Understanding ipfw keep-state dynamic rules
Ivan Voras
ivoras at fer.hr
Tue Apr 17 05:05:31 UTC 2007
Luigi Rizzo wrote:
> On Mon, Apr 16, 2007 at 12:07:35AM +0200, Ivan Voras wrote:
>> Luigi Rizzo wrote:
>>
>>> yes the numbers should be the expire time for the rule.
>> So, the total time the connection was active or the time the connection
>> had some traffic through it?
>
> it is the expire time (i.e. how many seconds from now the rule
> will be deleted). It should normally be the preset timeout
> (300 as a default for active sessions) minus the time for which
> the connection has been idle.
So is there a way to find out from this listing which connections have
been stalled too long? "Short" expire times may mean closed connections
or may mean a rule that's been active for a long time and is now almost
expired.
> in terms of tcp, on the server you would need to send a FIN
> (to signal "no more data from me") followed by a RST (to signal
> "i am not listening anymore"). Maybe a shutdown(s, SHUT_RDWR)
> can do the job, probably just close() is not enough.
> But i am not 100% sure.
I can't modify the server. I was hoping ipfw would send a RST to both
sides if a rule expires.
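An added example, not part of this thread, that applies Luigi's formula (idle = lifetime - expire) to a dynamic-rule listing so that long-idle sessions can be picked out. The line layout is an assumption about `ipfw -d show` output, the sample listing is constructed, and 300 is the default `net.inet.ip.fw.dyn_ack_lifetime`.

```python
import re

# Default lifetime of an established TCP state entry; assumed to match the
# ipfw sysctl net.inet.ip.fw.dyn_ack_lifetime (300s on a stock system).
DEFAULT_ACK_LIFETIME = 300

# Assumed layout of one dynamic-rule line printed by "ipfw -d show":
#   rule pkts bytes (expire s) TYPE proto src sport <-> dst dport
DYN_RULE_RE = re.compile(
    r"^(?P<rule>\d+)\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+\((?P<expire>\d+)s\)"
    r"\s+(?P<type>STATE|LIMIT|PARENT)(?:\s+\d+)?\s+(?P<proto>\w+)"
    r"\s+(?P<src>\S+)\s+(?P<sport>\d+)\s+<->\s+(?P<dst>\S+)\s+(?P<dport>\d+)$"
)

def parse_dyn_rule(line):
    """Return a dict for one dynamic-rule line, or None for headers/other text."""
    m = DYN_RULE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for k in ("rule", "pkts", "bytes", "expire", "sport", "dport"):
        d[k] = int(d[k])
    return d

def idle_seconds(rule, lifetime=DEFAULT_ACK_LIFETIME):
    # expire = lifetime - idle, so idle = lifetime - expire. Clamped at 0 in
    # case the lifetime sysctl was lowered after the entry was created.
    return max(0, lifetime - rule["expire"])

def stalled_sessions(listing, idle_threshold, lifetime=DEFAULT_ACK_LIFETIME):
    """TCP state entries idle for at least idle_threshold seconds."""
    stalled = []
    for line in listing.splitlines():
        r = parse_dyn_rule(line)
        if r is None or r["proto"] != "tcp":
            continue
        idle = idle_seconds(r, lifetime)
        if idle >= idle_threshold:
            stalled.append((r["src"], r["sport"], r["dst"], r["dport"], idle))
    return stalled

# Constructed sample listing, not real ipfw output.
SAMPLE = """\
## Dynamic rules (3):
00100         12       1040 (287s) STATE tcp 192.0.2.10 49152 <-> 198.51.100.5 22
00100       4031    5120000 (45s) STATE tcp 192.0.2.11 49153 <-> 198.51.100.5 22
00100          9        720 (9s) STATE udp 192.0.2.12 53000 <-> 198.51.100.9 53
"""

if __name__ == "__main__":
    for s in stalled_sessions(SAMPLE, idle_threshold=120):
        print("idle %ds: %s:%d <-> %s:%d" % (s[4], s[0], s[1], s[2], s[3]))
```

Entries that have already seen a FIN or RST run on the much shorter `dyn_fin_lifetime` / `dyn_rst_lifetime` timers, so a small expire value on those reflects the closing state rather than idleness; only entries still on the ack lifetime should be judged this way.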