kernel: drop session, too many entries - errors with stateful ipfw
- still looking
Brian
bbayorgeon at new.rr.com
Sun Jan 30 22:07:11 PST 2005
Still trying to figure this one out. Any help will
be appreciated.
Thanks
Brian
> previously posted
Trying to find the source of the following error messages.
It is not quite obvious why I am getting so many dynamic
rules. This is a small private home LAN with
FreeBSD 5.3-RELEASE.
These errors can crop up even during times when no one is cruising the
internet on the various clients.
I even boosted 'net.inet.ip.fw.dyn_max: 15000' and it still happens.
Any thoughts would be appreciated.
Thanks
Brian
LOG FILE
Jan 25 19:12:36 xx kernel: drop session, too many entries
Jan 25 19:13:46 xx kernel: drop session, too many entries
Jan 25 19:16:26 xx last message repeated 2 times
Jan 25 19:33:58 xx last message repeated 5 times
Jan 25 20:01:55 xx kernel: drop session, too many entries
Jan 25 20:01:58 xx kernel: drop session, too many entries
Jan 25 20:03:15 xx kernel: drop session, too many entries
Jan 25 20:12:00 xx last message repeated 3 times
Jan 26 08:41:10 xx kernel: drop session, too many entries
Jan 26 10:46:37 xx kernel: drop session, too many entries
Jan 26 10:46:45 xx kernel: drop session, too many entries
SYSCTL OUTPUT
sysctl -a | grep ip.fw
net.inet.ip.fw.enable: 1
net.inet.ip.fw.autoinc_step: 100
net.inet.ip.fw.one_pass: 1
net.inet.ip.fw.debug: 1
net.inet.ip.fw.verbose: 1
net.inet.ip.fw.verbose_limit: 100
net.inet.ip.fw.dyn_buckets: 256
net.inet.ip.fw.curr_dyn_buckets: 256
net.inet.ip.fw.dyn_count: 0
net.inet.ip.fw.dyn_max: 15000
net.inet.ip.fw.static_count: 47
net.inet.ip.fw.dyn_ack_lifetime: 300
net.inet.ip.fw.dyn_syn_lifetime: 20
net.inet.ip.fw.dyn_fin_lifetime: 1
net.inet.ip.fw.dyn_rst_lifetime: 1
net.inet.ip.fw.dyn_udp_lifetime: 10
net.inet.ip.fw.dyn_short_lifetime: 5
net.inet.ip.fw.dyn_keepalive: 1
ipfw show output
00002 95 15384 allow ip from any to any via de0
00003 0 0 allow ip from any to any via lo0
00100 1 338 divert 8668 ip from any to any in via ex0
00101 0 0 check-state
00120 0 0 skipto 500 udp from any to any dst-port 53 out via ex0 keep-state
00122 0 0 skipto 500 log logamount 1000 udp from any to 10.x.x.x dst-port 67 out via keep-state
00125 0 0 skipto 500 tcp from any to any dst-port 22,25,43,80,443,110,119,11000-12000 out via ex0 setup keep-state
00130 0 0 skipto 500 icmp from any to any out via ex0 keep-state
00135 0 0 skipto 500 log logamount 1000 udp from any to any dst-port 123 out via ex0 keep-state
00150 1 338 allow log logamount 1000 udp from 10.x.x.x to any dst-port 68 in via ex0 keep-state
00300 0 0 deny log logamount 1000 ip from 192.168.0.0/16 to any in via ex0
00301 0 0 deny log logamount 1000 ip from 172.16.0.0/12 to any in via ex0
00302 0 0 deny log logamount 1000 ip from 10.0.0.0/8 to any in via ex0
00303 0 0 deny log logamount 1000 ip from 127.0.0.0/8 to any in via ex0
00304 0 0 deny log logamount 1000 ip from 0.0.0.0/8 to any in via ex0
00305 0 0 deny log logamount 1000 ip from 169.254.0.0/16 to any in via ex0
00306 0 0 deny log logamount 1000 ip from 192.0.2.0/24 to any in via ex0
00307 0 0 deny log logamount 1000 ip from 204.152.64.0/23 to any in via ex0
00308 0 0 deny log logamount 1000 ip from 224.0.0.0/3 to any in via ex0
00310 0 0 deny log logamount 1000 tcp from any to any dst-port 113 in via ex0
00311 0 0 deny log logamount 1000 icmp from any to any in via ex0 icmptypes 8
00315 0 0 deny log logamount 1000 ip from any to any in frag
00320 0 0 deny log logamount 1000 tcp from any to any dst-port 137,138,139,81 in via ex0
00330 0 0 deny log logamount 1000 ip from any to any frag in via ex0
00340 0 0 deny log logamount 1000 tcp from any to any established in via ex0
00420 0 0 allow log logamount 1000 tcp from any to me dst-port 80 in via ex0 setup limit src-addr 2
00421 0 0 allow log logamount 1000 tcp from any to me dst-port 22 in via ex0 setup limit src-addr 2
00450 0 0 deny log logamount 10000 ip from any to any
00500 0 0 divert 8668 ip from any to any out via ex0
00510 0 0 allow ip from any to any
00999 0 0 deny log logamount 1000 ip from any to any
65535 112 9464 allow ip from any to any
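The log excerpt above understates how often the kernel actually hit the limit, because syslogd collapses consecutive duplicates into "last message repeated N times" lines. As an added example (not part of the post and not FreeBSD code), the Python script below expands those repeat lines to tally the real number of "drop session, too many entries" events per hour, and separately lists which rules in the `ipfw show` output can create dynamic entries, i.e. the ones carrying `keep-state` or `limit`, since those are the entries counted against `dyn_max` (`check-state` only matches entries that already exist). The sample inputs are the post's own log lines and a subset of its rules joined back onto one line per rule; the year 2005 is an assumption, since syslog timestamps omit it.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample input: the log lines quoted in the post, verbatim.
SAMPLE_LOG = """\
Jan 25 19:12:36 xx kernel: drop session, too many entries
Jan 25 19:13:46 xx kernel: drop session, too many entries
Jan 25 19:16:26 xx last message repeated 2 times
Jan 25 19:33:58 xx last message repeated 5 times
Jan 25 20:01:55 xx kernel: drop session, too many entries
Jan 25 20:01:58 xx kernel: drop session, too many entries
Jan 25 20:03:15 xx kernel: drop session, too many entries
Jan 25 20:12:00 xx last message repeated 3 times
Jan 26 08:41:10 xx kernel: drop session, too many entries
Jan 26 10:46:37 xx kernel: drop session, too many entries
Jan 26 10:46:45 xx kernel: drop session, too many entries
"""

# Constructed sample input: a subset of the post's 'ipfw show' rules,
# one rule per line (the mail client had wrapped them).
SAMPLE_RULES = """\
00100 1 338 divert 8668 ip from any to any in via ex0
00101 0 0 check-state
00120 0 0 skipto 500 udp from any to any dst-port 53 out via ex0 keep-state
00125 0 0 skipto 500 tcp from any to any dst-port 22,25,43,80,443,110,119,11000-12000 out via ex0 setup keep-state
00150 1 338 allow log logamount 1000 udp from 10.x.x.x to any dst-port 68 in via ex0 keep-state
00340 0 0 deny log logamount 1000 tcp from any to any established in via ex0
00420 0 0 allow log logamount 1000 tcp from any to me dst-port 80 in via ex0 setup limit src-addr 2
00510 0 0 allow ip from any to any
"""

# Classic BSD syslog line: "Mon DD HH:MM:SS host message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$"
)
REPEAT_RE = re.compile(r"^last message repeated (?P<n>\d+) times$")
DROP_MSG = "kernel: drop session, too many entries"
# 'ipfw show' line: rule number, packet count, byte count, then the rule body
RULE_RE = re.compile(r"^(?P<num>\d{5}) +\d+ +\d+ +(?P<body>.*)$")


def expand_repeats(lines):
    """Yield (timestamp, message) pairs, replacing each
    'last message repeated N times' line with N copies of the message
    that preceded it. The copies carry the summary line's timestamp,
    which is when syslogd flushed them, not the time of each event."""
    last = None
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts, msg = m.group("ts"), m.group("msg")
        rep = REPEAT_RE.match(msg)
        if rep is None:
            last = msg
            yield ts, msg
        elif last is not None:  # a repeat with no prior message is dropped
            for _ in range(int(rep.group("n"))):
                yield ts, last


def drops_per_hour(log_text, year=2005):
    """Count 'drop session, too many entries' events per hour.
    Syslog lines carry no year, so one is supplied (assumed 2005 here)."""
    counts = Counter()
    for ts, msg in expand_repeats(log_text.splitlines()):
        if msg != DROP_MSG:
            continue
        when = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
        counts[when.strftime("%Y-%m-%d %H:00")] += 1
    return dict(sorted(counts.items()))


def total_drops(log_text):
    """Total number of drop events after expanding repeats."""
    return sum(drops_per_hour(log_text).values())


def state_creating_rules(ipfw_show_text):
    """Rule numbers that can create dynamic entries: those with
    keep-state or limit. check-state only consults existing entries."""
    rules = []
    for line in ipfw_show_text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        words = m.group("body").split()
        if "keep-state" in words or "limit" in words:
            rules.append(int(m.group("num")))
    return rules


if __name__ == "__main__":
    for hour, n in drops_per_hour(SAMPLE_LOG).items():
        print(f"{hour}  {n:3d} drops")
    print("total drops:", total_drops(SAMPLE_LOG))
    print("rules that create dynamic state:", state_creating_rules(SAMPLE_RULES))
```

The eleven log lines in the post expand to 18 drop events, nine of them in a single hour on Jan 25, so the limit is being hit in bursts rather than once in a while. The sysctl snapshot in the post shows `dyn_count: 0`, meaning it was taken when no dynamic entries existed at all; polling `net.inet.ip.fw.dyn_count` against `dyn_max` while the messages are being logged, together with `ipfw -d list` to see the live entries, is what would reveal which of the keep-state or limit rules the entries belong to.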