Date: Wed, 6 Jun 2012 13:50:18 -0500
From: Dan Nelson <dnelson@allantgroup.com>
To: Michael Sierchio <kudzu@tenebras.com>
Cc: "freebsd-questions@freebsd.org" <freebsd-questions@freebsd.org>, Simon <simon@optinet.com>
Subject: Re: Proper Port Forwarding
Message-ID: <20120606185018.GA67937@dan.emsphone.com>
In-Reply-To: <CAHu1Y71_JwPSv13WQJXmkBX=bjCzhuW7+SPxwuz_1=o9qckpsw@mail.gmail.com>
References: <20120606183127.68447106566B@hub.freebsd.org> <CAHu1Y71_JwPSv13WQJXmkBX=bjCzhuW7+SPxwuz_1=o9qckpsw@mail.gmail.com>
In the last episode (Jun 06), Michael Sierchio said:
> On Wed, Jun 6, 2012 at 11:31 AM, Simon <simon@optinet.com> wrote:
>
> > This easily causes DoS when too many FIN_WAIT_2 are created and IPFW
> > stops forwarding using the rule above because of "too many dynamic
> > rules"
>
> Change the defaults for the fw.dyn sysctl MIB nodes
> to something like
>
> net.inet.ip.fw.dyn_short_lifetime=3
> net.inet.ip.fw.dyn_udp_lifetime=3
> net.inet.ip.fw.dyn_rst_lifetime=1
> net.inet.ip.fw.dyn_fin_lifetime=1
> net.inet.ip.fw.dyn_syn_lifetime=10

Or raise net.inet.ip.fw.dyn_max to a larger number.  The default 4096 may
be too small.

-- 
	Dan Nelson
	dnelson@allantgroup.com
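Both replies in this thread amount to keeping the ipfw dynamic-rule table
(net.inet.ip.fw.dyn_count against net.inet.ip.fw.dyn_max) from filling up,
either by expiring states faster or by raising the ceiling. The POSIX sh
script below is an added example, not code from the thread or from the
FreeBSD project: it parses `sysctl net.inet.ip.fw` style output, reports how
full the dynamic table is, and flags when the "too many dynamic rules"
condition is close. The two sample outputs are constructed; the counts in
them are assumptions, as is the 90 percent warning threshold.

```sh
#!/bin/sh
# Check ipfw dynamic-rule table usage from sysctl output (added example).
# On a FreeBSD host, feed it real data with:  sysctl net.inet.ip.fw

# Constructed sample: default dyn_max of 4096 with the table nearly full.
SAMPLE_SYSCTL='net.inet.ip.fw.dyn_max: 4096
net.inet.ip.fw.dyn_count: 3900
net.inet.ip.fw.dyn_short_lifetime: 5
net.inet.ip.fw.dyn_udp_lifetime: 10
net.inet.ip.fw.dyn_rst_lifetime: 1
net.inet.ip.fw.dyn_fin_lifetime: 1
net.inet.ip.fw.dyn_syn_lifetime: 20
net.inet.ip.fw.dyn_ack_lifetime: 300'

# Constructed sample: same load after raising dyn_max, as Dan suggests.
SAMPLE_AFTER='net.inet.ip.fw.dyn_max: 65536
net.inet.ip.fw.dyn_count: 3900'

# get_oid OUTPUT NAME -> value of net.inet.ip.fw.NAME found in OUTPUT
get_oid() {
    printf '%s\n' "$1" | awk -v key="net.inet.ip.fw.$2:" \
        '$1 == key { print $2; exit }'
}

# dyn_usage_pct OUTPUT -> integer percentage of the dynamic table in use;
# prints 0 and returns non-zero when dyn_max or dyn_count is missing
dyn_usage_pct() {
    max=$(get_oid "$1" dyn_max)
    count=$(get_oid "$1" dyn_count)
    if [ -z "$max" ] || [ -z "$count" ] || [ "$max" -le 0 ]; then
        echo 0
        return 1
    fi
    echo $(( count * 100 / max ))
}

# dyn_state OUTPUT [THRESHOLD] -> "near-limit" when usage reaches THRESHOLD
# percent (assumed default 90), otherwise "ok"
dyn_state() {
    pct=$(dyn_usage_pct "$1")
    if [ "$pct" -ge "${2:-90}" ]; then
        echo near-limit
    else
        echo ok
    fi
}

# report OUTPUT -> one-line summary plus the lifetimes that drive expiry
report() {
    printf 'dyn_count=%s dyn_max=%s usage=%s%% state=%s\n' \
        "$(get_oid "$1" dyn_count)" "$(get_oid "$1" dyn_max)" \
        "$(dyn_usage_pct "$1")" "$(dyn_state "$1")"
    for oid in short udp rst fin syn ack; do
        val=$(get_oid "$1" "dyn_${oid}_lifetime")
        [ -n "$val" ] && printf '  dyn_%s_lifetime=%s\n' "$oid" "$val"
    done
}

report "$SAMPLE_SYSCTL"
report "$SAMPLE_AFTER"
```

With the first sample the script reports 95 percent usage and "near-limit";
with dyn_max raised it reports 5 percent and "ok". Either fix from the thread
(shorter lifetimes so states expire sooner, or a larger dyn_max) is applied
with `sysctl -w` for the running system and persisted in /etc/sysctl.conf.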