From owner-freebsd-questions Thu Jan 31 20:10:44 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from mail.tecdigital.net (tecdigital.tol.itesm.mx [132.254.97.16]) by hub.freebsd.org (Postfix) with ESMTP id C1BD937B404; Thu, 31 Jan 2002 20:10:36 -0800 (PST)
Received: from Deathstar (unknown [148.243.246.158]) by mail.tecdigital.net (Postfix) with ESMTP id 22E871D20; Thu, 31 Jan 2002 22:10:10 -0600 (CST)
Message-ID: <009b01c1aad6$5f146560$0a00a8c0@Deathstar>
From: "Mario Doria"
Subject: IPFW Keep-state ruleset sysctl values
Date: Thu, 31 Jan 2002 22:10:16 -0600
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk

Hello,

First, my ruleset in IPFW only allows the initial connection packet and creates a dynamic rule. I'm trying to make my ruleset in IPFW just like what I had with IPF. I moved from IPF because I was experiencing random connection losses on two different machines, and someone on the ipfilter@ mailing list also running 4.5-STABLE was experiencing the same problems; so, I'm trying IPFW to see who's really the culprit (the NIC has been changed twice).

After replacing IPF with IPFW, I noticed that connections timed out very quickly. I changed net.inet.ip.fw.dyn_ack_lifetime to 14400 and it got better. When using IPF, connections timed out at 86400 seconds (I think), which is way more than 14400. I *think* the IPF timeout is the one specified for TCP/IP, but I think 14400 (4 hours) is more realistic. Question is: is this change going to affect me in other ways?

Second doubt here: I also changed the sysctl value of net.inet.ip.fw.dyn_max to 3000.
Is this too much or too little? The machine is a mildly loaded web server, which also serves as a Samba server for 20 multimedia users (meaning they open a bazillion files at once). I don't know what the maximum number of dynamic rules is for IPF; I thought 3000 was reasonable.

Thanks for your help,

Mario Doria
madd@tecdigital.net
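For readers who want to see what a keep-state ruleset of the kind described above looks like next to the two tunables in the question, here is an added example (not Mario's own ruleset or sysctl.conf): a minimal IPFW stateful firewall where only the connection-setup packet is matched statically and everything else must hit a dynamic rule. The open ports (80, 139, 445) and the rule numbers are assumptions; the script can be dry-run to print the commands instead of applying them.

```shell
#!/bin/sh
# Added example, not from the original mail: minimal IPFW keep-state
# ruleset plus the net.inet.ip.fw.dyn_* tunables discussed in the thread.
# Usage: sh ipfw-keepstate.sh --apply    (as root)
#        sh ipfw-keepstate.sh --dry-run  (print the commands only)

DRY_RUN="${DRY_RUN:-0}"

# run CMD...: execute, or just print the command when DRY_RUN=1 so the
# ruleset can be reviewed before it touches a live firewall.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Tunables from the mail. A longer dyn_ack_lifetime keeps each established
# TCP state alive longer, so the dynamic table fills faster; dyn_max has to
# be sized for that. When the table is full no new state can be created,
# and connections that depend on keep-state fail to set up.
set_sysctls() {
    run sysctl -w net.inet.ip.fw.dyn_ack_lifetime=14400   # 4 hours
    run sysctl -w net.inet.ip.fw.dyn_max=3000
}

# Stateful ruleset: setup packets create dynamic rules; later packets of the
# same connection are matched by check-state, nothing else is allowed.
install_rules() {
    run ipfw -f flush
    # Consult the dynamic table first.
    run ipfw add 100 check-state
    # Outbound: allow this host's own connections and remember them.
    run ipfw add 200 allow tcp from me to any setup keep-state
    run ipfw add 210 allow udp from me to any keep-state
    # Inbound services (web server and Samba, as in the mail); ports assumed.
    run ipfw add 300 allow tcp from any to me 80 setup keep-state
    run ipfw add 310 allow tcp from any to me 139,445 setup keep-state
    # Anything not covered by a dynamic rule is denied.
    run ipfw add 65000 deny ip from any to any
}

apply_firewall() {
    set_sysctls
    install_rules
}

case "${1:-}" in
    --apply)   apply_firewall ;;
    --dry-run) DRY_RUN=1; apply_firewall ;;
esac
```

The dry-run output lists nine commands; with `--apply` the same commands are executed, so check the list before running it on a machine you reach only over the network.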