Stateful IPFW - too many connections in FIN_WAIT_2 or LAST_ACK states

Dmitry S. Kasterin dmk.sbor at gmail.com
Fri Apr 20 18:55:05 UTC 2012


> Thank you for the "allow tcp from me to any established" rule,
> I'll give it a try later.

Ok, I've tested this - no oddity/"frozen" connection.  As expected.
This is an excerpt from the ruleset (ipfw show):

00101  4759  2588637 allow tcp from any to any established
00102   206    12360 allow tcp from me to any setup

00777     0        0 deny log logamount 16 ip from any to any


> I didn't change anything. Quite possible dyn_fin_lifetime is too
> small. I'll try to raise it.

# sysctl net.inet.ip.fw.dyn_fin_lifetime=4
net.inet.ip.fw.dyn_fin_lifetime: 1 -> 4
# sysctl net.inet.ip.fw.dyn_rst_lifetime=4
net.inet.ip.fw.dyn_rst_lifetime: 1 -> 4

The situation is better, but I am still having trouble with "heavy"
sites (images, JS and so on; for example
http://cnx.org/content/m16336/latest/ ).
And I can still see odd packets from the "deny log all from any to any" rule:

15:09:58.654613 IP w.x.y.z.11215 > 213.180.193.14.80: Flags [F.], seq 3948689318, ack 1903284725, ...
15:09:59.158612 IP w.x.y.z.11215 > 213.180.193.14.80: Flags [F.], seq 0, ack 1, ...
15:09:59.222114 IP 213.180.193.14.80 > w.x.y.z.11215: Flags [F.], seq 1, ack 0, ...
15:09:59.966611 IP w.x.y.z.11215 > 213.180.193.14.80: Flags [F.], seq 0, ack 1, ...

15:51:43.244361 IP 128.42.169.34.80 > w.x.y.z.13876: Flags [F.], seq 3534903525, ack 108808080, ...
15:51:49.418317 IP 128.42.169.34.80 > w.x.y.z.13876: Flags [F.], seq 0, ack 1, ...

15:58:47.664606 IP w.x.y.z.32748 > 195.91.160.36.80: Flags [F.], seq 3277652538, ack 2683877393, ...
15:58:49.106924 IP 195.91.160.36.80 > w.x.y.z.32748: Flags [F.], seq 1, ack 0, ...
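An added example (not part of the post or of ipfw) that parses the denied tcpdump lines above, groups the FIN packets per connection and measures how long they keep arriving after the first one, so the gap can be compared with the dyn_fin_lifetime value in use. It assumes all timestamps fall on the same day.

```python
import re

# The denied FIN packets quoted in the post (wrapped lines joined).
DENIED = """\
15:09:58.654613 IP w.x.y.z.11215 > 213.180.193.14.80: Flags [F.], seq 3948689318, ack 1903284725, ...
15:09:59.158612 IP w.x.y.z.11215 > 213.180.193.14.80: Flags [F.], seq 0, ack 1, ...
15:09:59.222114 IP 213.180.193.14.80 > w.x.y.z.11215: Flags [F.], seq 1, ack 0, ...
15:09:59.966611 IP w.x.y.z.11215 > 213.180.193.14.80: Flags [F.], seq 0, ack 1, ...
15:51:43.244361 IP 128.42.169.34.80 > w.x.y.z.13876: Flags [F.], seq 3534903525, ack 108808080, ...
15:51:49.418317 IP 128.42.169.34.80 > w.x.y.z.13876: Flags [F.], seq 0, ack 1, ...
15:58:47.664606 IP w.x.y.z.32748 > 195.91.160.36.80: Flags [F.], seq 3277652538, ack 2683877393, ...
15:58:49.106924 IP 195.91.160.36.80 > w.x.y.z.32748: Flags [F.], seq 1, ack 0, ...
"""

LINE = re.compile(r"^(\d+):(\d+):(\d+\.\d+) IP (\S+) > (\S+): Flags \[([^\]]*)\]")


def parse(line):
    """Return timestamp (seconds since midnight), endpoints and TCP flags, or None."""
    m = LINE.match(line)
    if not m:
        return None
    h, mi, s = int(m.group(1)), int(m.group(2)), float(m.group(3))
    return {"t": h * 3600 + mi * 60 + s, "src": m.group(4),
            "dst": m.group(5), "flags": m.group(6)}


def fin_gaps(text):
    """Per connection (unordered endpoint pair): seconds between the first
    and the last denied packet carrying a FIN."""
    first, last = {}, {}
    for line in text.splitlines():
        p = parse(line)
        if not p or "F" not in p["flags"]:
            continue
        key = tuple(sorted((p["src"], p["dst"])))
        first.setdefault(key, p["t"])
        last[key] = p["t"]
    return {k: round(last[k] - first[k], 3) for k in first}


def exceeds_lifetime(text, dyn_fin_lifetime):
    """Connections whose denied FIN traffic spans longer than dyn_fin_lifetime:
    late or retransmitted FINs that a dynamic rule with that lifetime would
    already have forgotten."""
    return {k: g for k, g in fin_gaps(text).items() if g > dyn_fin_lifetime}
```

With the post's values, every connection exceeds the default lifetime of 1 s, while only the 128.42.169.34 connection (about 6.2 s of FIN traffic) still exceeds the raised value of 4 s.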

