> Yes, IPFW is running on the box. Why not?
>
> --
> Robert Blayzor, BOFH
> INOC, LLC
> [EMAIL PROTECTED]
> http://www.inoc.net/~rblayzor/
There's nothing wrong with running IPFW on the same box :-) But I think that rule change is masking the problem rather than solving it. The keep-state is limited. The reason the number of dead connections isn't going up is probably because IPFW is either hitting its keep-state limit and dropping connections, or the connection becomes idle long enough for IPFW to recycle the keep-state for it, also causing it to drop. Once the keep-state is lost, that deny established rule will cause the connection to fail.

I would be very careful with any type of ruleset (IPFW or PF) which relies on keep-state. You can wind up causing legitimate connections to drop if it isn't carefully tuned. It might be a reasonable band-aid, though.

-Matt
Matthew Dillon <[EMAIL PROTECTED]>

_______________________________________________
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
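The failure mode Matt describes (a flow whose dynamic entry has been evicted or recycled falling through to the "deny established" rule) is easiest to see side by side with a rule set that does not make published services depend on state. The script below is an added example, not code from this thread or from FreeBSD's own rc.firewall: it emits both rule sets in rc.firewall style, the sysctl tuning for the dynamic-rule table, and a headroom check against the live counters. Commands are printed by default; setting FWCMD=/sbin/ipfw and SYSCTL=/sbin/sysctl on a FreeBSD host applies them. The service ports, table sizes and lifetimes are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): keep-state-only IPFW rules versus rules
# that keep published services stateless, plus state-table tuning and a check.
# Dry run by default: FWCMD and SYSCTL default to "echo ..." so nothing is applied.

fwcmd="${FWCMD:-echo ipfw}"
sysctl="${SYSCTL:-echo sysctl}"

# Fragile: every allowed flow exists only as a dynamic entry. When that entry
# is gone (dyn_max reached, or idle longer than dyn_ack_lifetime) the packets
# of a still-open connection match "deny ... established" and the session dies.
# Ports 25 and 80 are assumed services for the sake of the example.
fragile_ruleset() {
    ${fwcmd} -f flush
    ${fwcmd} add 100 check-state
    ${fwcmd} add 200 allow tcp from any to me 25,80 setup keep-state
    ${fwcmd} add 300 allow tcp from me to any setup keep-state
    ${fwcmd} add 400 deny tcp from any to any established
    ${fwcmd} add 65000 deny ip from any to any
}

# Careful: the published services are allowed statelessly in both directions,
# so their long-lived connections never depend on a dynamic entry. keep-state
# is reserved for outbound client connections, where a lost entry affects only
# that session rather than the box's inbound service.
careful_ruleset() {
    ${fwcmd} -f flush
    ${fwcmd} add 100 check-state
    ${fwcmd} add 200 allow tcp from any to me 25,80
    ${fwcmd} add 210 allow tcp from me 25,80 to any
    ${fwcmd} add 300 allow tcp from me to any setup keep-state
    ${fwcmd} add 400 deny tcp from any to any established
    ${fwcmd} add 65000 deny ip from any to any
}

# Raise the dynamic-rule ceiling and the idle lifetime of established TCP
# entries so the table is neither exhausted nor recycled under normal load.
# These are real net.inet.ip.fw sysctls; the values are illustrative.
tune_state_table() {
    ${sysctl} net.inet.ip.fw.dyn_max=65536
    ${sysctl} net.inet.ip.fw.dyn_buckets=65536
    ${sysctl} net.inet.ip.fw.dyn_ack_lifetime=3600
    ${sysctl} net.inet.ip.fw.dyn_keepalive=1
}

# Report how full the dynamic-rule table is. With no arguments it reads the
# live counters; with two arguments (count max) it evaluates those instead,
# which is also how it is exercised off-box. Returns non-zero above 80% used,
# i.e. when evictions (and the silent connection drops above) are near.
state_headroom() {
    count="${1:-$(sysctl -n net.inet.ip.fw.dyn_count)}"
    max="${2:-$(sysctl -n net.inet.ip.fw.dyn_max)}"
    used=$(( count * 100 / max ))
    echo "dynamic rules: ${count}/${max} (${used}% used)"
    [ "$used" -lt 80 ]
}
```

Running `state_headroom` from cron on the box in question would show directly whether dyn_count is riding against dyn_max, which distinguishes "dead connections are being reaped" from "live connections are being dropped because their state was evicted".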