Date:      Fri, 10 Sep 2010 13:49:08 +0200
From:      Gareth de Vaux <bsd@lordcow.org>
To:        stable@freebsd.org
Subject:   Re: ipfw: Too many dynamic rules
Message-ID:  <20100910114908.GA55978@lordcow.org>
In-Reply-To: <20100909162009.GA80375@icarus.home.lan>
References:  <20100909153902.GA28341@lordcow.org> <20100909162009.GA80375@icarus.home.lan>


On Thu 2010-09-09 (09:20), Jeremy Chadwick wrote:
> Secondly, I'm fairly certain HTTP KeepAlive (re: KeepAliveTimeout) are
> unrelated to TCP keepalives[1].  I mention this because you're focusing
> on netstat, which will give you indication of TCP session state, not
> HTTP protocol statefulness.

Gotcha

> Thirdly, if you feel FIN_WAIT2 is the cause of your problem, then you
> should consider adjusting the following sysctl:
> 
> net.inet.tcp.finwait2_timeout
> 
> Try something like 15000 (15 seconds) instead of the default (60000).

Ok, that seems to be doing something. Will report back later.

> Finally, why are you using dynamic firewall rules at all?

So that I can identify legitimate(ish) traffic and drop the rest.

> For what purpose do you need these that, say, pf and its state
> tracking would not suffice?

I haven't used pf. I started with ipfw and it's done the trick so far.
What's the difference between pf and ipfw's state tracking in this
respect?



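As an added example (not part of the thread, and not code from either poster): a POSIX shell script that does the check Jeremy suggests before touching the sysctl, namely counting TCP sockets per state from `netstat -an` output so you can see whether FIN_WAIT_2 really dominates, and then printing the `net.inet.tcp.finwait2_timeout` commands with the 15000 ms value from the thread. The netstat output embedded below is constructed sample data, the sysctl names come from FreeBSD's sysctl(8) and ipfw(8) rather than from the thread, and the script prints the tuning commands instead of running them so it can be executed on any host.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.
# Constructed sample of `netstat -an` output (not a real capture): one
# established web session, two sockets stuck in FIN_WAIT_2, one in
# TIME_WAIT, and the listening socket itself.
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 192.0.2.10.80          198.51.100.7.51234     ESTABLISHED
tcp4       0      0 192.0.2.10.80          198.51.100.8.40111     FIN_WAIT_2
tcp4       0      0 192.0.2.10.80          198.51.100.9.40222     FIN_WAIT_2
tcp4       0      0 192.0.2.10.80          203.0.113.5.33333      TIME_WAIT
tcp4       0      0 *.80                   *.*                    LISTEN'

# count_state STATE [INPUT]: number of tcp sockets in STATE. INPUT defaults
# to the constructed sample; on a live box use "$(netstat -an)" instead.
count_state() {
    state=$1
    input=${2:-$SAMPLE_NETSTAT}
    printf '%s\n' "$input" |
        awk -v s="$state" '$1 ~ /^tcp/ && $NF == s { n++ } END { print n + 0 }'
}

# state_summary [INPUT]: one "STATE count" line per TCP state, busiest first.
# This is the view the thread asks for: is FIN_WAIT_2 actually the bulk?
state_summary() {
    input=${1:-$SAMPLE_NETSTAT}
    printf '%s\n' "$input" |
        awk '$1 ~ /^tcp/ { c[$NF]++ } END { for (s in c) print s, c[s] }' |
        sort -k2,2nr
}

# show_finwait2_tuning [MS]: print (do not run) the sysctl commands for the
# change discussed in the thread. MS defaults to the suggested 15000; the
# FreeBSD default is 60000. Pipe the output to sh on a FreeBSD host.
show_finwait2_tuning() {
    ms=${1:-15000}
    echo "sysctl net.inet.tcp.finwait2_timeout"             # current value
    echo "sysctl net.inet.tcp.finwait2_timeout=$ms"         # apply now
    echo "# persist: net.inet.tcp.finwait2_timeout=$ms in /etc/sysctl.conf"
}

# show_dyn_rule_check: the ipfw counters to compare when the kernel logs
# "Too many dynamic rules". Names are from ipfw(8), not from the thread.
show_dyn_rule_check() {
    echo "sysctl net.inet.ip.fw.dyn_count net.inet.ip.fw.dyn_max"
}

# Run against the constructed sample when executed directly.
state_summary
show_finwait2_tuning 15000
show_dyn_rule_check
```

On a live system replace the sample with `"$(netstat -an)"` as the second argument to `count_state`, or the first to `state_summary`; a large FIN_WAIT_2 count relative to ESTABLISHED is what justifies lowering the timeout, and if the counts are small the dynamic-rule pressure is coming from somewhere else.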