Sockets stuck in FIN_WAIT_1 not detected by pf
Linda Messerschmidt
linda.messerschmidt at gmail.com
Sat Mar 27 09:31:36 UTC 2010
Hi all,
I have a 7.2-STABLE machine with the old "hostile client causes Apache
sockets to persist forever in FIN_WAIT_1" problem.
These connections hang forever as long as the client continues to send
packets advertising a 0 window size; I believe this problem is pretty
well-understood. (And essentially impossible to fix.)
What I wanted to do was work around it using the pf tcp.closing
timeout to get rid of them. However, pf isn't detecting the move to
FIN_WAIT_1:
> netstat -an | fgrep 6.7.8.9 | fgrep .24
tcp4 0 1049615 2.3.4.5.443 6.7.8.9.24113 FIN_WAIT_1
tcp4 0 1049618 2.3.4.5.443 6.7.8.9.24107 FIN_WAIT_1
tcp4 0 1048731 2.3.4.5.443 6.7.8.9.24104 FIN_WAIT_1
tcp4 0 1047829 2.3.4.5.443 6.7.8.9.24102 FIN_WAIT_1
tcp4 0 1049618 2.3.4.5.443 6.7.8.9.24098 FIN_WAIT_1
tcp4 0 1049618 2.3.4.5.443 6.7.8.9.24096 FIN_WAIT_1
tcp4 0 1049620 2.3.4.5.443 6.7.8.9.24094 FIN_WAIT_1
tcp4 0 1048012 2.3.4.5.443 6.7.8.9.24039 FIN_WAIT_1
tcp4 0 1049620 2.3.4.5.443 6.7.8.9.24035 FIN_WAIT_1
tcp4 0 1049187 2.3.4.5.443 6.7.8.9.24018 FIN_WAIT_1
tcp4 0 1049616 2.3.4.5.443 6.7.8.9.24013 FIN_WAIT_1
tcp4 0 1049619 2.3.4.5.443 6.7.8.9.24011 FIN_WAIT_1
> sudo pfctl -s state | fgrep 6.7.8.9 | fgrep :24
all tcp 2.3.4.5:443 <- 6.7.8.9:24011 ESTABLISHED:ESTABLISHED
all tcp 2.3.4.5:443 <- 6.7.8.9:24013 ESTABLISHED:ESTABLISHED
all tcp 2.3.4.5:443 <- 6.7.8.9:24018 ESTABLISHED:ESTABLISHED
all tcp 2.3.4.5:443 <- 6.7.8.9:24035 ESTABLISHED:ESTABLISHED
all tcp 2.3.4.5:443 <- 6.7.8.9:24039 ESTABLISHED:ESTABLISHED
all tcp 2.3.4.5:443 <- 6.7.8.9:24094 ESTABLISHED:ESTABLISHED
all tcp 2.3.4.5:443 <- 6.7.8.9:24096 ESTABLISHED:ESTABLISHED
all tcp 2.3.4.5:443 <- 6.7.8.9:24098 ESTABLISHED:ESTABLISHED
all tcp 2.3.4.5:443 <- 6.7.8.9:24102 ESTABLISHED:ESTABLISHED
all tcp 2.3.4.5:443 <- 6.7.8.9:24104 ESTABLISHED:ESTABLISHED
all tcp 2.3.4.5:443 <- 6.7.8.9:24107 ESTABLISHED:ESTABLISHED
all tcp 2.3.4.5:443 <- 6.7.8.9:24113 ESTABLISHED:ESTABLISHED
>
Is this a bug in pf, or have I configured it improperly somehow? The
rule that creates the state entries is just:
pass in on $ext_if inet proto tcp from any to <web_ips> port { 80, 443 }
which pf seems to parse into:
pass in on em0 inet proto tcp from any to <web_ips> port = https flags S/SA keep state
That looks fine to me, so I have no idea what's happening here.
Thanks for any insight!
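As an added example (not part of the post above), a small script that takes the two listings, netstat -an and pfctl -s state, and reports the sockets the kernel has in FIN_WAIT_1 while pf still tracks them ESTABLISHED:ESTABLISHED, together with the bytes sitting in the send queue. The sample output embedded in it is constructed after the listings above, and it assumes no NAT, so the address left of the pf arrow is always this host.

```python
# Added example, not from the original post: correlate FreeBSD netstat -an with
# pfctl -s state to list sockets in FIN_WAIT_1 that pf still tracks ESTABLISHED.

# Constructed sample output modelled on the two listings in the post.
NETSTAT_SAMPLE = """\
tcp4       0 1049615 2.3.4.5.443     6.7.8.9.24113  FIN_WAIT_1
tcp4       0 1049618 2.3.4.5.443     6.7.8.9.24107  FIN_WAIT_1
tcp4       0       0 2.3.4.5.443     6.7.8.9.24200  ESTABLISHED
"""
PF_SAMPLE = """\
all tcp 2.3.4.5:443 <- 6.7.8.9:24113       ESTABLISHED:ESTABLISHED
all tcp 2.3.4.5:443 <- 6.7.8.9:24107       ESTABLISHED:ESTABLISHED
all tcp 2.3.4.5:443 <- 6.7.8.9:24200       ESTABLISHED:ESTABLISHED
"""

# netstat prints "ip.port"; rewrite to pf's "ip:port" so the keys compare.
def _addr(a):
    return "%s:%s" % tuple(a.rsplit(".", 1))

def parse_netstat(text):
    """Map (local, remote) -> (tcp_state, send_queue_bytes) for tcp lines."""
    out = {}
    for f in (line.split() for line in text.splitlines()):
        if len(f) >= 6 and f[0].startswith("tcp"):
            out[(_addr(f[3]), _addr(f[4]))] = (f[5], int(f[2]))
    return out

def parse_pf_states(text):
    """Map (local, remote) -> (src_state, dst_state) from pfctl -s state."""
    out = {}
    for f in (line.split() for line in text.splitlines()):
        arrow = "<-" if "<-" in f else "->" if "->" in f else None
        if len(f) < 6 or f[1] != "tcp" or arrow is None:
            continue
        i = f.index(arrow)
        # Assumption: no NAT, so the endpoint left of the arrow is this host
        # for both inbound (<-) and outbound (->) states.
        out[(f[i - 1], f[i + 1])] = tuple(f[-1].split(":"))
    return out

def find_stuck(netstat_text, pf_text):
    """Sorted (local, remote, sendq, pf_state) for FIN_WAIT_1 sockets that pf
    still has as ESTABLISHED on both sides; sendq is the data the peer won't ack."""
    pf = parse_pf_states(pf_text)
    return sorted(
        (loc, rem, sendq, ":".join(pf[(loc, rem)]))
        for (loc, rem), (state, sendq) in parse_netstat(netstat_text).items()
        if state == "FIN_WAIT_1" and pf.get((loc, rem)) == ("ESTABLISHED",) * 2
    )
```

On a live box, feed it the real output of `netstat -an` and `pfctl -s state`; anything it returns is a state entry that tcp.closing will never time out, because pf has not seen the transition.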