From owner-freebsd-net@FreeBSD.ORG Sat Mar 26 10:20:50 2005
Date: Sat, 26 Mar 2005 04:20:47 -0600 (CST)
From: Mike Silbersack
To: Robert Gogolok
cc: freebsd-net@freebsd.org
Subject: Re: FIN_WAIT_2
Message-ID: <20050326041751.X30898@odysseus.silby.com>
In-Reply-To: <4240A09E.9070007@web.de>
References: <42401B2A.70308@web.de> <4240A09E.9070007@web.de>
List-Id: Networking and TCP/IP with FreeBSD

On Tue, 22 Mar 2005, Robert Gogolok wrote:

> http://lists.freebsd.org/mailman/htdig/freebsd-ipfw/2003-May/000204.html is
> the same problem or similar problem.
> Forgot to mention the important fact I use ipfw, bad bad...
>
> With
> # sysctl net.inet.ip.fw.dyn_keepalive=0
> the FIN_WAIT_2 connections cleaned all up within a few minutes.
>
> Robert

You probably shouldn't use ipfw stateful rules to protect FreeBSD; I don't
think it provides any benefit (unless you're using some concurrent
connection limiting or something.) OTOH, blocking inbound packets to ports
which are supposed to be unused and using stateful rules to allow outbound
connections is certainly a good idea.
Mike "Silby" Silbersack
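As an added example (not code from this thread or from the FreeBSD project), the following sh script emits an ipfw ruleset in the shape the reply recommends: new inbound connections are refused except to an explicit list of service ports, outbound connections are allowed through keep-state rules, and the dyn_keepalive sysctl from the quoted message is applied so that dynamic rules for half-closed sessions are not kept alive. The rule numbers, the lo0 loopback rule and the default inbound port 22 are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): an ipfw ruleset implementing the
# pattern recommended in the reply above (block unsolicited inbound traffic,
# allow outbound connections with stateful keep-state rules) alongside the
# sysctl from the quoted message, which reports that disabling keepalives let
# the lingering FIN_WAIT_2 connections expire within minutes. Rule numbers,
# the lo0 interface and the default inbound service port 22 are assumptions.

IN_PORTS="${IN_PORTS:-22}"   # TCP services allowed to accept inbound connections (assumed)

# gen_ruleset prints the ipfw commands rather than running them, so the set
# can be reviewed (or tested) before it is loaded.
gen_ruleset() {
    printf '%s\n' \
        "ipfw -q flush" \
        "ipfw add 100 allow ip from any to any via lo0" \
        "ipfw add 200 check-state" \
        "ipfw add 300 allow tcp from me to any out setup keep-state" \
        "ipfw add 310 allow udp from me to any out keep-state"
    # one stateful rule per published service; "setup" matches only new connections
    for p in $IN_PORTS; do
        printf 'ipfw add 400 allow tcp from any to me %s in setup keep-state\n' "$p"
    done
    printf '%s\n' \
        "ipfw add 500 deny tcp from any to me in setup" \
        "ipfw add 510 deny udp from any to me in" \
        "ipfw add 65000 deny ip from any to any"
}

# With dyn_keepalive=1 ipfw generates keepalive probes for idle keep-state
# rules; the quoted message observed that turning it off let FIN_WAIT_2
# sessions (and their dynamic rules) time out normally.
sysctl_setting() {
    echo "net.inet.ip.fw.dyn_keepalive=0"
}

# apply_ruleset loads the rules; it needs root on a FreeBSD host with ipfw(8).
apply_ruleset() {
    if [ "$(id -u)" -ne 0 ] || ! command -v ipfw >/dev/null 2>&1; then
        echo "apply_ruleset: requires root and the ipfw(8) utility" >&2
        return 1
    fi
    gen_ruleset | sh -e && sysctl "$(sysctl_setting)"
}

# Dry run by default: show what would be loaded; pass --apply to load it.
case "${1:-}" in
    --apply) apply_ruleset ;;
    *)       gen_ruleset; echo "sysctl $(sysctl_setting)" ;;
esac
```

Run it without arguments to review the generated rules first. Note that the closing deny also drops inbound ICMP; a production ruleset would allow the ICMP types it depends on (such as those needed for path MTU discovery) before that rule, and the keep-state entries created by rules 300 and 400 still expire on ipfw's dynamic-rule lifetimes even with keepalives disabled.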