IPFW V2 dynamic keepalives broken
Luigi Rizzo
rizzo at icir.org
Wed May 28 12:11:48 PDT 2003
On Wed, May 28, 2003 at 08:55:35AM -0700, Gregory Neil Shapiro wrote:
> > i imagine the following happens:
> > + the client does not properly close the connection;
>
> I tend to agree.
>
> > + when a keepalive is sent (every 5 minutes),
To be precise -- a keepalive is sent in the last 30sec or so of
the lifetime of a dynamic rule. If the timeput is bumped below
this value (as it happens when both FIN or a RST comes in) then
keepalives are disabled. But if only one FIN is received,
and no RST arrive back, keepalives continue to flow.
> But wouldn't a dyn_fin_lifetime of 1 mean it wouldn't reach 5 minutes?
only if both FIN come in -- that is when the dyn_fin_lifetime takes
effect.
cheers
luigi
> > the the server's TCP responds (thus refreshing the rule), and the
>
> Interestingly enough, the client can't respond. An upstream Nokia
> Checkpoint FW-1 firewall is rejecting the packets from the client to
> the server with "Unknown established connection". You are correct
> though, the server may be responding.
>
> > TCP timeout is reset so it stays in the FIN_WAIT[2] state for
> > another cycle, whereas the client does not bother to send back a
> > RST (which would cause the timeout for the dynamic rule go down to
> > very low values).
>
> > Maybe i should change the logic in the dynamic rules so that further
> > keepalives are not sent unless a reply has been received from both
> > sides.
>
> That does sound like a good solution.
>
> > > # sysctl net.inet.ip.fw.dyn_keepalive=0
> > > net.inet.ip.fw.dyn_keepalive: 1 -> 0
> > > (wait a few seconds)
> >
> > how "few" seconds ? I suppose in the order of 300 or so, enough
> > to let the local session expire ?
>
> Yes, sorry, that should have been "few minutes", not "few seconds".
>
> By the way, since sending the mail yesterday, 149 have collected in
> FIN_WAIT_2 on the server. I repeated the process and timed it.
> It started dropping them after about 6 minutes.
> _______________________________________________
> freebsd-ipfw at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe at freebsd.org"
More information about the freebsd-ipfw
mailing list