Proper Port Forwarding

Dan Nelson dnelson at allantgroup.com
Wed Jun 6 18:50:26 UTC 2012


In the last episode (Jun 06), Michael Sierchio said:
> On Wed, Jun 6, 2012 at 11:31 AM, Simon <simon at optinet.com> wrote:
> 
> > This easily causes DoS for when too many FIN_WAIT_2 are created and IPFW
> > stops forwarding using the rule above because of "too many dynamic
> > rules"
> 
> Change the defaults for the fw.dyn sysctl MIB nodes
> 
> to something like
> 
> net.inet.ip.fw.dyn_short_lifetime=3
> net.inet.ip.fw.dyn_udp_lifetime=3
> net.inet.ip.fw.dyn_rst_lifetime=1
> net.inet.ip.fw.dyn_fin_lifetime=1
> net.inet.ip.fw.dyn_syn_lifetime=10

Or raise net.inet.ip.fw.dyn_max to a larger number.  The default 4096 may be
too small.

-- 
	Dan Nelson
	dnelson at allantgroup.com
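The thread's advice boils down to one number: dynamic rules in use versus net.inet.ip.fw.dyn_max. The script below is an added example, not code from the thread or from FreeBSD; it reads the real IPFW sysctls dyn_count and dyn_max with `sysctl -n` on a FreeBSD host and, where they are unavailable, falls back to constructed sample values so the check itself can still be exercised. The helper names and the 90% warning threshold are my own choices.

```sh
#!/bin/sh
# Added example: report how close IPFW's dynamic-rule table is to
# net.inet.ip.fw.dyn_max, the limit behind "too many dynamic rules".
# Assumes FreeBSD 'sysctl -n'; dyn_count and dyn_max are real IPFW MIB names.

# headroom_pct COUNT MAX -> prints the integer percentage of the table in use.
headroom_pct() {
    count=$1; max=$2
    [ "$max" -gt 0 ] 2>/dev/null || { echo "dyn_max must be positive" >&2; return 1; }
    echo $(( count * 100 / max ))
}

# dyn_status COUNT MAX WARN_PCT -> prints OK/WARN; returns 0 when below the
# threshold, 1 when at or above it (so it can drive a cron or monitoring alert).
dyn_status() {
    pct=$(headroom_pct "$1" "$2") || return 2
    if [ "$pct" -ge "$3" ]; then
        echo "WARN: $1/$2 dynamic rules in use (${pct}%);" \
             "raise net.inet.ip.fw.dyn_max or shorten the dyn_*_lifetime values"
        return 1
    fi
    echo "OK: $1/$2 dynamic rules in use (${pct}%)"
    return 0
}

# Live check on FreeBSD; elsewhere the sysctl lookups fail and constructed
# sample values (hypothetical, 1200 of the default 4096) are used instead.
main() {
    count=$(sysctl -n net.inet.ip.fw.dyn_count 2>/dev/null)
    max=$(sysctl -n net.inet.ip.fw.dyn_max 2>/dev/null)
    if [ -z "$count" ] || [ -z "$max" ]; then
        echo "ipfw sysctls unavailable; using constructed sample values" >&2
        count=1200; max=4096
    fi
    dyn_status "$count" "$max" "${1:-90}"
}

main "$@"
```

The exit status of `main` is 1 when the table is at or above the threshold, so the script can be dropped into a periodic job that alerts before forwarding silently stops.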


More information about the freebsd-questions mailing list