FIN_WAIT_2

Robert Gogolok robertgogolok at web.de
Mon Mar 21 09:03:18 PST 2005


I have set up a webserver behind a bridged firewall, something like:

INTERNET --------- FIREWALL --------- WEBSERVER


The webserver is running FreeBSD, and currently I get many FIN_WAIT_2
states:

# netstat -n -p tcp | grep FIN_WAIT_2 | wc -l
48

I wonder WHAT is responsible for sending ACK messages every 5 minutes to
the clients in FIN_WAIT_2 state?
net.inet.tcp.always_keepalive seems to be something else.

# netstat -n -p tcp | grep FIN_WAIT_2 | grep HTTP_CLIENT
tcp4       0      0  134.96.240.1.80        HTTP_CLIENT.10228      FIN_WAIT_2

# tcpdump -S -i vr0 dst host HTTP_CLIENT
16:04:12.987415 IP HTTP_SERVER.http > HTTP_CLIENT.10228: . ack 1760359226 win 0
16:04:12.987678 IP HTTP_SERVER.http > HTTP_CLIENT.10228: . ack 1760359226 win 32900
16:08:57.944008 IP HTTP_SERVER.http > HTTP_CLIENT.10228: . ack 1760359226 win 0
16:08:57.944300 IP HTTP_SERVER.http > HTTP_CLIENT.10228: . ack 1760359226 win 32900
...
17:39:12.124577 IP HTTP_SERVER.http > HTTP_CLIENT.10228: . ack 1760359226 win 0
17:39:12.124862 IP HTTP_SERVER.http > HTTP_CLIENT.10228: . ack 1760359226 win 32900
17:43:57.081176 IP HTTP_SERVER.http > HTTP_CLIENT.10228: . ack 1760359226 win 0
17:43:57.081434 IP HTTP_SERVER.http > HTTP_CLIENT.10228: . ack 1760359226 win 32900


The bridged firewall seems to block exactly those ACKs.
The setup is a simple stateful firewall, something like:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -d HTTP_SERVER --dport 80 -j ACCEPT


Is blocking the ACK messages above somehow harmful?


Greetings,
Robert
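To check whether what the server sends matches the periodic bare-ACK pattern shown in the tcpdump output above (same ack number, a zero-window probe followed by a normal-window ACK, repeated at a fixed interval), here is an added analysis script, not part of the original post. It parses tcpdump lines of the exact form quoted in the mail (the sample below is constructed from those lines, with the elided middle left out) and reports, per flow, how many probe bursts occurred and the seconds between them, so the interval can be compared against the firewall's connection-tracking timeout.

```python
import re
from datetime import datetime

# Constructed sample: the first two probe bursts quoted in the post.
SAMPLE = """\
16:04:12.987415 IP HTTP_SERVER.http > HTTP_CLIENT.10228: . ack 1760359226 win 0
16:04:12.987678 IP HTTP_SERVER.http > HTTP_CLIENT.10228: . ack 1760359226 win 32900
16:08:57.944008 IP HTTP_SERVER.http > HTTP_CLIENT.10228: . ack 1760359226 win 0
16:08:57.944300 IP HTTP_SERVER.http > HTTP_CLIENT.10228: . ack 1760359226 win 32900
"""

# Matches tcpdump's classic output for a bare ACK segment ("." flags, no payload).
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"\. ack (?P<ack>\d+) win (?P<win>\d+)"
)


def parse(text):
    """Return one dict per bare-ACK line; lines that do not match are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        pkts.append({"ts": datetime.strptime(m["ts"], "%H:%M:%S.%f"),
                     "flow": (m["src"], m["dst"]),
                     "ack": int(m["ack"]), "win": int(m["win"])})
    return pkts


def probe_bursts(pkts, burst_gap=1.0):
    """Group ACKs per flow into bursts (packets closer than burst_gap seconds)
    and report burst count, gaps between bursts in seconds, whether every ACK
    carries the same ack number, and the window values seen in each burst."""
    by_flow = {}
    for p in pkts:
        by_flow.setdefault(p["flow"], []).append(p)
    report = {}
    for flow, ps in by_flow.items():
        ps.sort(key=lambda p: p["ts"])
        bursts = []
        for p in ps:
            if bursts and (p["ts"] - bursts[-1][-1]["ts"]).total_seconds() <= burst_gap:
                bursts[-1].append(p)
            else:
                bursts.append([p])
        starts = [b[0]["ts"] for b in bursts]
        report[flow] = {
            "bursts": len(bursts),
            "gaps_s": [round((b - a).total_seconds(), 1) for a, b in zip(starts, starts[1:])],
            "same_ack": len({p["ack"] for p in ps}) == 1,
            "windows": [[p["win"] for p in b] for b in bursts],
        }
    return report
```

Run it on a real capture with `probe_bursts(parse(open("capture.txt").read()))`; a flow whose gaps stay constant while the ack number never changes is a keepalive-style probe, not data traffic.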


More information about the freebsd-questions mailing list