IPFW V2 dynamic keepalives broken

Luigi Rizzo rizzo at icir.org
Wed May 28 12:11:48 PDT 2003


On Wed, May 28, 2003 at 08:55:35AM -0700, Gregory Neil Shapiro wrote:
> > i imagine the following happens:
> >  + the client does not properly close the connection;
> 
> I tend to agree.
> 
> >  + when a keepalive is sent (every 5 minutes),

To be precise -- a keepalive is sent in the last 30 sec or so of
the lifetime of a dynamic rule. If the timeout is bumped below
this value (as happens when both FINs or a RST come in) then
keepalives are disabled. But if only one FIN is received,
and no RST arrives back, keepalives continue to flow.

> But wouldn't a dyn_fin_lifetime of 1 mean it wouldn't reach 5 minutes?

only if both FINs come in -- that is when the dyn_fin_lifetime takes
effect.

	cheers
	luigi

> >    then the server's TCP responds (thus refreshing the rule), and the
> 
> Interestingly enough, the client can't respond.  An upstream Nokia
> Checkpoint FW-1 firewall is rejecting the packets from the client to
> the server with "Unknown established connection".  You are correct
> though, the server may be responding.  
> 
> >    TCP timeout is reset so it stays in the FIN_WAIT[2] state for
> >    another cycle, whereas the client does not bother to send back a
> >    RST (which would cause the timeout for the dynamic rule go down to
> >    very low values).
> 
> > Maybe i should change the logic in the dynamic rules so that further
> > keepalives are not sent unless a reply has been received from both
> > sides.
> 
> That does sound like a good solution.
> 
> > > # sysctl net.inet.ip.fw.dyn_keepalive=0
> > > net.inet.ip.fw.dyn_keepalive: 1 -> 0
> > > (wait a few seconds)
> > 
> > how "few" seconds ? I suppose in the order of 300 or so, enough
> > to let the local session expire ?
> 
> Yes, sorry, that should have been "few minutes", not "few seconds".
> 
> By the way, since sending the mail yesterday, 149 have collected in
> FIN_WAIT_2 on the server.  I repeated the process and timed it.
> It started dropping them after about 6 minutes.
> _______________________________________________
> freebsd-ipfw at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe at freebsd.org"
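The following is an added model of the dynamic-rule timeout and keepalive behaviour described in this exchange; it is not code from FreeBSD's ip_fw2.c. It assumes a 300 s dyn_ack_lifetime (the usual net.inet.ip.fw.dyn_ack_lifetime default), the 1 s dyn_fin_lifetime mentioned above, a 30 s keepalive window and a 5 s probe spacing, and it models both the logic Luigi describes (keepalives keep flowing while one side still answers) and his proposed change (no further keepalives unless both sides replied to the previous one). The traffic timeline inside simulate() is constructed, not captured.

```python
"""Model of ipfw dynamic-rule keepalives for a half-closed TCP connection.

Added illustration, not FreeBSD's ip_fw2.c.  Constants are assumptions
chosen to match the thread: dyn_ack_lifetime 300 s, dyn_fin_lifetime 1 s,
keepalives only in the last 30 s of a rule's life, one probe every 5 s.
"""
from dataclasses import dataclass, field

ACK_LIFETIME = 300       # assumed: net.inet.ip.fw.dyn_ack_lifetime default
FIN_LIFETIME = 1         # net.inet.ip.fw.dyn_fin_lifetime, as in the thread
KEEPALIVE_WINDOW = 30    # probes start this many seconds before expiry
KEEPALIVE_PERIOD = 5     # assumed spacing between keepalive probes
SIDES = frozenset({"client", "server"})


@dataclass
class DynRule:
    expire: int                                  # absolute expiry time
    lifetime: int = ACK_LIFETIME                 # lifetime applied on last refresh
    fin_seen: set = field(default_factory=set)   # sides whose FIN passed the rule
    rst_seen: bool = False
    replied: set = field(default_factory=lambda: set(SIDES))  # replies since last probe
    next_keepalive: int = 0


def on_packet(rule, now, src, fin=False, rst=False):
    """A packet from `src` refreshes the rule; FIN/RST may shorten its lifetime."""
    if fin:
        rule.fin_seen.add(src)
    if rst:
        rule.rst_seen = True
    # dyn_fin_lifetime applies only once both FINs (or a RST) have been seen;
    # a single FIN leaves the rule on the long ACK lifetime
    if rule.rst_seen or rule.fin_seen == SIDES:
        rule.lifetime = FIN_LIFETIME
    else:
        rule.lifetime = ACK_LIFETIME
    rule.expire = now + rule.lifetime
    rule.replied.add(src)


def keepalive_due(rule, now, require_both_sides):
    """Should the firewall probe both ends right now?"""
    remaining = rule.expire - now
    if remaining <= 0 or remaining > KEEPALIVE_WINDOW:
        return False
    # a lifetime below the window means FIN/RST shortened it: probes are off
    if rule.lifetime <= KEEPALIVE_WINDOW:
        return False
    if now < rule.next_keepalive:
        return False
    # proposed change from the thread: probe again only if both ends answered
    if require_both_sides and rule.replied != SIDES:
        return False
    return True


def simulate(require_both_sides, client_reachable=False, horizon=3600):
    """Server sends FIN, client ACKs it and then goes silent (as behind the
    upstream firewall in the thread).  The server's TCP still answers probes.

    Returns (expiry_time, keepalives_sent); expiry_time is None if the rule
    is still alive at `horizon`.
    """
    rule = DynRule(expire=0)
    on_packet(rule, 0, "client")                # SYN
    on_packet(rule, 0, "server")                # SYN/ACK
    on_packet(rule, 10, "server", fin=True)     # server closes its side
    on_packet(rule, 10, "client")               # client ACKs, then nothing more
    pending = []                                # (time, src) replies to probes
    sent = 0
    for now in range(11, horizon):
        for _, src in [p for p in pending if p[0] == now]:
            on_packet(rule, now, src)           # a reply refreshes the rule
        pending = [p for p in pending if p[0] > now]
        if now >= rule.expire:
            return now, sent
        if keepalive_due(rule, now, require_both_sides):
            sent += 1
            rule.replied = set()
            rule.next_keepalive = now + KEEPALIVE_PERIOD
            pending.append((now + 1, "server"))  # server's TCP answers
            if client_reachable:
                pending.append((now + 1, "client"))
    return None, sent


if __name__ == "__main__":
    print("current logic, client silent:", simulate(False))
    print("both-sides rule, client silent:", simulate(True))
    print("both-sides rule, client answers:", simulate(True, client_reachable=True))
```

With the current logic the rule never expires while the server keeps answering probes, which is the behaviour that left the server's sockets in FIN_WAIT_2; with the both-sides rule the first probe is still sent, the server's lone reply refreshes the rule once, and the rule then lapses at the end of that lifetime. A connection where both ends answer is unaffected.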

