Stateful IPFW - too many connections in FIN_WAIT_2 or LAST_ACK
smithi at nimnet.asn.au
Sat Apr 21 15:32:13 UTC 2012
On Sat, 21 Apr 2012 15:41:30 +0400, Dmitry S. Kasterin wrote:
> 9.0-STABLE / custom kernel
> > Also, if
> > you choose to use stateful TCP filtering, it is probably best to do it
> > in the manner shown in the ipfw(8) man page under DYNAMIC RULES. This
> > is very different from the way you did it.
> The "DYNAMIC RULES" section gives the following recommendation:
> ipfw add check-state
> ipfw add deny tcp from any to any established
> ipfw add allow tcp from my-net to any setup keep-state
> Is the second rule necessary?
Probably not where default policy is deny, but maybe instructive there.
When using stateful TCP rules, you 'should' never see any established
packets that aren't part of a dynamic session; those that are will be
taken care of by the check-state, assuming they don't arrive beyond
timeouts - and counted, both ways, at the setup keep-state rule.
You'll likely see quite a few supposedly 'established' packets from bots
scanning the planet in general, usually but not only from somewhere:80.
Add log to that deny if curious about such background radiation, and set
sysctl net.inet.tcp.log_in_vain=1 if obsessively curious :)
Like Kevin, I use dynamic rules only for some outbound UDP, but here on
low-bandwidth systems where performance is scarcely an issue, nor DoS.
For a good example using both stateless and stateful rules you may find
the /etc/rc.firewall 'workstation' ruleset useful.
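The three-rule pattern quoted above, written out as an added example (not code from the original post or from ipfw's own rc.firewall): a small sh script that emits the DYNAMIC RULES ordering with logging on the deny, and can be dry-run on a box without ipfw so the ordering can be checked before it is loaded. The rule numbers, the inside network 192.168.1.0/24 and the DRY_RUN switch are illustrative choices, not the poster's configuration.

```shell
#!/bin/sh
# Added example: the ipfw(8) DYNAMIC RULES pattern for stateful TCP.
# Assumptions (not from the post): MY_NET, the rule numbers 1000-1200
# and the DRY_RUN variable are placeholders chosen for illustration.

MY_NET="${MY_NET:-192.168.1.0/24}"   # assumed inside network

# Emit the rule bodies in the order they must be installed:
# check-state first, then the deny on established, then setup keep-state.
dynamic_tcp_rules() {
    my_net="$1"
    # 1. Packets belonging to a dynamic session created by keep-state
    #    are matched here and never reach the rules below.
    echo "add 1000 check-state"
    # 2. Anything with ACK/RST set that check-state did not claim is not
    #    part of a session we opened (or arrived after the session timed
    #    out); drop it, and log it to see the scan "background radiation".
    echo "add 1100 deny log tcp from any to any established"
    # 3. Only the inside net may open a TCP session; keep-state creates
    #    the dynamic entry that rule 1000 will match for reply packets.
    echo "add 1200 allow tcp from $my_net to any setup keep-state"
}

# Load the rules through ipfw, or print the exact commands when DRY_RUN
# is set so the ruleset can be reviewed first.
load_rules() {
    dynamic_tcp_rules "$MY_NET" | while IFS= read -r rule; do
        if [ -n "${DRY_RUN:-}" ]; then
            echo "ipfw $rule"
        else
            ipfw $rule || exit 1   # exits the reader subshell on failure
        fi
    done
}

# Commands that verify the result after loading: -d lists the dynamic
# (state) entries, -a shows per-rule counters so the deny on established
# can be watched, and log_in_vain=1 makes the kernel log stray segments.
verify_commands() {
    echo "ipfw -d list"
    echo "ipfw -a list"
    echo "sysctl net.inet.tcp.log_in_vain=1"
}
```

Run as root with DRY_RUN unset to install the rules (after an explicit `ipfw -q flush` or with rule numbers that do not collide with an existing set), then use the commands from verify_commands to confirm that reply packets are counted at rule 1200 and at the dynamic entries rather than at rule 1100.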
More information about the freebsd-net