Date:      Mon, 26 Feb 2007 11:40:14 -0500
From:      Chuck Swiger <cswiger@mac.com>
To:        Grant Peel <gpeel@thenetnow.com>
Cc:        Tek Bahadur Limbu <teklimbu@wlink.com.np>, freebsd-questions@freebsd.org
Subject:   Re: Fw: FIN_WAIT_2
Message-ID:  <45E30D6E.5090102@mac.com>
In-Reply-To: <00d501c759b8$b7dc4870$6501a8c0@GRANT>
References:  <00aa01c758c6$f8dadb90$6501a8c0@GRANT> <20070225193804.19bc9280.teklimbu@wlink.com.np> <00d501c759b8$b7dc4870$6501a8c0@GRANT>

Grant Peel wrote:
[ ... ]
> sysctl net.inet.ip.fw.dyn_keepalive=0
> 
> and in about 10 minutes all FIN_WAIT_2's disappear. (well almost all).
> 
> I expect it virtually shut down dynamic rules too in ipfw, but I have 
> been reading more and more that people are saying don't use dynamics on 
> a busy site. Anyone care to comment.

That's some interesting feedback.  There's probably another tunable for how 
long IPFW dynamic rules are supposed to persist by default.

In answer to your closing remark, I would attempt to configure static rules 
for known-permitted services, especially the most commonly used ones, and rely 
on dynamic rules only for ad-hoc internal traffic, and not for inbound client 
requests.

-- 
-Chuck
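The split Chuck recommends (static rules for the services you knowingly expose, `keep-state` only for traffic the host or LAN originates) is easiest to see as a ruleset. The script below is an added example written for this thread, not code from either poster or from FreeBSD's own /etc/rc.firewall, though it borrows that file's `${fwcmd}` convention. The interface name `em0`, the LAN prefix `192.168.1.0/24` and the service list are assumed placeholders; by default it dry-runs by echoing the `ipfw` commands, and `FWCMD=/sbin/ipfw` would apply them.

```shell
#!/bin/sh
# Added example: an ipfw ruleset that keeps inbound client connections out of
# the dynamic rule table. Dry-run by default (prints the commands); run with
# FWCMD=/sbin/ipfw to load it. Interface, LAN and ports are assumed values.
fwcmd="${FWCMD:-echo ipfw}"
ext_if="${EXT_IF:-em0}"                                 # assumed outside interface
int_net="${INT_NET:-192.168.1.0/24}"                    # assumed internal LAN
inbound_services="${INBOUND_SERVICES:-22 25 80 443}"    # assumed public TCP ports

build_ruleset() {
    ${fwcmd} -f flush
    ${fwcmd} add 100 allow ip from any to any via lo0

    # Inbound client requests: one static rule per service. No state entry is
    # created, so a client that half-closes and leaves the server socket in
    # FIN_WAIT_2 never occupies a dynamic rule or needs a keepalive.
    for port in ${inbound_services}; do
        ${fwcmd} add 200 allow tcp from any to me ${port} in via "${ext_if}" setup
    done
    # Replies and the rest of those connections pass on the established flag.
    ${fwcmd} add 300 allow tcp from me to any out via "${ext_if}" established

    # Dynamic rules only for sessions the host or LAN starts itself.
    ${fwcmd} add 400 check-state
    ${fwcmd} add 410 allow tcp from "${int_net}" to any out via "${ext_if}" setup keep-state
    ${fwcmd} add 420 allow udp from "${int_net}" to any out via "${ext_if}" keep-state

    ${fwcmd} add 65000 deny log ip from any to any
}

# Number of rules that create dynamic state (expected: only the two outbound ones).
count_dynamic_rules() {
    build_ruleset | grep -c keep-state
}

# Number of inbound rules that create dynamic state (expected: none).
count_inbound_dynamic_rules() {
    build_ruleset | grep 'in via' | grep -c keep-state || true
}

build_ruleset
```

With `FWCMD` unset the script only prints the rules, which makes it easy to diff against a running box (`ipfw list`) before loading it. Note that once inbound services are static, the dynamic table holds only outbound sessions, so the `net.inet.ip.fw.dyn_keepalive` change from the quoted message matters far less; the per-state lifetimes Chuck guesses at live under the same `net.inet.ip.fw.dyn_*` sysctl prefix (for example `net.inet.ip.fw.dyn_fin_lifetime` for connections that have seen a FIN).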

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?45E30D6E.5090102>