IPFW V2 dynamic keepalives broken
Gregory Neil Shapiro
gshapiro at freebsd.org
Wed May 28 08:55:37 PDT 2003
> i imagine the following happens:
> + the client does not properly close the connection;
I tend to agree.
> + when a keepalive is sent (every 5 minutes),
But wouldn't a dyn_fin_lifetime of 1 mean it wouldn't reach 5 minutes?
> the server's TCP responds (thus refreshing the rule), and the
Interestingly enough, the client can't respond. An upstream Nokia
Checkpoint FW-1 firewall is rejecting the packets from the client to
the server with "Unknown established connection". You are correct
though, the server may be responding.
> TCP timeout is reset so it stays in the FIN_WAIT[2] state for
> another cycle, whereas the client does not bother to send back a
> RST (which would cause the timeout for the dynamic rule go down to
> very low values).
> Maybe i should change the logic in the dynamic rules so that further
> keepalives are not sent unless a reply has been received from both
> sides.
That does sound like a good solution.
> > # sysctl net.inet.ip.fw.dyn_keepalive=0
> > net.inet.ip.fw.dyn_keepalive: 1 -> 0
> > (wait a few seconds)
>
> how "few" seconds? I suppose in the order of 300 or so, enough
> to let the local session expire?
Yes, sorry, that should have been "few minutes", not "few seconds".
By the way, since sending the mail yesterday, 149 have collected in
FIN_WAIT_2 on the server. I repeated the process and timed it.
It started dropping them after about 6 minutes.
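To make the effect of the proposed change concrete, here is a small Python model of the keepalive refresh logic discussed above. It is an added example, not ipfw code; the 300-second refresh lifetime and the one-probe-per-interval scheduling are assumptions made for the model.

```python
"""Toy model of ipfw dynamic-rule keepalive refresh (added example, not ipfw code)."""
from typing import Dict, Optional

KEEPALIVE_INTERVAL = 300  # seconds between keepalive probes, as stated in the thread
LIFETIME = 300            # assumed: lifetime a rule is granted when a reply refreshes it


def simulate(require_both_replies: bool, client_replies: bool, server_replies: bool,
             horizon: int = 3600) -> Optional[int]:
    """Return the time (s) at which the dynamic rule is dropped, or None if it
    is still alive at `horizon`.

    require_both_replies=False models the behaviour described in the thread:
    a probe goes out every interval and a reply from either end refreshes the rule.
    require_both_replies=True models the proposed change: a probe is only sent
    if the previous one was answered by both endpoints.
    """
    expire = LIFETIME
    # The original handshake counts as a reply from both sides.
    answered: Dict[str, bool] = {"client": True, "server": True}
    for t in range(0, horizon + 1, KEEPALIVE_INTERVAL):
        may_probe = (not require_both_replies) or all(answered.values())
        if may_probe:
            answered = {"client": client_replies, "server": server_replies}
            if client_replies or server_replies:
                expire = t + LIFETIME  # any reply refreshes the rule
        if t >= expire:
            return t  # rule dropped: nothing refreshed it in time
    return None


if __name__ == "__main__":
    # Thread scenario: server answers, client (blocked upstream) stays silent.
    print("current logic, server-only replies:", simulate(False, False, True))
    print("proposed logic, server-only replies:", simulate(True, False, True))
    print("proposed logic, both reply:", simulate(True, True, True))
```

With the current logic the one-sided server reply keeps the rule alive indefinitely; with the proposed logic it is dropped after the first unanswered probe window.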