Too many dynamic rules, sorry

Norm Vilmer norm at etherealconsulting.com
Fri Sep 17 08:30:08 PDT 2004


Micheal Patterson wrote:

> 
> .
> 
> 
> ----- Original Message ----- 
> From: "Norm Vilmer" <norm at etherealconsulting.com>
> To: "Micheal Patterson" <micheal at tsgincorporated.com>
> Cc: <freebsd-questions at freebsd.org>
> Sent: Friday, September 17, 2004 9:41 AM
> Subject: Re: Too many dynamic rules, sorry
> 
> 
> 
>>Micheal Patterson wrote:
>>
>>>.
>>>
>>>
>>>----- Original Message ----- From: "Norm Vilmer"
>>><norm at etherealconsulting.com>
>>>To: <freebsd-questions at freebsd.org>
>>>Sent: Thursday, September 16, 2004 11:57 PM
>>>Subject: Too many dynamic rules, sorry
>>>
>>>
>>>
>>>>If I repeatedly nmap my FreeBSD 4.10 machine configured with ipfirewall,
>>>>I get the message "Too many dynamic rules, sorry". Doing a sysctl -a
>>>>|grep ip.fw I can see the net.inet.ip.fw.dyn_count has reached the
>>>>max value of 8192 that I set. The net.inet.ip.fw.dyn_ack_lifetime is set
>>>>to 300, so the dynamic rule count starts going down after about 5
>>>>minutes after the simulated attack.
>>>>
>>>>Questions:
>>>>
>>>>When this happens, is my firewall still fully operational, in other
>>>>words can I safely ignore this message?
>>>>
>>>>Is there a way to fix this?
>>>>
>>>
>>>
>>>The error "Too many dynamic rules, sorry" will cause the system to drop
>>>any packets that are covered by a keep-state entry. So, the firewall,
>>>while operational, is in a dead lock down state for any outbound traffic
>>>until the dynamic rules clear out. I'm hoping that you're checking the
>>>system with nmap from behind it, because if you're outside the firewall,
>>>then you're keeping state in inbound traffic and that's bad. You only
>>>want keep-state from traffic leaving that system, not to it.
>>>
>>>-- 
>>>
>>>Micheal Patterson
>>>TSG Network Administration
>>>405-917-0600
>>>
>>>Confidentiality Notice:  This e-mail message, including any attachments,
>>>is for the sole use of the intended recipient(s) and may contain
>>>confidential and privileged information. Any unauthorized review, use,
>>>disclosure or distribution is prohibited. If you are not the intended
>>>recipient, please contact the sender by reply e-mail and destroy all
>>>copies of the original message
>>>_______________________________________________
>>>freebsd-questions at freebsd.org mailing list
>>>http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>>>To unsubscribe, send any mail to
>>>"freebsd-questions-unsubscribe at freebsd.org"
>>>
>>
>>Thanks for your help.
>>
>>I was running nmap against my public or outside interface. This is my
>>first FreeBSD firewall, so I am sure my rules are not optimal, however,
>>the firewall appears to be doing what I want. I gathered these rules
>>from a number of how-to's and postings on the web with only a partial
>>understanding of what they actually do (yes, I know, problem # 1).
>>Here are the rules that I have that keep-state on the outside interface:
>>
>>#For DNS
>>add 01300 pass udp from ${oip} to any 53 keep-state
>># For NTP
>>add 01400 pass udp from ${oip} to any 123 keep-state
>># For VPN
>>add 01500 pass gre from any to any keep-state
>># For ICMP
>>add 01600 pass icmp from any to any via ${oip} keep-state
>>
>>Do you think these are causing the problem?
>>
>>Norm Vilmer
> 
> 
> I don't recall if you're running ipfilter or ipfw on that system. I don't
> know ipfilter well enough to assist yet, but with ipfw, if you have a
> check-state entry above your keep-states, that may reduce the number of
> dynamic rule entries that you'll have. What the check-state does is
> check the dynamic list; if an entry already exists, it stops processing
> rules there.
> 
> --
> 
> Micheal Patterson
> TSG Network Administration
> 405-917-0600
> 
> 
I do have a check-state rule

add 00200 check-state

Norm Vilmer
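As an added example (not code from this thread or from FreeBSD), a small Python check over the rules Norm posted, written from Micheal's advice: it flags keep-state rules that inbound packets can populate and confirms the check-state rule is numbered below them. The outside address, the `${oip}` expansion and the simplified rule grammar are assumptions.

```python
import re

# Constructed sample ruleset: the check-state and keep-state rules quoted in
# this thread, with ${oip} expanded to a placeholder outside address.
OIP = "203.0.113.10"  # placeholder, not an address from the thread
RULES = """\
add 00200 check-state
add 01300 pass udp from 203.0.113.10 to any 53 keep-state
add 01400 pass udp from 203.0.113.10 to any 123 keep-state
add 01500 pass gre from any to any keep-state
add 01600 pass icmp from any to any via 203.0.113.10 keep-state
"""

# Minimal grammar covering the rule shapes in the thread; real ipfw syntax is richer.
RULE_RE = re.compile(r"^add\s+(?P<num>\d+)\s+(?P<body>.*)$")
FROM_TO_RE = re.compile(r"\bfrom\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)")


def audit_keep_state(rules_text, oip):
    """Return (findings, ordering_ok): findings lists (rule number, problem) for
    keep-state rules that inbound packets can match, ordering_ok says whether
    a check-state rule is numbered below every keep-state rule."""
    findings = []
    check_state_num = None
    first_keep_state = None
    for line in rules_text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        num, body = int(m.group("num")), m.group("body")
        tokens = body.split()
        if tokens and tokens[0] == "check-state":
            if check_state_num is None:
                check_state_num = num
            continue
        if "keep-state" not in tokens:
            continue
        if first_keep_state is None or num < first_keep_state:
            first_keep_state = num
        ft = FROM_TO_RE.search(body)
        src = ft.group("src") if ft else "any"
        # A dynamic entry is created by whichever packet first matches the rule.
        # If the source is not the firewall's own address and the rule is not
        # limited to outbound packets, a remote host can fill the dynamic table.
        if src != oip and "out" not in tokens:
            findings.append((num, f"keep-state matches inbound packets (src={src})"))
    ordering_ok = (check_state_num is not None and first_keep_state is not None
                   and check_state_num < first_keep_state)
    return findings, ordering_ok
```

Run against the sample, rules 01500 and 01600 are flagged while the DNS and NTP rules pass, and the check-state at 00200 is correctly placed.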
