From: Michael Sierchio
To: Tim Gustafson
Cc: freebsd-ipfw@freebsd.org
Date: Wed, 2 Nov 2011 09:46:51 -0700
Subject: Re: IPFW Problems

On Wed, Nov 2, 2011 at 8:46 AM, Tim Gustafson wrote:
> What I've been noticing is that the web server is accumulating a large number of dynamic rules that are not going away...

> Can anyone help me understand what is going on here? Have I found some sort of bug, or do I have my firewall incorrectly configured?

You may want to tweak the sysctl items that control the lifespan of dynamic rules.

    sysctl net.inet.ip.fw

In particular, the default value of net.inet.ip.fw.dyn_ack_lifetime is probably way too long for your purposes.
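
An added example (not part of the original message): a small sh function that reads `sysctl net.inet.ip.fw` output and flags a nearly full dynamic-rule table or a long `dyn_ack_lifetime`. The sample output, the 60-second threshold and the 80% warning level are constructed assumptions, not values from the thread.

```shell
#!/bin/sh
# Audit ipfw dynamic-rule settings from `sysctl net.inet.ip.fw` output.
# On a FreeBSD host:  sysctl net.inet.ip.fw | audit_dyn 60 80
# To lower the lifetime (60 is only an example value):
#   sysctl net.inet.ip.fw.dyn_ack_lifetime=60   # persist in /etc/sysctl.conf

# Constructed sample output, used so the script runs offline.
SAMPLE='net.inet.ip.fw.dyn_keepalive: 1
net.inet.ip.fw.dyn_short_lifetime: 5
net.inet.ip.fw.dyn_udp_lifetime: 10
net.inet.ip.fw.dyn_rst_lifetime: 1
net.inet.ip.fw.dyn_fin_lifetime: 1
net.inet.ip.fw.dyn_syn_lifetime: 20
net.inet.ip.fw.dyn_ack_lifetime: 300
net.inet.ip.fw.dyn_max: 4096
net.inet.ip.fw.dyn_count: 3950'

# audit_dyn [max_ack_seconds] [warn_percent]
# Reads sysctl output on stdin and prints one finding per line.
# Exits 2 if dyn_count or dyn_max is missing from the input.
audit_dyn() {
    awk -v max_ack="${1:-60}" -v warn_pct="${2:-80}" '
        # Input lines look like: net.inet.ip.fw.dyn_count: 3950
        /^net\.inet\.ip\.fw\.dyn_/ {
            name = $1
            sub(/^net\.inet\.ip\.fw\./, "", name)
            sub(/:$/, "", name)
            v[name] = $2 + 0
        }
        END {
            if (!("dyn_count" in v) || !("dyn_max" in v) || v["dyn_max"] == 0) {
                print "ERROR missing dyn_count/dyn_max"
                exit 2
            }
            # How full the dynamic-rule table is, as a whole percentage.
            pct = int(100 * v["dyn_count"] / v["dyn_max"])
            printf "%s table %d/%d (%d%%)\n", (pct >= warn_pct ? "WARN" : "OK"), v["dyn_count"], v["dyn_max"], pct
            # Established TCP flows keep their rule for dyn_ack_lifetime seconds.
            if ("dyn_ack_lifetime" in v)
                printf "%s dyn_ack_lifetime=%ds (threshold %ds)\n", (v["dyn_ack_lifetime"] > max_ack ? "WARN" : "OK"), v["dyn_ack_lifetime"], max_ack
        }'
}

# Demo run over the constructed sample.
printf '%s\n' "$SAMPLE" | audit_dyn 60 80
```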