too many dynamic rules

Axel Scheepers axel at axel.truedestiny.net
Fri Sep 24 08:50:05 PDT 2004


Hello,
The man page of ipfw says:

     net.inet.ip.fw.dyn_buckets: 256
     net.inet.ip.fw.curr_dyn_buckets: 256
             The configured and current size of the hash table used to hold
             dynamic rules.  This must be a power of 2.  The table can only be
             resized when empty, so in order to resize it on the fly you will
             probably have to flush and reload the ruleset.

These are the standard kernel variables for the hash table size; in your config you should
increase these values until you don't get the messages anymore.
But it won't do any harm to look with tcpdump at what is causing the state table to overflow,
since these rules should be discarded after a while, and it looks like that doesn't happen.
I myself use ipf/ipnat so I'm not so familiar with ipfw rulesets, maybe someone can find
something weird in these that is causing that?

You can set these values using sysctl -w net.inet.ip.fw.dyn_buckets=<your value here> and
sysctl -w net.inet.ip.fw.curr_dyn_buckets=<your value here>. Keep in mind that this can't 
be done when the firewall is running, so you should flush it first, apply the changes and load
the rules again.

Hope this helps,
Axel

On Thu, Nov 08, 2001 at 08:12:07PM +0000, setantae wrote:
> Date: Thu, 8 Nov 2001 20:12:07 +0000
> From: setantae <setantae at submonkey.net>
> To: questions at freebsd.org, security at freebsd.org
> Subject: too many dynamic rules
> 
> 
> Can't find anything in the archives at MARC, and not sure which list
> I should be talking to, so please set followups appropriately if it
> bothers you.
> 
> For approximately 18 seconds today my firewall went apesh*t (these are all relevant entries):
> 
> Nov  8 14:47:45 rhadamanth /kernel: Too many dynamic rules, sorry
> Nov  8 14:47:45 rhadamanth natd[218]: failed to write packet back (Permission denied)
Stripped down a bit ...
> 
> At the time there was only one user logged onto the box, and no clients
> behind the firewall - unfortunately I have no idea what I was doing at the
> time, although I have been upgrading older ports today (cannot find any
> files that were created at the times above though).
> 
> This box is a dual piii-866 with 512mb of ram, doesn't do much and
> has maxusers set to 128.
> 
> The other interesting thing is that although dynamic rules are still being
> created (since I can access stuff from another box on the LAN),
> ipfw -at l no longer shows them.
> 

The Ruleset:
> 
> ## Deny fragments
> add 00105 deny all from any to any frag
> 
> #### 	00110 Unprotect the LAN interface
> add 00110 allow all from any to any via dc0
> 
> ####	00200 Stop RFC 1918 traffic
> #add 00201 pass udp from 172.16.0.0/12 to any 68 in via ed0
> #add 00201 pass udp from 172.17.39.254 to any 68 in via ed0
> 
> add 00202 deny log all from any to 10.0.0.0/8
> add 00203 deny log all from 10.0.0.0/8 to any
> 
> add 00204 deny log all from any to 172.16.0.0/12
> add 00205 deny log all from 172.16.0.0/12 to any
> 
> #add 00206 deny log all from 192.168.0.0/16 to any in via ed0
> #add 00207 deny log all from any to 192.168.0.0/16 in via ed0
> 
> add 00206 divert natd all from any to any via ed0
> 
> add 00207 pass all from 192.168.10.0/24 to any via ed0
> add 00208 pass all from any to 192.168.10.0/24 via ed0
> add 00209 deny log all from any to 192.168.0.0/16 via ed0
> add 00210 deny log all from 192.168.0.0/16 to any via ed0
> 
> ####	00400 Check state and allow tcp connections created by us.
> add 00400 check-state
> add 00401 allow tcp from any to any out keep-state
> #add 00402 deny log tcp from any to any in established
> add 00403 allow udp from any to any 53 keep-state
> add 00404 allow udp from any to any out
> 
> ##NTP
> add 00421 allow udp from 130.88.200.98 123 to any
> add 00422 allow udp from 130.88.203.12 123 to any
> 
> ####    00500 DHCP stuff
> add 00501 allow udp from 62.252.32.3 to any 68 in via ed0
> 
> ####	00600 ICMP stuff
> # path-mtu
> add 00600 allow icmp from any to any icmptypes 3
> # source quench
> add 00601 allow icmp from any to any icmptypes 4
> #ping
> add 00602 allow icmp from any to any icmptypes 8 out
> add 00603 allow icmp from any to any icmptypes 0 in
> #traceroute
> add 00604 allow icmp from any to any icmptypes 11 in
> 
> ####	00700 Services we want to make available.
> add 00701 allow tcp from any to any 22
> add 00702 allow tcp from 194.168.4.200 to any 113
> #add 00703 allow tcp from any to any 21 out
> 
> ####	65000 And deny everything else.
> add 65007 deny log ip from any to any


-- 
Axel Scheepers
UNIX System Administrator

email: axel at axel.truedestiny.net
       ascheepers at vianetworks.nl
http://axel.truedestiny.net/~axel
------------------------------------------
In America, any boy may become president and I suppose that's just one
of the risks he takes.
		-- Adlai Stevenson
------------------------------------------
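The procedure Axel describes (pick a power-of-two size, flush, set the sysctl, reload) and the log burst setantae posted are worked through below in an added POSIX sh example. This is not code from the thread or from FreeBSD; it never touches a live firewall (plan_resize only prints the command sequence), the RULES_FILE path is a placeholder, and the syslog sample is constructed from the two lines quoted in the thread plus two made-up follow-ups.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD: helpers for sizing the
# ipfw dynamic-rule hash table and for spotting "Too many dynamic rules" bursts.
# Nothing here changes the running system; plan_resize only prints commands.

# Return 0 when $1 is a power of two (ipfw(8) requires this for dyn_buckets).
is_power_of_two() {
    n=$1
    [ "$n" -gt 0 ] 2>/dev/null || return 1
    [ $(( n & (n - 1) )) -eq 0 ]
}

# Print the smallest power of two that is >= $1, for picking a legal new size.
next_power_of_two() {
    n=$1
    p=1
    while [ "$p" -lt "$n" ]; do
        p=$(( p * 2 ))
    done
    echo "$p"
}

# Read syslog text on stdin and count the kernel's "Too many dynamic rules"
# messages per minute, so a short burst like the one in the thread stands out.
# Output lines: "<Mon> <day> <HH:MM> <count>", sorted.
count_dyn_overflows() {
    grep 'Too many dynamic rules' |
    awk '{
        split($3, t, ":")
        key = $1 " " $2 " " t[1] ":" t[2]
        c[key]++
    }
    END { for (k in c) print k, c[k] }' |
    sort
}

# Print the flush / resize / reload sequence the thread describes, after checking
# the requested size. RULES_FILE is a placeholder path for the saved ruleset
# (a file of "add NNNN ..." lines like the one quoted in the thread).
plan_resize() {
    new=$1
    if ! is_power_of_two "$new"; then
        echo "dyn_buckets must be a power of 2, got $new (try $(next_power_of_two "$new"))" >&2
        return 1
    fi
    echo "ipfw -f flush"                                 # table can only be resized when empty
    echo "sysctl -w net.inet.ip.fw.dyn_buckets=$new"    # configured size
    echo "sysctl -n net.inet.ip.fw.curr_dyn_buckets"    # verify: current size should now match
    echo "ipfw ${RULES_FILE:-/etc/ipfw.rules}"          # reload the ruleset (placeholder path)
}

# Constructed sample: the two syslog lines quoted in the thread plus two made-up
# follow-ups, so the per-minute count has something to group.
SAMPLE_LOG='Nov  8 14:47:45 rhadamanth /kernel: Too many dynamic rules, sorry
Nov  8 14:47:45 rhadamanth natd[218]: failed to write packet back (Permission denied)
Nov  8 14:47:46 rhadamanth /kernel: Too many dynamic rules, sorry
Nov  8 14:48:03 rhadamanth /kernel: Too many dynamic rules, sorry'

# Demo: show the burst count, then the plan for growing the table to 1024 buckets.
printf '%s\n' "$SAMPLE_LOG" | count_dyn_overflows
plan_resize 1024
```

Reading curr_dyn_buckets back after the sysctl is the check worth keeping: if it still shows the old value, the table was not empty when you set dyn_buckets and the resize did not take effect. Feed count_dyn_overflows from the real /var/log/messages to see whether the overflows are a one-off burst or a steady condition worth chasing with tcpdump, as Axel suggests.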