Date: Sat, 21 Apr 2012 15:41:30 +0400
From: "Dmitry S. Kasterin" <dmk.sbor@gmail.com>
To: Kevin Oberman <kob6558@gmail.com>
Cc: freebsd-net@freebsd.org
Subject: Re: Stateful IPFW - too many connections in FIN_WAIT_2 or LAST_ACK states
Message-ID: <CAJkxAbxwc1Xq7S9Hvkwg-ZtTW5GpOWv9ceHYRCa_WBJipS54%2BQ@mail.gmail.com>
In-Reply-To: <CAN6yY1tHvKhk4PLTmS6Yv9PvNoKdBV_fhR5UhKM2_ua8zh-d0Q@mail.gmail.com>
References: <CAJkxAbyMEYZ4pYu=z4Sfwdqtzh=PjhHE4qrbSsyL34YE9TnXZQ@mail.gmail.com>
 <CAJkxAbyi7hx9Dugtw5-Md1y77JRzOu3bygS8ntfQg%2Bkw1KZ63w@mail.gmail.com>
 <CAN6yY1uRrfv0Bdeb%2Btosna8O8ajD_H1j7N=akL7PS8XC3X09qA@mail.gmail.com>
 <CAHu1Y72HG00_yv0wyk_7rRC1bb0SNa%2BcEOoXZTALV6bkBj207g@mail.gmail.com>
 <CAN6yY1s608M5coYP76OvBvOqd5HqZFyaiVb8PdviGFVN-Do1sg@mail.gmail.com>
 <CAJkxAbyG1%2Bkc8C_V8Ehr7cuYuaGm0VQ1C6gfXJUp1_7Vh4_zug@mail.gmail.com>
 <CAJkxAbwYUtcyXGFEiXiZXLEzf9EPTTwdq1-y-ngT6OuKXk1o2A@mail.gmail.com>
 <CAN6yY1tHvKhk4PLTmS6Yv9PvNoKdBV_fhR5UhKM2_ua8zh-d0Q@mail.gmail.com>
>> # sysctl net.inet.ip.fw.dyn_fin_lifetime=4
>> net.inet.ip.fw.dyn_fin_lifetime: 1 -> 4
>> # sysctl net.inet.ip.fw.dyn_rst_lifetime=4
>> net.inet.ip.fw.dyn_rst_lifetime: 1 -> 4

> The thing that jumps out is that all of the blocked packets are of FIN
> packets. I am not sure why they are being denied as they have FIN+ACK
> and that should meet the requirements for 'established'.

Sorry, it is not clear from my text that the second part of the previous
message concerns stateful/dynamic filtering. Stateless filtering works
perfectly for me.

For stateless (tcp) filtering I've used the following rules:

00101 allow tcp from any to any established
00102 allow tcp from me to any setup

And for stateful:

00010 check-state
00101 allow tcp from me to any out setup keep-state

> Are you seeing a large number of TCP sessions in partially closed states?

Yes, with the default settings (dyn_fin_lifetime=1 and dyn_rst_lifetime=1).
With dyn_fin_lifetime=4 and dyn_rst_lifetime=4 this number is smaller.

> I don't recall if you mentioned it, but what version of FreeBSD are you
> running?

9.0-STABLE / custom kernel

> Also, if
> you choose to use stateful TCP filtering, it is probably best to do it
> in the manner shown in the ipfw(8) man page under DYNAMIC RULES. This
> is very different from the way you did it.

The "DYNAMIC RULES" section gives the following recommendation:

ipfw add check-state
ipfw add deny tcp from any to any established
ipfw add allow tcp from my-net to any setup keep-state

Is the second rule necessary?