IPFW | Too many dynamic rules?

Michael Sierchio kudzu at tenebras.com
Fri Jan 22 00:58:58 UTC 2021


On Thu, Jan 21, 2021 at 4:45 PM Jos Chrispijn <bsduser at cloudzeeland.nl>
wrote:

> On 22-1-21 at 1:29, Michael Sierchio wrote:
> > This is affected by a number of things.  Your ruleset may be faulty, and
> > you may be instantiating dynamic rules when a matching state exists.  You
> > may need to separate inbound and outbound traffic in your ruleset.  Do you
> > have a check-state rule early in the ruleset?
>
> Yes, I do (halfway through my ruleset).
> Should I move that line to the top, you mean?
>

It depends. ;-).  Near the top.  Dynamic rules get checked whenever you
reach the check-state, or the first keep-state rule with the same tag (if
you don't use a tag, the :default is used).  ipfw rulesets can be subtle.
More so if nat is involved.


> > The lifetime of dynamic rules is, by default, way too long.  See my
> > values below.  In my world, udp is primarily used for DNS queries.  3
> > seconds is a very long time. A short dyn_ack_lifetime relies on keepalives
> > (in SSH, for example).
>
> So I should decrease my numbers, following yours, and the issue will be
> solved?
>

I am hesitant to claim that it will solve your problem, but I doubt it can
hurt.  Yes, those are the values in /etc/sysctl.conf


>
> Are these also in your /etc/sysctl.conf?
>
> > net.inet.ip.fw.dyn_short_lifetime: 3
> > net.inet.ip.fw.dyn_udp_lifetime: 3
> > net.inet.ip.fw.dyn_rst_lifetime: 2
> > net.inet.ip.fw.dyn_fin_lifetime: 1
> > net.inet.ip.fw.dyn_syn_lifetime: 9
> > net.inet.ip.fw.dyn_ack_lifetime: 300
> > net.inet.ip.fw.dyn_parent_max: 4096
> > net.inet.ip.fw.dyn_max: 4096
> > net.inet.ip.fw.dyn_buckets: 2048
>
> Noob online, sorry.
>

No apologies required or accepted. ;-).  This is sometimes an arcane topic.

>
> Best, Jos
>

Good luck!

– M

-- 

"Well," Brahmā said, "even after ten thousand explanations, a fool is no
wiser, but an intelligent person requires only two thousand five hundred."

- The Mahābhārata
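A worked version of the two points made in this exchange (check-state near the top with inbound and outbound traffic kept apart, and the shorter dynamic-rule lifetimes written into /etc/sysctl.conf), added here as an illustration; it is not code from the original message or from either correspondent. It assumes FreeBSD 12 or later ipfw syntax, where check-state and keep-state take a state name such as :default; the interface name em0, the rule numbers and the allowed services are made-up choices for the example. One detail worth noting: the values quoted above are in the `key: value` form that `sysctl -a` prints, while /etc/sysctl.conf wants `key=value`.

```shell
#!/bin/sh
# Added example; not code from the original thread.  Assumes FreeBSD 12+ ipfw
# (check-state/keep-state accept a state name such as :default).  Interface
# name, rule numbers and allowed services are assumptions for illustration.

# The shorter dynamic-rule lifetimes quoted in the thread, in the key=value
# form /etc/sysctl.conf expects (the thread shows sysctl -a output, key: value).
dyn_sysctl_conf() {
  cat <<'EOF'
net.inet.ip.fw.dyn_short_lifetime=3
net.inet.ip.fw.dyn_udp_lifetime=3
net.inet.ip.fw.dyn_rst_lifetime=2
net.inet.ip.fw.dyn_fin_lifetime=1
net.inet.ip.fw.dyn_syn_lifetime=9
net.inet.ip.fw.dyn_ack_lifetime=300
net.inet.ip.fw.dyn_parent_max=4096
net.inet.ip.fw.dyn_max=4096
net.inet.ip.fw.dyn_buckets=2048
EOF
}

# Emit the ruleset.  $1 is the command used for each rule, so
# "ruleset echo" dry-runs the rules without ipfw being installed.
ruleset() {
  fw=${1:-"ipfw -q"}     # left unquoted below on purpose: "ipfw -q" is two words
  ext=${EXT_IF:-em0}     # assumed external interface name
  $fw add 100 allow ip from any to any via lo0
  # check-state near the top: a packet that matches an existing dynamic rule
  # is accepted here and never reaches a keep-state rule further down, so no
  # second state is created for the same flow.
  $fw add 200 check-state :default
  # Outbound and inbound kept apart.  Only the outbound rules (and the one
  # inbound service) create state; everything else inbound is dropped.
  $fw add 1000 allow tcp from me to any out via "$ext" setup keep-state :default
  $fw add 1100 allow udp from me to any 53 out via "$ext" keep-state :default
  $fw add 2000 allow tcp from any to me 22 in via "$ext" setup keep-state :default
  $fw add 65000 deny log ip from any to any
}

# Check ordering in "ipfw list" (or dry-run) output read on stdin: the first
# check-state rule must carry a lower number than the first keep-state rule.
# Exit status 0 if so, 1 otherwise (including when no check-state exists).
check_state_first() {
  awk '
    function rulenum(   i) {
      for (i = 1; i <= NF; i++) if ($i ~ /^[0-9]+$/) return $i + 0
      return -1
    }
    /check-state/ && cs == "" { cs = rulenum() }
    /keep-state/  && ks == "" { ks = rulenum() }
    END { exit !(cs != "" && (ks == "" || cs < ks)) }
  '
}

case "${1:-}" in
  dry-run) ruleset echo ;;
  conf)    dyn_sysctl_conf ;;
esac
```

`sh ipfw-example.sh dry-run` prints the rules without touching the firewall, `conf` prints the sysctl.conf lines, and calling `ruleset` with no argument applies the rules through `ipfw -q`. The ordering check only catches a check-state that sits below the first keep-state rule; it knows nothing about nat or about two rules matching the same flow by other means, which is exactly where the reply says rulesets get subtle.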

