
FIN_WAIT_2:FIN_WAIT_2
Hi,
playing with pftop and src-track I discovered that every connection from my
home network to my OpenBSD 3.5-stable server on the internet doesn't get
closed. PF always shows the FIN_WAIT_2:FIN_WAIT_2 status.
This means that if I telnet to any open port and then close the connection,
PF will keep the connection in FIN_WAIT_2 status until the time limit
expires. This is a behaviour that you don't notice without the src-track
option because the server will keep accepting new connections...
I tried multiple programs (telnet, mail clients and various browsers) from
both FreeBSD and OpenBSD workstations. My home firewall is running OpenBSD
3.6 with a two-line ruleset:
pass out on quick all keep state
block in quick all
The strange thing is that other connections to the server from other hosts on
the internet don't get closed either! PF will always put them in one of these
two states: TIME_WAIT:TIME_WAIT or FIN_WAIT_2:FIN_WAIT_2.
I have a slight suspicion that FIN_WAIT_2:FIN_WAIT_2 happens if both of the
peers (my server and the host) are protected by PF, while TIME_WAIT:TIME_WAIT
happens when the host isn't protected by PF.
This is my PF ruleset on the server:
table <Spoof> { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 
0.0.0.0/8 }
pass out quick on lo0 all keep state
pass in quick on lo0 all keep state
block in quick on fxp0 inet proto tcp from <Spoof>
block out quick on fxp0 inet from any to <Spoof>
block in quick on fxp0 inet6 all
pass out quick on fxp0 inet from (fxp0) to any keep state
pass in quick on fxp0 inet proto tcp from any to (fxp0) port 25 flags S/SAFR 
keep state (source-track rule, max-src-nodes 20, max-src-states 2)
pass in quick on fxp0 inet proto tcp from any to (fxp0) port 80 flags S/SAFR 
keep state (source-track rule, max-src-nodes 50, max-src-states 10)
max-src-states 2)
block in quick all
Any clue ?
	Ed
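An added example, not from Ed's post: a small Python checker that parses `pfctl -ss` output (the sample lines below are constructed, and the line format plus the "arrow points from initiator to responder" convention are assumptions) and reports, per source IP, how many of the states counted against a rule's max-src-states are only lingering in FIN_WAIT_2 or TIME_WAIT, which is exactly how closed connections can still exhaust the limit Ed set on port 25. The function names are mine.

```python
import re
from collections import defaultdict

# Constructed sample of `pfctl -ss` output (format assumed, not captured from Ed's server).
SAMPLE_PFCTL_SS = """\
all tcp 192.0.2.10:25 <- 198.51.100.7:40001       FIN_WAIT_2:FIN_WAIT_2
all tcp 192.0.2.10:25 <- 198.51.100.7:40002       FIN_WAIT_2:FIN_WAIT_2
all tcp 192.0.2.10:80 <- 203.0.113.5:51000        TIME_WAIT:TIME_WAIT
all tcp 192.0.2.10:80 <- 203.0.113.5:51001        ESTABLISHED:ESTABLISHED
all tcp 192.0.2.10:49152 -> 203.0.113.9:25        ESTABLISHED:ESTABLISHED
all udp 192.0.2.10:40000 -> 203.0.113.9:53        MULTIPLE:SINGLE
"""

# Closed-but-unexpired pairs; PF still counts them toward max-src-states until they time out.
LINGERING = {"FIN_WAIT_2:FIN_WAIT_2", "TIME_WAIT:TIME_WAIT"}

STATE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(<-|->)\s+(\S+)\s+(\S+)$")

def split_host(hostport):
    """'198.51.100.7:40001' -> ('198.51.100.7', 40001); '[v6addr]:port' works too."""
    host, _, port = hostport.rpartition(":")
    return host, int(port)

def parse_state_line(line):
    """One `pfctl -ss` line -> dict, or None if it is not a state entry.
    Assumed convention: the arrow points from initiator to responder, so in
    'server <- client' the client on the right is the source that src-track counts."""
    m = STATE_RE.match(line.strip())
    if not m:
        return None
    _iface, proto, left, arrow, right, state = m.groups()
    left, right = split_host(left), split_host(right)
    src, dst = (left, right) if arrow == "->" else (right, left)
    return {"proto": proto, "direction": "out" if arrow == "->" else "in",
            "src": src, "dst": dst, "state": state}

def src_state_report(lines, port, max_src_states):
    """Per source IP with inbound tcp states to `port`: how many states the
    src-track counter sees, how many are merely lingering, and whether the
    max-src-states limit is already reached (further SYNs no longer match the rule)."""
    totals, linger = defaultdict(int), defaultdict(int)
    for st in map(parse_state_line, lines):
        if (not st or st["proto"] != "tcp" or st["direction"] != "in"
                or st["dst"][1] != port):
            continue
        totals[st["src"][0]] += 1
        if st["state"] in LINGERING:
            linger[st["src"][0]] += 1
    return {ip: {"total": n, "lingering": linger[ip], "at_limit": n >= max_src_states}
            for ip, n in totals.items()}
```

Run it against real `pfctl -ss` output piped through `splitlines()` with the port and max-src-states value from the rule in question; a source showing at_limit with lingering equal to total is blocked by nothing but half-closed leftovers.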