ipfw: Too many dynamic rules

Gareth de Vaux bsd at lordcow.org
Wed Sep 15 14:24:28 UTC 2010

On Tue 2010-09-14 (13:54), Gareth de Vaux wrote:
> On Tue 2010-09-14 (04:30), Jeremy Chadwick wrote:
> > Regarding net.inet.tcp.finwait2_timeout=15000 -- you don't see any
> > improvement at all?  That's a bit strange.  There's probably something
> If there was an improvement it was subtle (I was doing sporadic
> measurements), just that in the end my firewall was getting overloaded
> either way.

Yeah looks like a bit of an improvement but I also wasn't controlling for
end user usage so can't say for sure without rerunning.

Setting net.inet.tcp.fast_finwait2_recycle=1 though seems to have done the
trick, thanx. This is now typical:

$ netstat -n | grep -c FIN_WAIT_2

and my server still seems to be serving.

More information about the freebsd-stable mailing list