Date: Fri, 8 Jun 2012 02:25:26 +1000 (EST)
From: Ian Smith <smithi@nimnet.asn.au>
To: Simon <simon@optinet.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: Proper Port Forwarding
Message-ID: <20120608015422.W46641@sola.nimnet.asn.au>
In-Reply-To: <20120606212300.80A9E10656B0@hub.freebsd.org>
References: <20120606212300.80A9E10656B0@hub.freebsd.org>
In freebsd-questions Digest, Vol 418, Issue 10, Message: 7
On Wed, 06 Jun 2012 14:31:24 -0400 "Simon" <simon@optinet.com> wrote:

 > Can someone suggest an alternative/proper way to port forward using ipfw. Right
 > now I have the following and some bad clients cause too many FIN_WAIT_2 state
 >
 > fwd IP,PORT2 tcp from any to me dst-port PORT1 keep-state
 >
 > This easily causes DoS for when too many FIN_WAIT_2 are created and IPFW
 > stops forwarding using the rule above because of "too many dynamic rules"

Michael's and Dan's suggestions of adjusting sysctl net.inet.ip.fw.dyn*
variables are good; consider also using 'limit' instead of 'keep-state',
which works the same except limiting the number of open connections to a
specified number.  See ipfw(8) /limit and /EXAMPLES for more, but eg:

 fwd IP,PORT2 tcp from any to me dst-port PORT1 limit src-addr 9

to prevent any one source address opening more than 9 connections, or

 fwd IP,PORT2 tcp from any to me dst-port PORT1 limit dst-port 42

to limit total open connections by everyone to dst-port PORT1 to 42.

cheers, Ian
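The two suggestions in the thread (the net.inet.ip.fw.dyn* sysctls and 'limit' in place of 'keep-state') pulled together into one deployable script, as an added example that is not Simon's or Ian's configuration. It writes the forwarding rules in ipfw(8) rule-file syntax with check-state ahead of the fwd rule, keeps the uncapped keep-state form commented beside the limit form for comparison, and emits the matching sysctl.conf lines. The backend 10.0.0.5:8080, public port 80, rule numbers 100/200 and the dyn_max and lifetime values are placeholders chosen here, not values from the thread; read the current settings with `sysctl net.inet.ip.fw` before applying anything.

```shell
#!/bin/sh
# ipfw port forward with a per-source connection cap, plus the dynamic-rule
# sysctl tuning that goes with it.  Added example, not from the thread: the
# addresses, ports, rule numbers and sysctl values below are assumptions.
# Usage:  sh fwd_limit.sh          # print ruleset and sysctl.conf lines
#         sh fwd_limit.sh apply    # load them (FreeBSD, root, ipfw present)

FWD_IP="${FWD_IP:-10.0.0.5}"          # assumed backend address ("IP" in the thread)
FWD_PORT="${FWD_PORT:-8080}"          # assumed backend port (PORT2)
LISTEN_PORT="${LISTEN_PORT:-80}"      # assumed public port on this host (PORT1)
PER_SRC="${PER_SRC:-9}"               # open flows allowed per source address
DYN_MAX="${DYN_MAX:-8192}"            # assumed ceiling on dynamic rules
FIN_LIFETIME="${FIN_LIFETIME:-1}"     # assumed seconds a closing flow's state lives
ACK_LIFETIME="${ACK_LIFETIME:-300}"   # assumed seconds an established flow's state lives

# Emit the ruleset in ipfw(8) rule-file syntax (one command per line, '#' starts
# a comment), loadable with 'ipfw -q /path/to/file'.  Rule numbers 100 and 200
# are assumed to be free in the existing ruleset.
build_rules() {
    cat <<EOF
# check-state first: packets of an already-known flow match here, so only new
# flows reach the fwd rule and get counted against its limit.
add 100 check-state
# Weak form from the original post: uncapped keep-state.  Clients that never
# finish closing leave states behind until dyn_max is reached, after which no
# new connection gets a dynamic rule and forwarding stops for everyone.
#add 200 fwd ${FWD_IP},${FWD_PORT} tcp from any to me dst-port ${LISTEN_PORT} keep-state
# Hardened form: same forward, but at most ${PER_SRC} open flows per source
# address.  A source over its limit has its new connections dropped; other
# sources are unaffected.
add 200 fwd ${FWD_IP},${FWD_PORT} tcp from any to me dst-port ${LISTEN_PORT} limit src-addr ${PER_SRC}
# Alternative (one 'limit' clause per rule, so pick one): cap the total number
# of open flows to dst-port ${LISTEN_PORT} regardless of source.
#add 200 fwd ${FWD_IP},${FWD_PORT} tcp from any to me dst-port ${LISTEN_PORT} limit dst-port 42
EOF
}

# sysctl.conf lines for the dynamic-rule table.  Raising dyn_max gives headroom;
# a short dyn_fin_lifetime expires closing flows sooner.  The values are
# assumptions; compare with the current ones from 'sysctl net.inet.ip.fw'.
build_sysctls() {
    printf 'net.inet.ip.fw.dyn_max=%s\n' "$DYN_MAX"
    printf 'net.inet.ip.fw.dyn_fin_lifetime=%s\n' "$FIN_LIFETIME"
    printf 'net.inet.ip.fw.dyn_ack_lifetime=%s\n' "$ACK_LIFETIME"
}

# Health check: how full is the dynamic-rule table right now?  When dyn_count
# sits at dyn_max, the "too many dynamic rules" failure from the post is live.
dyn_usage() {
    count=$(sysctl -n net.inet.ip.fw.dyn_count) || return 1
    max=$(sysctl -n net.inet.ip.fw.dyn_max) || return 1
    echo "dynamic rules in use: $count / $max"
}

apply_all() {
    command -v ipfw >/dev/null 2>&1 || { echo "ipfw not found; is this FreeBSD?" >&2; return 1; }
    build_sysctls | while IFS= read -r kv; do sysctl "$kv"; done
    build_rules | ipfw -q /dev/stdin
    dyn_usage
}

case "${1:-print}" in
    apply) apply_all ;;
    print) build_rules; echo; build_sysctls ;;
esac
```

The per-source limit stops one misbehaving client from filling the table, but dyn_max remains the global ceiling, so both adjustments belong together: the limit bounds each source, dyn_max and the lifetimes bound the whole table. Keep `check-state` (or another stateful rule) ahead of the fwd rule; without it, reply and mid-stream packets fall through to later rules instead of matching the dynamic rule the limit created.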
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20120608015422.W46641>