
Re: [FUG-BR] check-state / keep-state / lifetime

From: "Ricardo A. Reis" <ricardo_bsd@xxxxxxxxxxxx>
To: Lista de discussao do grupo FUG-BR <Freebsd@xxxxxxxxxx>
Subject: Re: [FUG-BR] check-state / keep-state / lifetime
Date: Fri, 23 Dec 2005 00:17:55 -0200
On Mon, 2005-12-12 at 15:23 -0300, Thiago Esteves wrote:
>  Well, I use ipfw as my firewall, I am using keep-state and check-state,
>  and I would like to know which values are more or less safe today for these sysctls:
>   
>  net.inet.ip.fw.dyn_ack_lifetime:  xx
>  net.inet.ip.fw.dyn_syn_lifetime:  xx
>  net.inet.ip.fw.dyn_fin_lifetime:  xx
>  net.inet.ip.fw.dyn_rst_lifetime:  xx
>  net.inet.ip.fw.dyn_short_lifetime:  xx
>  
>  xx =  lifetime

I know this is not quite the answer, but one of the things that led me to
switch firewalls to PF on some servers was the use of adaptive timeouts.


man pf.conf
...................
           Timeout values can be reduced adaptively as the number of state
           table entries grows.

           adaptive.start
                 When the number of state entries exceeds this value, adaptive
                 scaling begins.  All timeout values are scaled linearly with
                 factor (adaptive.end - number of states) / (adaptive.end -
                 adaptive.start).
           adaptive.end
                 When reaching this number of state entries, all timeout
                 values become zero, effectively purging all state entries
                 immediately.  This value is used to define the scale factor, it
                 should not actually be reached (set a lower state limit, see
                 below).
.........................




Regards

Ricardo A. Reis
UNIFESP
Unix and Network Admin
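
Added example (not part of the original message or of the pf.conf man page): a small Python model of the linear scaling quoted above, showing how timeouts shrink as the state table fills and checking that the state limit stays below adaptive.end. The function names, the integer rounding and every numeric value are assumptions constructed for illustration.

```python
# Model of the adaptive timeout scaling described in the pf.conf(5) excerpt.
# All numbers below are constructed sample values, not recommendations.

def scale_factor(states, start, end):
    """Return the scale factor as a (numerator, denominator) pair."""
    if end <= start:
        raise ValueError("adaptive.end must be greater than adaptive.start")
    if states <= start:      # scaling has not begun yet
        return (1, 1)
    if states >= end:        # all timeouts become zero
        return (0, 1)
    return (end - states, end - start)

def scaled_timeout(base, states, start, end):
    """Effective timeout in seconds (integer division is an assumption)."""
    num, den = scale_factor(states, start, end)
    return base * num // den

def check_limits(state_limit, start, end):
    """Flag settings that contradict the man page's advice."""
    problems = []
    if state_limit >= end:
        problems.append("state limit >= adaptive.end: timeouts can reach zero")
    if start >= state_limit:
        problems.append("adaptive.start >= state limit: scaling never begins")
    return problems

def timeout_table(base_timeouts, start, end, loads):
    """Map each state count to the scaled value of every named timeout."""
    return {n: {name: scaled_timeout(t, n, start, end)
                for name, t in base_timeouts.items()}
            for n in loads}

if __name__ == "__main__":
    # Hypothetical settings being modelled:
    #   set timeout { adaptive.start 6000, adaptive.end 12000 }
    #   set limit states 10000
    start, end, limit = 6000, 12000, 10000
    base = {"tcp.first": 120, "tcp.opening": 30, "tcp.established": 86400}
    for issue in check_limits(limit, start, end):
        print("WARNING:", issue)
    table = timeout_table(base, start, end, [5000, 9000, limit, 11999])
    for states, row in table.items():
        print(states, row)
```

With these sample settings the state limit of 10000 caps the scale factor at one third, so an established-connection timeout never falls below 28800 seconds, while at 11999 states the short handshake timeouts would already round down to zero.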


        

        
                