Hello again!  The answers that I received for my previous emails have been
great so far.

I'm using synproxy to limit the number of simultaneous TCP
connections to a certain application [that sucks and whose port number is
divisible by 8 and 10].  My rule is working fine, but I do have some
questions about the current behavior and desired behavior.  The rule is
below:

  pass in on $ext_if proto tcp from any to any port = http flags S/SA \
    synproxy state (source-track rule, max-src-conn 36, if-bound)

Now I did some experiments using wget and I had a close look at the
pf state table ("pfctl -s state").  I just wanted to go over my findings
really quickly, just as background.

During the time when a large download is happening using wget, the
pf state table will have "ESTABLISHED:ESTABLISHED".  If wget was in the
process of performing a large download and I hit Ctrl+C (or kill it),
the state table will have "TIME_WAIT:TIME_WAIT".  If wget successfully
finishes downloading something, I will see "FIN_WAIT_2:FIN_WAIT_2" in
the state table.

Now, the synproxy rule above apparently limits the number of "connections"
from a single IP address to 36, where each "connection" is a state in
the pf state table, even if the state is in "FIN_WAIT_2:FIN_WAIT_2".
Well it just so happens that the "FIN_WAIT_2:FIN_WAIT_2" state lingers for
about a minute (I believe that "set optimization aggressive" makes this
state go away more quickly which is what I have done).  What I _really_
would like to do is limit the number of established and maybe broken
connections per IP address, and I probably _don't_ want to count
the "FIN_WAIT_2:FIN_WAIT_2" connections towards my max of 36.  In fact
I would reduce the "36" number to a lower bound such as 4 or so if
I could be more selective in which states I count towards max-src-conn.

Do you guys have any thoughts about this?  Based on my feeling that
the OpenBSD community tends to always do things "the right way", I'm
thinking that there is a reason why things are the way they are, but I
would like to know those reasons if possible.  I look forward to hearing
your reply!  If there is a way to not count the "FIN_WAIT_2:FIN_WAIT_2"
towards my max-src-conn, please do tell!
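One way to measure the gap between what max-src-conn charges to a source (every state, whatever its TCP phase) and the established connections the mail wants to limit is to tally `pfctl -s state` output per source address while skipping the closing states. This is an added example, not code from the original mail; the sample state lines, their column layout and the list of "closing" state names are constructed assumptions, and the script only observes, it does not change pf's counting.

```shell
#!/bin/sh
# Constructed sample of "pfctl -s state" output. Column layout assumed:
#   <ifname> <proto> <dst>:<port> <- <src>:<port> <STATE>:<STATE>
SAMPLE_STATES='self tcp 192.0.2.10:80 <- 198.51.100.7:51234   ESTABLISHED:ESTABLISHED
self tcp 192.0.2.10:80 <- 198.51.100.7:51235   ESTABLISHED:ESTABLISHED
self tcp 192.0.2.10:80 <- 198.51.100.7:51236   FIN_WAIT_2:FIN_WAIT_2
self tcp 192.0.2.10:80 <- 198.51.100.7:51237   FIN_WAIT_2:FIN_WAIT_2
self tcp 192.0.2.10:80 <- 198.51.100.7:51238   TIME_WAIT:TIME_WAIT
self tcp 192.0.2.10:80 <- 203.0.113.5:40001    ESTABLISHED:ESTABLISHED
self tcp 192.0.2.10:80 <- 203.0.113.5:40002    FIN_WAIT_2:FIN_WAIT_2'

# count_states PORT [SKIP_REGEX]
# Reads pfctl -s state lines on stdin and prints "<count> <src>" for each
# source address holding an inbound TCP state to PORT. States whose pf
# state pair matches SKIP_REGEX are not counted; the default skips the
# closing phases the mail complains about. Pass '^$' to count everything,
# which is what max-src-conn effectively sees.
count_states() {
    port=$1
    skip=${2:-'^(FIN_WAIT_2|TIME_WAIT|CLOSED):'}
    awk -v port="$port" -v skip="$skip" '
        $2 == "tcp" && $4 == "<-" {
            split($3, dst, ":"); split($5, src, ":")
            if (dst[2] != port) next      # not the service we limit
            if ($6 ~ skip) next           # closing state: do not charge it
            n[src[1]]++
        }
        END { for (s in n) print n[s], s }
    ' | sort -rn
}

# states_for SRC PORT [SKIP_REGEX]: count for one source, from the sample.
states_for() {
    printf '%s\n' "$SAMPLE_STATES" | count_states "$2" ${3:+"$3"} \
        | awk -v s="$1" '$2 == s { print $1 }'
}

# Live use: pfctl -s state | count_states 80
```

With the sample above, 198.51.100.7 is charged 5 states by max-src-conn but holds only 2 established connections, which is the discrepancy the mail describes.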
