Stateful IPFW - too many connections in FIN_WAIT_2 or LAST_ACK
Dmitry S. Kasterin
dmk.sbor at gmail.com
Sat Apr 21 11:41:37 UTC 2012
>> # sysctl net.inet.ip.fw.dyn_fin_lifetime=4
>> net.inet.ip.fw.dyn_fin_lifetime: 1 -> 4
>> # sysctl net.inet.ip.fw.dyn_rst_lifetime=4
>> net.inet.ip.fw.dyn_rst_lifetime: 1 -> 4
> The thing that jumps out is that all of the blocked packets are of FIN
> packets. I am not sure why they are being denied as they have FIN+ACK
> and that should meet the requirements for 'established".
Sorry, it is not clear from my text that the second part of the
previous message concerns stateful/dynamic filtering. Stateless
filtering works perfectly for me.
For stateless (tcp) filtering I've used the following rules:
00101 allow tcp from any to any established
00102 allow tcp from me to any setup
And for stateful:
00101 allow tcp from me to any out setup keep-state
> Are you seeing a large number of TCP sessions in partially closed states?
Yes, with the default settings (dyn_fin_lifetime=1 and dyn_rst_lifetime=1).
With dyn_fin_lifetime=4 and dyn_rst_lifetime=4 this number is fewer.
> I don't recall if you mentioned it, but what version of FreeBSD are you
9.0-STABLE / custom kernel
> Also, if
> you choose to use stateful TCP filtering, it is probably best to do it
> in the manner shown in the ipfw(8) man page under DYNAMIC RULES. This
> is very different from the way you did it.
The "DYNAMIC RULES" section gives the following recommendation:
ipfw add check-state
ipfw add deny tcp from any to any established
ipfw add allow tcp from my-net to any setup keep-state
Is the second rule necessary?
More information about the freebsd-net