IPFW Problems
Tim Gustafson
tjg at soe.ucsc.edu
Wed Nov 2 16:56:42 UTC 2011
> You may want to tweak the sysctl items that control the lifespan
> of dynamic rules.
>
> sysctl net.inet.ip.fw
>
> in particular, the default value of net.inet.ip.fw.dyn_ack_lifetime
> is probably way too long for your purposes.
Here's what I have right now:
root@bsd-02: sysctl net.inet.ip.fw
net.inet.ip.fw.static_count: 48
net.inet.ip.fw.default_to_accept: 0
net.inet.ip.fw.tables_max: 128
net.inet.ip.fw.default_rule: 65535
net.inet.ip.fw.verbose_limit: 0
net.inet.ip.fw.verbose: 0
net.inet.ip.fw.autoinc_step: 100
net.inet.ip.fw.one_pass: 1
net.inet.ip.fw.enable: 1
net.inet.ip.fw.dyn_keepalive: 1
net.inet.ip.fw.dyn_short_lifetime: 5
net.inet.ip.fw.dyn_udp_lifetime: 10
net.inet.ip.fw.dyn_rst_lifetime: 1
net.inet.ip.fw.dyn_fin_lifetime: 1
net.inet.ip.fw.dyn_syn_lifetime: 20
net.inet.ip.fw.dyn_ack_lifetime: 300
net.inet.ip.fw.dyn_max: 32768
net.inet.ip.fw.dyn_count: 805
net.inet.ip.fw.curr_dyn_buckets: 256
net.inet.ip.fw.dyn_buckets: 256
I'm assuming that's in seconds. Is 300 seconds too long? It seems like the dynamic rules are hanging around for hours or days, and I think the timeout is getting reset by the fact that the system is constantly sending out ACK packets to clients that aren't acknowledging them.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Tim Gustafson tjg at soe.ucsc.edu
Baskin School of Engineering 831-459-5354
UC Santa Cruz Baskin Engineering 317B
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
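As an added example (not code from the thread), here is a small Python checker that parses a `sysctl net.inet.ip.fw` dump like the one above and reports on the dynamic-rule table; the thresholds it applies (80% of dyn_max, more than 2 entries per hash bucket, a 120 s budget for dyn_ack_lifetime) are assumptions chosen for illustration, not values from the post.

```python
"""Parse `sysctl net.inet.ip.fw` output and report on ipfw dynamic-rule state.

Added example, not code from the original thread. The thresholds in
assess_dyn_state() are assumptions chosen for illustration.
"""
import re

# Constructed sample: the dynamic-rule lines from the sysctl dump in the post.
SAMPLE = """\
net.inet.ip.fw.dyn_keepalive: 1
net.inet.ip.fw.dyn_ack_lifetime: 300
net.inet.ip.fw.dyn_max: 32768
net.inet.ip.fw.dyn_count: 805
net.inet.ip.fw.curr_dyn_buckets: 256
"""

LINE = re.compile(r"^net\.inet\.ip\.fw\.(\w+):\s*(-?\d+)\s*$")


def parse_ipfw_sysctl(text):
    """Return {name: int} for every `net.inet.ip.fw.<name>: <int>` line."""
    values = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            values[m.group(1)] = int(m.group(2))
    return values


def assess_dyn_state(v, ack_budget=120, fill_warn=0.8, chain_warn=2.0):
    """Return a list of (sysctl name, message) findings, in a fixed order."""
    findings = []
    fill = v["dyn_count"] / v["dyn_max"]          # ipfw cannot add states past dyn_max
    if fill >= fill_warn:
        findings.append(("dyn_max", f"state table {fill:.0%} full"))
    buckets = v["curr_dyn_buckets"]
    chain = v["dyn_count"] / buckets               # average hash chain length
    if chain > chain_warn or buckets & (buckets - 1):
        findings.append(("dyn_buckets",
                         f"{chain:.1f} states per bucket; dyn_buckets must be a power of 2"))
    if v["dyn_ack_lifetime"] > ack_budget:         # idle timeout for established TCP
        findings.append(("dyn_ack_lifetime",
                         f"{v['dyn_ack_lifetime']} s exceeds budget of {ack_budget} s"))
    if v.get("dyn_keepalive") == 1:                # keepalives refresh states a peer still answers
        findings.append(("dyn_keepalive", "keepalives extend idle TCP states"))
    return findings


if __name__ == "__main__":
    for name, msg in assess_dyn_state(parse_ipfw_sysctl(SAMPLE)):
        print(f"{name}: {msg}")
```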