Chuck Swiger cswiger at mac.com
Mon Feb 26 16:40:26 UTC 2007

Grant Peel wrote:
[ ... ]
> sysctl net.inet.ip.fw.dyn_keepalive=0
> and in about 10 minutes all FIN_WAIT_2's disappear. (well almost all).
> I expect it virtually shut down dynamic rules too in ipfw, but I have 
> been reading more and more that people are saying don't use dynamics on 
> a busy site. Anyone care to comment.

That's some interesting feedback.  There's probably another tunable for how 
long IPFW dynamic rules are supposed to persist by default.

In answer to your closing remark, I would attempt to configure static rules 
for known-permitted services, especially the most commonly used ones, and rely 
on dynamic rules only for ad-hoc internal traffic, and not for inbound client 
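An ipfw ruleset laid out the way the reply suggests, as an added example that is not from the thread: static rules carry the known-permitted inbound services, and keep-state is used only for traffic that starts on the inside. The interface name, internal network and service ports are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): static rules for the published services,
# dynamic (keep-state) rules only for connections originating inside.
# OIF, LAN and SERVICES are assumptions chosen for illustration.
OIF="${OIF:-em0}"                      # external interface (assumption)
LAN="${LAN:-192.168.1.0/24}"           # internal network behind the host (assumption)
SERVICES="${SERVICES:-22 25 80 443}"   # TCP ports served to the Internet (assumption)

ipfw_ruleset() {
    echo "flush"
    echo "add 100 allow ip from any to any via lo0"
    # Match packets against existing dynamic state before anything else
    echo "add 200 check-state"
    # Static, stateless pairs per service: inbound to the port, replies out from it.
    # Neither direction creates a dynamic entry, however many clients connect.
    n=300
    for port in $SERVICES; do
        echo "add $n allow tcp from any to me $port in via $OIF"
        n=$((n + 10))
        echo "add $n allow tcp from me $port to any out via $OIF"
        n=$((n + 10))
    done
    # Dynamic rules only for connections that start on the inside; 'setup' means
    # a TCP entry is created by the initial SYN only, not by stray packets.
    echo "add 1000 allow tcp from $LAN to any out via $OIF setup keep-state"
    echo "add 1010 allow udp from $LAN to any out via $OIF keep-state"
    echo "add 1020 allow tcp from me to any out via $OIF setup keep-state"
    echo "add 1030 allow udp from me to any out via $OIF keep-state"
    # Everything else is dropped and logged
    echo "add 65000 deny log ip from any to any"
}

# Number of rules able to create dynamic state; useful when sizing dyn_max
keep_state_rules() {
    ipfw_ruleset | grep -c 'keep-state'
}

# 'apply' loads the ruleset with ipfw (root, FreeBSD); anything else just prints it
case "${1:-show}" in
    apply) f=$(mktemp) && ipfw_ruleset > "$f" && ipfw -q -f "$f"; rm -f "$f" ;;
    *)     ipfw_ruleset ;;
esac
```

Alongside net.inet.ip.fw.dyn_keepalive, the dyn_*_lifetime sysctls under net.inet.ip.fw (documented in ipfw(8)) set how long each kind of dynamic entry persists.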
