From: Kevin Oberman
To: "Dmitry S. Kasterin"
Cc: freebsd-net@freebsd.org
Date: Tue, 17 Apr 2012 12:48:21 -0700
Subject: Re: Stateful IPFW - too many connections in FIN_WAIT_2 or LAST_ACK states
List-Id: Networking and TCP/IP with FreeBSD

On Tue, Apr 17, 2012 at 4:05 AM, Dmitry S. Kasterin wrote:
> (Cross-posting this to net@ since there was no reply on ipfw@.)
>
> Hello!
>
> I have a rather simple ipfw ruleset like this:
>
> 00001 allow all from any to any via lo0
>
> 00010 check-state
> 00101 allow tcp from me to any out setup keep-state
>
> 65533 deny log ip from any to any
> 65534 deny ip6 from any to any
>
> Actually, there are a few rules for udp, icmp and so on,
> but the main idea here is to allow only outgoing (tcp) connections
> and handle them using dynamic rules.

I feel hesitant about sending this as it looks like you may have found a real problem with IPFW. But I do have to ask why you find stateful rules for outgoing TCP connections desirable? Why not:

00101 allow tcp from me to any established

It appears to do the same thing for TCP and is much faster to process, plus it does not leave you open to trivial DoS (often of yourself) by filling the dynamic rule tables.

Generally, for client systems, stateful UDP makes sense, but I generally don't understand why people choose the more complex, slower, and potentially disruptive stateful rules for TCP.

-- 
R. Kevin Oberman, Network Engineer
E-mail: kob6558@gmail.com
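The two ruleset styles discussed in this thread, as an added example that is not part of the original messages and not from either poster. It is a small POSIX sh script that prints the `ipfw add` commands (dry run by default, so the rules can be reviewed offline before anything is loaded); the rule numbers follow the quoted ruleset, while the `apply` mode, the `dyn_tuning` sysctl values and the script's own function names are this example's assumptions. Two practical points the example encodes: ipfw's `established` keyword matches TCP segments with the ACK or RST bit set, so an unsolicited inbound ACK from outside also passes it, where a dynamic rule would only admit segments belonging to a connection it has seen the SYN of; and since `me` names this host's own addresses in the source position of `from me to any`, a stateless rule that is meant to pass the return traffic has to be written `from any to me` or `from any to any`.

```shell
#!/bin/sh
# Added example (not from the thread): emit or load one of two ipfw rulesets
# for a client host that should only originate TCP connections.
#   stateful    - check-state + keep-state, as in the quoted ruleset
#   established - the stateless alternative raised in the reply
# Usage: sh ipfw-client.sh [stateful|established] [print|apply]
# Rule numbers follow the quoted ruleset; the sysctl values and the "apply"
# mode are assumptions of this example.

# Print the rules for MODE, one "ipfw add" command per line.
ruleset() {
    mode="$1"
    echo "ipfw -q add 00001 allow all from any to any via lo0"
    case "$mode" in
        stateful)
            # One dynamic entry per connection. The table is finite, so a
            # burst of connections (or slow FIN_WAIT_2 / LAST_ACK teardown)
            # can fill it, and new connections are then denied by 65533.
            echo "ipfw -q add 00010 check-state"
            echo "ipfw -q add 00101 allow tcp from me to any out setup keep-state"
            ;;
        established)
            # Stateless: let our own SYNs out (setup = SYN without ACK),
            # then pass any TCP segment with ACK or RST set, in either
            # direction. Nothing to exhaust, but an unsolicited inbound
            # ACK matches too; inbound SYNs still fall through to 65533.
            echo "ipfw -q add 00100 allow tcp from me to any out setup"
            echo "ipfw -q add 00101 allow tcp from any to any established"
            ;;
        *)
            echo "ruleset: unknown mode '$mode'" >&2
            return 1
            ;;
    esac
    echo "ipfw -q add 65533 deny log ip from any to any"
    echo "ipfw -q add 65534 deny ip6 from any to any"
}

# Knobs that bound the dynamic table when the stateful ruleset is used.
# Values are this example's assumptions; read the running defaults with
# `sysctl net.inet.ip.fw` before changing them.
dyn_tuning() {
    echo "sysctl net.inet.ip.fw.dyn_max=16384"        # hard cap on dynamic rules
    echo "sysctl net.inet.ip.fw.dyn_fin_lifetime=1"   # seconds an entry survives after FIN
    echo "sysctl net.inet.ip.fw.dyn_ack_lifetime=300" # idle lifetime of an established entry
}

main() {
    mode="${1:-stateful}"
    action="${2:-print}"
    case "$action" in
        print)
            ruleset "$mode"
            if [ "$mode" = stateful ]; then dyn_tuning; fi
            ;;
        apply)
            # Loading rules over the network can lock you out; an explicit
            # 'ipfw flush' beforehand is deliberately left to the operator.
            { ruleset "$mode"; if [ "$mode" = stateful ]; then dyn_tuning; fi; } | sh -e
            ;;
        *)
            echo "main: unknown action '$action'" >&2
            return 1
            ;;
    esac
}

main "$@"
```

Run it with no arguments to see the stateful variant plus the sysctl knobs that govern how long FIN_WAIT_2 and idle entries stay in the dynamic table; `sh ipfw-client.sh established` shows the stateless variant, which has no table to tune but trusts the ACK bit.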