IPFW | Too many dynamic rules?
Jos Chrispijn
bsduser at cloudzeeland.nl
Fri Jan 22 00:45:45 UTC 2021
On 22-1-21 at 1:29, Michael Sierchio wrote:
> This is affected by a number of things. You ruleset may be faulty, and you
> may be instantiating dynamic rules when a matching state exists. You may
> need to separate inbound and outbound traffic in your ruleset. Do you have
> a check-state rule early in the ruleset?
Yes, I do (halfway through my ruleset).
Should I move that line to the top you mean?
> The lifetime of dynamic rules is, by default, way too long. See my values
> below. In my world, udp is primarily used for DNS queries. 3 seconds is a
> very long time. A short dyn_ack_lifetime relies on keepalives (in SSH, for
> example).
So I should decrease my numbers, following yours, and the issue will be
solved?
Are these also in your /etc/sysctl.conf?
> net.inet.ip.fw.dyn_short_lifetime: 3
> net.inet.ip.fw.dyn_udp_lifetime: 3
> net.inet.ip.fw.dyn_rst_lifetime: 2
> net.inet.ip.fw.dyn_fin_lifetime: 1
> net.inet.ip.fw.dyn_syn_lifetime: 9
> net.inet.ip.fw.dyn_ack_lifetime: 300
> net.inet.ip.fw.dyn_parent_max: 4096
> net.inet.ip.fw.dyn_max: 4096
> net.inet.ip.fw.dyn_buckets: 2048
Noob online, sorry.
Best, Jos
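As an added example that is not part of this thread, the shell script below puts Michael's quoted dyn_* values into /etc/sysctl.conf syntax, shows a ruleset skeleton with check-state at the very top and inbound and outbound keep-state rules kept separate, and checks how full the dynamic table is by reading net.inet.ip.fw.dyn_count against net.inet.ip.fw.dyn_max. The rule numbers, ports and the 80% threshold are illustrative choices, and dyn_count is assumed to be available as a read-only sysctl on the FreeBSD version in use; everything else is standard ipfw and sysctl syntax.

```shell
#!/bin/sh
# Added example, not code from the original thread. Assumes FreeBSD ipfw and
# the net.inet.ip.fw.dyn_* sysctls; the lifetime values are the ones Michael
# posted, rule numbers, ports and the threshold are illustrative.

# The quoted dyn_* values in /etc/sysctl.conf syntax (name=value, one per line).
sysctl_conf_fragment() {
    cat <<'EOF'
net.inet.ip.fw.dyn_short_lifetime=3
net.inet.ip.fw.dyn_udp_lifetime=3
net.inet.ip.fw.dyn_rst_lifetime=2
net.inet.ip.fw.dyn_fin_lifetime=1
net.inet.ip.fw.dyn_syn_lifetime=9
net.inet.ip.fw.dyn_ack_lifetime=300
net.inet.ip.fw.dyn_parent_max=4096
net.inet.ip.fw.dyn_max=4096
net.inet.ip.fw.dyn_buckets=2048
EOF
}

# Ruleset skeleton in the form `ipfw -q /path/to/rules` reads. check-state is
# rule 100, so a packet that already matches a state entry is passed there and
# never reaches a keep-state rule that would create a second entry. Outbound
# (rules 2xx) and inbound (rules 3xx) are separate rules.
ruleset() {
    cat <<'EOF'
add 100 check-state
add 200 allow tcp from me to any out setup keep-state
add 210 allow udp from me to any 53 out keep-state
add 300 allow tcp from any to me 22 in setup keep-state
add 65000 deny ip from any to any
EOF
}

# Percentage of the dynamic table in use, parsed from the "name: value" lines
# that `sysctl net.inet.ip.fw.dyn_count net.inet.ip.fw.dyn_max` prints.
# Reads stdin so a captured sample can be fed in as well as the live output.
dyn_table_usage() {
    awk -F': ' '
        $1 == "net.inet.ip.fw.dyn_count" { count = $2 }
        $1 == "net.inet.ip.fw.dyn_max"   { max = $2 }
        END { if (max > 0) printf "%d\n", count * 100 / max; else print -1 }'
}

# Returns 0 when the table is below the threshold (default 80%), 1 otherwise.
dyn_table_ok() {
    threshold=${1:-80}
    usage=$(dyn_table_usage)
    if [ "$usage" -ge 0 ] && [ "$usage" -lt "$threshold" ]; then
        return 0
    fi
    return 1
}

# Ordering check on a ruleset text read from stdin: returns 0 only when the
# first check-state rule precedes the first keep-state rule.
check_state_first() {
    awk '
        /check-state/ && !cs { cs = NR }
        /keep-state/  && !ks { ks = NR }
        END { exit !(cs && ks && cs < ks) }'
}

# Constructed sample of sysctl output (not captured from a real host), used
# when this is run on a machine without ipfw.
SAMPLE_SYSCTL='net.inet.ip.fw.dyn_count: 3900
net.inet.ip.fw.dyn_max: 4096'

if command -v ipfw >/dev/null 2>&1; then
    sysctl net.inet.ip.fw.dyn_count net.inet.ip.fw.dyn_max | dyn_table_ok \
        || echo "dynamic rule table above threshold"
    ruleset | check_state_first || echo "check-state is not before keep-state"
else
    printf '%s\n' "$SAMPLE_SYSCTL" | dyn_table_usage
fi
```

On a live box, `ipfw -d list` shows the dynamic entries themselves, which tells you whether the table is filling with duplicates of the same flow (a ruleset ordering problem) or simply with many short-lived UDP and half-open TCP states (a lifetime problem). A dyn_ack_lifetime of 300 seconds, as Michael notes, depends on keepalives; ipfw's own net.inet.ip.fw.dyn_keepalive sysctl is worth confirming is enabled before going that low.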
More information about the freebsd-questions mailing list