ipfw: Too many dynamic rules

Ivan Voras ivoras at freebsd.org
Fri Sep 10 12:08:20 UTC 2010


On 09/09/10 17:39, Gareth de Vaux wrote:
> Hi again, I use some keep-state rules in ipfw, but get the following
> kernel message:
>
> kernel: ipfw: install_state: Too many dynamic rules
>
> when presumably my state table reaches its limit (and I effectively
> get DoS'd).
>
> netstat shows tons of connections in FIN_WAIT_2 state, mostly to
> my webserver. Consequently net.inet.ip.fw.dyn_count is large too.
>
> I can increase my net.inet.ip.fw.dyn_max but the new limit will
> simply be reached later on.

For what it's worth, here's what I've been running:

net.inet.ip.fw.dyn_buckets=1024
net.inet.ip.fw.dyn_max=8192
net.inet.ip.fw.dyn_ack_lifetime=60

If in a tight spot, I might reduce dyn_ack_lifetime to 10.

There is no way this machine would service 8192 legitimate simultaneous
connections so this works for me. If you have the memory I think you can
increase dyn_max practically arbitrarily. If under a DDoS attack, you
might run out of some other resource, like ephemeral TCP ports for the
server side of connections, before running out of ipfw entries.
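As an added example (not part of this thread), a small POSIX shell check that parses `sysctl net.inet.ip.fw` and `netstat -an` style output, reports how full the dynamic-rule table is relative to dyn_max, and counts FIN_WAIT_2 sockets per local port so the pressure on the webserver is visible before the "Too many dynamic rules" message appears. The sample output embedded below and the 90% threshold are constructed.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. All sample data is constructed.

# Constructed 'sysctl net.inet.ip.fw' output, shape "name: value"
SYSCTL_SAMPLE='net.inet.ip.fw.dyn_buckets: 1024
net.inet.ip.fw.dyn_max: 8192
net.inet.ip.fw.dyn_count: 7800
net.inet.ip.fw.dyn_ack_lifetime: 60'

# Constructed 'netstat -an' output in FreeBSD column layout (port after last dot)
NETSTAT_SAMPLE='Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 192.0.2.10.80          198.51.100.7.51022     FIN_WAIT_2
tcp4       0      0 192.0.2.10.80          198.51.100.8.40110     FIN_WAIT_2
tcp4       0      0 192.0.2.10.80          203.0.113.5.33001      ESTABLISHED
tcp4       0      0 192.0.2.10.22          203.0.113.9.55012      ESTABLISHED
tcp4       0      0 192.0.2.10.80          198.51.100.9.40111     FIN_WAIT_2'

# dyn_usage_pct: read sysctl text on stdin, print dyn_count as a percentage of dyn_max
dyn_usage_pct() {
    awk '
        $1 == "net.inet.ip.fw.dyn_count:" { count = $2 }
        $1 == "net.inet.ip.fw.dyn_max:"   { max = $2 }
        END { if (max > 0) print int(count * 100 / max); else print 0 }'
}

# fin_wait2_by_port: read netstat text on stdin, print "port count" for FIN_WAIT_2
# sockets grouped by local port, busiest port first
fin_wait2_by_port() {
    awk '$1 ~ /^tcp/ && $NF == "FIN_WAIT_2" {
             n = split($4, a, "."); c[a[n]]++
         }
         END { for (p in c) print p, c[p] }' | sort -k2,2nr
}

# state_table_status THRESHOLD_PCT: print WARN when the table is at or above
# the threshold, OK otherwise (uses the constructed sysctl sample)
state_table_status() {
    pct=$(printf '%s\n' "$SYSCTL_SAMPLE" | dyn_usage_pct)
    if [ "$pct" -ge "$1" ]; then
        echo "WARN"
    else
        echo "OK"
    fi
}

# Report: table utilization plus where the lingering FIN_WAIT_2 sockets sit
echo "dyn table: $(printf '%s\n' "$SYSCTL_SAMPLE" | dyn_usage_pct)% of dyn_max ($(state_table_status 90))"
echo "FIN_WAIT_2 sockets per local port:"
printf '%s\n' "$NETSTAT_SAMPLE" | fin_wait2_by_port
```

On a live FreeBSD host, replace the two sample variables with the real command output (`sysctl net.inet.ip.fw` and `netstat -an`) piped into the same functions.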

More information about the freebsd-stable mailing list