Re: Sockets stuck in FIN_WAIT_1

From: Matthew Dillon <dillon@xxxxxxxxxxxxxxxxxxxx>
Date: Fri, 30 May 2008 09:43:28 -0700 (PDT)

:Yes, IPFW is running on the box. Why not?
:
:--
:Robert Blayzor, BOFH
:INOC, LLC
:rblayzor@xxxxxxxx
:http://www.inoc.net/~rblayzor/

There's nothing wrong with running IPFW on the same box :-)

But, I think that rule change is masking the problem rather then solving
it. The keep-state is limited. The reason the number of dead connections
isn't going up is probably because IPFW is either hitting its keep-state
limit and dropping connections, or the connection becomes idle long
enough for IPFW to recycle the keep-state for it, also causing it to
drop.

Once the keep-state is lost that deny established rule will cause the
connection to fail.

I would be very careful with any type of ruleset (IPFW or PF) which
relies on keep-state. You can wind up causing legitimate connections
to drop if it isn't carefully tuned.

It might be a reasonable bandaid, though.

-Matt
Matthew Dillon
<dillon@xxxxxxxxxxxxx>
_______________________________________________
freebsd-stable@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscribe@xxxxxxxxxxx"

Follow-Ups:
- Re: Sockets stuck in FIN_WAIT_1
  - From: Robert Blayzor

References:
- Sockets stuck in FIN_WAIT_1
  - From: Robert Blayzor
- Re: Sockets stuck in FIN_WAIT_1
  - From: Chuck Swiger
- Re: Sockets stuck in FIN_WAIT_1
  - From: Robert Blayzor
- Re: Sockets stuck in FIN_WAIT_1
  - From: Doug Barton
- Re: Sockets stuck in FIN_WAIT_1
  - From: Robert Blayzor
- Re: Sockets stuck in FIN_WAIT_1
  - From: Doug Barton
- Re: Sockets stuck in FIN_WAIT_1
  - From: Mark Kirkwood
- Re: Sockets stuck in FIN_WAIT_1
  - From: Doug Barton
- Re: Sockets stuck in FIN_WAIT_1
  - From: Stephen Clark
- Re: Sockets stuck in FIN_WAIT_1
  - From: Robert Blayzor
- Re: Sockets stuck in FIN_WAIT_1
  - From: Doug Barton
- Re: Sockets stuck in FIN_WAIT_1
  - From: Matthew Dillon
- Re: Sockets stuck in FIN_WAIT_1
  - From: Robert Blayzor
- Re: Sockets stuck in FIN_WAIT_1
  - From: Matthew Dillon
- Re: Sockets stuck in FIN_WAIT_1
  - From: Robert Blayzor
- Re: Sockets stuck in FIN_WAIT_1
  - From: Matthew Dillon
- Re: Sockets stuck in FIN_WAIT_1
  - From: Robert Blayzor
- Re: Sockets stuck in FIN_WAIT_1
  - From: Matthew Dillon
- Re: Sockets stuck in FIN_WAIT_1
  - From: Robert Blayzor
- Re: Sockets stuck in FIN_WAIT_1
  - From: Doug Barton
- Re: Sockets stuck in FIN_WAIT_1
  - From: Robert Blayzor

Prev by Date: Re: Sockets stuck in FIN_WAIT_1
Next by Date: Re: Sockets stuck in FIN_WAIT_1
Previous by thread: Re: Sockets stuck in FIN_WAIT_1
Next by thread: Re: Sockets stuck in FIN_WAIT_1
Index(es):
- Date
- Thread

Relevant Pages

Re: continued IPFW issues... (actually a lack of ability on my part)
... >> I'm still having some sort of issues with ipfw rules on my server. ... > 'keep-state' to keep track of the connections made to you. ...
(freebsd-questions)
ipfw, keep-state and limit
... I think I need to start filtering based on simultaneous connections from ... so, as I'm already using ipfw, I tried this: ... only one of keep-state andlimit is allowed ...
(freebsd-net)
Re: Sockets stuck in FIN_WAIT_1
... packet to clear the connections. ... are you running ipfw ON the web server box? ...
(freebsd-stable)
Re: ipfw, keep-state and limit
... so, as I'm already using ipfw, I tried this: ... only one of keep-state andlimit is allowed ... dynamic keep-state rules for individual clients, ... connections from the same address. ...
(freebsd-net)
Unexpected keep state behaviour in ipfw
... ipfw keep-state behaviour. ... the connection disappears. ... I've used keep-state in the past and I'm ... 11005 allow udp from me to any dst-port 53 out xmit ed1 keep-state ...
(FreeBSD-Security)