Date: Sun, 15 Apr 2007 22:18:36 +0200
From: Ivan Voras <ivoras@fer.hr>
To: freebsd-net@freebsd.org
Subject: Understanding ipfw keep-state dynamic rules
Message-ID: <evu1b2$c29$1@sea.gmane.org>

On a rule:

06080 40997628 30756672556 allow tcp from any to me dst-port 80 setup keep-state

ipfw -d show lists:

## Dynamic rules (774):
06080 948 38731 (108s) STATE tcp xx.172.115.202 1421 <-> my.ip.add.r 80
06080 985 42716 (83s) STATE tcp xx.67.223.104 1071 <-> my.ip.add.r 80
06080 863 35613 (283s) STATE tcp xx.10.57.15 2889 <-> my.ip.add.r 80
06080 985 42714 (83s) STATE tcp xx.67.223.104 1070 <-> my.ip.add.r 80
06080 328 14124 (53s) STATE tcp xx.139.119.108 1578 <-> my.ip.add.r 80
06080 25 3115 (218s) STATE tcp xx.131.91.227 1446 <-> my.ip.add.r 80
06080 143 111341 (68s) STATE tcp xx.53.69.19 2134 <-> my.ip.add.r 80
06080 768 57243 (58s) STATE tcp xx.0.135.14 1099 <-> my.ip.add.r 80
06080 669 27762 (283s) STATE tcp xx.139.74.217 2205 <-> my.ip.add.r 80
06080 1252 52827 (278s) STATE tcp xx.1.101.189 3833 <-> my.ip.add.r 80
06080 55 3234 (93s) STATE tcp xx.131.56.161 38373 <-> my.ip.add.r 80
06080 983 41973 (83s) STATE tcp xx.67.223.104 1068 <-> my.ip.add.r 80
06080 986 42606 (88s) STATE tcp xx.67.223.104 1067 <-> my.ip.add.r 80
06080 760 48062 (58s) STATE tcp xx.0.135.14 1101 <-> my.ip.add.r 80
06080 173 26123 (123s) STATE tcp xx.164.1.92 52510 <-> my.ip.add.r 80
06080 1437 142107 (98s) STATE tcp xx.193.203.99 50721 <-> my.ip.add.r 80
06080 985 42710 (83s) STATE tcp xx.67.223.104 1066 <-> my.ip.add.r 80
06080 5 1404 (296s) STATE tcp xx.172.46.212 2965 <-> my.ip.add.r 80
06080 960 39466 (108s) STATE tcp xx.53.72.69 1541 <-> my.ip.add.r 80
06080 986 42748 (88s) STATE tcp xx.67.223.104 1064 <-> my.ip.add.r 80
06080 671 28021 (238s) STATE tcp xx.139.74.217 2198 <-> my.ip.add.r 80
06080 666 27308 (118s) STATE tcp xx.163.196.124 62771 <-> my.ip.add.r 80
06080 102 45319 (98s) STATE tcp xx.131.91.227 1196 <-> my.ip.add.r 80
06080 1019 43213 (88s) STATE tcp xx.53.254.147 3804 <-> my.ip.add.r 80
06080 20 13796 (300s) STATE tcp xx.172.39.86 2072 <-> my.ip.add.r 80
06080 66 14493 (98s) STATE tcp xx.131.91.227 1197 <-> my.ip.add.r 80
06080 1140 173804 (78s) STATE tcp xx.81.188.12 64322 <-> my.ip.add.r 80

This is on a busy, but fast and fat-piped web server. Do the numbers in
parentheses mean seconds the rule is active? The numbers seem very high, much
higher than they should be (keepalive is active but the timeout is kept under
5 seconds, and the pages & files are mostly small).
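
Added example, not part of the original message: a parser for the ipfw -d show dynamic-rule lines quoted above that checks the parsed count against the header and summarises states per remote address. It assumes the columns are rule number, packets, bytes and seconds left on the state; the function names and sample addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the format quoted in the message; addresses are
# documentation-range placeholders, not values from the original post.
SAMPLE = """\
## Dynamic rules (5):
06080 948 38731 (108s) STATE tcp 192.0.2.10 1421 <-> 198.51.100.1 80
06080 985 42716 (83s) STATE tcp 192.0.2.20 1071 <-> 198.51.100.1 80
06080 985 42714 (83s) STATE tcp 192.0.2.20 1070 <-> 198.51.100.1 80
06080 20 13796 (300s) STATE tcp 192.0.2.30 2072 <-> 198.51.100.1 80
06080 986 42606 (88s) STATE tcp 192.0.2.20 1067 <-> 198.51.100.1 80
"""

HEADER_RE = re.compile(r"^## Dynamic rules \((\d+)\)")
# Assumed column meaning: rule number, packets, bytes, (seconds left), type,
# protocol, remote address and port, local address and port.
STATE_RE = re.compile(
    r"^(?P<rule>\d+)\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+\((?P<ttl>\d+)s\)\s+"
    r"(?P<kind>\S+)\s+(?P<proto>\S+)\s+(?P<peer>\S+)\s+(?P<pport>\d+)\s+<->\s+"
    r"(?P<local>\S+)\s+(?P<lport>\d+)$")
INT_FIELDS = ("pkts", "bytes", "ttl", "pport", "lport")

def parse_dynamic(text):
    """Return (declared_count, states); lines that are not states are skipped."""
    declared, states = None, []
    for line in map(str.strip, text.splitlines()):
        header = HEADER_RE.match(line)
        if header:
            declared = int(header.group(1))
            continue
        m = STATE_RE.match(line)
        if m:
            row = m.groupdict()
            row.update({k: int(row[k]) for k in INT_FIELDS})
            states.append(row)
    return declared, states

def summarize_by_peer(states):
    """Per remote address: state count, min/max seconds left, total bytes."""
    groups = defaultdict(list)
    for s in states:
        groups[s["peer"]].append(s)
    rows = [(peer, len(g), min(s["ttl"] for s in g), max(s["ttl"] for s in g),
             sum(s["bytes"] for s in g)) for peer, g in groups.items()]
    return sorted(rows, key=lambda r: (-r[1], r[0]))

if __name__ == "__main__":
    declared, states = parse_dynamic(SAMPLE)
    print(f"declared={declared} parsed={len(states)}")
    for peer, n, lo, hi, nbytes in summarize_by_peer(states):
        print(f"{peer:15} states={n} ttl={lo}-{hi}s bytes={nbytes}")
```

A declared count larger than the parsed count means the listing was truncated or contains lines in a format the pattern does not cover.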