Proper Port Forwarding
Ian Smith
smithi at nimnet.asn.au
Thu Jun 7 16:25:34 UTC 2012
In freebsd-questions Digest, Vol 418, Issue 10, Message: 7
On Wed, 06 Jun 2012 14:31:24 -0400 "Simon" <simon at optinet.com> wrote:
> Can someone suggest an alternative/proper way to port forward using ipfw. Right
> now I have the following, and some bad clients cause too many FIN_WAIT_2 states:
>
> fwd IP,PORT2 tcp from any to me dst-port PORT1 keep-state
>
> This easily causes a DoS when too many FIN_WAIT_2 states are created and IPFW
> stops forwarding using the rule above because of "too many dynamic rules".
Michael's and Dan's suggestions of adjusting the sysctl net.inet.ip.fw.dyn*
variables are good; consider also using 'limit' instead of 'keep-state',
which works the same except that it limits the number of open connections to a
specified number. See ipfw(8) /limit and /EXAMPLES for more, but e.g.:
fwd IP,PORT2 tcp from any to me dst-port PORT1 limit src-addr 9
to prevent any one source address opening more than 9 connections, or
fwd IP,PORT2 tcp from any to me dst-port PORT1 limit dst-port 42
to limit total open connections by everyone to dst-port PORT1 to 42.
cheers, Ian
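An added example, not part of the original thread or of ipfw itself: before choosing a 'limit' count or raising net.inet.ip.fw.dyn_max, it helps to see who actually holds the dynamic rules. The script below parses text in the shape that `ipfw -d list` prints for dynamic rules (parent rule number, packets, bytes, seconds left in parentheses, a STATE/LIMIT tag, protocol, and src/sport <-> dst/dport), counts entries per source address and per destination port, and reports sources that exceed a per-source ceiling (the ones a 'limit src-addr N' clause would have refused) and how much headroom remains under dyn_max. The sample lines are constructed, the rule number 100, the ceiling of 2 and the dyn_max of 8 are assumptions for illustration, and the column layout is assumed from the format described above rather than taken from the list post.

```python
import re
from collections import Counter

# Constructed sample in the shape of `ipfw -d list` dynamic-rule output
# (not captured from a real host). Rule 100 is assumed to be the fwd rule
# from the thread; the UDP entry on rule 200 is there to show filtering.
SAMPLE = """\
## Dynamic rules (6 1024):
00100     310     27324 (299s) STATE tcp 203.0.113.7 49301 <-> 192.0.2.10 8080
00100      12       960 (2s) STATE tcp 203.0.113.7 49302 <-> 192.0.2.10 8080
00100       9       720 (1s) STATE tcp 203.0.113.7 49303 <-> 192.0.2.10 8080
00100      40      3200 (150s) STATE tcp 198.51.100.4 40000 <-> 192.0.2.10 8080
00200       3       240 (20s) STATE udp 198.51.100.9 5353 <-> 192.0.2.10 53
00100       1        60 (1s) LIMIT tcp 203.0.113.9 50001 <-> 192.0.2.10 8080
"""

# One dynamic-rule line: rule pkts bytes (ttl s) TAG proto src sport <-> dst dport
DYN_RE = re.compile(
    r"^(?P<rule>\d+)\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+\((?P<ttl>\d+)s\)\s+"
    r"(?P<tag>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\d+)\s+<->\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\d+)\s*$"
)


def parse_dynamic_rules(text):
    """Return one dict per dynamic-rule line; the '## Dynamic rules' header,
    blank lines and anything that does not match the layout are skipped."""
    rules = []
    for line in text.splitlines():
        m = DYN_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        for key in ("rule", "pkts", "bytes", "ttl", "sport", "dport"):
            d[key] = int(d[key])
        rules.append(d)
    return rules


def per_source(rules, rule_no=None, proto="tcp"):
    """Count dynamic entries per source address, optionally restricted to
    the entries spawned by one parent rule (the fwd rule in the thread)."""
    counts = Counter()
    for r in rules:
        if r["proto"] != proto:
            continue
        if rule_no is not None and r["rule"] != rule_no:
            continue
        counts[r["src"]] += 1
    return counts


def per_dport(rules, proto="tcp"):
    """Count dynamic entries per destination port; this is the total that a
    'limit dst-port N' clause caps for each forwarded service."""
    counts = Counter()
    for r in rules:
        if r["proto"] == proto:
            counts[r["dport"]] += 1
    return counts


def offenders(rules, rule_no, max_per_src):
    """Sources holding more than max_per_src entries under rule_no, i.e. the
    clients a 'limit src-addr max_per_src' clause would already be refusing."""
    return {src: n for src, n in per_source(rules, rule_no).items() if n > max_per_src}


def headroom(rules, dyn_max):
    """Dynamic-rule slots still free under net.inet.ip.fw.dyn_max (value assumed);
    zero or negative means new connections will hit 'too many dynamic rules'."""
    return dyn_max - len(rules)


if __name__ == "__main__":
    rules = parse_dynamic_rules(SAMPLE)
    print("entries per source on rule 100:", dict(per_source(rules, 100)))
    print("entries per dst-port:", dict(per_dport(rules)))
    print("over a per-source ceiling of 2:", offenders(rules, 100, 2))
    print("free slots with dyn_max=8:", headroom(rules, 8))
```

On a live host the same functions can be fed `subprocess.check_output(["ipfw", "-d", "list"], text=True)` instead of SAMPLE; the short time-left values (the "(1s)" and "(2s)" entries above) are the states about to expire, which is the population the dyn_*_lifetime knobs control, while the per-source counts show which clients a 'limit src-addr' rule would have stopped.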