From: Chuck Swiger <cswiger@mac.com>
To: "Dmitry S. Kasterin"
Cc: freebsd-net <freebsd-net@freebsd.org>
Date: Sat, 21 Apr 2012 09:08:28 -0700
Message-id: <4D11B17F-B0D4-4F71-A597-4A309D39C7B4@mac.com>
Subject: Re: Stateful IPFW - too many connections in FIN_WAIT_2 or LAST_ACK states
List-Id: Networking and TCP/IP with FreeBSD

On Apr 21, 2012, at 4:41 AM, Dmitry S.
Kasterin wrote:

> The "DYNAMIC RULES" section gives the following recommendation:
>
> ipfw add check-state
> ipfw add deny tcp from any to any established
> ipfw add allow tcp from my-net to any setup keep-state
>
> Is the second rule necessary?

If your security policy is "default deny", then yes.

Regards,
--
-Chuck
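To make the ordering of the three quoted rules concrete, here is a small model of how ipfw walks them. It is an added example written for this page, not code from the thread or from FreeBSD, and it models only the pieces the quoted rules use: `check-state` consults the dynamic rule table, `established` matches TCP packets with the ACK or RST bit set, `setup` matches packets with SYN set and ACK clear, and `keep-state` creates a dynamic entry. The `my-net` prefix, the four sample packets (RFC 5737 test addresses) and the later `allow tcp from any to any 80` rule are all assumptions added so the effect of the `deny ... established` rule is visible: it short-circuits ACK/RST packets that matched no dynamic entry before any later, broader rule is consulted.

```python
# Toy model of the ipfw stateful ruleset quoted in the thread.
# Added example, not ipfw itself: rule matching is simplified to the
# keywords the quoted rules use, and the packets are constructed.
from dataclasses import dataclass, field

MY_NET = "10.0.0."  # assumed "my-net" prefix (constructed)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False
    rst: bool = False

    def established(self) -> bool:
        # ipfw 'established': TCP packet with RST or ACK set
        return self.ack or self.rst

    def setup(self) -> bool:
        # ipfw 'setup': TCP packet with SYN set and ACK clear
        return self.syn and not self.ack


@dataclass
class Firewall:
    deny_established: bool = True           # include rule 2 or not
    dynamic: set = field(default_factory=set)  # dynamic rule table

    @staticmethod
    def _key(p: Packet) -> frozenset:
        # Both directions of a flow map to the same dynamic entry.
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def evaluate(self, p: Packet) -> str:
        # rule 1: ipfw add check-state
        if self._key(p) in self.dynamic:
            return "allow (dynamic)"
        # rule 2: ipfw add deny tcp from any to any established
        if self.deny_established and p.established():
            return "deny (established)"
        # rule 3: ipfw add allow tcp from my-net to any setup keep-state
        if p.src.startswith(MY_NET) and p.setup():
            self.dynamic.add(self._key(p))
            return "allow (setup, state created)"
        # assumed later rule: ipfw add allow tcp from any to any 80
        if p.dport == 80:
            return "allow (port 80)"
        # default rule 65535 deny (a default-deny policy)
        return "deny (default)"


def run_scenario(deny_established: bool) -> list:
    """Push four constructed packets through the ruleset in order."""
    fw = Firewall(deny_established=deny_established)
    packets = [
        # outbound SYN from my-net to a web server
        Packet("10.0.0.5", "203.0.113.9", 40000, 80, syn=True),
        # the server's SYN/ACK reply, matched by check-state
        Packet("203.0.113.9", "10.0.0.5", 80, 40000, syn=True, ack=True),
        # unsolicited inbound SYN to ssh: no rule allows it
        Packet("198.51.100.7", "10.0.0.5", 55555, 22, syn=True),
        # stray inbound ACK probe to port 80 with no dynamic entry
        Packet("198.51.100.7", "10.0.0.5", 55555, 80, ack=True),
    ]
    return [fw.evaluate(p) for p in packets]


if __name__ == "__main__":
    for flag in (True, False):
        print(f"deny established rule present: {flag}")
        for verdict in run_scenario(flag):
            print("  ", verdict)
```

With rule 2 present the stray ACK probe is dropped at rule 2; without it the same packet falls through to the assumed port-80 rule and is accepted even though it belongs to no tracked connection. The unsolicited inbound SYN is denied in both cases because nothing before the default rule allows it.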