Date:      Tue, 17 Apr 2012 12:58:54 -0700
From:      Michael Sierchio <kudzu@tenebras.com>
To:        Kevin Oberman <kob6558@gmail.com>
Cc:        freebsd-net@freebsd.org, "Dmitry S. Kasterin" <dmk.sbor@gmail.com>
Subject:   Re: Stateful IPFW - too many connections in FIN_WAIT_2 or LAST_ACK states
Message-ID:  <CAHu1Y72HG00_yv0wyk_7rRC1bb0SNa+cEOoXZTALV6bkBj207g@mail.gmail.com>
In-Reply-To: <CAN6yY1uRrfv0Bdeb+tosna8O8ajD_H1j7N=akL7PS8XC3X09qA@mail.gmail.com>
References:  <CAJkxAbyMEYZ4pYu=z4Sfwdqtzh=PjhHE4qrbSsyL34YE9TnXZQ@mail.gmail.com> <CAJkxAbyi7hx9Dugtw5-Md1y77JRzOu3bygS8ntfQg+kw1KZ63w@mail.gmail.com> <CAN6yY1uRrfv0Bdeb+tosna8O8ajD_H1j7N=akL7PS8XC3X09qA@mail.gmail.com>

On Tue, Apr 17, 2012 at 12:48 PM, Kevin Oberman <kob6558@gmail.com> wrote:

> But I do have to ask why you find stateful rules for outgoing TCP
> connections desirable? Why not:
> 00101 allow tcp from me to any established

It's useful and appropriate to have outbound connections be stateful.
It's not a good idea to have inbound connections stateful, as it makes it
easy to fill up the state table.

To the OP:

Look at the kernel tunables:

net.inet.ip.fw.dyn_rst_lifetime
net.inet.ip.fw.dyn_fin_lifetime
net.inet.ip.fw.dyn_syn_lifetime
net.inet.ip.fw.dyn_ack_lifetime
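An added example, not code from the thread or from either poster, showing the two things the reply recommends: an ipfw ruleset that keeps state only for connections the host itself originates, and a check of the dyn_* lifetimes against the size of the dynamic-rule table. It assumes FreeBSD ipfw(8). The dyn_max value, the default lifetimes in the constructed sysctl sample, the ports 22/443 and the 120/10-second tuning values are assumptions for illustration, and the estimate in dyn_fits is Little's law (arrival rate times lifetime), not a calculation the thread makes.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes FreeBSD ipfw(8) and the
# net.inet.ip.fw.dyn_* sysctls named in the message. The dyn_max value
# and the lifetimes in SAMPLE_SYSCTL are the usual defaults but are
# assumptions here; confirm with `sysctl net.inet.ip.fw`. The parsing and
# estimate functions need only POSIX sh + awk, so they run anywhere; only
# `apply` touches the live system.

IPFW=${IPFW:-ipfw}
SYSCTL=${SYSCTL:-sysctl}

# Ruleset following the advice above: keep state only for TCP this host
# originates (the outbound 'setup' SYN creates the dynamic rule and
# check-state passes the rest of that flow). Inbound services are matched
# statelessly by port list, with 'established' for the replies, so a
# remote peer cannot create dynamic rules and fill the table with
# half-closed entries. Ports 22/443 are placeholders.
recommended_ruleset() {
    cat <<'EOF'
flush
add 00100 allow ip from any to any via lo0
add 00101 check-state
add 00102 allow tcp from me to any out setup keep-state
add 00200 allow tcp from any to me 22,443 in
add 00201 allow tcp from me 22,443 to any out established
add 65000 deny log ip from any to any
EOF
}

# Constructed sample of `sysctl net.inet.ip.fw` output (FreeBSD prints
# "name: value"), so the estimate below can be exercised offline.
SAMPLE_SYSCTL='net.inet.ip.fw.dyn_ack_lifetime: 300
net.inet.ip.fw.dyn_syn_lifetime: 20
net.inet.ip.fw.dyn_fin_lifetime: 1
net.inet.ip.fw.dyn_rst_lifetime: 1
net.inet.ip.fw.dyn_max: 4096'

# Little's law: with R new keep-state flows per second, each entry living
# about L seconds, the dynamic table holds about R*L rules. Reads
# sysctl-style lines on stdin, takes the lifetime name and R as arguments,
# prints "ok|overflow <estimate> <dyn_max>" and exits 1 on overflow.
dyn_fits() {  # $1 = lifetime sysctl (e.g. dyn_ack_lifetime), $2 = flows/s
    awk -v want="net.inet.ip.fw.$1" -v rate="$2" -F': ' '
        $1 == want                     { life = $2 + 0 }
        $1 == "net.inet.ip.fw.dyn_max" { max = $2 + 0 }
        END {
            if (life == "" || max == "") { print "missing sysctl"; exit 2 }
            est = rate * life
            print (est <= max ? "ok" : "overflow"), est, max
            exit (est <= max ? 0 : 1)
        }'
}

# Apply on a FreeBSD host: load the ruleset and shorten the lifetimes that
# let finished flows linger. 120 and 10 are illustrative values, not
# recommendations from the thread.
apply() {
    tmp=$(mktemp) || return 1
    recommended_ruleset >"$tmp"
    "$IPFW" -q "$tmp"
    rm -f "$tmp"
    "$SYSCTL" net.inet.ip.fw.dyn_ack_lifetime=120 \
              net.inet.ip.fw.dyn_syn_lifetime=10
}

case "${1:-}" in
    apply) apply ;;
    *)     printf '%s\n' "$SAMPLE_SYSCTL" | dyn_fits dyn_ack_lifetime 10 ;;
esac
```

Run with `apply` on a FreeBSD host to load the ruleset and set the sysctls; without arguments it only evaluates the constructed sample (10 flows/s at a 300 s ack lifetime fits a 4096-entry table, 20 flows/s does not). Put the chosen `net.inet.ip.fw.dyn_*_lifetime=` lines in /etc/sysctl.conf to keep them across reboots.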



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAHu1Y72HG00_yv0wyk_7rRC1bb0SNa%2BcEOoXZTALV6bkBj207g>