From: Gareth de Vaux
To: stable@freebsd.org
Date: Fri, 10 Sep 2010 14:35:27 +0200
Subject: Re: ipfw: Too many dynamic rules
Message-ID: <20100910123527.GB55978@lordcow.org>
In-Reply-To: <20100910023132.E73353@sola.nimnet.asn.au>
References: <20100909153902.GA28341@lordcow.org> <20100910023132.E73353@sola.nimnet.asn.au>

On Fri 2010-09-10 (03:18), Ian Smith wrote:
> Try using 'limit' rather than the unlimited 'keep-state' for inbound
> dynamic connections to your server/s.
> eg, derived from ipfw(8):

These are mostly legitimate connections though, they just aren't being
closed properly. So if limit were to have an effect in my scenario, it
would just prevent legitimate users from reconnecting.
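
Added example, not part of the original message or of ipfw itself: a way to check the concern raised above by counting dynamic states per remote address, to see which clients a `limit src-addr N` rule would start refusing. The function names are hypothetical, the sample lines are constructed, and the column layout is an assumption modelled on `ipfw -d show` output.

```shell
#!/bin/sh
# Count ipfw dynamic states per remote source address.
# Assumed line layout for a dynamic rule (modelled on `ipfw -d show`):
#   rule pkts bytes (ttl) STATE proto src sport <-> dst dport

# Constructed sample, not captured from a real host. The first line is a
# static rule and must be ignored by the counter.
sample_states() {
cat <<'EOF'
00300 120 9000 allow tcp from any to me dst-port 80 setup keep-state
00300 12 1440 (298s) STATE tcp 198.51.100.7 40112 <-> 192.0.2.10 80
00300 3 180 (12s) STATE tcp 198.51.100.7 40113 <-> 192.0.2.10 80
00300 3 180 (9s) STATE tcp 198.51.100.7 40114 <-> 192.0.2.10 80
00300 3 180 (4s) STATE tcp 198.51.100.7 40115 <-> 192.0.2.10 80
00300 8 960 (300s) STATE tcp 203.0.113.20 51000 <-> 192.0.2.10 80
00300 2 120 (20s) STATE tcp 203.0.113.20 51001 <-> 192.0.2.10 80
00300 5 600 (299s) STATE tcp 203.0.113.45 33990 <-> 192.0.2.10 80
EOF
}

# states_per_source: read state lines on stdin, print "count address",
# highest count first. Only STATE and LIMIT entries are counted.
states_per_source() {
    awk '$5 == "STATE" || $5 == "LIMIT" { n[$7]++ }
         END { for (a in n) print n[a], a }' | sort -k1,1nr -k2,2
}

# sources_over N: addresses currently holding more than N states, i.e. the
# clients that a `limit src-addr N` rule would refuse further connections.
sources_over() {
    states_per_source | awk -v max="$1" '$1 > max { print $2 }'
}

# On a live FreeBSD host (not run here) the input would come from
#   ipfw -d show | states_per_source
# and the total can be compared with the sysctls
#   net.inet.ip.fw.dyn_count and net.inet.ip.fw.dyn_max
sample_states | states_per_source
```

If the states are spread thinly over many addresses, a per-source limit changes little; if a few addresses hold many half-closed states, those are the clients a limit would cut off first.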