Date:      Thu, 07 Jun 2012 13:15:14 -0400
From:      Michael Powell <nightrecon@hotmail.com>
To:        freebsd-questions@freebsd.org
Subject:   Re: Proper Port Forwarding
Message-ID:  <jqqni9$kh0$1@dough.gmane.org>
References:  <20120606183127.68447106566B@hub.freebsd.org> <CAHu1Y71_JwPSv13WQJXmkBX=bjCzhuW7%2BSPxwuz_1=o9qckpsw@mail.gmail.com>

Michael Sierchio wrote:

> On Wed, Jun 6, 2012 at 11:31 AM, Simon <simon@optinet.com> wrote:
> 
>> This easily causes DoS for when too many FIN_WAIT_2 are created and IPFW
>> stops forwarding using the rule above because of "too many dynamic rules"
> 
> Change the defaults for the fw.dyn sysctl MIB nodes
> 
> to something like
> 
> net.inet.ip.fw.dyn_short_lifetime=3
> net.inet.ip.fw.dyn_udp_lifetime=3
> net.inet.ip.fw.dyn_rst_lifetime=1
> net.inet.ip.fw.dyn_fin_lifetime=1
> net.inet.ip.fw.dyn_syn_lifetime=10

There is also this you can place in /etc/sysctl.conf:

net.inet.tcp.fast_finwait2_recycle=1

I do this for my web servers. It helps reduce the volume somewhat of
FIN_WAIT_2 from building up by expiring them sooner.

-Mike
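As an added example (not from either poster), a small POSIX sh audit that compares a host's ipfw dynamic-rule sysctls against the values suggested in this thread and warns when the dynamic-rule table is close to dyn_max, the limit behind the "too many dynamic rules" failure. It parses "name: value" lines as sysctl(8) prints them, so the sample output embedded below is constructed and the numbers are chosen for illustration; net.inet.ip.fw.dyn_count and net.inet.ip.fw.dyn_max are the existing ipfw MIBs for the current and maximum number of dynamic rules.

```shell
# Settings suggested in the thread (name=value, one per line).
RECOMMENDED='net.inet.ip.fw.dyn_short_lifetime=3
net.inet.ip.fw.dyn_udp_lifetime=3
net.inet.ip.fw.dyn_rst_lifetime=1
net.inet.ip.fw.dyn_fin_lifetime=1
net.inet.ip.fw.dyn_syn_lifetime=10
net.inet.tcp.fast_finwait2_recycle=1'

# sysctl_get NAME OUTPUT: print NAME's value from captured sysctl output.
sysctl_get() {
    printf '%s\n' "$2" | awk -v n="$1" -F': ' '$1 == n { print $2; exit }'
}

# audit_ipfw OUTPUT: print one line per setting that differs from RECOMMENDED
# and a warning once dynamic rules exceed 80% of dyn_max (at dyn_max ipfw can
# no longer create state for new flows). Returns 0 if nothing was flagged.
audit_ipfw() {
    out=$1 rc=0
    for kv in $RECOMMENDED; do
        name=${kv%%=*} want=${kv#*=}
        have=$(sysctl_get "$name" "$out")
        if [ -z "$have" ]; then
            echo "MISSING $name (recommended $want)"; rc=1
        elif [ "$have" -ne "$want" ]; then
            echo "DIFF $name=$have (recommended $want)"; rc=1
        fi
    done
    count=$(sysctl_get net.inet.ip.fw.dyn_count "$out")
    max=$(sysctl_get net.inet.ip.fw.dyn_max "$out")
    if [ -n "$count" ] && [ -n "$max" ] && [ "$count" -gt $((max * 8 / 10)) ]; then
        echo "WARN $count of $max dynamic rules in use (>80%)"; rc=1
    fi
    return $rc
}

# Constructed sample of sysctl output: longer lifetimes than suggested,
# fast_finwait2_recycle off, and a nearly full state table.
SAMPLE_DEFAULTS='net.inet.ip.fw.dyn_count: 3900
net.inet.ip.fw.dyn_max: 4096
net.inet.ip.fw.dyn_short_lifetime: 5
net.inet.ip.fw.dyn_udp_lifetime: 10
net.inet.ip.fw.dyn_rst_lifetime: 1
net.inet.ip.fw.dyn_fin_lifetime: 1
net.inet.ip.fw.dyn_syn_lifetime: 20
net.inet.tcp.fast_finwait2_recycle: 0'

audit_ipfw "$SAMPLE_DEFAULTS" || echo "add the recommended lines to /etc/sysctl.conf"
```

On a FreeBSD box, feed it live data with `audit_ipfw "$(sysctl net.inet.ip.fw net.inet.tcp.fast_finwait2_recycle)"`.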