From: Chuck Swiger
To: Martin Turgeon
Cc: "freebsd-questions@freebsd.org"
Date: Tue, 13 Oct 2009 11:39:48 -0700
Subject: Re: How can I get >100 connections in FIN_WAIT_2 state from the same IP?

On Oct 13, 2009, at 10:33 AM, Martin Turgeon wrote:
> I would like to know if anyone knows the reason why I get a lot of
> connections (more than 100) from the same IP in FIN_WAIT_2 state.

That IP is probably running a web proxy or possibly some kind of spider. It could also be malicious, trying to exploit webserver vulnerabilities, etc-- search your logs for that IP and see what it is doing.

> In this case the connections are on port 80. Is it a problem with the
> client's browser or OS? Is it possible that some mobile devices don't
> close their connections correctly to save bandwidth and battery?

Yes, it's not uncommon for various platforms to simply drop connections rather than closing them properly. You can run tcpdrop to forcibly get rid of them, but they should time out within a few minutes anyway. If you believe the remote IP is being abusive, consider firewalling it....

Regards,
-- 
-Chuck
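
An added example, not part of the original message: one way to see which remote IPs hold the FIN_WAIT_2 sockets discussed above, and to list (without running) the tcpdrop commands for one of them. It assumes FreeBSD's `netstat -an -p tcp` column layout with addresses printed as addr.port; the function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# fin_wait2_by_ip THRESHOLD
# Reads netstat output on stdin and prints "count ip" for every foreign IP
# with at least THRESHOLD sockets in FIN_WAIT_2, highest count first.
fin_wait2_by_ip() {
    awk -v min="${1:-100}" '
        $1 ~ /^tcp/ && $NF == "FIN_WAIT_2" {
            ip = $5
            sub(/\.[0-9]+$/, "", ip)   # addr.port -> addr
            n[ip]++
        }
        END { for (ip in n) if (n[ip] >= min) print n[ip], ip }
    ' | sort -rn
}

# tcpdrop_cmds IP
# Prints one "tcpdrop laddr lport faddr fport" line per FIN_WAIT_2 socket
# whose foreign address is IP. Nothing is executed; review before running.
tcpdrop_cmds() {
    awk -v want="$1" '
        $1 ~ /^tcp/ && $NF == "FIN_WAIT_2" {
            la = $4; lp = $4; fa = $5; fp = $5
            sub(/\.[0-9]+$/, "", la); sub(/^.*\./, "", lp)
            sub(/\.[0-9]+$/, "", fa); sub(/^.*\./, "", fp)
            if (fa == want) print "tcpdrop", la, lp, fa, fp
        }
    '
}

# Constructed sample in FreeBSD netstat format (documentation addresses).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 192.0.2.10.80          203.0.113.7.51001      FIN_WAIT_2
tcp4       0      0 192.0.2.10.80          203.0.113.7.51002      FIN_WAIT_2
tcp4       0      0 192.0.2.10.80          203.0.113.7.51003      ESTABLISHED
tcp4       0      0 192.0.2.10.80          198.51.100.4.40222     FIN_WAIT_2
tcp4       0      0 *.80                   *.*                    LISTEN
EOF
}

# On a live host: netstat -an -p tcp | fin_wait2_by_ip 100
sample_netstat | fin_wait2_by_ip 2
```

Cross-check any IP this reports against the web server access log before dropping or firewalling it, since a busy proxy produces the same pattern.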