ipfw: Too many dynamic rules

Jeremy Chadwick freebsd at jdc.parodius.com
Thu Sep 9 16:20:12 UTC 2010

On Thu, Sep 09, 2010 at 05:39:02PM +0200, Gareth de Vaux wrote:
> Hi again, I use some keep-state rules in ipfw, but get the following
> kernel message:
> kernel: ipfw: install_state: Too many dynamic rules
> when presumably my state table reaches its limit (and I effectively
> get DoS'd).
> netstat shows tons of connections in FIN_WAIT_2 state, mostly to
> my webserver. Consequently net.inet.ip.fw.dyn_count is large too.
> I can increase my net.inet.ip.fw.dyn_max but the new limit will
> simply be reached later on.
> I currently get around this with a cronjob that sets
> net.inet.ip.fw.dyn_keepalive to 0 for just less than 5 minutes
> every night. If I leave it at 0 for longer or indefinitely then
> idle ssh sessions and the like are dropped. This works fine for
> me but it looks like there's some bug with net.inet.ip.fw.dyn_keepalive=1?
> Or with Apache?
> I'm using 8.1-STABLE, GENERIC kernel. Experienced the same behaviour
> on 8.0-RELEASE, but not on 6.1-RELEASE where I had a similar setup. I
> have a KeepAliveTimeout of 4 in Apache (2.2.16).

Firstly, I'm not familiar with dynamic firewall rules in ipfw.  I tend
to use pf these days, with ALTQ for rate-limiting.  pf offers a lot of
improvements over ipfw.

Secondly, I'm fairly certain HTTP KeepAlive (re: KeepAliveTimeout) is
unrelated to TCP keepalives[1].  I mention this because you're focusing
on netstat, which will give you an indication of TCP session state, not
HTTP protocol statefulness.

Thirdly, if you feel FIN_WAIT2 is the cause of your problem, then you
should consider adjusting the following sysctl:


Try something like 15000 (15 seconds) instead of the default (60000).

Finally, why are you using dynamic firewall rules at all?  For what
purpose do you need these that, say, pf and its state tracking would not

[1]: http://en.wikipedia.org/wiki/Keepalive

| Jeremy Chadwick                                   jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
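As an added example that is not part of this thread, here is a small POSIX sh check that parses `sysctl` and `netstat -an -p tcp` output to report how close the ipfw dynamic-rule table is to net.inet.ip.fw.dyn_max and how many FIN_WAIT_2 sessions sit on the web-server port, which is the pattern the original poster describes. The sysctl and netstat text below is constructed sample output so the script runs offline; the 90% warning threshold is an assumption.

```shell
#!/bin/sh
# Added example, not code from the thread. On a live FreeBSD host replace the
# constructed samples with the output of:
#   sysctl net.inet.ip.fw.dyn_count net.inet.ip.fw.dyn_max
#   netstat -an -p tcp

SAMPLE_SYSCTL='net.inet.ip.fw.dyn_count: 7850
net.inet.ip.fw.dyn_max: 8192'

SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 192.0.2.10.80          198.51.100.7.51234     FIN_WAIT_2
tcp4       0      0 192.0.2.10.80          198.51.100.7.51235     FIN_WAIT_2
tcp4       0      0 192.0.2.10.80          203.0.113.9.40001      ESTABLISHED
tcp4       0      0 192.0.2.10.22          203.0.113.9.40002      ESTABLISHED
tcp4       0      0 192.0.2.10.80          203.0.113.20.5555      FIN_WAIT_2'

# dyn_table_pct SYSCTL_TEXT -> integer percentage of dyn_max currently in use
dyn_table_pct() {
    printf '%s\n' "$1" | awk -F': ' '
        $1 == "net.inet.ip.fw.dyn_count" { c = $2 }
        $1 == "net.inet.ip.fw.dyn_max"   { m = $2 }
        END { if (m > 0) printf "%d\n", (c * 100) / m; else print 0 }'
}

# finwait2_on_port NETSTAT_TEXT PORT -> count of FIN_WAIT_2 sockets whose
# local port (last dot-separated component of the local address) is PORT
finwait2_on_port() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $1 ~ /^tcp/ && $NF == "FIN_WAIT_2" {
            n = split($4, a, "."); if (a[n] == port) k++ }
        END { print k + 0 }'
}

# check_dyn_table SYSCTL_TEXT THRESHOLD_PCT -> exit 0 while usage is below
# the threshold, 1 once it reaches it (cron-friendly: act on non-zero)
check_dyn_table() {
    pct=$(dyn_table_pct "$1")
    [ "$pct" -lt "$2" ]
}

# Human-readable report for interactive use.
report() {
    printf 'dynamic rules: %s%% of dyn_max in use\n' "$(dyn_table_pct "$1")"
    printf 'FIN_WAIT_2 sockets on port %s: %s\n' "$3" "$(finwait2_on_port "$2" "$3")"
}

report "$SAMPLE_SYSCTL" "$SAMPLE_NETSTAT" 80
```

Run from cron, `check_dyn_table` gives a non-zero exit well before the kernel starts logging "Too many dynamic rules", which is a better trigger for an alert than waiting for the table to fill.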
