Stateful IPFW - too many connections in FIN_WAIT_2 or LAST_ACK states
Michael Sierchio
kudzu at tenebras.com
Tue Apr 17 19:58:55 UTC 2012
On Tue, Apr 17, 2012 at 12:48 PM, Kevin Oberman <kob6558 at gmail.com> wrote:
>
> But I do have to ask why you find stateful rules for outgoing TCP
> connections desirable? Why not:
> 00101 allow tcp from me to any established
>
It's useful and appropriate to have outbound connections be stateful.
It's not a good idea to have inbound connections stateful, as it makes it
easy to fill up the state table.
To the OP:
Look at the kernel tunables:
net.inet.ip.fw.dyn_rst_lifetime
net.inet.ip.fw.dyn_fin_lifetime
net.inet.ip.fw.dyn_syn_lifetime
net.inet.ip.fw.dyn_ack_lifetime
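As an added illustration of the two points above (this is not code from Michael's message or from FreeBSD, and the rule numbers, service ports and the lowered dyn_ack_lifetime are assumptions), here is a small sh script that emits the weak ruleset, where inbound services also create dynamic state, next to the recommended one, where only outbound TCP is stateful and inbound is handled with setup/established, together with sysctl.conf lines for the four lifetimes:

```shell
#!/bin/sh
# Added example, not from the thread: keep outbound TCP stateful, make inbound
# TCP stateless, and set the ipfw dynamic-rule lifetimes.
# Rule numbers, service ports and the lifetime values below are assumptions.

# Lifetimes (seconds) for ipfw dynamic rules. Per ipfw(8) the lifetime is kept
# short during the SYN exchange (dyn_syn_lifetime), raised once both SYNs have
# been seen (dyn_ack_lifetime), and dropped again on FIN or RST
# (dyn_fin_lifetime / dyn_rst_lifetime). The stock defaults are
# syn=20 ack=300 fin=1 rst=1; ack is lowered here as an assumed tuning.
DYN_SYN_LIFETIME=${DYN_SYN_LIFETIME:-20}
DYN_ACK_LIFETIME=${DYN_ACK_LIFETIME:-120}
DYN_FIN_LIFETIME=${DYN_FIN_LIFETIME:-1}
DYN_RST_LIFETIME=${DYN_RST_LIFETIME:-1}

# sysctl.conf style lines for the four tunables named in the message.
sysctl_lines() {
    printf 'net.inet.ip.fw.dyn_syn_lifetime=%s\n' "$DYN_SYN_LIFETIME"
    printf 'net.inet.ip.fw.dyn_ack_lifetime=%s\n' "$DYN_ACK_LIFETIME"
    printf 'net.inet.ip.fw.dyn_fin_lifetime=%s\n' "$DYN_FIN_LIFETIME"
    printf 'net.inet.ip.fw.dyn_rst_lifetime=%s\n' "$DYN_RST_LIFETIME"
}

# Weak variant: every inbound SYN to a listening service creates a dynamic
# rule, so any remote peer can grow the state table at will.
ruleset_inbound_stateful() {
    cat <<'EOF'
add 00100 check-state
add 00110 allow tcp from me to any setup keep-state
add 00200 allow tcp from any to me dst-port 22,80,443 setup keep-state
add 65000 deny ip from any to any
EOF
}

# Recommended variant: outbound stays stateful, inbound services are opened
# statelessly (setup for the handshake, established for the rest), so flows
# driven by a remote peer create no firewall state and unsolicited ACKs are
# left to the host TCP stack to reject.
ruleset_recommended() {
    cat <<'EOF'
add 00100 check-state
add 00110 allow tcp from me to any setup keep-state
add 00200 allow tcp from any to me dst-port 22,80,443 setup
add 00210 allow tcp from any to me established
add 65000 deny ip from any to any
EOF
}

# On a FreeBSD host with ipfw, as root: set the lifetimes and append the
# recommended rules (no flush is done, so existing rules are kept).
# Anywhere else just print what would be applied.
apply() {
    if command -v ipfw >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        sysctl_lines | while IFS= read -r line; do sysctl "$line"; done
        ruleset_recommended | ipfw -q /dev/stdin
    else
        sysctl_lines
        ruleset_recommended
    fi
}

# usage: sh ipfw-tune.sh        -> print the sysctls and rules (dry run)
#        sh ipfw-tune.sh apply  -> load them (FreeBSD, root)
case "${1:-show}" in
    apply) apply ;;
    show)  sysctl_lines; ruleset_recommended ;;
esac
```

Note that the recommended ruleset keeps exactly one keep-state rule, the outbound one, so the only way to add entries to the dynamic table is for a local process to open a connection; the lifetimes then decide how quickly those entries age out.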