Too many dynamic rules

Ivan Voras ivoras at
Tue Nov 13 14:33:15 UTC 2012

On 13/11/2012 03:23, Dan Nelson wrote:
> In the last episode (Nov 12), Darrel said:
>> Hello,
>> Today I booted r242670 from the console and noticed an error.  This
>> is one line from the end of dmesg:
>> ipfw: ipfw_install_state: Too many dynamic rules
>> The ruleset has always been dynamic and has no additional rules.
>> Search engines produced similar error messages, but no information
>> that seems to be the correct solution.
>> I have a basically identical ruleset on fbsd91 and no error message.
> That means that the dynamic rules generated by the keep-state keyword hit
> the currently-confgured limit.  If you get hit with a lot of random traffic
> that matches a keep-state rule, you'll get that message.  It's not the rules
> themselves that cause this, it's the traffic.
> Run "sysctl net.inet.ip.fw.dyn_max net.inet.ip.fw.dyn_count" and compare the
> two values.  If count is near to dyn_max, you can simply raise dyn_max. 
> It's a writeable sysctl.  I set it to 65535 on my systems in
> /etc/sysctl.conf with no apparent ill effects.

I have huge problems with the default settings, and I beat them down
with the following:


I also add these, though I don't think they help this particular problem:


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 260 bytes
Desc: OpenPGP digital signature
URL: <>

More information about the freebsd-current mailing list