On 2007-Mar-03 15:57:18 -0800, Darren Reed <[EMAIL PROTECTED]> wrote:
>If you read RFC 793, the transition from "CLOSE WAIT" to "CLOSED" is 2 *
>MSL. MSL = 2 minutes.
>
>So the "4 minute" timeout you're seeing is correct...

My mistake. I got confused between the MSL and 2*MSL. I've raised the issue of port re-use on the relevant FreeBSD mailing list.

>I will look into what should happen if a SYN packet for a new
>connection arrives within that 2*MSL...quite probably TCP will create
>a new connection, so IPFilter needs to do something intelligent
>here...

I'm not sure what the correct behaviour should be. There is an IETF draft (tcpsecure) which may partially address this (though from the opposite perspective). I've found a BSDCAN06 presentation by Mike Silbersack which suggests that different stacks behave differently.

>Some things to toss up:
>- expunge the existing session when the new SYN packet is created and
>  create a new session (this could be difficult)
>- use the first SYN packet to advance the state to closed, drop the
>  packet and the state entry and wait for the next SYN packet to
>  create a new connection

Of course, this should only occur if the existing state is in CLOSE WAIT. The former approach has the advantage of not losing the SYN packet, but the latter would probably be reasonable.

-- 
Peter Jeremy
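As an added illustration (not code from this thread, from IPFilter or from FreeBSD), the following Python models a stateful filter's TCP state table and replays a port-reuse trace under the two options quoted above, plus a baseline that simply holds the stale entry for the full 2*MSL so the client has to wait out the 4 minutes. Everything except MSL = 2 minutes is a constructed assumption: the state names, the OPENING and ESTABLISHED timeouts, the four-tuple key, the verdict strings and the traffic. The 2*MSL hold is named CLOSE_WAIT to match the thread's wording (RFC 793 itself calls that hold TIME-WAIT).

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

MSL = 120                    # seconds; RFC 793 puts MSL at 2 minutes
WAIT_TIMEOUT = 2 * MSL       # the 4-minute hold discussed in the thread
OPENING_TIMEOUT = 60         # assumed lifetime of a half-open entry
ESTABLISHED_TIMEOUT = 3600   # assumed idle timeout of an open session

# Constructed state-table key: (src, sport, dst, dport).  A real filter also
# keys on protocol and tracks direction, windows and sequence numbers.
Key = Tuple[str, int, str, int]


@dataclass
class Entry:
    # OPENING after a SYN, ESTABLISHED after the first ACK, CLOSE_WAIT once a
    # FIN or RST is seen (the thread's name for the 2*MSL hold).
    state: str
    expires_at: float


class StateTable:
    """Toy stateful filter.  `policy` decides what a new SYN does to an entry
    still in its 2*MSL hold:
      hold           - drop the SYN, keep the entry (client waits out 2*MSL)
      replace        - expunge the entry and open a new session (option 1)
      drop_first_syn - drop SYN and entry; the retransmitted SYN opens it (option 2)
    """

    def __init__(self, policy: str):
        if policy not in ("hold", "replace", "drop_first_syn"):
            raise ValueError(f"unknown policy {policy!r}")
        self.policy = policy
        self.table: Dict[Key, Entry] = {}

    def _expire(self, now: float) -> None:
        for key in [k for k, e in self.table.items() if e.expires_at <= now]:
            del self.table[key]

    def handle(self, key: Key, flags: str, now: float) -> str:
        """`flags` is a string of TCP flag letters, e.g. "S", "A", "FA", "R"."""
        self._expire(now)
        entry = self.table.get(key)
        new_syn = "S" in flags and "A" not in flags

        if entry is None:
            if new_syn:
                self.table[key] = Entry("OPENING", now + OPENING_TIMEOUT)
                return "PASS:new-session"
            return "DROP:no-state"

        if new_syn:
            if entry.state == "OPENING":
                return "PASS:syn-retransmit"
            if entry.state != "CLOSE_WAIT":
                return "DROP:syn-on-live-session"   # not the port-reuse case
            if self.policy == "hold":
                return "DROP:stale-entry-held"
            if self.policy == "replace":
                self.table[key] = Entry("OPENING", now + OPENING_TIMEOUT)
                return "PASS:new-session(replaced-stale)"
            del self.table[key]
            return "DROP:stale-entry-expunged"

        if "F" in flags or "R" in flags:
            self.table[key] = Entry("CLOSE_WAIT", now + WAIT_TIMEOUT)
            return "PASS:closing"
        if entry.state == "OPENING" and "A" in flags:
            self.table[key] = Entry("ESTABLISHED", now + ESTABLISHED_TIMEOUT)
            return "PASS:established"
        return "PASS:in-session"


FLOW: Key = ("10.0.0.2", 51000, "10.0.0.1", 80)   # constructed client->server flow


def port_reuse_scenario(policy: str) -> List[str]:
    """Constructed trace: open, data, FIN, then the same source port is reused
    30 s into the 240 s hold and the SYN is retransmitted 3 s later."""
    ft = StateTable(policy)
    trace = [(0.0, "S"), (0.1, "A"), (1.0, "A"), (2.0, "FA"), (32.0, "S"), (35.0, "S")]
    return [ft.handle(FLOW, flags, t) for t, flags in trace]


def seconds_until_reuse_passes(policy: str) -> float:
    """Seconds after the FIN until a reused-port SYN, retried every second
    (a constructed probe), is passed under `policy`."""
    ft = StateTable(policy)
    for t, flags in [(0.0, "S"), (0.1, "A"), (2.0, "FA")]:
        ft.handle(FLOW, flags, t)
    t = 2.0
    while True:
        t += 1.0
        if ft.handle(FLOW, "S", t).startswith("PASS"):
            return t - 2.0


if __name__ == "__main__":
    for policy in ("hold", "replace", "drop_first_syn"):
        print(f"{policy:15s} {port_reuse_scenario(policy)} "
              f"reuse passes {seconds_until_reuse_passes(policy):.0f}s after FIN")
```

The `hold` baseline makes the reused port unusable for the full 240 s; `replace` passes the first SYN and keeps a retransmit of it working; `drop_first_syn` costs the client one SYN and opens the session on the retransmit. The check that the stale entry is actually in CLOSE_WAIT (a SYN against an ESTABLISHED entry is dropped rather than treated as reuse) is the "only if the existing state is in CLOSE WAIT" caveat from the message.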