Date: Thu, 07 Jun 2012 13:15:14 -0400
From: Michael Powell <nightrecon@hotmail.com>
To: freebsd-questions@freebsd.org
Subject: Re: Proper Port Forwarding
Message-ID: <jqqni9$kh0$1@dough.gmane.org>
References: <20120606183127.68447106566B@hub.freebsd.org> <CAHu1Y71_JwPSv13WQJXmkBX=bjCzhuW7+SPxwuz_1=o9qckpsw@mail.gmail.com>
Michael Sierchio wrote:
> On Wed, Jun 6, 2012 at 11:31 AM, Simon <simon@optinet.com> wrote:
>
>> This easily causes DoS for when too many FIN_WAIT_2 are created and IPFW
>> stops forwarding using the rule above because of "too many dynamic rules"
>
> Change the defaults for the fw.dyn sysctl MIB nodes
>
> to something like
>
> net.inet.ip.fw.dyn_short_lifetime=3
> net.inet.ip.fw.dyn_udp_lifetime=3
> net.inet.ip.fw.dyn_rst_lifetime=1
> net.inet.ip.fw.dyn_fin_lifetime=1
> net.inet.ip.fw.dyn_syn_lifetime=10

There is also this you can place in /etc/sysctl.conf:

net.inet.tcp.fast_finwait2_recycle=1

I do this for my web servers. It helps somewhat to reduce the volume of FIN_WAIT_2 that builds up, by expiring them sooner.

-Mike
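The two replies above give a set of recommended values but no way to see how far a running host is from them, or how close the ipfw dynamic-rule table is to the "too many dynamic rules" limit. The script below is an added example, not code from either poster. It reads a `sysctl` dump in FreeBSD's `key: value` format, flags every tunable that is looser than the thread's recommendation, and reports how full the dynamic-rule table is. The sample dump embedded in it is constructed (the lifetime values are the stock FreeBSD defaults, the `dyn_count` figure is made up), and the `net.inet.ip.fw.dyn_count` / `net.inet.ip.fw.dyn_max` MIB names are real ipfw sysctls that the thread itself does not mention.

```shell
#!/bin/sh
# Added example: audit ipfw dynamic-rule tunables against the values
# recommended in the thread and report dynamic-rule table headroom.
# Works on a captured "sysctl" dump so it runs offline; on a live host:
#   sysctl net.inet.ip.fw net.inet.tcp.fast_finwait2_recycle | audit_from_stdin

# Values recommended in the thread (key=value, one per line).
RECOMMENDED='net.inet.ip.fw.dyn_short_lifetime=3
net.inet.ip.fw.dyn_udp_lifetime=3
net.inet.ip.fw.dyn_rst_lifetime=1
net.inet.ip.fw.dyn_fin_lifetime=1
net.inet.ip.fw.dyn_syn_lifetime=10
net.inet.tcp.fast_finwait2_recycle=1'

# Constructed sample in FreeBSD "sysctl" output format. The lifetimes are
# the stock defaults; dyn_count is an invented figure for illustration.
SAMPLE_DUMP='net.inet.ip.fw.dyn_buckets: 256
net.inet.ip.fw.dyn_count: 15000
net.inet.ip.fw.dyn_max: 16384
net.inet.ip.fw.dyn_short_lifetime: 5
net.inet.ip.fw.dyn_udp_lifetime: 10
net.inet.ip.fw.dyn_rst_lifetime: 1
net.inet.ip.fw.dyn_fin_lifetime: 1
net.inet.ip.fw.dyn_syn_lifetime: 20
net.inet.tcp.fast_finwait2_recycle: 0'

# lookup KEY DUMP -> prints the value recorded for KEY in DUMP (empty if absent)
lookup() {
    printf '%s\n' "$2" | awk -v k="$1" -F': ' '$1 == k { print $2; exit }'
}

# audit_lifetimes DUMP -> one "key current recommended" line per tunable
# that is looser than the thread's recommendation. Lifetimes are seconds,
# so "larger than recommended" is the bad case; fast_finwait2_recycle is a
# 0/1 switch, so "disabled" is the bad case and the comparison is reversed.
audit_lifetimes() {
    dump=$1
    printf '%s\n' "$RECOMMENDED" | while IFS='=' read -r key want; do
        have=$(lookup "$key" "$dump")
        if [ -z "$have" ]; then
            continue    # tunable not present in this dump (e.g. ipfw not loaded)
        fi
        case $key in
            *.fast_finwait2_recycle)
                if [ "$have" -lt "$want" ]; then
                    printf '%s %s %s\n' "$key" "$have" "$want"
                fi ;;
            *)
                if [ "$have" -gt "$want" ]; then
                    printf '%s %s %s\n' "$key" "$have" "$want"
                fi ;;
        esac
    done
}

# dyn_usage_pct DUMP -> percentage of the dynamic-rule table in use,
# i.e. how close stateful "keep-state"/"check-state" rules are to failing
# with "too many dynamic rules".
dyn_usage_pct() {
    count=$(lookup net.inet.ip.fw.dyn_count "$1")
    max=$(lookup net.inet.ip.fw.dyn_max "$1")
    printf '%s\n' $(( count * 100 / max ))
}

# report DUMP -> human-readable summary of both checks
report() {
    echo "Tunables looser than the thread's recommendation (key current recommended):"
    audit_lifetimes "$1"
    echo "Dynamic-rule table usage: $(dyn_usage_pct "$1")% of dyn_max"
}

# audit_from_stdin -> run the report on a dump piped in from sysctl(8)
audit_from_stdin() {
    report "$(cat)"
}

report "$SAMPLE_DUMP"
```

Against the constructed dump the report flags the short, UDP and SYN lifetimes plus the disabled `fast_finwait2_recycle`, and shows the table at 91% of `dyn_max`, which is the state Simon described just before forwarding stops. Apply the thread's values with `sysctl` (or in `/etc/sysctl.conf`) and re-run the audit to confirm nothing is still flagged.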