cswiger at mac.com
Mon Feb 26 16:40:26 UTC 2007
Grant Peel wrote:
[ ... ]
> sysctl net.inet.ip.fw.dyn_keepalive=0
> and in about 10 minutes all FIN_WAIT_2s disappear (well, almost all).
> I expect it virtually shut down dynamic rules too in ipfw, but I have
> been reading more and more that people are saying don't use dynamics on
> a busy site. Anyone care to comment?
That's some interesting feedback. There's probably another tunable for how
long IPFW dynamic rules are supposed to persist by default.
In answer to your closing remark, I would attempt to configure static rules
for known-permitted services, especially the most commonly used ones, and rely
on dynamic rules only for ad-hoc internal traffic, and not for inbound client
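As an added example (not part of the thread, and not anyone's production ruleset), the following script builds an ipfw ruleset along the lines of the reply above: static rules for the known-permitted inbound services, and keep-state only for connections the host itself originates, so inbound clients never populate the dynamic table. It also sets the stock dynamic-rule lifetime sysctls, including the one that governs half-closed (FIN_WAIT_2) entries. The interface name em0, the port list and the lifetime values are assumptions for illustration; by default the script only prints the commands (dry run).

```shell
#!/bin/sh
# Added example, not from the original thread. Static inbound rules plus
# keep-state restricted to outbound traffic. Assumptions (hypothetical):
# public interface em0; services exposed statically are 22, 80 and 443.
# Dry run prints the commands; run with FWCMD=/sbin/ipfw SYSCTL=/sbin/sysctl
# to apply them for real.

: "${FWCMD:=echo ipfw}"
: "${SYSCTL:=echo sysctl}"
OIF="em0"
STATIC_TCP_PORTS="22 80 443"

# Lifetimes (seconds) of dynamic rules. These are the stock FreeBSD
# net.inet.ip.fw.dyn_* tunables; the values chosen here are illustrative.
tune_dynamic_rules() {
    # A half-closed connection (the FIN_WAIT_2 case in the thread) is kept
    # in the dynamic table for dyn_fin_lifetime seconds after the FIN.
    $SYSCTL net.inet.ip.fw.dyn_fin_lifetime=1
    # Idle established connections expire after dyn_ack_lifetime seconds.
    $SYSCTL net.inet.ip.fw.dyn_ack_lifetime=300
    # Do not send keepalives to prolong dynamic rules.
    $SYSCTL net.inet.ip.fw.dyn_keepalive=0
}

gen_rules() {
    $FWCMD -q flush
    # Loopback housekeeping.
    $FWCMD add 100 allow ip from any to any via lo0
    $FWCMD add 200 deny ip from any to 127.0.0.0/8
    $FWCMD add 300 deny ip from 127.0.0.0/8 to any
    # Inbound: one static rule per known service. "setup" matches only the
    # initial SYN, so no dynamic rule is created per client.
    n=1000
    for p in $STATIC_TCP_PORTS; do
        $FWCMD add $n allow tcp from any to me $p in via $OIF setup
        n=$((n + 10))
    done
    # Stateless follow-up: any segment with ACK or RST set is allowed.
    # This is the price of not keeping inbound state.
    $FWCMD add 2000 allow tcp from any to any established
    # Outbound: only connections this host starts get dynamic state;
    # check-state admits their return traffic.
    $FWCMD add 3000 check-state
    $FWCMD add 3100 allow tcp from me to any out via $OIF setup keep-state
    $FWCMD add 3200 allow udp from me to any out via $OIF keep-state
    $FWCMD add 3300 allow icmp from any to any icmptypes 0,3,8,11
    # Everything else is dropped and logged.
    $FWCMD add 65000 deny log ip from any to any
}

tune_dynamic_rules
gen_rules
```

The "established" rule is what makes the inbound side stateless: it trusts any TCP segment carrying ACK or RST, which is weaker than per-connection state but keeps the dynamic table small on a busy host. Only the host's own outbound connections consume dyn_count entries, so dyn_max is not exhausted by remote clients.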