Grant Peel wrote:
> [ ... ]
> sysctl net.inet.ip.fw.dyn_keepalive=0
> and in about 10 minutes all FIN_WAIT_2's disappear (well, almost all).
> I expect it virtually shut down dynamic rules too in ipfw, but I have
> been reading more and more that people are saying don't use dynamics on
> a busy site. Anyone care to comment?
That's some interesting feedback. There's probably another tunable for how
long IPFW dynamic rules are supposed to persist by default.
In answer to your closing remark, I would attempt to configure static rules
for known-permitted services, especially the most commonly used ones, and rely
on dynamic rules only for ad-hoc internal traffic, and not for inbound client
requests.
--
-Chuck
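An added example of the split Chuck suggests (static rules for the published services, keep-state only for sessions the internal network starts), together with the dynamic-rule lifetime tunables that sit beside dyn_keepalive. This is not code from either poster; the interface name, internal prefix and service ports are assumed placeholders, and the lifetime values are the stock ipfw defaults except dyn_keepalive=0 from Grant's post.

```shell
#!/bin/sh
# Added example, not from the thread: an ipfw ruleset in which inbound
# service traffic is handled statelessly and dynamic (keep-state) rules
# cover only outbound sessions from the internal network.
EXT_IF="em0"                # assumed external interface name
INT_NET="192.168.1.0/24"    # assumed internal network prefix
SERVICE_PORTS="22,80,443"   # assumed published services

# Print the ruleset as ipfw file-mode lines; nothing is applied here.
emit_ruleset() {
    cat <<EOF
add 100 allow ip from any to any via lo0
add 200 deny ip from any to 127.0.0.0/8
# consult the dynamic table first so return traffic of keep-state sessions passes
add 300 check-state
# static inbound: new and established segments to published ports, no dynamic entry
add 400 allow tcp from any to me $SERVICE_PORTS in via $EXT_IF
# static outbound: replies from those ports (ACK/RST set), still stateless
add 410 allow tcp from me $SERVICE_PORTS to any out via $EXT_IF established
# dynamic rules only where the internal net initiates the session
add 500 allow tcp from $INT_NET to any out via $EXT_IF setup keep-state
add 510 allow udp from $INT_NET to any 53 out via $EXT_IF keep-state
add 65000 deny log ip from any to any
EOF
}

# Number of inbound rules that would create dynamic state; the design goal is 0.
count_dynamic_inbound() {
    emit_ruleset | grep ' in via ' | grep -c 'keep-state' || true
}

# Lifetime tunables (seconds) for dynamic rules, in sysctl.conf form.
# dyn_keepalive=0 is the setting from the post; the rest are ipfw's defaults.
dyn_tunables() {
    cat <<EOF
net.inet.ip.fw.dyn_keepalive=0
net.inet.ip.fw.dyn_ack_lifetime=300
net.inet.ip.fw.dyn_syn_lifetime=20
net.inet.ip.fw.dyn_fin_lifetime=1
EOF
}

# Load the ruleset on the FreeBSD host itself (needs root and the ipfw module).
apply_ruleset() {
    f=$(mktemp) || return 1
    emit_ruleset > "$f"
    ipfw -q -f flush
    ipfw -q "$f"
    rm -f "$f"
}

if [ "${1:-}" = "apply" ]; then
    apply_ruleset
fi
```

Run it with `sh script.sh apply` on the firewall host; without the argument it only defines the functions. The tunable Chuck guessed at is dyn_ack_lifetime: it is how long an idle established session keeps its dynamic rule, and with dyn_keepalive=0 nothing refreshes that timer, so idle sessions age out rather than being probed. On a busy host, dyn_max and dyn_buckets bound the table that the dynamic rules occupy, which is why keeping inbound client traffic on static rules keeps that table small.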
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions