Michael Sierchio wrote: > On Wed, Jun 6, 2012 at 11:31 AM, Simon <si...@optinet.com> wrote: > >> This easily causes DoS for when too many FIN_WAIT_2 are created and IPFW >> stops forwarding using the rule above because of "too many dynamic rules" > > Change the defaults for the fw.dyn sysctl MIB nodes > > to something like > > net.inet.ip.fw.dyn_short_lifetime=3 > net.inet.ip.fw.dyn_udp_lifetime=3 > net.inet.ip.fw.dyn_rst_lifetime=1 > net.inet.ip.fw.dyn_fin_lifetime=1 > net.inet.ip.fw.dyn_syn_lifetime=10
There is also this you can place in /etc/sysctl.conf: net.inet.tcp.fast_finwait2_recycle=1 I do this for my web servers. It helps reduce the volume somewhat of FIN_WAIT_2 from building up by expiring them sooner. -Mike _______________________________________________ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
