IPFW blocking packets after connection closed

I am getting a weird issue with IPFW blocking outbound packets after connections are closed. Here is rc.firewall:

Code:
ipfw -q -f flush                                                 # drop any existing ruleset
ipfw -q add 1 check-state                                        # match packets against dynamic (keep-state) entries first
ipfw -q add 2 allow all from any to any via lo0                  # loopback
ipfw -q add 3 allow tcp from any to me 80 in setup keep-state    # inbound SYN to port 80 creates a dynamic entry
ipfw -q add 4 deny log all from any to any out                   # everything else outbound is denied and logged

I then run a web server on port 80. When I connect, it works as expected. Rule #3 allows the inbound connection, and keep-state allows associated inbound and outbound traffic as expected.

However, I am seeing a weird thing after the connection is closed. According to the logs, the server calls close() on the socket, and then 350 seconds later IPFW reports denied packets due to rule #4. More specifically, it looks like something in the networking stack is trying to send outbound packets on that closed connection approximately 350 seconds after my server closes the socket, and IPFW is not associating those packets with the previously allowed connection.

Does anyone have any idea what the heck could be going on? This is driving me nuts. Let me know if the explanation is unclear.
 
"Approximately 350 seconds" as in nearly 6 minutes later?

You have me thoroughly confused.

If it's consistent and reproducible, I would stick a sniffer on it and see what is happening.
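Taking up the sniffer suggestion, here is an added helper script for the FreeBSD ipfw host (example code, not from the thread). It snapshots the keep-state entries with their remaining lifetime and the net.inet.ip.fw.dyn_*_lifetime sysctls that bound how long an idle entry survives, starts a tcpdump capture on port 80, and summarises the rule 4 Deny lines from the security log per flow with count and first/last timestamp, so the denies can be lined up with what was on the wire. The interface name em0, the log path /var/log/security and the sample log lines in the usage comment are assumptions.

```sh
#!/bin/sh
# Added example, not code from the thread. Gathers the evidence needed to line
# up ipfw's rule-4 denies with what the sniffer sees on a FreeBSD ipfw host.
# Assumptions: interface em0, ipfw logging to /var/log/security (the usual
# syslog.conf "security.*" destination), web server on port 80.

IFACE="${IFACE:-em0}"
SECLOG="${SECLOG:-/var/log/security}"

# Snapshot the keep-state entries (ipfw -d lists dynamic rules along with the
# static ones) and the sysctls that bound how long an idle entry lives.
show_dynamic_state() {
    ipfw -d list
    sysctl net.inet.ip.fw | grep lifetime
}

# Capture port-80 traffic to a pcap; compare its packet timestamps with the
# timestamps of the Deny lines in the security log.
capture_port80() {
    tcpdump -ni "$IFACE" -w /tmp/port80.pcap 'tcp port 80'
}

# Summarise ipfw Deny lines read from stdin, one output line per flow:
#   <count> <rule> <proto> <src> -> <dst> <dir> first=<ts> last=<ts>
# Input is the kernel's standard ipfw log line (constructed sample):
#   Jan  1 00:05:50 host kernel: ipfw: 4 Deny TCP 10.0.0.1:80 10.0.0.2:51234 out via em0
summarize_denies() {
    awk '
    / ipfw: [0-9]+ Deny / {
        ts = $1 " " $2 " " $3
        for (i = 1; i <= NF; i++) {
            if ($i == "ipfw:") {
                rule = $(i + 1); proto = $(i + 3)
                src = $(i + 4); dst = $(i + 5); dir = $(i + 6)
                break
            }
        }
        key = rule " " proto " " src " -> " dst " " dir
        if (!(key in first)) first[key] = ts
        last[key] = ts
        n[key]++
    }
    END {
        for (k in n) print n[k], k, "first=" first[k], "last=" last[k]
    }' | sort -rn
}

# Typical run on the firewall host:
#   show_dynamic_state
#   capture_port80 &             # leave running while reproducing the close()
#   summarize_denies < "$SECLOG"
```

Run show_dynamic_state once right after the connection is established and again after the server's close(), and keep the capture running across the whole interval: the pcap shows which packets left the host and when, and the per-flow summary tells you whether the denied packets belong to the flow that the keep-state entry covered.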
 
Yes, it is easily reproducible and it is always 350 seconds. I will do some packet sniffing and report back.
 
Do you have HTTP keep-alive enabled? If so, try turning it off and see if you still see the spurious packets.
 