Date:      Wed, 19 Mar 2003 15:54:50 +0300 (MSK)
From:      maxes@peterlink.ru
To:        freebsd-ipfw@FreeBSD.ORG
Subject:   dynamic rules: PARENT 65534
Message-ID:  <Pine.BSI.4.40.0303191418460.21469-100000@buratino.peterlink.ru>


Hi all

I use the following rules on a test server:
ipfw add 01 check-state
ipfw add 15 count log logamount 10 tcp from any to me 8000-8005,80 established
ipfw add 20 allow tcp from any to me 8000-8005,80 setup limit src-addr 20

In the test environment everything works fine.
But on the production server (4.7-RELEASE-p7) something strange occurred:
ipfw -de sh | grep PARENT
00020          0          0 (2s) PARENT 3 tcp 1.2.3.4 0 <-> 0.0.0.0 0
00020          0          0 (0s) PARENT 4 tcp 1.2.3.5 0 <-> 0.0.0.0 0
00020          0          0 (0s) PARENT 4 tcp 1.2.3.6 0 <-> 0.0.0.0 0
00020          0          0 (0s) PARENT 5 tcp 1.2.3.7 0 <-> 0.0.0.0 0
00020          0          0 (0s) PARENT 65532 tcp 1.2.3.9 0 <-> 0.0.0.0 0
00020          0          0 (0s) PARENT 65534 tcp 1.2.3.10 0 <-> 0.0.0.0 0

After this, clients 1.2.3.10 and 1.2.3.9 can't establish a connection.
ipfw rule 15 doesn't log this event
(sysctl net.inet.ip.fw.verbose_limit=0).
Does this mean that the client is stopped at the check-state phase?

ipfw -de | grep LIMIT | grep 1.2.3.9
shows nothing.

Some time later (10sec-60sec-???) the entry with PARENT 6553* goes away
and clients 1.2.3.9 and 1.2.3.10 can successfully work.

I ran "tcpdump -w tst.dump port 80" and in parallel monitored the dynamic
rules state by periodically executing "ipfw -tde sh | grep PARE | sort -n -k6"
from another prompt.
When the rule "PARENT 6553* with IP 1.2.3.4" appeared and went away, I stopped
tcpdump. The dump contains no packets with (SYN,!ACK) flags for IP
1.2.3.4:
lport  rport info
--------------------------------------------------------------------
http > 1219 [FIN, ACK] Seq=2688856025 Ack=172398756 Win=17520 Len=0
1219 > http [ACK] Seq=172398756 Ack=2688856026 Win=8577 Len=0
1219 > http [RST] Seq=172398756 Ack=2998869406 Win=0 Len=0
http > 1219 [ACK] Seq=2688856025 Ack=172398756 Win=0 Len=0
http > 1219 [RST] Seq=2688856026 Ack=0 Win=0 Len=0
1219 > http [RST] Seq=172398756 Ack=172398756 Win=0 Len=0


p.s.
 65534 and 65532 look very strange, like a bug.

p.s.2
 full tcpdump result available on demand

b.r.
 Kozin Maxim
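As an added example (not part of this mail and not ipfw's own code), the following Python script parses the dynamic-rule lines quoted above and flags every PARENT entry whose child count exceeds the configured "limit src-addr 20". A count above the limit can never be a real number of children, because the limit rule refuses the (limit+1)th one, so such an entry points at a counter that has gone wrong. The sample lines are the six quoted in the mail; the signed 16-bit reading of the counter (65534 = -2, 65532 = -4) is an assumption offered as a diagnostic hint, not something the mail establishes.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input: the six `ipfw -de show` lines quoted in the mail.
SAMPLE_OUTPUT = """\
00020          0          0 (2s) PARENT 3 tcp 1.2.3.4 0 <-> 0.0.0.0 0
00020          0          0 (0s) PARENT 4 tcp 1.2.3.5 0 <-> 0.0.0.0 0
00020          0          0 (0s) PARENT 4 tcp 1.2.3.6 0 <-> 0.0.0.0 0
00020          0          0 (0s) PARENT 5 tcp 1.2.3.7 0 <-> 0.0.0.0 0
00020          0          0 (0s) PARENT 65532 tcp 1.2.3.9 0 <-> 0.0.0.0 0
00020          0          0 (0s) PARENT 65534 tcp 1.2.3.10 0 <-> 0.0.0.0 0
"""

# The rule in the mail is "limit src-addr 20": at most 20 children per source address.
CONFIGURED_LIMIT = 20

# Field layout of a PARENT line as printed by `ipfw -de show`:
#   rule pkts bytes (ttl) PARENT count proto src sport <-> dst dport
PARENT_RE = re.compile(
    r"^(?P<rule>\d+)\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+\((?P<ttl>\d+)s\)\s+"
    r"PARENT\s+(?P<count>\d+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+\d+\s+<->\s+\S+\s+\d+\s*$"
)


@dataclass
class ParentEntry:
    rule: int
    ttl: int
    count: int   # number of child (LIMIT) states the kernel believes exist
    proto: str
    src: str


def parse_parent_entries(text: str) -> list[ParentEntry]:
    """Pick the PARENT lines out of `ipfw -de show` output; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = PARENT_RE.match(line)
        if m is None:
            continue
        entries.append(ParentEntry(int(m["rule"]), int(m["ttl"]), int(m["count"]),
                                   m["proto"], m["src"]))
    return entries


def as_signed16(value: int) -> int:
    """Reinterpret a 0..65535 counter as a signed 16-bit integer (65534 -> -2).
    Assumption: the oversized counts are a counter that wrapped below zero."""
    return value - 0x10000 if value >= 0x8000 else value


def find_impossible_counts(entries: list[ParentEntry], limit: int) -> dict[str, tuple[int, int]]:
    """Map src -> (raw count, signed reading) for PARENT entries whose child
    count exceeds the configured limit and therefore cannot be genuine."""
    suspicious = {}
    for e in entries:
        if e.count > limit:
            suspicious[e.src] = (e.count, as_signed16(e.count))
    return suspicious


if __name__ == "__main__":
    found = find_impossible_counts(parse_parent_entries(SAMPLE_OUTPUT), CONFIGURED_LIMIT)
    for src, (raw, signed) in sorted(found.items()):
        print(f"{src}: PARENT count {raw} exceeds limit {CONFIGURED_LIMIT} "
              f"(read as signed 16-bit: {signed}); matches the hosts that could not connect")
```

Run it against live output with "ipfw -de show | python3 this_script.py" after replacing SAMPLE_OUTPUT with sys.stdin.read(); any source address it reports is one whose new connections the limit rule will be refusing while the bogus count persists, which is exactly the symptom for 1.2.3.9 and 1.2.3.10 above.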
