Date:      Wed, 2 Nov 2011 09:46:51 -0700
From:      Michael Sierchio <kudzu@tenebras.com>
To:        Tim Gustafson <tjg@soe.ucsc.edu>
Cc:        freebsd-ipfw@freebsd.org
Subject:   Re: IPFW Problems
Message-ID:  <CAHu1Y71WUyONR5ACurNNZVctdvj3s3a5ng6KfvFeAdMaYEep=Q@mail.gmail.com>
In-Reply-To: <1048019764.24079.1320248771403.JavaMail.root@mail-01.cse.ucsc.edu>
References:  <1335821625.24060.1320248576610.JavaMail.root@mail-01.cse.ucsc.edu> <1048019764.24079.1320248771403.JavaMail.root@mail-01.cse.ucsc.edu>

On Wed, Nov 2, 2011 at 8:46 AM, Tim Gustafson <tjg@soe.ucsc.edu> wrote:


> What I've been noticing is that the web server is accumulating a large number of dynamic rules that are not going away...

> Can anyone help me understand what is going on here? Have I found some sort of bug, or do I have my firewall incorrectly configured?

You may want to tweak the sysctl items that control the lifespan of
dynamic rules.

sysctl net.inet.ip.fw

in particular, the default value of net.inet.ip.fw.dyn_ack_lifetime is
probably way too long for your purposes.
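As an added example (not part of this reply or the thread), the script below parses the dynamic-rule section of an ipfw -d show listing and counts how many entries still have more than dyn_syn_lifetime seconds left, which marks them as established states running on dyn_ack_lifetime, the sysctl named above. The listing is a constructed sample, the 20s/300s defaults are the ones documented in ipfw(8), and the 60 in the suggested sysctl line is only an illustrative value.

```shell
#!/bin/sh
# Added example, not from the thread: summarise an `ipfw -d show` listing so
# you can tell which lifetime sysctl the lingering dynamic rules are on.
# SAMPLE_IPFW is a constructed listing that stands in for the live command.

SAMPLE_IPFW='00100 0 0 allow ip from any to any via lo0
00200 812 61532 allow tcp from any to me 80 setup keep-state
65535 9 720 deny ip from any to any
## Dynamic rules (4):
00200 12 9320 (287s) STATE tcp 203.0.113.5 51422 <-> 198.51.100.10 80
00200 3 180 (291s) STATE tcp 203.0.113.6 40110 <-> 198.51.100.10 80
00200 1 60 (17s) STATE tcp 203.0.113.7 33021 <-> 198.51.100.10 80
00200 0 0 (2s) STATE tcp 203.0.113.8 33022 <-> 198.51.100.10 80'

# Defaults documented in ipfw(8); on a real host read them with
# `sysctl net.inet.ip.fw` instead of hard-coding.
DYN_SYN_LIFETIME=20
DYN_ACK_LIFETIME=300

# Dynamic entries look like "rule pkts bytes (Ns) STATE proto ..."; the
# parenthesised field is the remaining lifetime in seconds.
dyn_count() {
    printf '%s\n' "$1" |
        awk '$4 ~ /^\([0-9]+s\)$/ && $5 == "STATE" { n++ } END { print n + 0 }'
}

# Count entries with more than $2 seconds left. Anything above
# dyn_syn_lifetime must have been extended to dyn_ack_lifetime, i.e. the
# connection was seen established (simplification: FIN/RST states are shorter).
dyn_over() {
    printf '%s\n' "$1" |
        awk -v limit="$2" '
            $4 ~ /^\([0-9]+s\)$/ && $5 == "STATE" {
                secs = $4; gsub(/[()s]/, "", secs)
                if (secs + 0 > limit + 0) n++
            }
            END { print n + 0 }'
}

report() {
    total=$(dyn_count "$1")
    on_ack=$(dyn_over "$1" "$DYN_SYN_LIFETIME")
    printf 'dynamic rules: %s; on dyn_ack_lifetime (%ss): %s\n' \
        "$total" "$DYN_ACK_LIFETIME" "$on_ack"
    # With dyn_keepalive=1 ipfw probes both ends before expiry and a reply
    # refreshes the timer, so idle-but-answering peers never age out.
    printf 'to shorten: sysctl net.inet.ip.fw.dyn_ack_lifetime=60   # 60 is illustrative\n'
}

report "$SAMPLE_IPFW"
```

On a live host, replace SAMPLE_IPFW with the output of ipfw -d show and compare the count against net.inet.ip.fw.dyn_count before and after lowering the lifetime.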
