
IPFW blocking packets after connection closed

drohaw

New Member


Messages: 4

#1
I am getting a weird issue with IPFW blocking outbound packets after connections are closed. Here is rc.firewall:

Code:
ipfw -q -f flush
ipfw -q add 1 check-state
ipfw -q add 2 allow all from any to any via lo0
ipfw -q add 3 allow tcp from any to me 80 in setup keep-state
ipfw -q add 4 deny log all from any to any out
I then run a web server on port 80. When I connect, it works as expected. Rule #3 allows the inbound connection, and keep-state allows associated inbound and outbound traffic as expected.

However, I am seeing a weird thing after the connection is closed. According to the logs, the server calls close() on the socket, and then 350 seconds later IPFW reports denied packets due to rule #4. More specifically, it looks like something in the networking stack is trying to send outbound packets on that closed connection approximately 350 seconds after my server closes the socket, and IPFW is not associating those packets with the previously allowed connection.

Does anyone have any idea what the heck could be going on? This is driving me nuts. Let me know if the explanation is unclear.
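Added here as a diagnostic example, not code from the thread: a Python script that correlates ipfw "Deny" log lines against the web server's own close() entries for the same client endpoint and reports how many seconds after close() each denied outbound packet appeared. The sample log lines, hostnames, addresses and the httpd "close()" message format are constructed assumptions; the ipfw log line layout (rule number, action, proto, src, dst, direction, interface) follows what ipfw logs via syslog.

```python
import re
from datetime import datetime

# Constructed sample input (not from the original post). The server log is
# assumed to record close() with the client endpoint; syslog records ipfw denies.
SERVER_LOG = """\
Mar  3 10:00:00 host httpd[1234]: close() 192.0.2.10:51234
Mar  3 10:02:00 host httpd[1234]: close() 192.0.2.11:51300
"""
IPFW_LOG = """\
Mar  3 10:05:50 host kernel: ipfw: 4 Deny TCP 198.51.100.1:80 192.0.2.10:51234 out via em0
Mar  3 10:07:50 host kernel: ipfw: 4 Deny TCP 198.51.100.1:80 192.0.2.11:51300 out via em0
Mar  3 10:08:00 host kernel: ipfw: 4 Deny TCP 198.51.100.1:80 192.0.2.99:40000 out via em0
"""

TS_RE = re.compile(r'^(\w{3}\s+\d+ \d\d:\d\d:\d\d) ')
CLOSE_RE = re.compile(r'close\(\) (\S+:\d+)')
DENY_RE = re.compile(r'ipfw: (\d+) Deny TCP (\S+:\d+) (\S+:\d+) (in|out)')

def parse_ts(line, year=2024):
    """Parse the leading syslog timestamp; syslog omits the year, so one is assumed."""
    ts = ' '.join(TS_RE.match(line).group(1).split())  # collapse 'Mar  3' padding
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def correlate(server_log, ipfw_log):
    """For every ipfw deny, find the close() of the same remote endpoint and
    return (client, rule_number, seconds_after_close); None if no close() was logged."""
    closes = {}
    for line in server_log.splitlines():
        m = CLOSE_RE.search(line)
        if m:
            closes[m.group(1)] = parse_ts(line)
    results = []
    for line in ipfw_log.splitlines():
        m = DENY_RE.search(line)
        if not m:
            continue
        rule, src, dst, direction = m.groups()
        client = dst if direction == 'out' else src  # remote peer of the blocked packet
        closed_at = closes.get(client)
        delay = (parse_ts(line) - closed_at).total_seconds() if closed_at else None
        results.append((client, int(rule), delay))
    return results

if __name__ == "__main__":
    for client, rule, delay in correlate(SERVER_LOG, IPFW_LOG):
        print(f"rule {rule} denied packet to {client}: "
              f"{'no close() seen' if delay is None else f'{delay:.0f}s after close()'}")
```

A consistent delay across clients (350 seconds here) points at a timer in the stack rather than application traffic, which is what a packet capture on the interface would then confirm.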
 

ekingston

Active Member

Thanks: 39
Messages: 144

#2
"Approximately 350 seconds" as in nearly 6 minutes later?

You have me thoroughly confused.

If it's consistent and reproducible, I would stick a sniffer on it and see what is happening.
 

drohaw

New Member


Messages: 4

#3
Yes, it is easily reproducible and it is always 350 seconds. I will do some packet sniffing and report back.
 

Jeckt

Member

Thanks: 14
Messages: 62

#4
Do you have HTTP keep-alive enabled? If so, try turning it off and see if you still see the spurious packets.