ipfw: Too many dynamic rules

Gareth de Vaux bsd at lordcow.org
Fri Sep 10 11:49:23 UTC 2010

On Thu 2010-09-09 (09:20), Jeremy Chadwick wrote:
> Secondly, I'm fairly certain HTTP KeepAlive (re: KeepAliveTimeout) are
> unrelated to TCP keepalives[1].  I mention this because you're focusing
> on netstat, which will give you indication of TCP session state, not
> HTTP protocol statefulness.

> Thirdly, if you feel FIN_WAIT2 is the cause of your problem, then you
> should consider adjusting the following sysctl:
> net.inet.tcp.finwait2_timeout
> Try something like 15000 (15 seconds) instead of the default (60000).

Ok that seems to be doing something. Will report back later.

> Finally, why are you using dynamic firewall rules at all?

So that I can identify legitimate(ish) traffic and drop the rest.

> For what purpose do you need these that, say, pf and its state
> tracking would not suffice?

I haven't used pf. I started with ipfw and it's done the trick so far.
What's the difference between pf and ipfw's state tracking in this


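Since the thread leans on netstat to judge whether FIN_WAIT_2 sockets are what is filling the ipfw dynamic-rule table, here is a small state tally to run that check. It is an added example, not code from either poster; the netstat lines are constructed in FreeBSD `netstat -an -p tcp` layout, and the sysctl names in the comments are the stock FreeBSD knobs (net.inet.tcp.finwait2_timeout, net.inet.ip.fw.dyn_count, net.inet.ip.fw.dyn_max), shown for reference rather than executed here.

```shell
#!/bin/sh
# Tally TCP socket states from netstat output and report how much of the
# connection table is sitting in FIN_WAIT_2. Added example; the sample
# below is constructed, not captured from the poster's machine.

SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 192.0.2.10.80          198.51.100.7.51234     ESTABLISHED
tcp4       0      0 192.0.2.10.80          198.51.100.8.51235     FIN_WAIT_2
tcp4       0      0 192.0.2.10.80          198.51.100.9.51236     FIN_WAIT_2
tcp4       0      0 192.0.2.10.80          198.51.100.10.51237    TIME_WAIT
tcp4       0      0 192.0.2.10.443         198.51.100.11.51238    FIN_WAIT_2
tcp4       0      0 *.80                   *.*                    LISTEN'

# count_state STATE: number of tcp sockets in STATE, netstat output on stdin.
# Only tcp* lines are considered, so the two header lines are ignored.
count_state() {
    awk -v s="$1" '$1 ~ /^tcp/ && $NF == s { n++ } END { print n+0 }'
}

# tally_states: every state seen with its count, most frequent first.
tally_states() {
    awk '$1 ~ /^tcp/ { c[$NF]++ } END { for (s in c) printf "%6d %s\n", c[s], s }' \
        | sort -rn
}

# finwait2_percent: integer share of non-listening sockets in FIN_WAIT_2.
# A high share is the signal that lowering finwait2_timeout will actually
# free dynamic rules; a low share means the rule table is filling elsewhere.
finwait2_percent() {
    awk '$1 ~ /^tcp/ && $NF != "LISTEN" { total++; if ($NF == "FIN_WAIT_2") fw++ }
         END { if (total == 0) print 0; else printf "%d\n", 100 * fw / total }'
}

# On the FreeBSD host itself (not run here) the knobs discussed in the thread:
#   sysctl net.inet.tcp.finwait2_timeout            # default 60000 (ms)
#   sysctl net.inet.tcp.finwait2_timeout=15000      # the suggested 15 s
#   sysctl net.inet.ip.fw.dyn_count net.inet.ip.fw.dyn_max   # dynamic rules in use vs cap
# Live use: netstat -an -p tcp | finwait2_percent

printf '%s\n' "$SAMPLE_NETSTAT" | tally_states
printf 'FIN_WAIT_2 share: %s%%\n' "$(printf '%s\n' "$SAMPLE_NETSTAT" | finwait2_percent)"
```

Pipe real `netstat -an -p tcp` output into `finwait2_percent` before and after changing the sysctl; if the share barely moves while `net.inet.ip.fw.dyn_count` still climbs toward `dyn_max`, the dynamic rules are being held by something other than FIN_WAIT_2 sockets.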