TCP flows could maybe verify that. HTTPS messages are sent
every 15 minutes and I'd expect various timers to time out the connection
if the ACKs aren't processed.

b) The receiving side somehow bounces the packets around, reinserting
them after the TCP session is done. This would be weird. The server from
which the posted logs and traces come isn't running anything
special like netgraph, bpf applications, routed. It's basically a web
server.