On Thu 2010-09-09 (09:20), Jeremy Chadwick wrote:
> Secondly, I'm fairly certain HTTP KeepAlive (re: KeepAliveTimeout) are
> unrelated to TCP keepalives[1].  I mention this because you're focusing
> on netstat, which will give you indication of TCP session state, not
> HTTP protocol statefulness.

Gotcha

> Thirdly, if you feel FIN_WAIT2 is the cause of your problem, then you
> should consider adjusting the following sysctl:
> 
> net.inet.tcp.finwait2_timeout
> 
> Try something like 15000 (15 seconds) instead of the default (60000).

Ok, that seems to be doing something. Will report back later.

> Finally, why are you using dynamic firewall rules at all?

So that I can identify legitimate(ish) traffic and drop the rest.

> For what purpose do you need these that, say, pf and its state
> tracking would not suffice?

I haven't used pf. I started with ipfw and it's done the trick so far.
What's the difference between pf and ipfw's state tracking in this
respect?
_______________________________________________
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"
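The thread's point that netstat shows TCP session state (not HTTP keepalive state) and that net.inet.tcp.finwait2_timeout bounds how long sockets linger in FIN_WAIT_2, as an added shell example that is not part of the original thread: it tallies socket states from netstat-style output and estimates the steady-state FIN_WAIT_2 pool for the default 60000 ms versus the suggested 15000 ms. The netstat lines are a constructed sample (RFC 5737 documentation addresses), and the function names are my own, not FreeBSD tooling.

```shell
#!/bin/sh
# Constructed sample in FreeBSD `netstat -an` layout; stands in for live output
# so the script runs offline. Columns: Proto Recv-Q Send-Q Local Foreign (state)
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 192.0.2.10.80          198.51.100.7.51234     FIN_WAIT_2
tcp4       0      0 192.0.2.10.80          198.51.100.8.40021     FIN_WAIT_2
tcp4       0      0 192.0.2.10.80          198.51.100.9.33001     ESTABLISHED
tcp4       0      0 192.0.2.10.80          203.0.113.5.44444      TIME_WAIT
tcp4       0      0 192.0.2.10.22          203.0.113.6.50001      ESTABLISHED
tcp4       0      0 *.80                   *.*                    LISTEN'

# count_tcp_states: read netstat output on stdin, print "STATE count" for every
# TCP state seen, highest count first. Header and non-tcp lines are skipped.
count_tcp_states() {
    awk '$1 ~ /^tcp/ { n[$NF]++ } END { for (s in n) print s, n[s] }' | sort -k2,2nr
}

# count_state STATE: number of tcp sockets currently in STATE (stdin = netstat output).
count_state() {
    awk -v want="$1" '$1 ~ /^tcp/ && $NF == want { c++ } END { print c + 0 }'
}

# finwait2_budget TIMEOUT_MS RATE_PER_SEC: rough steady-state size of the
# FIN_WAIT_2 pool, i.e. sockets entering the state per second multiplied by how
# long the sysctl lets each one linger. 60000 -> 15000 cuts the pool by 4x.
finwait2_budget() {
    timeout_ms=$1
    rate_per_sec=$2
    echo $(( timeout_ms * rate_per_sec / 1000 ))
}

# On a live FreeBSD host (not executed here) the same functions read real data:
#   netstat -an | count_state FIN_WAIT_2
#   sysctl net.inet.tcp.finwait2_timeout
echo "$SAMPLE_NETSTAT" | count_tcp_states
echo "FIN_WAIT_2 sockets at 10/s: default=$(finwait2_budget 60000 10) tuned=$(finwait2_budget 15000 10)"
```

Compare the FIN_WAIT_2 count before and after changing the sysctl; if it does not move, the lingering sockets are not the cause and the HTTP-side KeepAliveTimeout is the next thing to look at.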