From owner-freebsd-questions@FreeBSD.ORG  Wed Jun  6 18:40:58 2012
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id A9407106566B
	for <freebsd-questions@freebsd.org>;
	Wed,  6 Jun 2012 18:40:58 +0000 (UTC)
	(envelope-from kudzu@tenebras.com)
Received: from mail-pb0-f54.google.com (mail-pb0-f54.google.com
	[209.85.160.54])
	by mx1.freebsd.org (Postfix) with ESMTP id 7C3F78FC16
	for <freebsd-questions@freebsd.org>;
	Wed,  6 Jun 2012 18:40:58 +0000 (UTC)
Received: by pbbro2 with SMTP id ro2so9968097pbb.13
	for <freebsd-questions@freebsd.org>;
	Wed, 06 Jun 2012 11:40:58 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=google.com; s=20120113;
	h=mime-version:in-reply-to:references:date:message-id:subject:from:to
	:cc:content-type:x-gm-message-state;
	bh=h8PrvpOQ45rjU6d0fziZdZf+SNupU3k1Z2E3sHxxs+M=;
	b=oTi14etPhRT2rIwod0CxVZB6NqJawi+cWRUoRv6nQl58CfO/4pSBKQJdM5xUOMsepk
	p3gIk+BRzcjuPiKojzvXhRUEok//VnqeIFkgxRCWkxL53XLewQAmWaowWNPSdi2mgQh9
	IqaydwG+Eh9UiaLY8yfJl9+uipXjKScNmVa5VpMIR9HXL6xJ/6WjkTFcGOJ04R9d/1kE
	eAemw5m465syfyFZePZGJEHEYj7Q6GHjMnnx5KJONfNYRuW13c8tvJLDb35GpnmAGCMS
	3be83iPZ7KFLy06dVVe2cegMeViERX8my09bmYKx4407Sznn69NXaKZahiHkhX/hR19y
	lN5g==
MIME-Version: 1.0
Received: by 10.68.228.2 with SMTP id se2mr60928232pbc.109.1339008057930; Wed,
	06 Jun 2012 11:40:57 -0700 (PDT)
Received: by 10.68.202.8 with HTTP; Wed, 6 Jun 2012 11:40:57 -0700 (PDT)
In-Reply-To: <20120606183127.68447106566B@hub.freebsd.org>
References: <20120606183127.68447106566B@hub.freebsd.org>
Date: Wed, 6 Jun 2012 11:40:57 -0700
Message-ID: <CAHu1Y71_JwPSv13WQJXmkBX=bjCzhuW7+SPxwuz_1=o9qckpsw@mail.gmail.com>
From: Michael Sierchio <kudzu@tenebras.com>
To: Simon <simon@optinet.com>
Content-Type: text/plain; charset=ISO-8859-1
X-Gm-Message-State: ALoCoQk/vP8DNk83JcCeIFXZBwL0jZFB5nWd+hF5WNaYryqwF77KuPm//A4sp6KObMGvhw+TB4Us
Cc: "freebsd-questions@freebsd.org" <freebsd-questions@freebsd.org>
Subject: Re: Proper Port Forwarding
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Jun 2012 18:40:58 -0000

On Wed, Jun 6, 2012 at 11:31 AM, Simon <simon@optinet.com> wrote:

> This easily causes DoS for when too many FIN_WAIT_2 are created and IPFW
> stops forwarding using the rule above because of "too many dynamic rules"

Change the defaults for the fw.dyn sysctl MIB nodes

to something like

net.inet.ip.fw.dyn_short_lifetime=3
net.inet.ip.fw.dyn_udp_lifetime=3
net.inet.ip.fw.dyn_rst_lifetime=1
net.inet.ip.fw.dyn_fin_lifetime=1
net.inet.ip.fw.dyn_syn_lifetime=10