Date: Wed, 2 Nov 2011 09:56:42 -0700 (PDT)
From: Tim Gustafson <tjg@soe.ucsc.edu>
To: Michael Sierchio <kudzu@tenebras.com>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: IPFW Problems
Message-ID: <1475430265.24464.1320253002379.JavaMail.root@mail-01.cse.ucsc.edu>
In-Reply-To: <CAHu1Y71WUyONR5ACurNNZVctdvj3s3a5ng6KfvFeAdMaYEep=Q@mail.gmail.com>
> You may want to tweak the sysctl items that control the lifespan
> of dynamic rules.
>
> sysctl net.inet.ip.fw
>
> in particular, the default value of net.inet.ip.fw.dyn_ack_lifetime
> is probably way too long for your purposes.

Here's what I have right now:

root@bsd-02: sysctl net.inet.ip.fw
net.inet.ip.fw.static_count: 48
net.inet.ip.fw.default_to_accept: 0
net.inet.ip.fw.tables_max: 128
net.inet.ip.fw.default_rule: 65535
net.inet.ip.fw.verbose_limit: 0
net.inet.ip.fw.verbose: 0
net.inet.ip.fw.autoinc_step: 100
net.inet.ip.fw.one_pass: 1
net.inet.ip.fw.enable: 1
net.inet.ip.fw.dyn_keepalive: 1
net.inet.ip.fw.dyn_short_lifetime: 5
net.inet.ip.fw.dyn_udp_lifetime: 10
net.inet.ip.fw.dyn_rst_lifetime: 1
net.inet.ip.fw.dyn_fin_lifetime: 1
net.inet.ip.fw.dyn_syn_lifetime: 20
net.inet.ip.fw.dyn_ack_lifetime: 300
net.inet.ip.fw.dyn_max: 32768
net.inet.ip.fw.dyn_count: 805
net.inet.ip.fw.curr_dyn_buckets: 256
net.inet.ip.fw.dyn_buckets: 256

I'm assuming that's in seconds. Is 300 seconds too long? It seems like the dynamic rules are hanging around for hours or days, and I think the timeout is getting reset by the fact that the system is constantly sending out ACK packets to clients that aren't acknowledging them.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Tim Gustafson                 tjg@soe.ucsc.edu
Baskin School of Engineering  831-459-5354
UC Santa Cruz                 Baskin Engineering 317B
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
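As an added example, not code from the thread or from the ipfw project: a Python script that parses the `sysctl net.inet.ip.fw` dump quoted above and reports which lifetime applies to a dynamic rule in each connection state and how full the state table is. The state-to-sysctl mapping follows ipfw(8); the 60-second idle policy threshold and the `audit` function are assumptions for illustration.

```python
"""Summarise the ipfw dynamic-rule (stateful) lifetime settings from a
`sysctl net.inet.ip.fw` dump, so the value that keeps a flow's state can be
read off per connection state instead of from the raw list."""
import re

# Constructed sample input: the dyn_* lines from the sysctl dump quoted above.
SAMPLE = """\
net.inet.ip.fw.dyn_keepalive: 1
net.inet.ip.fw.dyn_short_lifetime: 5
net.inet.ip.fw.dyn_udp_lifetime: 10
net.inet.ip.fw.dyn_rst_lifetime: 1
net.inet.ip.fw.dyn_fin_lifetime: 1
net.inet.ip.fw.dyn_syn_lifetime: 20
net.inet.ip.fw.dyn_ack_lifetime: 300
net.inet.ip.fw.dyn_max: 32768
net.inet.ip.fw.dyn_count: 805
"""

# Which sysctl governs a dynamic rule's idle timeout, per ipfw(8):
# syn = TCP handshake in progress, ack = established, fin/rst = closing,
# udp = UDP flows, other = any other protocol.
STATE_TO_KEY = {
    "syn": "dyn_syn_lifetime", "ack": "dyn_ack_lifetime",
    "fin": "dyn_fin_lifetime", "rst": "dyn_rst_lifetime",
    "udp": "dyn_udp_lifetime", "other": "dyn_short_lifetime",
}

def parse_sysctl(text):
    """Return {short_name: int} for every net.inet.ip.fw.* line in the dump."""
    pattern = r"^net\.inet\.ip\.fw\.(\w+):\s*(-?\d+)\s*$"
    return {m.group(1): int(m.group(2)) for m in re.finditer(pattern, text, re.M)}

def lifetime_for(values, state):
    """Seconds of idle time before a dynamic rule in `state` expires."""
    return values[STATE_TO_KEY[state]]

def state_table_usage(values):
    """Fraction of the dynamic-rule table (dyn_max) currently occupied."""
    return values["dyn_count"] / values["dyn_max"]

def audit(values, max_idle=60):
    """Findings worth a second look. max_idle is an assumed site policy for
    how long an idle established TCP flow may hold state (not an ipfw default)."""
    findings = []
    ack = lifetime_for(values, "ack")
    if ack > max_idle:
        findings.append(f"dyn_ack_lifetime={ack}s exceeds policy of {max_idle}s")
    if values.get("dyn_keepalive") == 1:
        findings.append("dyn_keepalive=1: ipfw probes flows before expiry; "
                        "answered probes refresh the state instead of letting it age out")
    return findings
```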