IPFW Questions.
Lowell Gilbert
freebsd-questions-local at be-well.ilk.org
Wed Aug 22 08:21:57 PDT 2007
"Grant Peel" <gpeel at thenetnow.com> writes:
> I was wondering what the consensus is on using dynamic rules in IPFW. Every once in a while, I suppose there is a DoS attack that causes me to see hundreds of:
>
> +ipfw: install_state: Too many dynamic rules
>
> in my security log.
>
> I am sure I read somewhere that many people are skipping the dynamic rules and just relying on the line by line rules.
>
> Your thoughts please.
You shouldn't allow people outside the network to invoke a dynamic
rule; that's a limited resource that they can overwhelm, as you see.
Usual practice is to set up state only on already-confirmed
connections; in my case, that means only outbound packets that didn't
match any previous state.
> And while you're up, does anyone really know what this means?
>
> ipfw: pullup failed
>
> I don't see that often, maybe 1 or 2 times a month.
A "pullup" is just advancing deeper into the packet. If it failed,
that probably means the packet was too short.
Truncated packets can happen for a number of benign reasons, but if
they happen frequently they're probably a sign of a problem in your
network equipment. By "frequently" I mean several orders of magnitude
more than you're seeing them. Don't worry about it.
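The policy described in the reply above (create dynamic state only for outbound traffic, serve inbound connections with plain stateless rules), as an added example that is not part of the thread. It is a small sh ruleset generator; the external interface name em0, the SMTP service on port 25, and the /sbin/ipfw path are assumptions, and setting IPFW=echo lets you print the rules without loading them.

```shell
#!/bin/sh
# Constructed example: two IPFW rulesets side by side. Assumed values:
# OIF is the outside interface, IPFW the binary (override with IPFW=echo
# to dry-run on a machine without ipfw).
OIF="${OIF:-em0}"
IPFW="${IPFW:-/sbin/ipfw}"

# Risky variant (the pattern to avoid): keep-state on an inbound rule lets
# any remote host consume a dynamic-rule slot just by sending a SYN, which
# is exactly how "install_state: Too many dynamic rules" gets triggered.
risky_rules() {
    "$IPFW" add 100 check-state
    "$IPFW" add 200 allow tcp from any to me 25 in via "$OIF" setup keep-state
    "$IPFW" add 65000 deny ip from any to any
}

# Hardened variant: only packets we originate (out, SYN only) create state;
# everything later in those sessions is matched by check-state at rule 100.
# Inbound services are handled by stateless rules and never add dynamic
# entries, so outsiders cannot exhaust the table.
hardened_rules() {
    "$IPFW" add 100 check-state
    "$IPFW" add 200 allow tcp from me to any out via "$OIF" setup keep-state
    "$IPFW" add 210 allow udp from me to any out via "$OIF" keep-state
    # Stateless service rules: SYN to the service, plus established traffic.
    "$IPFW" add 300 allow tcp from any to me 25 in via "$OIF" setup
    "$IPFW" add 310 allow tcp from any to any established
    "$IPFW" add 65000 deny ip from any to any
}

# Audit helper: count rules in a generated set that create state on
# inbound packets (should be 0 for a ruleset following the policy above).
inbound_state_count() {
    ( IPFW=echo; "$1" ) | grep -c ' in .*keep-state'
}
```

Run `IPFW=echo sh script.sh` after adding a call to `hardened_rules` at the bottom to review the rules before loading them on a real system.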