There must be a bug in cp



  • I've noticed that once the client is disconnected by the CP, if he has opened programs like p2p and online games, they are not really disconnected. Those programs are able to work and they are receiving and sending data without being affected by the disconnect of the CP. Only web browsing is not working when this happens. Has anyone noticed that?



  • This is not a bug.
    This is how the packetfilter works.

    Take a look at the man-pages of "pf" (the firewall pfSense uses) if you want to know more.



  • OK, I will take a look. Thx for the advice.



  • What version is this? There was a locking issue causing a race condition in high load environments where CP rules wouldn't always get removed properly. But that was only likely to occur when you have hundreds of simultaneous CP users.

    It sounds like possibly the state table is biting you, but I didn't think CP kept state like that. I opened a ticket to look into it when time permits, with a link to this thread. I'll post back here after I have a chance to look into it.



  • Something is strange because the connections are still alive after the client has disconnected. I'm not having hundreds of CP users at the same time and the option with concurrent login is enabled. I've noticed that if I reset the states it really disconnects.



  • It sounds like CP is only denying NEW connections, but is not closing existing connections when logging out?

    Aaron



  • Unless something has changed, the CP uses ipfw and not pf so the pf state issue isn't applicable here.  I don't see this issue with my CP installs, when the connection gets killed all of their existing state is removed.  Could you do a test with SSH?  Open a connection and then kill the state. 
    I've seen p2p apps keep reporting data when there isn't really any traffic until they time out.

    nb



  • The problem in these cases is:
    If one of the WAN rules lets the traffic come in, then even if the client is disconnected by the CP it will continue to get data packets until it finishes the request.



  • Hmmm, is this a NAT or routed setup?  All of mine are currently routed and I don't see this behavior.  Once the timer is expired their connectivity is killed.

