Too many dynamic rules, sorry

Micheal Patterson micheal at
Thu Sep 16 22:26:05 PDT 2004


----- Original Message ----- 
From: "Norm Vilmer" <norm at>
To: <freebsd-questions at>
Sent: Thursday, September 16, 2004 11:57 PM
Subject: Too many dynamic rules, sorry

> If I repeatedly nmap my FreeBSD 4.10 machine configured with 
> ipfirewall,
> I get the message "Too many dynamic rules, sorry". Doing a sysctl -a
> |grep ip.fw I can see the the net.inet.ip.fw.dyn_count has reached the
> max value of 8192 that I set. The net.inet.ip.fw.dyn_ack_lifetime is 
> set
> to 300, so the dynamic rule count starts going down after about 5
> minutes after the simulated attack.
> Questions:
> When this happens, if my firewall still fully operational, in other
> words can I safely ignore this message?
> Is there a way to fix this?

The error "Too many dynamic rules, sorry" will cause the system to drop 
any packets that are covered by a keep-state entry. So, the firewall, 
while operational, is in a dead lock down state for any outbound traffic 
until the dynamic rules clear out. I'm hoping that you're checking the 
system with nmap from behind it, because if your outside the firewall, 
then you're keeping state in inbound traffic and that's bad. You only 
want keep-state from traffic leaving that system, not to it.


Micheal Patterson
TSG Network Administration

Confidentiality Notice:  This e-mail message, including any attachments,
is for the sole use of the intended recipient(s) and may contain
confidential and privileged information. Any unauthorized review, use,
disclosure or distribution is prohibited. If you are not the intended
recipient, please contact the sender by reply e-mail and destroy all
copies of the original message 

More information about the freebsd-questions mailing list