From: "Crist J. Clark" <cjclark@alum.mit.edu>
To: Mario Doria <madd@tecdigital.net>
Cc: freebsd-questions@FreeBSD.ORG
Date: Thu, 31 Jan 2002 21:40:14 -0800
Subject: Re: IPFW Keep-state ruleset sysctl values
Message-ID: <20020131214014.K152@gohan.cjclark.org>
In-Reply-To: <009b01c1aad6$5f146560$0a00a8c0@Deathstar>
References: <009b01c1aad6$5f146560$0a00a8c0@Deathstar>
X-URL: http://people.freebsd.org/~cjc/

On Thu, Jan 31, 2002 at 10:10:16PM -0600, Mario Doria wrote:

[snip]

> After changing from IPF to IPFW, I noticed that connections timed out very
> quickly. I changed net.inet.ip.fw.dyn_ack_lifetime to 14400 and it got
> better. When using IPF, connections timed out at 86400 seconds (I think),
> which is way more than 14400. I *think* the IPF timeout is the one
> specified for TCP/IP, but I think 14400 (4 hours) is more realistic.
> Question is: is this change going to affect me in other ways?

I don't think that there is such a thing as a "specified" timeout for
firewalls. (And if there were, firewalls by their very nature tend to be
broken with respect to certain requirements for hosts and routers.)

> Second doubt here, I also changed the sysctl value of net.inet.ip.fw.dyn_max
> to 3000. Is this too much or too little?
> The machine is a mildly loaded webserver, which also serves as a Samba
> server for 20 multimedia users (meaning they open a bazillion files at
> once). I don't know how many dynamic rules is the maximum for IPF; I
> thought 3000 was reasonable.

With vague statements like "mildly loaded webserver," which could mean a
_very_ broad range, I don't think you can get much help from the list.
However, the best thing will probably just be to see what value works for
you. The firewall will log the problem if you do bump into the rule limit,
so you will know if it happens.

-- 
Crist J. Clark                     | cjclark@alum.mit.edu
                                   | cjclark@jhu.edu
http://people.freebsd.org/~cjc/    | cjc@freebsd.org
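The reply above says to pick a dyn_max value empirically and watch the logs. The script below is an added example, not part of the original thread or of FreeBSD, that does exactly that check: it reads net.inet.ip.fw.dyn_count, net.inet.ip.fw.dyn_max and net.inet.ip.fw.dyn_ack_lifetime live when run on a FreeBSD box with ipfw loaded, falls back to caller-supplied values elsewhere so the logic can be exercised offline, reports how close the dynamic-rule table is to the limit, and counts kernel log lines about the limit being hit. The log wording "Too many dynamic rules" is what current ipfw prints from install_state(); the sample log lines are constructed for the example and the 80% warning threshold is an arbitrary choice.

```shell
#!/bin/sh
# Added example: IPFW dynamic-rule headroom and lifetime check.
# Not from the original thread; thresholds and sample data are assumptions.

# dyn_status COUNT MAX -> "ok", "warn" (>= 80% of the table used) or "full".
dyn_status() {
    count=$1; max=$2
    if [ "$count" -ge "$max" ]; then
        echo full
    elif [ $((count * 100)) -ge $((max * 80)) ]; then
        echo warn
    else
        echo ok
    fi
}

# seconds_hms SECONDS -> "HhMmSs", e.g. 14400 -> 4h0m0s (dyn_ack_lifetime).
seconds_hms() {
    s=$1
    echo "$((s / 3600))h$(( (s % 3600) / 60 ))m$((s % 60))s"
}

# read_sysctl NAME DEFAULT: live value where the sysctl exists (FreeBSD with
# ipfw loaded), otherwise DEFAULT, so the script also runs on other systems.
read_sysctl() {
    v=$(sysctl -n "$1" 2>/dev/null) || v=$2
    echo "${v:-$2}"
}

# count_dyn_limit_hits < LOGFILE: number of kernel messages about the
# dynamic-rule table being full (assumed wording, case-insensitive).
count_dyn_limit_hits() {
    grep -c -i 'too many dynamic rules' || true
}

# report [COUNT] [MAX] [ACK_LIFETIME]: one-line summary; arguments are only
# the offline fallbacks used when the sysctls are not available.
report() {
    count=$(read_sysctl net.inet.ip.fw.dyn_count "${1:-0}")
    max=$(read_sysctl net.inet.ip.fw.dyn_max "${2:-1000}")
    ack=$(read_sysctl net.inet.ip.fw.dyn_ack_lifetime "${3:-300}")
    status=$(dyn_status "$count" "$max")
    echo "dynamic rules: $count/$max ($status), ack lifetime: $(seconds_hms "$ack")"
}

# Constructed sample log (not a real capture) to demonstrate the log scan.
SAMPLE_LOG='Jan 31 21:40:16 gohan /kernel: ipfw: install_state: Too many dynamic rules
Jan 31 21:41:02 gohan /kernel: ipfw: 100 Accept TCP 10.0.0.5:1234 10.0.0.1:80 in via fxp0
Jan 31 21:42:10 gohan /kernel: ipfw: install_state: Too many dynamic rules'

# Stand-alone run: offline fallbacks mirror the values from the thread.
report 2900 3000 14400
printf '%s\n' "$SAMPLE_LOG" | count_dyn_limit_hits
```

On the real machine, run it as-is (the fallbacks are ignored once the sysctls exist) and feed it /var/log/messages, or whatever syslog file receives kern.* on your system, instead of the sample text. A status of "warn" over a busy period, with no log hits, means the table is sized tightly but adequately; any log hit means new connections were refused a state entry and dyn_max should be raised.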