Proper Port Forwarding

Ian Smith smithi at nimnet.asn.au
Thu Jun 7 16:25:34 UTC 2012


In freebsd-questions Digest, Vol 418, Issue 10, Message: 7
On Wed, 06 Jun 2012 14:31:24 -0400 "Simon" <simon at optinet.com> wrote:

 > Can someone suggest an alternative/proper way to port forward using ipfw. Right
 > now I have the following and some bad clients cause too many FIN_WAIT_2 states
 > 
 > fwd IP,PORT2 tcp from any to me dst-port PORT1 keep-state
 > 
 > This easily causes DoS for when too many FIN_WAIT_2 are created and IPFW
 > stops forwarding using the rule above because of "too many dynamic rules"

Michael's and Dan's suggestions of adjusting sysctl net.inet.ip.fw.dyn* 
variables are good; consider also using 'limit' instead of 'keep-state', 
which works the same except limiting the number of open connections to a 
specified number.  See ipfw(8) /limit and /EXAMPLES for more, but eg:

 fwd IP,PORT2 tcp from any to me dst-port PORT1 limit src-addr 9

to prevent any one source address opening more than 9 connections, or

 fwd IP,PORT2 tcp from any to me dst-port PORT1 limit dst-port 42

to limit total open connections by everyone to dst-port PORT1 to 42.

cheers, Ian
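The difference between plain keep-state and the two limit forms above can be seen in a small model of the dynamic rule table. This is an added illustration, not code from the thread or from ipfw: it keeps a table capped at a constructed dyn_max of 100 entries, never expires entries (so the dyn_*_lifetime sysctls are ignored, the worst case for flows stuck in FIN_WAIT_2), and uses constructed client addresses, ports and connection counts. The limit clause is modelled the way ipfw(8) describes it: a new flow whose key already has N open entries is dropped rather than installed.

```python
# Added illustration of keep-state versus "limit <key> N" on ipfw's dynamic
# rule table. Simplified model, not ipfw's code: entries are never expired
# (dyn_*_lifetime ignored), and dyn_max, addresses, ports and counts are
# constructed sample values.
from collections import defaultdict


class DynTable:
    """Dynamic rule table with an optional 'limit <key> N' constraint."""

    def __init__(self, dyn_max, limit=None):
        # limit is None (plain keep-state) or a (key, n) pair such as
        # ("src-addr", 9) or ("dst-port", 42), mirroring the ipfw syntax
        self.dyn_max = dyn_max
        self.limit = limit
        self.entries = {}              # (src, sport, dport) -> state
        self.per_key = defaultdict(int)
        self.refused = 0               # "too many dynamic rules"
        self.limit_drops = 0           # packets dropped by the limit clause

    def _key(self, src, dport):
        kind, _ = self.limit
        return src if kind == "src-addr" else dport

    def open_conn(self, src, sport, dport):
        """Install a dynamic entry for a new flow; return False if it is dropped."""
        flow = (src, sport, dport)
        if flow in self.entries:
            return True
        if self.limit is not None:
            # limit clause: refuse the packet once the key has N open entries
            if self.per_key[self._key(src, dport)] >= self.limit[1]:
                self.limit_drops += 1
                return False
        if len(self.entries) >= self.dyn_max:
            # table full: new flows are no longer forwarded at all
            self.refused += 1
            return False
        self.entries[flow] = "ESTABLISHED"
        if self.limit is not None:
            self.per_key[self._key(src, dport)] += 1
        return True

    def half_close(self, src, sport, dport):
        """Client sent its FIN but the far side never finishes: entry lingers."""
        if (src, sport, dport) in self.entries:
            self.entries[(src, sport, dport)] = "FIN_WAIT_2"


def simulate(limit=None, dyn_max=100, bad_clients=3, stale_per_client=60, port1=80):
    """Misbehaving clients leave flows half-closed, then one normal client connects."""
    table = DynTable(dyn_max, limit)
    for i in range(bad_clients):
        src = "198.51.100.%d" % (i + 1)          # constructed, RFC 5737 documentation range
        for sport in range(40000, 40000 + stale_per_client):
            if table.open_conn(src, sport, port1):
                table.half_close(src, sport, port1)
    good_ok = table.open_conn("203.0.113.7", 51000, port1)   # constructed address
    return {
        "entries": len(table.entries),
        "refused": table.refused,
        "limit_drops": table.limit_drops,
        "good_client_ok": good_ok,
    }


if __name__ == "__main__":
    for name, lim in (("keep-state", None),
                      ("limit src-addr 9", ("src-addr", 9)),
                      ("limit dst-port 42", ("dst-port", 42))):
        print("%-18s %s" % (name, simulate(lim)))
```

With plain keep-state the three stale clients fill all 100 entries and the well-behaved client is refused with "too many dynamic rules". With limit src-addr 9 each bad client is capped at 9 entries, the table stays at 28 and the good client gets through. limit dst-port 42 also keeps the table small, but because the cap is shared by everyone on that port the stale clients consume all 42 slots and the good client is still dropped; the per-source form is the one that isolates bad clients from good ones.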
