Date: Mon, 21 Mar 2005 18:02:57 +0100 From: Robert Gogolok <robertgogolok@web.de> To: freebsd-questions@freebsd.org Subject: FIN_WAIT_2 Message-ID: <423EFE41.6040805@web.de>
I have set up a webserver behind a bridged firewall, something like:

    INTERNET --------- FIREWALL --------- WEBSERVER

The webserver is running FreeBSD, and currently I get many FIN_WAIT_2 states:

    # netstat -n -p tcp | grep FIN_WAIT_2 | wc -l
    48

I wonder WHAT is responsible for sending ACK messages every 5 minutes to the clients in FIN_WAIT_2 state? tcp.inet.tcp.always_keepalive seems to be something else.

    # netstat -n -p tcp | grep FIN_WAIT_2 | grep HTTP_CLIENT
    tcp4       0      0  134.96.240.1.80        HTTP_CLIENT.10228      FIN_WAIT_2

    # tcpdump -S -i vr0 dst host HTTP_CLIENT
    16:04:12.987415 IP HTTP_SERVER.http > HTTP_CLIENT.10228: . ack 1760359226 win 0
    16:04:12.987678 IP HTTP_SERVER.http > HTTP_CLIENT.10228: . ack 1760359226 win 32900
    16:08:57.944008 IP HTTP_SERVER.http > HTTP_CLIENT.10228: . ack 1760359226 win 0
    16:08:57.944300 IP HTTP_SERVER.http > HTTP_CLIENT.10228: . ack 1760359226 win 32900
    . . .
    17:39:12.124577 IP HTTP_SERVER.http > HTTP_CLIENT.10228: . ack 1760359226 win 0
    17:39:12.124862 IP HTTP_SERVER.http > HTTP_CLIENT.10228: . ack 1760359226 win 32900
    17:43:57.081176 IP HTTP_SERVER.http > HTTP_CLIENT.10228: . ack 1760359226 win 0
    17:43:57.081434 IP HTTP_SERVER.http > HTTP_CLIENT.10228: . ack 1760359226 win 32900

The bridged firewall seems to block exactly those ACKs. The setup is a simple stateful firewall, something like:

    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -p tcp -d HTTP_SERVER --dport 80 -j ACCEPT

Is blocking the ACK messages above somehow harmful?

Greetings,
Robert
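As an added example (not part of the original message), the script below parses the tcpdump lines quoted above and tells timer-driven probes apart from retransmissions: it collapses each win 0 / win 32900 pair into one probe event, checks that the acknowledged sequence number never advances, and looks for a recurring interval between probes. The line format is assumed to be the `tcpdump -S` pure-ACK form shown in the post, with the host names anonymised as the poster did.

```python
"""Spot periodic keepalive-style ACKs in a tcpdump capture (added example)."""
import re
from collections import Counter, defaultdict

# Pure ACK segments as printed by `tcpdump -S` (assumed format, taken from the post)
LINE_RE = re.compile(
    r"^(\d{2}):(\d{2}):(\d{2})\.(\d{6}) IP (\S+) > (\S+): \. ack (\d+) win (\d+)$"
)

def parse_line(line):
    """Return (timestamp_s, flow, ack, win), or None for lines that are not pure ACKs."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    h, mi, s, us, src, dst, ack, win = m.groups()
    ts = int(h) * 3600 + int(mi) * 60 + int(s) + int(us) / 1_000_000
    return ts, f"{src} > {dst}", int(ack), int(win)

def probe_events(lines, burst_gap=1.0):
    """Collapse back-to-back ACKs of one flow carrying one ack number into one probe event."""
    events = defaultdict(list)  # flow -> [(ts, ack)]
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, flow, ack, _win = parsed
        seen = events[flow]
        if seen and seen[-1][1] == ack and ts - seen[-1][0] <= burst_gap:
            continue  # second segment of the same probe burst
        seen.append((ts, ack))
    return events

def analyse(lines):
    """Per flow: probe count, whether ack stays constant, and the interval that recurs."""
    report = {}
    for flow, evs in probe_events(lines).items():
        ts = [t for t, _ in evs]
        intervals = [round(b - a) for a, b in zip(ts, ts[1:])]
        period, hits = (Counter(intervals).most_common(1) or [(None, 0)])[0]
        constant_ack = len({a for _, a in evs}) == 1
        report[flow] = {
            "probes": len(evs),
            "constant_ack": constant_ack,
            "period_s": period if hits >= 2 else None,
            # Nothing new acknowledged and the same gap repeats: a timer, not a retransmission
            "keepalive_like": constant_ack and hits >= 2,
        }
    return report

# Constructed sample: the capture lines quoted in the post (the ". . ." marks a capture gap)
SAMPLE = """\
16:04:12.987415 IP HTTP_SERVER.http > HTTP_CLIENT.10228: . ack 1760359226 win 0
16:04:12.987678 IP HTTP_SERVER.http > HTTP_CLIENT.10228: . ack 1760359226 win 32900
16:08:57.944008 IP HTTP_SERVER.http > HTTP_CLIENT.10228: . ack 1760359226 win 0
16:08:57.944300 IP HTTP_SERVER.http > HTTP_CLIENT.10228: . ack 1760359226 win 32900
. . .
17:39:12.124577 IP HTTP_SERVER.http > HTTP_CLIENT.10228: . ack 1760359226 win 0
17:39:12.124862 IP HTTP_SERVER.http > HTTP_CLIENT.10228: . ack 1760359226 win 32900
17:43:57.081176 IP HTTP_SERVER.http > HTTP_CLIENT.10228: . ack 1760359226 win 0
17:43:57.081434 IP HTTP_SERVER.http > HTTP_CLIENT.10228: . ack 1760359226 win 32900
"""

if __name__ == "__main__":
    for flow, info in analyse(SAMPLE.splitlines()).items():
        print(flow, info)
```

On the quoted capture the four probe events sit 285 s apart (the gap across the elided ". . ." is ignored because it does not recur), which matches the "every 5 minutes" the poster observes.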