Date: Fri, 20 Apr 2012 22:55:03 +0400
From: "Dmitry S. Kasterin" <dmk.sbor@gmail.com>
To: Kevin Oberman <kob6558@gmail.com>
Cc: freebsd-net@freebsd.org, Michael Sierchio <kudzu@tenebras.com>
Subject: Re: Stateful IPFW - too many connections in FIN_WAIT_2 or LAST_ACK states
Message-ID: <CAJkxAbwYUtcyXGFEiXiZXLEzf9EPTTwdq1-y-ngT6OuKXk1o2A@mail.gmail.com>
In-Reply-To: <CAJkxAbyG1+kc8C_V8Ehr7cuYuaGm0VQ1C6gfXJUp1_7Vh4_zug@mail.gmail.com>
References: <CAJkxAbyMEYZ4pYu=z4Sfwdqtzh=PjhHE4qrbSsyL34YE9TnXZQ@mail.gmail.com>
 <CAJkxAbyi7hx9Dugtw5-Md1y77JRzOu3bygS8ntfQg+kw1KZ63w@mail.gmail.com>
 <CAN6yY1uRrfv0Bdeb+tosna8O8ajD_H1j7N=akL7PS8XC3X09qA@mail.gmail.com>
 <CAHu1Y72HG00_yv0wyk_7rRC1bb0SNa+cEOoXZTALV6bkBj207g@mail.gmail.com>
 <CAN6yY1s608M5coYP76OvBvOqd5HqZFyaiVb8PdviGFVN-Do1sg@mail.gmail.com>
 <CAJkxAbyG1+kc8C_V8Ehr7cuYuaGm0VQ1C6gfXJUp1_7Vh4_zug@mail.gmail.com>
> Thank you for the "allow tcp from me to any established" rule,
> I'll give it a try later.

Ok, I've tested this - no oddity/"frozen" connection. As expected.

This is an excerpt from the ruleset (ipfw show):

00101 4759 2588637 allow tcp from any to any established
00102  206   12360 allow tcp from me to any setup
00777    0       0 deny log logamount 16 ip from any to any

> I didn't change anything. Quite possible dyn_fin_lifetime is too
> small. I'll try to raise it.

# sysctl net.inet.ip.fw.dyn_fin_lifetime=4
net.inet.ip.fw.dyn_fin_lifetime: 1 -> 4
# sysctl net.inet.ip.fw.dyn_rst_lifetime=4
net.inet.ip.fw.dyn_rst_lifetime: 1 -> 4

The situation is better, but I am still having trouble with "heavy" sites
(images, JS and so on; for example - http://cnx.org/content/m16336/latest/ ).

And still I can see odd packets from "deny log all from any to any" rule:

15:09:58.654613 IP w.x.y.z.11215 > 213.180.193.14.80: Flags [F.], seq 3948689318, ack 1903284725, ...
15:09:59.158612 IP w.x.y.z.11215 > 213.180.193.14.80: Flags [F.], seq 0, ack 1, ...
15:09:59.222114 IP 213.180.193.14.80 > w.x.y.z.11215: Flags [F.], seq 1, ack 0, ...
15:09:59.966611 IP w.x.y.z.11215 > 213.180.193.14.80: Flags [F.], seq 0, ack 1, ...
15:51:43.244361 IP 128.42.169.34.80 > w.x.y.z.13876: Flags [F.], seq 3534903525, ack 108808080, ...
15:51:49.418317 IP 128.42.169.34.80 > w.x.y.z.13876: Flags [F.], seq 0, ack 1, ...
15:58:47.664606 IP w.x.y.z.32748 > 195.91.160.36.80: Flags [F.], seq 3277652538, ack 2683877393, ...
15:58:49.106924 IP 195.91.160.36.80 > w.x.y.z.32748: Flags [F.], seq 1, ack 0, ...
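The denied-packet log in the message above, re-examined as an added example that is not part of the thread: a Python script that groups the dropped FIN segments per flow and reports how long each close handshake kept running after the dynamic rule had already expired, for the two dyn_fin_lifetime values the poster tried. The log lines are the ones quoted above (w.x.y.z is the poster's masked host); the function names are my own.

```python
import re
from collections import defaultdict

# The "deny log" lines quoted in the message above, embedded as sample input.
DENIED_LOG = """\
15:09:58.654613 IP w.x.y.z.11215 > 213.180.193.14.80: Flags [F.], seq 3948689318, ack 1903284725, ...
15:09:59.158612 IP w.x.y.z.11215 > 213.180.193.14.80: Flags [F.], seq 0, ack 1, ...
15:09:59.222114 IP 213.180.193.14.80 > w.x.y.z.11215: Flags [F.], seq 1, ack 0, ...
15:09:59.966611 IP w.x.y.z.11215 > 213.180.193.14.80: Flags [F.], seq 0, ack 1, ...
15:51:43.244361 IP 128.42.169.34.80 > w.x.y.z.13876: Flags [F.], seq 3534903525, ack 108808080, ...
15:51:49.418317 IP 128.42.169.34.80 > w.x.y.z.13876: Flags [F.], seq 0, ack 1, ...
15:58:47.664606 IP w.x.y.z.32748 > 195.91.160.36.80: Flags [F.], seq 3277652538, ack 2683877393, ...
15:58:49.106924 IP 195.91.160.36.80 > w.x.y.z.32748: Flags [F.], seq 1, ack 0, ...
"""

# tcpdump-style line: the port is the last dot-separated field of each endpoint.
LINE_RE = re.compile(
    r"^(?P<hh>\d\d):(?P<mm>\d\d):(?P<ss>\d\d\.\d+) IP (?P<src>\S+)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

def parse_line(line):
    """Return (seconds since midnight, src endpoint, dst endpoint, flags) or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    secs = int(m["hh"]) * 3600 + int(m["mm"]) * 60 + float(m["ss"])
    return secs, f"{m['src']}:{m['sport']}", f"{m['dst']}:{m['dport']}", m["flags"]

def group_flows(log):
    """Group denied packets by bidirectional flow (sorted endpoint pair)."""
    flows = defaultdict(list)
    for line in log.splitlines():
        pkt = parse_line(line)
        if pkt:
            secs, src, dst, flags = pkt
            flows[tuple(sorted((src, dst)))].append((secs, src, flags))
    return flows

def close_span_report(log):
    """Per flow: dropped packet count, seconds between first and last drop,
    number of directions seen, and whether every drop carried FIN.
    ipfw only logs packets after the dynamic rule is gone, so span_s is a
    lower bound on how long the close handshake outlived dyn_fin_lifetime."""
    report = {}
    for key, pkts in group_flows(log).items():
        times = [p[0] for p in pkts]
        report[key] = {"packets": len(pkts),
                       "span_s": round(max(times) - min(times), 6),
                       "directions": len({p[1] for p in pkts}),
                       "fin_only": all("F" in p[2] for p in pkts)}
    return report

def flows_outliving(report, dyn_fin_lifetime):
    """Flows whose dropped close handshake ran longer than the given lifetime (seconds)."""
    return sorted(k for k, v in report.items() if v["span_s"] > dyn_fin_lifetime)
```

With the poster's log, all three flows outlive a 1-second lifetime and one (the 128.42.169.34 flow, spanning just over 6 seconds of FIN retransmissions) still outlives the raised value of 4.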