Re: Proper Port Forwarding
On Jun 7, 2012, at 10:29 AM, Michael Sierchio wrote:

> On Thu, Jun 7, 2012 at 10:27 AM, Michael Sierchio wrote:
>> net.inet.tcp.finwait2_timeout: 6 <- ms, ten minutes
>
> I can't do arithmetic, but you get the idea. A full minute.

Yes; that's already shorter than the possible MAXTTL value of packets, which can be anywhere up to 255 seconds (~= 5 minutes).

Well, it's usually OK for a webserver to decide that it doesn't need to wait around for clients to properly shut down their HTTP connections, but one might want to be more careful about zapping sockets early for HTTPS/SSL connections (i.e. an online store doing a CC transaction or the like).

Regards,
-- 
-Chuck

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: Proper Port Forwarding
On Thu, Jun 7, 2012 at 10:27 AM, Michael Sierchio wrote:
> net.inet.tcp.finwait2_timeout: 6 <- ms, ten minutes

I can't do arithmetic, but you get the idea. A full minute.
Re: Proper Port Forwarding
On Thu, Jun 7, 2012 at 10:15 AM, Michael Powell wrote:
> There is also this you can place in /etc/sysctl.conf:
>
> net.inet.tcp.fast_finwait2_recycle=1
>

Good catch. The defaults are perhaps not ideal in all cases:

net.inet.tcp.finwait2_timeout: 6 <- ms, ten minutes
net.inet.tcp.fast_finwait2_recycle: 0
Re: Proper Port Forwarding
Michael Sierchio wrote:
> On Wed, Jun 6, 2012 at 11:31 AM, Simon wrote:
>
>> This easily causes DoS for when too many FIN_WAIT_2 are created and IPFW
>> stops forwarding using the rule above because of "too many dynamic rules"
>
> Change the defaults for the fw.dyn sysctl MIB nodes
>
> to something like
>
> net.inet.ip.fw.dyn_short_lifetime=3
> net.inet.ip.fw.dyn_udp_lifetime=3
> net.inet.ip.fw.dyn_rst_lifetime=1
> net.inet.ip.fw.dyn_fin_lifetime=1
> net.inet.ip.fw.dyn_syn_lifetime=10

There is also this you can place in /etc/sysctl.conf:

net.inet.tcp.fast_finwait2_recycle=1

I do this for my web servers. It helps somewhat in reducing the volume of FIN_WAIT_2 that builds up, by expiring them sooner.

-Mike
Re: Proper Port Forwarding
In freebsd-questions Digest, Vol 418, Issue 10, Message: 7

On Wed, 06 Jun 2012 14:31:24 -0400 "Simon" wrote:

> Can someone suggest an alternative/proper way to port forward using ipfw. Right
> now I have the following and some bad clients cause too many FIN_WAIT_2 state
>
> fwd IP,PORT2 tcp from any to me dst-port PORT1 keep-state
>
> This easily causes DoS for when too many FIN_WAIT_2 are created and IPFW
> stops forwarding using the rule above because of "too many dynamic rules"

Michael's and Dan's suggestions of adjusting the sysctl net.inet.ip.fw.dyn* variables are good; consider also using 'limit' instead of 'keep-state', which works the same except that it limits the number of open connections to a specified number. See ipfw(8) /limit and /EXAMPLES for more, but e.g.:

fwd IP,PORT2 tcp from any to me dst-port PORT1 limit src-addr 9

to prevent any one source address opening more than 9 connections, or

fwd IP,PORT2 tcp from any to me dst-port PORT1 limit dst-port 42

to limit total open connections by everyone to dst-port PORT1 to 42.

cheers, Ian
Re: Proper Port Forwarding
In the last episode (Jun 06), Michael Sierchio said:
> On Wed, Jun 6, 2012 at 11:31 AM, Simon wrote:
>
> > This easily causes DoS for when too many FIN_WAIT_2 are created and IPFW
> > stops forwarding using the rule above because of "too many dynamic
> > rules"
>
> Change the defaults for the fw.dyn sysctl MIB nodes
>
> to something like
>
> net.inet.ip.fw.dyn_short_lifetime=3
> net.inet.ip.fw.dyn_udp_lifetime=3
> net.inet.ip.fw.dyn_rst_lifetime=1
> net.inet.ip.fw.dyn_fin_lifetime=1
> net.inet.ip.fw.dyn_syn_lifetime=10

Or raise net.inet.ip.fw.dyn_max to a larger number. The default 4096 may be too small.

-- 
Dan Nelson
dnel...@allantgroup.com
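The failure mode the thread is circling (the dynamic-rule table filling up until a keep-state fwd rule stops matching) is easy to watch for before it bites. The following POSIX sh script is an added example, not code from anyone in this thread: it parses sysctl-style "name: value" output for net.inet.ip.fw.dyn_count and net.inet.ip.fw.dyn_max (the counter and ceiling ipfw exposes on FreeBSD), reports how full the table is, and, when it is near the ceiling, emits the per-source 'limit' form of the rule from Ian's message. The sysctl output, the 10.0.0.5 forward target and the port numbers are all constructed for the example; on a real host you would feed it the output of `sysctl net.inet.ip.fw.dyn_count net.inet.ip.fw.dyn_max` instead.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): report ipfw dynamic-rule
# table usage from sysctl output and suggest the 'limit' rule when it is
# close to dyn_max, i.e. close to the "too many dynamic rules" condition.

# Constructed sample of what `sysctl net.inet.ip.fw.dyn_count
# net.inet.ip.fw.dyn_max ...` could print on a FreeBSD host. The numbers
# are made up for this example; the default dyn_max of 4096 is from the thread.
SAMPLE_SYSCTL='net.inet.ip.fw.dyn_count: 3900
net.inet.ip.fw.dyn_max: 4096
net.inet.ip.fw.dyn_fin_lifetime: 1
net.inet.ip.fw.dyn_syn_lifetime: 20'

# sysctl_value NAME TEXT: print the value of NAME from "name: value" lines.
sysctl_value() {
    printf '%s\n' "$2" | awk -v key="$1:" '$1 == key { print $2; exit }'
}

# dyn_usage_pct TEXT: integer percentage of the dynamic-rule table in use.
# Fails (exit 1) when either counter is missing from TEXT.
dyn_usage_pct() {
    count=$(sysctl_value net.inet.ip.fw.dyn_count "$1")
    max=$(sysctl_value net.inet.ip.fw.dyn_max "$1")
    [ -n "$count" ] && [ -n "$max" ] && [ "$max" -gt 0 ] || return 1
    echo $(( $count * 100 / $max ))
}

# dyn_table_ok TEXT THRESHOLD: exit 0 when usage is below THRESHOLD percent.
dyn_table_ok() {
    pct=$(dyn_usage_pct "$1") || return 2
    [ "$pct" -lt "$2" ]
}

# limit_rule IP PORT2 PORT1 N: the 'limit src-addr' variant of the thread's
# fwd rule, so one source cannot hold more than N dynamic entries.
limit_rule() {
    printf 'fwd %s,%s tcp from any to me dst-port %s limit src-addr %s\n' \
        "$1" "$2" "$3" "$4"
}

if dyn_table_ok "$SAMPLE_SYSCTL" 90; then
    echo "dynamic rule table at $(dyn_usage_pct "$SAMPLE_SYSCTL")%: ok"
else
    echo "dynamic rule table at $(dyn_usage_pct "$SAMPLE_SYSCTL")%: near dyn_max, keep-state fwd rules will stop matching"
    echo "consider replacing keep-state with, for example:"
    limit_rule 10.0.0.5 8080 80 9
fi
```

Run from cron with the live sysctl output piped in and you get an early warning instead of discovering the table is full when forwarding stops; the same function can also be pointed at dyn_count after raising dyn_max, to confirm the new ceiling actually gives headroom under real load rather than just moving the cliff.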
Re: Proper Port Forwarding
On Wed, Jun 6, 2012 at 11:31 AM, Simon wrote:
> This easily causes DoS for when too many FIN_WAIT_2 are created and IPFW
> stops forwarding using the rule above because of "too many dynamic rules"

Change the defaults for the fw.dyn sysctl MIB nodes to something like

net.inet.ip.fw.dyn_short_lifetime=3
net.inet.ip.fw.dyn_udp_lifetime=3
net.inet.ip.fw.dyn_rst_lifetime=1
net.inet.ip.fw.dyn_fin_lifetime=1
net.inet.ip.fw.dyn_syn_lifetime=10