IPFW | Too many dynamic rules?

Michael Sierchio kudzu at tenebras.com
Fri Jan 22 00:30:04 UTC 2021


This is affected by a number of things.  Your ruleset may be faulty, and you
may be instantiating dynamic rules when a matching state exists.  You may
need to separate inbound and outbound traffic in your ruleset.  Do you have
a check-state rule early in the ruleset?

The lifetime of dynamic rules is, by default, way too long.  See my values
below.  In my world, udp is primarily used for DNS queries.  3 seconds is a
very long time. A short dyn_ack_lifetime relies on keepalives (in SSH, for
example).

net.inet.ip.fw.dyn_short_lifetime: 3
net.inet.ip.fw.dyn_udp_lifetime: 3
net.inet.ip.fw.dyn_rst_lifetime: 2
net.inet.ip.fw.dyn_fin_lifetime: 1
net.inet.ip.fw.dyn_syn_lifetime: 9
net.inet.ip.fw.dyn_ack_lifetime: 300
net.inet.ip.fw.dyn_parent_max: 4096
net.inet.ip.fw.dyn_max: 4096
net.inet.ip.fw.dyn_buckets: 2048



On Thu, Jan 21, 2021 at 3:15 PM Jos Chrispijn <bsduser at cloudzeeland.nl>
wrote:

> Just ran into this matter (never experienced it until now):
>
> "Cannot allocate dynamic state, consider increasing net.inet.ip.fw.dyn_max"
>
> - What can be the cause of this sudden incident?
> - Looks like ipfw is suddenly processing too many rules?
>
> Do I have to increase that in /etc/sysctl.conf and with what numbers can
> I do that best (depending on my BSD configuration or what is the usual
> formula on this)?
>
> Thanks, Jos
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"
>


-- 

"Well," Brahmā said, "even after ten thousand explanations, a fool is no
wiser, but an intelligent person requires only two thousand five hundred."

- The Mahābhārata
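The reply above points at two things to check before raising dyn_max: which rule is creating the states, and whether states are being created for traffic that an earlier check-state should already have matched. The script below is an added example, not code from either poster; it summarises the dynamic-state section of `ipfw -d list` by rule and protocol and lists connections that have been given a state from both ends. The line layout it assumes (keyed on the literal word STATE) is `<rule> <pkts> <bytes> (<ttl>s) STATE <proto> <src> <sport> <-> <dst> <dport> [:name]`; the sample listing is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): summarise the dynamic-state table that
# `ipfw -d list` prints, to see which rule and protocol are consuming states
# and whether any connection has been given a state from both ends.
# Assumed line layout, keyed on the literal word STATE:
#   <rule> <pkts> <bytes> (<ttl>s) STATE <proto> <src> <sport> <-> <dst> <dport> [:name]

# Constructed sample listing; real input comes from: ipfw -d list
SAMPLE_DYN='## Dynamic rules (6 2048):
00100     12     1234 (299s) STATE tcp 10.0.0.5 51234 <-> 93.184.216.34 443 :default
00100      3      312 (2s) STATE udp 10.0.0.5 52000 <-> 10.0.0.1 53 :default
00100      2      198 (1s) STATE udp 10.0.0.5 52001 <-> 10.0.0.1 53 :default
00100      2      190 (3s) STATE udp 10.0.0.5 52002 <-> 10.0.0.1 53 :default
00200      8      640 (300s) STATE tcp 10.0.0.7 40000 <-> 203.0.113.9 22 :default
00200      5      400 (298s) STATE tcp 203.0.113.9 22 <-> 10.0.0.7 40000 :default'

# States per (rule, protocol), busiest first: "rule proto count".
dyn_summary() {
    awk '{
        for (i = 1; i <= NF; i++) if ($i == "STATE") break
        if (i > NF) next                      # header or non-state line
        n[$1 " " $(i+1)]++
    }
    END { for (k in n) print k, n[k] }' | sort -k3,3nr -k1,1 -k2,2
}

# Number of dynamic states in the listing.
dyn_total() {
    awk '{ for (i = 1; i <= NF; i++) if ($i == "STATE") { c++; break } }
         END { print c + 0 }'
}

# Connections that appear twice, once from each end: "proto a:pa <-> b:pb".
# Such pairs are a sign that states are being created for traffic an earlier
# check-state rule should already have matched.
dyn_mirrored() {
    awk '{
        for (i = 1; i <= NF; i++) if ($i == "STATE") break
        if (i > NF) next
        p = $(i+1); a = $(i+2) ":" $(i+3); b = $(i+5) ":" $(i+6)
        if ((p " " b " " a) in seen) print p, b, "<->", a
        seen[p " " a " " b] = 1
    }'
}

# Integer percentage of dyn_max in use: dyn_pct <dyn_count> <dyn_max>.
dyn_pct() {
    echo $(( $1 * 100 / $2 ))
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_DYN" | dyn_summary
printf 'total states: %s\n' "$(printf '%s\n' "$SAMPLE_DYN" | dyn_total)"
printf '%s\n' "$SAMPLE_DYN" | dyn_mirrored
```

On the firewall itself, feed the live table with `ipfw -d list | dyn_summary`, and read the current fill level from `sysctl -n net.inet.ip.fw.dyn_count net.inet.ip.fw.dyn_max` (dyn_count is the read-only counter of states currently allocated) before deciding whether the ruleset or the limit is the problem.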

