On May 30, 2008, at 12:43 PM, Matthew Dillon wrote:
> I would be very careful with any type of ruleset (IPFW or PF) which
> relies on keep-state. You can wind up causing legitimate connections
> to drop if it isn't carefully tuned.

Thanks again Matt...
I do agree on the firewall and keep-state and scaling issue. It
wasn't the magic bullet I thought it may have been. The stuck
connections just dropped off due to the load dropping at night. The
band-aid I have is the tcpdrop hack that was posted here. That seems
to clear all the stuck sessions. While it's probably not the best
thing to do, it protects the server at least. I don't know what more
to do at this point. While these may be broken client issues, it's
breaking the server. I don't know if it makes sense to push something
upstream to see if some type of knob can be implemented into the
network stack to force close/drop these or to just let it go and deal
with it as-is. I have a message in to the clamav-devel list to see if
this is a problem on the freshclam client and the way it handles
closing connections/broken connections. It's quite possible it's
something broken in freshclam where it's failing to deal with a
network failure properly....
--
Robert Blayzor, BOFH
INOC, LLC
[EMAIL PROTECTED]
http://www.inoc.net/~rblayzor/