ipfw: Too many dynamic rules
Gareth de Vaux
bsd at lordcow.org
Fri Sep 10 11:49:23 UTC 2010
On Thu 2010-09-09 (09:20), Jeremy Chadwick wrote:
> Secondly, I'm fairly certain HTTP KeepAlive (re: KeepAliveTimeout) are
> unrelated to TCP keepalives[1]. I mention this because you're focusing
> on netstat, which will give you indication of TCP session state, not
> HTTP protocol statefulness.
Gotcha
> Thirdly, if you feel FIN_WAIT2 is the cause of your problem, then you
> should consider adjusting the following sysctl:
>
> net.inet.tcp.finwait2_timeout
>
> Try something like 15000 (15 seconds) instead of the default (60000).
Ok that seems to be doing something. Will report back later.
> Finally, why are you using dynamic firewall rules at all?
So that I can identify legitimate(ish) traffic and drop the rest.
> For what purpose do you need these that, say, pf and its state
> tracking would not suffice?
I haven't used pf. I started with ipfw and it's done the trick so far.
What's the difference between pf and ipfw's state tracking in this
respect?
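The thread turns on a diagnosis step: before lowering net.inet.tcp.finwait2_timeout, check whether FIN_WAIT_2 sessions really dominate the TCP state table, and compare ipfw's dynamic-rule count against its limit. The script below is an added example, not code from either poster; it parses a constructed sample of FreeBSD `netstat -an` output (embedded inline) and only lists, in comments, the live commands one would run on the box. The sysctl names net.inet.ip.fw.dyn_count and net.inet.ip.fw.dyn_max are the standard ipfw counters, not something from this thread.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): summarise TCP session
# states from `netstat -an` output so the FIN_WAIT_2 share can be judged
# before changing net.inet.tcp.finwait2_timeout.
#
# On a live FreeBSD host the inputs would come from:
#   netstat -an -p tcp | state_summary
#   sysctl net.inet.tcp.finwait2_timeout          # default 60000 ms
#   sysctl net.inet.ip.fw.dyn_count net.inet.ip.fw.dyn_max
# "Too many dynamic rules" is logged once dyn_count reaches dyn_max.

# Constructed sample standing in for `netstat -an -p tcp` (not real traffic).
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 192.0.2.10.80          198.51.100.7.51234     FIN_WAIT_2
tcp4       0      0 192.0.2.10.80          198.51.100.8.40001     FIN_WAIT_2
tcp4       0      0 192.0.2.10.80          198.51.100.9.40002     ESTABLISHED
tcp4       0      0 192.0.2.10.80          203.0.113.4.55555      FIN_WAIT_2
tcp4       0      0 192.0.2.10.22          203.0.113.5.55556      ESTABLISHED
tcp4       0      0 *.80                   *.*                    LISTEN'

# count_state STATE  (netstat output on stdin): sessions currently in STATE.
# Only lines whose first field starts with "tcp" are counted, so the header
# lines are skipped; the state is always the last field.
count_state() {
    awk -v want="$1" '$1 ~ /^tcp/ && $NF == want { n++ } END { print n+0 }'
}

# state_summary (stdin): one "STATE count" line per state, most common first.
state_summary() {
    awk '$1 ~ /^tcp/ { n[$NF]++ } END { for (s in n) print s, n[s] }' \
        | sort -k2 -nr
}

# finwait2_share (stdin): integer percentage of non-LISTEN sessions that sit
# in FIN_WAIT_2. A high value is the signal that a shorter finwait2_timeout
# (and/or ipfw dynamic-rule lifetimes) is worth tuning; a low value means the
# dynamic-rule exhaustion has some other cause.
finwait2_share() {
    awk '$1 ~ /^tcp/ && $NF != "LISTEN" { total++; if ($NF == "FIN_WAIT_2") fw++ }
         END { printf "%d\n", (total ? 100 * fw / total : 0) }'
}

# Demo run against the constructed sample.
printf '%s\n' "$SAMPLE_NETSTAT" | state_summary
printf 'FIN_WAIT_2 share of open sessions: %s%%\n' \
    "$(printf '%s\n' "$SAMPLE_NETSTAT" | finwait2_share)"
```

Pipe real `netstat -an -p tcp` output into `state_summary` or `finwait2_share` instead of the sample; the functions only look at the first and last whitespace-separated fields, so they are indifferent to address formatting.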
More information about the freebsd-stable mailing list