From owner-freebsd-stable@FreeBSD.ORG Fri May 30 09:32:04 2008
From: Robert Blayzor
To: Ian Smith
Cc: freebsd-stable@freebsd.org
Date: Fri, 30 May 2008 05:31:50 -0400
Subject: Re: Sockets stuck in FIN_WAIT_1
Message-Id: <2F37E54D-BB78-431E-87D0-A7976BE203C3@inoc.net>

On May 30, 2008, at 4:41 AM, Ian Smith wrote:

> Without debating your stateful alternative - either should work fine for
> TCP applications - this allowed inbound icmp packets for types 0,3,8,11
> but no outbound icmp at all (assuming your firewall defaults to deny).
I didn't post all the rules, just the TCP-based ones for the web server.
I don't have an outbound send restriction. I believe I have a:

    permit ip from me to any out

in there somewhere! ;-)

--
Robert Blayzor, BOFH
INOC, LLC
rblayzor@inoc.net
http://www.inoc.net/~rblayzor/
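As an added illustration that is not part of the thread or either poster's ruleset: a minimal ipfw rules file (the format loaded with `ipfw /path/to/file` or via firewall_type in rc.conf) showing the stateless layout Ian describes, with the outbound catch-all Robert mentions, beside the stateful alternative. Rule numbers, the loopback interface and the web port are assumed for the example.

```ipfw
# Added example, not from the thread. Assumed: default policy is deny
# (final explicit deny rule below), web server listens on TCP 80.

# --- stateless layout: inbound ICMP types 0,3,8,11 allowed by type ---
add 100 allow ip from any to any via lo0
add 200 allow icmp from any to me in icmptypes 0,3,8,11
add 300 allow tcp from any to me 80 in setup
add 310 allow tcp from any to any established
# Without a rule like this, ICMP replies (and any other outbound traffic)
# from the host are dropped by the default deny. Because "ip" matches
# every protocol, this one rule also covers outbound ICMP.
add 400 allow ip from me to any out
# Log what the default deny catches so a blocked FIN/ACK or ICMP message
# shows up in the logs instead of only as a stuck socket.
add 65000 deny log ip from any to any

# --- stateful alternative: the dynamic rule tracks both directions ---
# add 100 allow ip from any to any via lo0
# add 200 check-state
# add 300 allow icmp from any to me in icmptypes 0,3,8,11 keep-state
# add 310 allow tcp from any to me 80 in setup keep-state
# add 400 allow ip from me to any out keep-state
# add 65000 deny log ip from any to any
```

With the stateless layout, `ipfw -a list` together with the logged denies shows whether the outbound allow is actually present and matching, which is the quickest way to confirm the rule Robert believes is "in there somewhere".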