Date: Sun, 15 Apr 2007 14:56:21 -0700
From: Luigi Rizzo <rizzo@icir.org>
To: Ivan Voras <ivoras@fer.hr>
Cc: freebsd-net@freebsd.org
Subject: Re: Understanding ipfw keep-state dynamic rules
Message-ID: <20070415145621.B39338@xorpc.icir.org>
In-Reply-To: <evu1b2$c29$1@sea.gmane.org>; from ivoras@fer.hr on Sun, Apr 15, 2007 at 10:18:36PM +0200
References: <evu1b2$c29$1@sea.gmane.org>
On Sun, Apr 15, 2007 at 10:18:36PM +0200, Ivan Voras wrote:
> On a rule:
>
> 06080 40997628 30756672556 allow tcp from any to me dst-port 80 setup keep-state
>
> ipfw -d show lists:
>
> ## Dynamic rules (774):
> 06080 948 38731 (108s) STATE tcp xx.172.115.202 1421 <-> my.ip.add.r 80
> 06080 985 42716 (83s) STATE tcp xx.67.223.104 1071 <-> my.ip.add.r 80
> ...
> This is on a busy, but fast and fat-piped web server.
>
> Do the numbers in parentheses mean seconds the rule is active? The
> numbers seem very high, much higher than they should be (keepalive is
> active but the timeout is kept under 5 seconds, and the pages & files
> are mostly small).

Yes, the numbers should be the expire time for the rule.

ipfw has a default timeout of 300, and it only uses the "short"
lifetimes when the remote end properly closes the connection with a FIN.
If it doesn't, then the firewall cannot put a short timeout because the
other endpoint could in principle want to send more data on the
connection and we need to let it through.

Check the values of these sysctl variables:

net.inet.ip.fw.dyn_keepalive: 1
net.inet.ip.fw.dyn_short_lifetime: 5
net.inet.ip.fw.dyn_udp_lifetime: 10
net.inet.ip.fw.dyn_rst_lifetime: 1
net.inet.ip.fw.dyn_fin_lifetime: 1
net.inet.ip.fw.dyn_syn_lifetime: 20
net.inet.ip.fw.dyn_ack_lifetime: 300

You normally end up using dyn_ack_lifetime for TCP sessions.

cheers
luigi
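A simplified model of the lifetime selection Luigi describes, added here as an illustration and not ipfw's own source: the state-to-lifetime mapping (RST seen, both sides sent FIN, both sides sent SYN, one SYN, otherwise the short lifetime) is an assumption drawn from the sysctl names in the message, and the lifetimes are the values he quotes. It shows why a half-closed or abandoned HTTP connection keeps the 300 s dyn_ack_lifetime while a properly closed one drops to 1 s.

```python
from dataclasses import dataclass

# TCP flag bits as in <netinet/tcp.h>
TH_FIN, TH_SYN, TH_RST, TH_ACK = 0x01, 0x02, 0x04, 0x10

# net.inet.ip.fw.dyn_*_lifetime values quoted in the message (seconds)
LIFETIMES = {"syn": 20, "ack": 300, "fin": 1, "rst": 1, "short": 5}


@dataclass
class DynRule:
    """State of one ipfw dynamic (keep-state) entry for a TCP flow (model)."""
    fwd_syn: bool = False   # SYN seen from the initiating side
    rev_syn: bool = False   # SYN seen from the responding side
    fwd_fin: bool = False
    rev_fin: bool = False
    reset: bool = False
    expire: int = 0         # absolute time at which the entry is reaped

    def update(self, flags: int, forward: bool, now: int) -> str:
        """Record one packet, re-arm the expiry, and return the class used."""
        if flags & TH_RST:
            self.reset = True
        if flags & TH_SYN:
            self.fwd_syn |= forward
            self.rev_syn |= not forward
        if flags & TH_FIN:
            self.fwd_fin |= forward
            self.rev_fin |= not forward

        if self.reset:
            cls = "rst"                          # aborted: reap quickly
        elif self.fwd_syn and self.rev_syn:
            # Established. A FIN from only one side keeps the long lifetime,
            # since the other end may still have data to send.
            cls = "fin" if (self.fwd_fin and self.rev_fin) else "ack"
        elif self.fwd_syn or self.rev_syn:
            cls = "syn"                          # handshake in progress
        else:
            cls = "short"                        # no handshake seen at all
        self.expire = now + LIFETIMES[cls]
        return cls


def run(packets):
    """Feed (t, flags, forward) triples; return (class, seconds left), the
    latter being what 'ipfw -d show' prints in parentheses."""
    rule, cls, t = DynRule(), "short", 0
    for t, flags, forward in packets:
        cls = rule.update(flags, forward, t)
    return cls, rule.expire - t
```

The constructed packet sequences in the test below reproduce the two cases in the message: a client that walks away after the handshake and data sits at the 300 s lifetime, a client that exchanges FINs drops to 1 s.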