From owner-freebsd-questions@FreeBSD.ORG  Thu Jun  7 17:15:02 2012
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id C81E0106567E
	for <freebsd-questions@freebsd.org>;
	Thu,  7 Jun 2012 17:15:02 +0000 (UTC)
	(envelope-from freebsd-questions@m.gmane.org)
Received: from plane.gmane.org (plane.gmane.org [80.91.229.3])
	by mx1.freebsd.org (Postfix) with ESMTP id 7C0088FC1A
	for <freebsd-questions@freebsd.org>;
	Thu,  7 Jun 2012 17:15:02 +0000 (UTC)
Received: from list by plane.gmane.org with local (Exim 4.69)
	(envelope-from <freebsd-questions@m.gmane.org>) id 1ScgIW-0001mu-K4
	for freebsd-questions@freebsd.org; Thu, 07 Jun 2012 19:15:00 +0200
Received: from pool-173-79-82-23.washdc.fios.verizon.net ([173.79.82.23])
	by main.gmane.org with esmtp (Gmexim 0.1 (Debian))
	id 1AlnuQ-0007hv-00
	for <freebsd-questions@freebsd.org>; Thu, 07 Jun 2012 19:15:00 +0200
Received: from nightrecon by pool-173-79-82-23.washdc.fios.verizon.net with
	local (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00
	for <freebsd-questions@freebsd.org>; Thu, 07 Jun 2012 19:15:00 +0200
X-Injected-Via-Gmane: http://gmane.org/
To: freebsd-questions@freebsd.org
From: Michael Powell <nightrecon@hotmail.com>
Date: Thu, 07 Jun 2012 13:15:14 -0400
Lines: 26
Message-ID: <jqqni9$kh0$1@dough.gmane.org>
References: <20120606183127.68447106566B@hub.freebsd.org>
	<CAHu1Y71_JwPSv13WQJXmkBX=bjCzhuW7+SPxwuz_1=o9qckpsw@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7Bit
X-Complaints-To: usenet@dough.gmane.org
X-Gmane-NNTP-Posting-Host: pool-173-79-82-23.washdc.fios.verizon.net
Subject: Re: Proper Port Forwarding
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: nightrecon@hotmail.com
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Jun 2012 17:15:02 -0000

Michael Sierchio wrote:

> On Wed, Jun 6, 2012 at 11:31 AM, Simon <simon@optinet.com> wrote:
> 
>> This easily causes DoS for when too many FIN_WAIT_2 are created and IPFW
>> stops forwarding using the rule above because of "too many dynamic rules"
> 
> Change the defaults for the fw.dyn sysctl MIB nodes
> 
> to something like
> 
> net.inet.ip.fw.dyn_short_lifetime=3
> net.inet.ip.fw.dyn_udp_lifetime=3
> net.inet.ip.fw.dyn_rst_lifetime=1
> net.inet.ip.fw.dyn_fin_lifetime=1
> net.inet.ip.fw.dyn_syn_lifetime=10

There is also this you can place in /etc/sysctl.conf:

net.inet.tcp.fast_finwait2_recycle=1

I do this for my web servers. It helps reduce the volume somewhat  of 
FIN_WAIT_2 from building up by expiring them sooner. 

-Mike