Luigi Rizzo wrote:
> On Mon, Apr 16, 2007 at 12:07:35AM +0200, Ivan Voras wrote:
>> Luigi Rizzo wrote:
>>> yes the numbers should be the expire time for the rule.
>> So, the total time the connection was active or the time the connection had some traffic through it?
> it is the expire time (i.e. how many seconds from now the rule will be deleted). It should normally be the preset timeout (300 as a default for active sessions) minus the time for which the connection has been idle.
So is there a way to find out from this listing which connections have been stalled too long? "Short" expire times may mean closed connections or may mean a rule that's been active for a long time and is now almost expired.
> in terms of tcp, on the server you would need to send a FIN (to signal "no more data from me") followed by a RST (to signal "i am not listening anymore"). Maybe a shutdown(s, SHUT_RDWR) can do the job, probably just close() is not enough. But i am not 100% sure.
I can't modify the server. I was hoping ipfw would send a RST to both sides if a rule expires.