Date:      Fri, 30 May 2008 09:43:28 -0700 (PDT)
From:      Matthew Dillon <dillon@apollo.backplane.com>
To:        Robert Blayzor <rblayzor.bulk@inoc.net>
Cc:        Doug Barton <dougb@freebsd.org>, freebsd-stable@freebsd.org
Subject:   Re: Sockets stuck in FIN_WAIT_1
Message-ID:  <200805301643.m4UGhSa0033918@apollo.backplane.com>
References:  <B42F9BDF-1E00-45FF-BD88-5A07B5B553DC@inoc.net>	<1A19ABA2-61CD-4D92-A08D-5D9650D69768@mac.com>	<23C02C8B-281A-4ABD-8144-3E25E36EDAB4@inoc.net>	<483DE2E0.90003@FreeBSD.org>	<B775700E-7494-42C1-A9B2-A600CE176ACB@inoc.net>	<483E36CE.3060400@FreeBSD.org>	<483E3C26.3060103@paradise.net.nz>	<483E4657.9060906@FreeBSD.org>	<483EA513.4070409@earthlink.net>	<96AFE8D3-7EAC-4A4A-8EFF-35A5DCEC6426@inoc.net>	<483EAED1.2050404@FreeBSD.org>	<200805291912.m4TJCG56025525@apollo.backplane.com>	<14DA211A-A9C5-483A-8CB9-886E5B19A840@inoc.net>	<200805291930.m4TJUeGX025815@apollo.backplane.com>	<0C827F66-09CE-476D-86E9-146AB255926B@inoc.net>	<200805292132.m4TLWhCv026720@apollo.backplane.com>	<CCBAEE3E-35A5-4BF8-A0B7-321272533B62@inoc.net>	<200805300055.m4U0tkqx027965@apollo.backplane.com> <EB975E1A-7995-4214-A2CC-AE2D789B19AB@inoc.net> <483F6F66.4050909@FreeBSD.org> <C1CC6D9D-6584-43BD-8675-021A0495FDA3@inoc.net>


:Yes, IPFW is running on the box.  Why not?
:
:-- 
:Robert Blayzor, BOFH
:INOC, LLC
:rblayzor@inoc.net
:http://www.inoc.net/~rblayzor/

    There's nothing wrong with running IPFW on the same box :-)

    But, I think that rule change is masking the problem rather than solving
    it.  The keep-state is limited.  The reason the number of dead connections
    isn't going up is probably because IPFW is either hitting its keep-state
    limit and dropping connections, or the connection becomes idle long 
    enough for IPFW to recycle the keep-state for it, also causing it to
    drop.

    Once the keep-state is lost that deny established rule will cause the
    connection to fail.

    I would be very careful with any type of ruleset (IPFW or PF) which
    relies on keep-state.  You can wind up causing legitimate connections
    to drop if it isn't carefully tuned.

    It might be a reasonable bandaid, though.

					-Matt
					Matthew Dillon 
					<dillon@backplane.com>



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200805301643.m4UGhSa0033918>