From owner-freebsd-stable@FreeBSD.ORG  Fri May 30 09:46:21 2008
Return-Path: <owner-freebsd-stable@FreeBSD.ORG>
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id EB8E11065670
	for <freebsd-stable@freebsd.org>; Fri, 30 May 2008 09:46:21 +0000 (UTC)
	(envelope-from rblayzor.bulk@inoc.net)
Received: from mx0-b.inoc.net (mx0-b.inoc.net [64.246.130.28])
	by mx1.freebsd.org (Postfix) with ESMTP id 8BC1A8FC2C
	for <freebsd-stable@freebsd.org>; Fri, 30 May 2008 09:46:21 +0000 (UTC)
	(envelope-from rblayzor.bulk@inoc.net)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=inoc.net;
	h=Received:From:To:Subject:Date;
	b=MKyoe79BoIpQFEfTJIfmkC8lZjlGm2MGKd4kT4MAozSL12fNqsXQ+iGg3ztd1K6FoVfVQSaQUpdZqDg+70ZWgPHqPJWALOBszXz8jo5rYxy1Kxu8OJa8Irm1JOrAnU4Dgg5A96bhrzIpxygRrBgI2kU2fkSeg0l08NboflhYRrA=;
Received: from [172.16.0.199] (cpe-67-240-119-200.nycap.res.rr.com
	[67.240.119.200]) 
	by mx0-b.inoc.net (build v8.3.29) with ESMTP id 149071268-1941382 
	for <freebsd-stable@freebsd.org>; Fri, 30 May 2008 09:46:21 +0000 (UTC)
Message-Id: <9DBF00BA-5FD1-402A-8448-0D33B694EE1F@inoc.net>
From: Robert Blayzor <rblayzor.bulk@inoc.net>
To: freebsd-stable@freebsd.org
In-Reply-To: <Pine.BSF.3.96.1080530181243.25862A-100000@gaia.nimnet.asn.au>
Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v924)
Date: Fri, 30 May 2008 05:46:17 -0400
References: <Pine.BSF.3.96.1080530181243.25862A-100000@gaia.nimnet.asn.au>
X-Mailer: Apple Mail (2.924)
Subject: Re: Sockets stuck in FIN_WAIT_1
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Production branch of FreeBSD source code <freebsd-stable.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>, 
	<mailto:freebsd-stable-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-stable>
List-Post: <mailto:freebsd-stable@freebsd.org>
List-Help: <mailto:freebsd-stable-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>,
	<mailto:freebsd-stable-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 30 May 2008 09:46:22 -0000

On May 30, 2008, at 4:41 AM, Ian Smith wrote:
> Without debating your stateful alternative - either should work fine  
> for
> TCP applications - this allowed inbound icmp packets for types  
> 0,3,8,11
> but no outbound icmp at all (assuming your firewall defaults to deny).



Switching the ipfw rules over to be stateful did not help, the server  
just wasn't busy enough.  Overnight the FIN_WAIT_1's continued to pile  
up to over 600... and I'm sure they'll just keep going up until I have  
to reboot the box again.  However Tod's suggestion to use a small sh  
script and tcpdrop seems to at least put a band-aid on things, so I  
don't have to reboot now.

-- 
Robert Blayzor, BOFH
INOC, LLC
rblayzor@inoc.net
http://www.inoc.net/~rblayzor/