Date: Fri, 10 Sep 2010 13:49:08 +0200
From: Gareth de Vaux <bsd@lordcow.org>
To: stable@freebsd.org
Subject: Re: ipfw: Too many dynamic rules
Message-ID: <20100910114908.GA55978@lordcow.org>
In-Reply-To: <20100909162009.GA80375@icarus.home.lan>
References: <20100909153902.GA28341@lordcow.org> <20100909162009.GA80375@icarus.home.lan>
On Thu 2010-09-09 (09:20), Jeremy Chadwick wrote:

> Secondly, I'm fairly certain HTTP KeepAlive (re: KeepAliveTimeout) are
> unrelated to TCP keepalives[1]. I mention this because you're focusing
> on netstat, which will give you indication of TCP session state, not
> HTTP protocol statefulness.

Gotcha.

> Thirdly, if you feel FIN_WAIT2 is the cause of your problem, then you
> should consider adjusting the following sysctl:
>
> net.inet.tcp.finwait2_timeout
>
> Try something like 15000 (15 seconds) instead of the default (60000).

Ok, that seems to be doing something. Will report back later.

> Finally, why are you using dynamic firewall rules at all?

So that I can identify legitimate(ish) traffic and drop the rest.

> For what purpose do you need these that, say, pf and its state
> tracking would not suffice?

I haven't used pf. I started with ipfw and it's done the trick so far.
What's the difference between pf and ipfw's state tracking in this respect?
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20100910114908.GA55978>
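The reply above leans on reading TCP session state from netstat and then shortening finwait2_timeout. The script below is an added example (editor's, not from this thread or the FreeBSD project) of how to make that check repeatable: it counts sockets per TCP state from `netstat -an` output and reports what share is parked in FIN_WAIT_2, so the effect of the sysctl change can be measured rather than eyeballed. The netstat lines it parses are a constructed sample in FreeBSD's `netstat -an` layout, not real data. The ipfw dynamic-rule counter names (`net.inet.ip.fw.dyn_count`, `net.inet.ip.fw.dyn_max`) are not mentioned in the thread and are my addition; only `net.inet.tcp.finwait2_timeout` comes from the reply.

```shell
#!/bin/sh
# Added example, not part of the original thread. Counts TCP sockets per
# state from `netstat -an` output so that a change to
# net.inet.tcp.finwait2_timeout can be checked numerically.
# Run with --live on a FreeBSD host to read real netstat/sysctl output;
# without arguments it runs offline against the constructed sample below.

# Constructed sample in FreeBSD `netstat -an` layout (not captured data).
SAMPLE='Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 10.0.0.1.80            192.0.2.10.51234       FIN_WAIT_2
tcp4       0      0 10.0.0.1.80            192.0.2.11.51235       FIN_WAIT_2
tcp4       0      0 10.0.0.1.80            192.0.2.12.51236       ESTABLISHED
tcp4       0      0 10.0.0.1.80            192.0.2.13.51237       TIME_WAIT
tcp4       0      0 *.22                   *.*                    LISTEN
udp4       0      0 *.514                  *.*'

# count_tcp_state STATE: number of tcp4/tcp6 sockets in STATE, read from stdin.
# Header lines and UDP rows are skipped because $1 does not start with "tcp".
count_tcp_state() {
    awk -v want="$1" '$1 ~ /^tcp/ && $NF == want { n++ } END { print n + 0 }'
}

# tcp_state_summary: one "STATE count" line per state, busiest state first.
tcp_state_summary() {
    awk '$1 ~ /^tcp/ { c[$NF]++ } END { for (s in c) print s, c[s] }' | sort -k2,2nr
}

# finwait2_pressure_pct: integer percentage of TCP sockets sitting in FIN_WAIT_2.
# A high value after the web server closes its side means the peers never
# sent their FIN, which is what a shorter finwait2_timeout reaps.
finwait2_pressure_pct() {
    awk '$1 ~ /^tcp/ { t++; if ($NF == "FIN_WAIT_2") f++ }
         END { print (t ? int(100 * f / t) : 0) }'
}

# Sysctl names: finwait2_timeout is from the thread (milliseconds); the ipfw
# dyn_count/dyn_max pair is assumed here as the usage/ceiling counters to watch.
show_knobs() {
    sysctl net.inet.tcp.finwait2_timeout \
           net.inet.ip.fw.dyn_count net.inet.ip.fw.dyn_max
}

# The value suggested in the reply: 15 seconds instead of the 60-second default.
apply_finwait2_15s() {
    sysctl net.inet.tcp.finwait2_timeout=15000
}

if [ "$1" = "--live" ]; then
    netstat -an -p tcp | tcp_state_summary
    printf 'FIN_WAIT_2 share: %s%%\n' "$(netstat -an -p tcp | finwait2_pressure_pct)"
    show_knobs
else
    printf '%s\n' "$SAMPLE" | tcp_state_summary
    printf 'FIN_WAIT_2 share: %s%%\n' "$(printf '%s\n' "$SAMPLE" | finwait2_pressure_pct)"
fi
```

Take the summary once before and once a minute or so after lowering finwait2_timeout; if the FIN_WAIT_2 share does not drop, the dynamic-rule pressure is coming from somewhere other than half-closed HTTP sessions and the ipfw `dyn_*` counters are the next thing to compare against the rule expiry settings.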