From: Chuck Swiger <cswiger@mac.com>
To: Grant Peel
Cc: Tek Bahadur Limbu, freebsd-questions@freebsd.org
Subject: Re: Fw: FIN_WAIT_2
Date: Mon, 26 Feb 2007 11:40:14 -0500
Message-ID: <45E30D6E.5090102@mac.com>
List-Id: freebsd-questions (User questions)

Grant Peel wrote:
[ ... ]
> sysctl net.inet.ip.fw.dyn_keepalive=0
>
> and in about 10 minutes all FIN_WAIT_2's disappear (well, almost all).
>
> I expect it virtually shut down dynamic rules too in ipfw, but I have
> been reading more and more that people are saying don't use dynamics on
> a busy site. Anyone care to comment?

That's some interesting feedback. There's probably another tunable for how
long IPFW dynamic rules are supposed to persist by default.

In answer to your closing remark, I would attempt to configure static rules
for known-permitted services, especially the most commonly used ones, and
rely on dynamic rules only for ad-hoc internal traffic, and not for inbound
client requests.

-- 
-Chuck
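The ruleset Chuck describes, written out as an added example (this is not code from the thread or from FreeBSD itself). Inbound, known-permitted services get static rules with no keep-state, so client connections never create dynamic entries; check-state/keep-state is reserved for flows the host originates and for one trusted internal network. The "other tunable" he mentions is the family of net.inet.ip.fw.dyn_*_lifetime sysctls documented in ipfw(8); the tune_dyn function shows the current values and then applies settings that are assumptions for illustration, not recommendations. The external interface em0, the service ports 22,80,443 and the admin network 192.168.1.0/24 are likewise assumed and can be overridden from the environment.

```shell
#!/bin/sh
# Added example, not from the thread: an ipfw ruleset that keeps inbound
# service traffic on static rules and uses keep-state only for traffic this
# host originates or for a trusted internal network. Assumed values
# (external interface, service ports, admin network) are overridable.

EXT_IF="${EXT_IF:-em0}"                  # assumption: external interface
ADMIN_NET="${ADMIN_NET:-192.168.1.0/24}" # assumption: trusted internal net
SERVICES="${SERVICES:-22,80,443}"        # assumption: public service ports
IPFW="${IPFW:-/sbin/ipfw}"               # set IPFW="echo ipfw" for a dry run
SYSCTL="${SYSCTL:-/sbin/sysctl}"

# Print the ruleset, one "number body" pair per line, without touching
# the kernel. Rules 00300/00310 handle the public services statically:
# inbound packets to the service ports are allowed as-is, and outbound
# packets from those ports are allowed only with ACK or RST set
# ("established"), so no SYN can leave from a service port and no
# dynamic entry is ever created for a client connection.
ruleset() {
    cat <<EOF
00100 allow ip from any to any via lo0
00110 deny ip from any to 127.0.0.0/8
00120 deny ip from 127.0.0.0/8 to any
00200 check-state
00300 allow tcp from any to me $SERVICES in via $EXT_IF
00310 allow tcp from me $SERVICES to any out via $EXT_IF established
00400 allow tcp from $ADMIN_NET to me in via $EXT_IF setup keep-state
00500 allow ip from me to any out via $EXT_IF keep-state
00600 allow icmp from any to any icmptypes 0,3,8,11
65000 deny log ip from any to any
EOF
}

# Flush and load the ruleset. "flush" drops any existing dynamic rules,
# including the one carrying your ssh session; run this from the console.
load_rules() {
    $IPFW -q -f flush
    ruleset | while read -r num body; do
        # shellcheck disable=SC2086  # word splitting of $body is intended
        $IPFW -q add "$num" $body
    done
}

# Show the dynamic-rule tunables from ipfw(8), then apply assumed values:
# a shorter lifetime for idle established entries, and keepalives off
# (as in Grant's message). With keepalives off, long-idle sessions that
# rely on a dynamic rule will be cut when the entry expires.
tune_dyn() {
    $SYSCTL net.inet.ip.fw.dyn_ack_lifetime net.inet.ip.fw.dyn_fin_lifetime \
            net.inet.ip.fw.dyn_keepalive net.inet.ip.fw.dyn_max
    $SYSCTL net.inet.ip.fw.dyn_ack_lifetime="${DYN_ACK_LIFETIME:-120}"
    $SYSCTL net.inet.ip.fw.dyn_keepalive="${DYN_KEEPALIVE:-0}"
}

# Observe the effect. FIN_WAIT_2 in netstat is TCP socket state, which is
# separate from ipfw's dynamic table; dyn_count is the live entry count.
status() {
    printf 'FIN_WAIT_2 sockets: %s\n' "$(netstat -an -p tcp | grep -c FIN_WAIT_2)"
    printf 'dynamic rules:      %s\n' "$($SYSCTL -n net.inet.ip.fw.dyn_count)"
}

case "${1:-}" in
    show)   ruleset ;;
    apply)  load_rules ;;
    tune)   tune_dyn ;;
    status) status ;;
    "")     ;;  # no argument: define the functions only (sourced or tested)
    *)      echo "usage: $0 show|apply|tune|status" >&2; exit 2 ;;
esac
```

Run `sh ipfw-static.sh show` to review the generated rules, `IPFW="echo ipfw" sh ipfw-static.sh apply` to see the exact ipfw commands without loading them, and `apply` from the console when satisfied. Because the public-service return traffic matches rule 00310 before the keep-state rule 00500, the only dynamic entries on a busy web host are those for outbound connections it makes itself and for admin sessions from ADMIN_NET.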