[ipfw] Dynamic rules grow indefinitely..
adrenalinup at gmail.com
Sat Dec 9 07:59:16 PST 2006
It is a web server with ~130 req/s; the problems seem to have started after
upgrading to new hardware.
ipfw -d list | wc -l
After an hour it grows more and more. The day before yesterday I
got 20 000 dynamic rules ;o) (I was forced to increase
net.inet.ip.fw.dyn_max because I started to get errors in the syslogs).
To reset them I was forced to flush and reload all rules.
Also, in some strange way, random IPs get banned ;] I suspect this is
because of that bug in the dynamic list, because after a flush, with the same
rules, everything works right.
Here are my firewall rules: http://pastebin.ca/273074
Kernel config: http://pastebin.ca/273077
Enabled in the kernel: ULE scheduler (I read somewhere that mysql works
better with it), option IPFIREWALL
Disabled: INET6, NFS*, COMPAT_FREEBSD4, COMPAT_FREEBSD5
Also, I get lots of (0s) entries in ipfw -d list:
00160 0 0 (0s) PARENT 5 tcp 188.8.131.52 0 <-> 0.0.0.0 0
00160 0 0 (0s) PARENT 1 tcp 184.108.40.206 0 <-> 0.0.0.0 0
00160 0 0 (0s) PARENT 3 tcp 220.127.116.11 0 <-> 0.0.0.0 0
Currently, out of 4363, 646 are with (0s). Is that normal? (I have very
little experience and don't have access to another server to see if it's
normal or not.)
By the way, what does the "3" in "PARENT 3" mean?
Here is a dump of ipfw -d list with 6410 dynamic rules, taken yesterday
before an ipfw flush: http://pastebin.ca/273087
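An added example, not part of the original post, for watching the dynamic table described above: it parses the `ipfw -d list` output format shown in the message and reports how many entries exist, how many show a (0s) lifetime, how many are PARENT/LIMIT/STATE entries, and which static rule creates them, so growth towards net.inet.ip.fw.dyn_max can be spotted from cron before the syslog errors appear. The default of 4096 for dyn_max and the sample table are assumptions; on a real host pass the value from sysctl.

```sh
#!/bin/sh
# Added example (not from the original post): summarise the dynamic-rule
# table printed by `ipfw -d list` so its growth can be watched from cron.
# Dynamic entries are recognised by the "(Ns)" lifetime in field 4:
#   00160 0 0 (0s) PARENT 5 tcp 10.0.0.1 0 <-> 0.0.0.0 0
# Static rules and the "## Dynamic rules (N):" header never match and are skipped.

# ipfw_dyn_summary DYN_MAX  <  output of `ipfw -d list`
# Prints: total=N expired=N parents=N limit=N state=N pct=N
# DYN_MAX should come from `sysctl -n net.inet.ip.fw.dyn_max`; 4096 is an
# assumed default used only when no argument is given.
ipfw_dyn_summary() {
    awk -v dynmax="${1:-4096}" '
    $4 ~ /^\([0-9]+s\)$/ {
        total++
        if ($4 == "(0s)")       expired++   # lifetime already elapsed
        if ($5 == "PARENT")     parents++   # limit parent, $6 = child count
        else if ($5 == "LIMIT") limit++     # child of a limit rule
        else if ($5 == "STATE") state++     # plain keep-state entry
    }
    END {
        printf "total=%d expired=%d parents=%d limit=%d state=%d pct=%d\n", total, expired, parents, limit, state, total * 100 / dynmax
    }'
}

# ipfw_dyn_by_rule  <  output of `ipfw -d list`
# Prints "rule NUMBER COUNT", busiest rule first, to show which static
# keep-state/limit rule is creating the entries.
ipfw_dyn_by_rule() {
    awk '$4 ~ /^\([0-9]+s\)$/ { n[$1]++ }
         END { for (r in n) printf "rule %s %d\n", r, n[r] }' |
    sort -k3,3nr -k2,2
}

# Constructed sample in the `ipfw -d list` format (addresses are made up).
SAMPLE=$(cat <<'EOF'
00100 allow ip from any to any via lo0
## Dynamic rules (6):
00160 0 0 (0s) PARENT 5 tcp 10.0.0.1 0 <-> 0.0.0.0 0
00160 12 2048 (299s) LIMIT tcp 10.0.0.1 51234 <-> 10.0.0.2 80
00160 0 0 (0s) LIMIT tcp 10.0.0.1 51235 <-> 10.0.0.2 80
00160 0 0 (0s) PARENT 1 tcp 10.0.0.3 0 <-> 0.0.0.0 0
00160 7 900 (120s) LIMIT tcp 10.0.0.3 40000 <-> 10.0.0.2 80
00200 3 300 (10s) STATE tcp 10.0.0.4 40001 <-> 10.0.0.2 22
EOF
)

# Live use: ipfw -d list | ipfw_dyn_summary "$(sysctl -n net.inet.ip.fw.dyn_max)"
printf '%s\n' "$SAMPLE" | ipfw_dyn_summary 20
printf '%s\n' "$SAMPLE" | ipfw_dyn_by_rule
```

With a cron job comparing successive `total=` values, a table that only ever grows between flushes (as in the post) stands out immediately.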
More information about the freebsd-stable