Re: Proper Port Forwarding

2012-06-07 Thread Ian Smith
In freebsd-questions Digest, Vol 418, Issue 10, Message: 7 On Wed, 06 Jun 2012 14:31:24 -0400 Simon si...@optinet.com wrote: Can someone suggest an alternative/proper way to port forward using ipfw? Right now I have the following and some bad clients cause too many FIN_WAIT_2 state

Re: Proper Port Forwarding

2012-06-07 Thread Michael Powell
Michael Sierchio wrote: On Wed, Jun 6, 2012 at 11:31 AM, Simon si...@optinet.com wrote: This easily causes DoS for when too many FIN_WAIT_2 are created and IPFW stops forwarding using the rule above because of too many dynamic rules Change the defaults for the fw.dyn sysctl MIB nodes

Re: Proper Port Forwarding

2012-06-07 Thread Michael Sierchio
On Thu, Jun 7, 2012 at 10:15 AM, Michael Powell nightre...@hotmail.com wrote: There is also this you can place in /etc/sysctl.conf: net.inet.tcp.fast_finwait2_recycle=1 Good catch. The defaults are perhaps not ideal in all cases: net.inet.tcp.finwait2_timeout: 6 - ms, ten minutes

Re: Proper Port Forwarding

2012-06-07 Thread Michael Sierchio
On Thu, Jun 7, 2012 at 10:27 AM, Michael Sierchio ku...@tenebras.com wrote: net.inet.tcp.finwait2_timeout: 6  - ms, ten minutes I can't do arithmetic, but you get the idea. A full minute.

Re: Proper Port Forwarding

2012-06-07 Thread Chuck Swiger
On Jun 7, 2012, at 10:29 AM, Michael Sierchio wrote: On Thu, Jun 7, 2012 at 10:27 AM, Michael Sierchio ku...@tenebras.com wrote: net.inet.tcp.finwait2_timeout: 6 - ms, ten minutes I can't do arithmetic, but you get the idea. A full minute. Yes; that's already shorter than possible

Proper Port Forwarding

2012-06-06 Thread Simon
Hi, Can someone suggest an alternative/proper way to port forward using ipfw? Right now I have the following and some bad clients cause too many FIN_WAIT_2 state fwd IP,PORT2 tcp from any to me dst-port PORT1 keep-state This easily causes DoS for when too many FIN_WAIT_2 are created and IPFW

Re: Proper Port Forwarding

2012-06-06 Thread Michael Sierchio
On Wed, Jun 6, 2012 at 11:31 AM, Simon si...@optinet.com wrote: This easily causes DoS for when too many FIN_WAIT_2 are created and IPFW stops forwarding using the rule above because of too many dynamic rules Change the defaults for the fw.dyn sysctl MIB nodes to something like

Re: Proper Port Forwarding

2012-06-06 Thread Dan Nelson
In the last episode (Jun 06), Michael Sierchio said: On Wed, Jun 6, 2012 at 11:31 AM, Simon si...@optinet.com wrote: This easily causes DoS for when too many FIN_WAIT_2 are created and IPFW stops forwarding using the rule above because of too many dynamic rules Change the defaults for