From: Ian Smith
To: Simon
Cc: freebsd-questions@freebsd.org
Date: Fri, 8 Jun 2012 02:25:26 +1000 (EST)
Subject: Re: Proper Port Forwarding
Message-ID: <20120608015422.W46641@sola.nimnet.asn.au>
In-Reply-To: <20120606212300.80A9E10656B0@hub.freebsd.org>
References: <20120606212300.80A9E10656B0@hub.freebsd.org>

In freebsd-questions Digest, Vol 418, Issue 10, Message: 7
On Wed, 06 Jun 2012 14:31:24 -0400 "Simon" wrote:

> Can someone suggest an alternative/proper way to port forward using ipfw. Right
> now I have the following and some bad clients cause too many FIN_WAIT_2 state
>
> fwd IP,PORT2 tcp from any to me dst-port PORT1 keep-state
>
> This easily causes DoS for when too many FIN_WAIT_2 are created and IPFW
> stops forwarding using the rule above because of "too many dynamic rules"

Michael's and Dan's suggestions of adjusting sysctl net.inet.ip.fw.dyn* variables are good; consider also using 'limit' instead of 'keep-state', which works the same except limiting the number of open connections to a specified number. See ipfw(8) /limit and /EXAMPLES for more, but e.g.:

    fwd IP,PORT2 tcp from any to me dst-port PORT1 limit src-addr 9

to prevent any one source address opening more than 9 connections, or

    fwd IP,PORT2 tcp from any to me dst-port PORT1 limit dst-port 42

to limit total open connections by everyone to dst-port PORT1 to 42.

cheers, Ian
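The difference between 'keep-state' and 'limit' that Ian describes can be seen in a small model of the dynamic-rule table. The following is an added example written for this archive page, not code from the thread or from ipfw itself: it treats the table as a plain list of (source address, destination port) entries, uses a tiny stand-in value for net.inet.ip.fw.dyn_max, and feeds it constructed traffic in which one misbehaving client opens connections it never closes (the FIN_WAIT_2 case from Simon's question) before an ordinary client tries once. The rejection strings and the client addresses are assumptions chosen for illustration.

```python
"""Toy model of ipfw's dynamic-rule table.

Shows why a 'fwd ... keep-state' rule stops forwarding for everyone once
half-closed connections fill the table, and how 'limit src-addr N' or
'limit dst-port N' bounds that damage.  Simplified stand-in, not ipfw code.
"""
from collections import Counter

DYN_MAX = 12  # stand-in for net.inet.ip.fw.dyn_max; the real default is far larger

# Constructed traffic: a misbehaving client (192.0.2.10) opens 15 connections
# to PORT1 (80 here) and never finishes closing them, then an ordinary client
# (192.0.2.20) makes a single attempt.  Both addresses are documentation-range
# placeholders, not real hosts.
ATTEMPTS = [("192.0.2.10", 80)] * 15 + [("192.0.2.20", 80)]


class DynTable:
    """One entry per tracked connection, as keep-state or limit would create."""

    def __init__(self, dyn_max=DYN_MAX):
        self.dyn_max = dyn_max
        self.entries = []  # (src_addr, dst_port) tuples that are still open

    def try_open(self, src_addr, dst_port, limit_key=None, limit_n=None):
        """Return 'forwarded' if a dynamic rule was created, else why it was not."""
        if limit_key is not None:
            # 'limit src-addr N' counts entries sharing the source address;
            # 'limit dst-port N' counts entries sharing the destination port.
            idx = 0 if limit_key == "src-addr" else 1
            wanted = src_addr if limit_key == "src-addr" else dst_port
            if sum(1 for e in self.entries if e[idx] == wanted) >= limit_n:
                return "limit reached"
        # keep-state and limit both fail the same way once the whole table is
        # full; this is the "too many dynamic rules" condition from the thread.
        if len(self.entries) >= self.dyn_max:
            return "too many dynamic rules"
        self.entries.append((src_addr, dst_port))
        return "forwarded"


def run(limit_key=None, limit_n=None, dyn_max=DYN_MAX):
    """Replay ATTEMPTS against a fresh table; returns one outcome per attempt.

    limit_key=None models 'keep-state'; ('src-addr', 9) and ('dst-port', N)
    model the two 'limit' variants from Ian's reply.
    """
    table = DynTable(dyn_max)
    return [table.try_open(s, p, limit_key, limit_n) for s, p in ATTEMPTS]


if __name__ == "__main__":
    for label, key, n in (("keep-state", None, None),
                          ("limit src-addr 9", "src-addr", 9),
                          ("limit dst-port 10", "dst-port", 10)):
        outcomes = run(key, n)
        print(f"{label:18s} {dict(Counter(outcomes))}  ordinary client: {outcomes[-1]}")
```

With keep-state the bad client takes all twelve slots and the ordinary client is refused with "too many dynamic rules"; with limit src-addr 9 the bad client is cut off at nine and the ordinary client is still forwarded. The dst-port variant caps the total so the rule itself never hits dyn_max, but a single source can still use up the whole allowance, which is why the per-source form is the one to reach for when the problem is a few misbehaving clients.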