IPFW Problems

Tim Gustafson tjg at soe.ucsc.edu
Wed Nov 2 16:56:42 UTC 2011


> You may want to tweak the sysctl items that control the lifespan
> of dynamic rules.
> 
> sysctl net.inet.ip.fw
> 
> in particular, the default value of net.inet.ip.fw.dyn_ack_lifetime
> is probably way too long for your purposes.

Here's what I have right now:

root@bsd-02: sysctl net.inet.ip.fw
net.inet.ip.fw.static_count: 48
net.inet.ip.fw.default_to_accept: 0
net.inet.ip.fw.tables_max: 128
net.inet.ip.fw.default_rule: 65535
net.inet.ip.fw.verbose_limit: 0
net.inet.ip.fw.verbose: 0
net.inet.ip.fw.autoinc_step: 100
net.inet.ip.fw.one_pass: 1
net.inet.ip.fw.enable: 1
net.inet.ip.fw.dyn_keepalive: 1
net.inet.ip.fw.dyn_short_lifetime: 5
net.inet.ip.fw.dyn_udp_lifetime: 10
net.inet.ip.fw.dyn_rst_lifetime: 1
net.inet.ip.fw.dyn_fin_lifetime: 1
net.inet.ip.fw.dyn_syn_lifetime: 20
net.inet.ip.fw.dyn_ack_lifetime: 300
net.inet.ip.fw.dyn_max: 32768
net.inet.ip.fw.dyn_count: 805
net.inet.ip.fw.curr_dyn_buckets: 256
net.inet.ip.fw.dyn_buckets: 256

I'm assuming that's in seconds.  Is 300 seconds too long?  It seems like the dynamic rules are hanging around for hours or days, and I think the timeout is getting reset by the fact that the system is constantly sending out ACK packets to clients that aren't acknowledging them.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Tim Gustafson                                                tjg at soe.ucsc.edu
Baskin School of Engineering                                     831-459-5354
UC Santa Cruz                                         Baskin Engineering 317B
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
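An added example, not part of the thread above, for checking whether the dynamic rules are actually being refreshed rather than just slow to expire. `ipfw -d list` prints each dynamic rule with its remaining lifetime in parentheses, so a state whose remaining time sits near the configured net.inet.ip.fw.dyn_ack_lifetime long after the connection went quiet has just had its timer reset. With dyn_keepalive=1, ipfw sends keepalive packets to both ends of a TCP state shortly before it would expire, and a reply from either end refreshes it. The listing below is constructed to stand in for a live run; the field layout (rule number, packets, bytes, "(Ns)", STATE, proto, endpoints) follows the ipfw2 output format, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: summarise ipfw dynamic rules from `ipfw -d list` output.
# On a real host replace SAMPLE_LISTING with:  ipfw -d list
# (add -e to include already-expired states: ipfw -de list)
#
# Dynamic rule lines look like:
#   00100  12  3456 (290s) STATE tcp 10.0.0.5 51234 <-> 10.0.0.1 22
# "(290s)" is the remaining lifetime. A freshly created or just refreshed
# established-TCP state shows close to net.inet.ip.fw.dyn_ack_lifetime.

# Constructed sample output (not captured from a real system).
SAMPLE_LISTING='## Dynamic rules (4):
00100    12    3456 (298s) STATE tcp 10.0.0.5 51234 <-> 10.0.0.1 22
00100   840  102400 (275s) STATE tcp 10.0.0.6 49152 <-> 10.0.0.1 80
00100     3     180 (17s) STATE tcp 10.0.0.7 40000 <-> 10.0.0.1 443
00200     9     900 (8s) STATE udp 10.0.0.8 53000 <-> 10.0.0.1 53'

# count_dynamic LISTING
#   Number of dynamic rule lines (compare with net.inet.ip.fw.dyn_count).
count_dynamic() {
    printf '%s\n' "$1" | grep -c '^[0-9][0-9]* .*([0-9][0-9]*s) STATE'
}

# refreshed_states LISTING PROTO LIFETIME SLACK
#   Print dynamic rules for PROTO whose remaining lifetime is within SLACK
#   seconds of LIFETIME, i.e. whose timer was (re)set very recently.
#   Run this a few times on a host with no client traffic: if the same
#   states keep appearing at full lifetime, something is refreshing them.
refreshed_states() {
    printf '%s\n' "$1" | awk -v proto="$2" -v lifetime="$3" -v slack="$4" '
        /\([0-9]+s\) STATE/ && $6 == proto {
            ttl = $4
            gsub(/[()s]/, "", ttl)          # "(298s)" -> "298"
            if (ttl + 0 >= lifetime - slack) print
        }'
}

# Stand-alone run against the constructed listing, using the values from
# the sysctl output in the post (dyn_ack_lifetime: 300).
printf 'dynamic rules: %s\n' "$(count_dynamic "$SAMPLE_LISTING")"
printf 'tcp states within 30s of dyn_ack_lifetime=300 (just created or refreshed):\n'
refreshed_states "$SAMPLE_LISTING" tcp 300 30
```

To test the keepalive hypothesis directly, compare two runs a minute apart: a state that was idle should lose about sixty seconds of remaining lifetime between runs, while one that is being refreshed stays pinned near the maximum.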

