src-limit trouble

Mihail Balikov misho at interbgc.com
Sat May 3 23:28:26 PDT 2003


This happens when you have more than one rule with "limit".

I have a small patch for 4.7.

regards,
Mihail Balikov

----- Original Message -----
From: <maxes at peterlink.ru>
To: <freebsd-ipfw at freebsd.org>
Sent: Friday, May 02, 2003 8:44 PM
Subject: src-limit trouble


>
> I use ipfw2 with dynamic rule like this:
> ipfw add 50 count tcp from any to me dst-port 8000-8005,80 setup limit src-addr 20
>
> 1)
> In my case, the command "ipfw -d sh" can show a "LIMIT" rule without a
> corresponding "PARENT" rule, for example:
> ipfw -d sh | grep remote.ip
> 00050 9 861 (62s) LIMIT tcp remote.ip 19098 <-> me.ip 80
>
> That's the full output; I repeat, there is no corresponding PARENT rule.
>
> 2)
> If net.inet.ip.fw.dyn_keepalive=1, then
> FIN_WAIT_2 connections accumulate on the host.
> For example:
> netstat -an | grep WAIT_2 | wc -l
> 2178
>
> These FIN_WAIT_2 connections live for a very long period, 1-1.5 months.
> But if I set "sysctl -w net.inet.ip.fw.dyn_keepalive=0",
> then after (at minimum 5 min = dyn_ack_lifetime) the number of FIN_WAIT_2
> connections decreases to "normal", 20-40. I set MSL to 7500.
>
> Question is:
> Why does a single LIMIT rule live without a PARENT?
> Why is this connection not closed?
> In FreeBSD FIN_WAIT_2 has a timer: after 2*MSL (30 sec in
> my case) this connection would be closed, wouldn't it? But with keep-alive
> this connection shows in netstat and shows in the ipfw rules.
>
> b.r.
>  Kozin Maxim
>
>
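As an added example (not part of this thread, and not ipfw's own code), here is the check Maxim did by eye in point 1 written as a shell function: it reads "ipfw -d show" output and prints every LIMIT entry that has no PARENT entry for the same rule number and source address. The sample output below is constructed, and the PARENT line layout (child count after the type, then proto, source address, source port) is my recollection of the ipfw2 dynamic-rule printer, not something shown on this page; compare it against "ipfw -d show" on your own box before trusting the field positions.

```shell
# Constructed sample of "ipfw -d show" dynamic-rule output; not captured from a real host.
# Assumed layout (ipfw2 printer, from memory):
#   rulenum pkts bytes (expire) TYPE [count] proto src sport <-> dst dport
# PARENT lines carry a child count after the type; LIMIT/STATE lines do not.
# Order is deliberately mixed: ipfw prints the dynamic table in hash order,
# so a LIMIT entry may appear before its PARENT.
SAMPLE='00050 9 861 (62s) LIMIT tcp 10.0.0.5 19098 <-> 192.0.2.1 80
00050 12 0 (60s) PARENT 1 tcp 10.0.0.5 0 <-> 0.0.0.0 0
00050 3 240 (58s) LIMIT tcp 10.0.0.9 40001 <-> 192.0.2.1 8000
00050 5 400 (300s) STATE tcp 10.0.0.7 5555 <-> 192.0.2.1 22'

# orphan_limits: read "ipfw -d show" on stdin, print each LIMIT entry whose
# (rule number, source address) pair has no PARENT entry anywhere in the input.
# The key is the source address because the rule in this thread uses
# "limit src-addr"; a rule limiting on another field needs a different key.
orphan_limits() {
    awk '
        # PARENT: $1 rulenum, $5 type, $6 child count, $7 proto, $8 src addr
        $5 == "PARENT" { parent[$1 " " $8] = 1 }
        # LIMIT:  $1 rulenum, $5 type, $6 proto, $7 src addr, $8 src port
        $5 == "LIMIT"  { n++; line[n] = $0; key[n] = $1 " " $7 }
        # Decide only after the whole table is read, so order does not matter.
        END { for (i = 1; i <= n; i++) if (!(key[i] in parent)) print line[i] }
    '
}

# Against the constructed sample this reports only the 10.0.0.9 entry;
# on a live host the pipeline would be:  ipfw -d show | orphan_limits
printf '%s\n' "$SAMPLE" | orphan_limits
```

A non-empty result reproduces the symptom in point 1 of the quoted mail. If you run it repeatedly (say, once a minute) while toggling net.inet.ip.fw.dyn_keepalive, you can see whether the orphaned LIMIT entries are being refreshed by keepalives or simply waiting out their expiry.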
