From owner-freebsd-net@FreeBSD.ORG  Tue Apr 17 19:58:55 2012
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id B94F8106568D
	for <freebsd-net@freebsd.org>; Tue, 17 Apr 2012 19:58:55 +0000 (UTC)
	(envelope-from kudzu@tenebras.com)
Received: from mail-yx0-f182.google.com (mail-yx0-f182.google.com
	[209.85.213.182])
	by mx1.freebsd.org (Postfix) with ESMTP id 6D5A48FC22
	for <freebsd-net@freebsd.org>; Tue, 17 Apr 2012 19:58:55 +0000 (UTC)
Received: by yenl9 with SMTP id l9so4013162yen.13
	for <freebsd-net@freebsd.org>; Tue, 17 Apr 2012 12:58:55 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=google.com; s=20120113;
	h=mime-version:in-reply-to:references:date:message-id:subject:from:to
	:cc:content-type:x-gm-message-state;
	bh=LlqzvhUaLWayyQVXd6DlFzLcLPLXEmPvbKRaSHXYMh4=;
	b=WC7GEi9JUWzNsaJyk5rpKvXPtrWspzHo+GCvcaCzE7R37Mg1SiJLMnz+a3iiS1PRyJ
	IPfKdeNxlR/aa3UpBUI9PEa352mPr1R2V6Ob0ERJKhk8athP7vUQ7sypO1xJQffTKV0P
	hVtA8rDu96ZghmtNmDrcLCmyYfoTcxUL0QyOHa7V2bJhGM6Vp0yBBQnBLdQ9vdadIR3Q
	zqlhw6GJ+bhLNNAoRSCr20q9PmC/BoM6pMgrouOaaim768bSM28PhsKbjdT87Hg/IMid
	CDY++CTnPJdwLcnwM4zDHmOSGG/FvpnkTFZMx4YNc3tAXhmzEd0uOiMht1WBijzA9Vbb
	ZVTg==
MIME-Version: 1.0
Received: by 10.236.175.41 with SMTP id y29mr17004665yhl.60.1334692734998;
	Tue, 17 Apr 2012 12:58:54 -0700 (PDT)
Received: by 10.236.18.135 with HTTP; Tue, 17 Apr 2012 12:58:54 -0700 (PDT)
In-Reply-To: <CAN6yY1uRrfv0Bdeb+tosna8O8ajD_H1j7N=akL7PS8XC3X09qA@mail.gmail.com>
References: <CAJkxAbyMEYZ4pYu=z4Sfwdqtzh=PjhHE4qrbSsyL34YE9TnXZQ@mail.gmail.com>
	<CAJkxAbyi7hx9Dugtw5-Md1y77JRzOu3bygS8ntfQg+kw1KZ63w@mail.gmail.com>
	<CAN6yY1uRrfv0Bdeb+tosna8O8ajD_H1j7N=akL7PS8XC3X09qA@mail.gmail.com>
Date: Tue, 17 Apr 2012 12:58:54 -0700
Message-ID: <CAHu1Y72HG00_yv0wyk_7rRC1bb0SNa+cEOoXZTALV6bkBj207g@mail.gmail.com>
From: Michael Sierchio <kudzu@tenebras.com>
To: Kevin Oberman <kob6558@gmail.com>
X-Gm-Message-State: ALoCoQk5amvmsIqN8BnHosAAb1WqksieGbgnL0+OOJgRn+0UDSZql7SpQV+kcHLMC396uYkrio2y
Content-Type: text/plain; charset=ISO-8859-1
X-Content-Filtered-By: Mailman/MimeDel 2.1.5
Cc: freebsd-net@freebsd.org, "Dmitry S. Kasterin" <dmk.sbor@gmail.com>
Subject: Re: Stateful IPFW - too many connections in FIN_WAIT_2 or LAST_ACK
	states
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Apr 2012 19:58:55 -0000

On Tue, Apr 17, 2012 at 12:48 PM, Kevin Oberman <kob6558@gmail.com> wrote:

>
> But I do have to ask why you find statefull rules for outgoing TCP
> connections desirable? Why not:
> 00101 allow tcp from me to any established
>
> It's useful and appropriate to have outbound connections be stateful.
 It's not a good idea to have inbound connections stateful, as it makes it
easy to fill up the state table.

To the OP:

Look at the kernel tunables:

net.inet.ip.fw.dyn_rst_lifetime
net.inet.ip.fw.dyn_fin_lifetime
net.inet.ip.fw.dyn_syn_lifetime
net.inet.ip.fw.dyn_ack_lifetime