ipfw: Too many dynamic rules
Kevin Oberman
oberman at es.net
Thu Sep 9 21:19:13 UTC 2010
> Date: Thu, 09 Sep 2010 22:03:10 +0400
> From: "Marat N.Afanasyev" <amarat at ksu.ru>
> Sender: owner-freebsd-stable at freebsd.org
>
> Gareth de Vaux wrote:
> > Hi again, I use some keep-state rules in ipfw, but get the following
> > kernel message:
> >
> > kernel: ipfw: install_state: Too many dynamic rules
> >
> > when presumably my state table reaches its limit (and I effectively
> > get DoS'd).
> >
> > netstat shows tons of connections in FIN_WAIT_2 state, mostly to
> > my webserver. Consequently net.inet.ip.fw.dyn_count is large too.
> >
> > I can increase my net.inet.ip.fw.dyn_max but the new limit will
> > simply be reached later on.
> >
> > I currently get around this with a cronjob that sets
> > net.inet.ip.fw.dyn_keepalive to 0 for just less than 5 minutes
> > every night. If I leave it at 0 for longer or indefinitely then
> > idle ssh sessions and the like are dropped. This works fine for
> > me but it looks like there's some bug with net.inet.ip.fw.dyn_keepalive=1?
> > Or with Apache?
> >
> > I'm using 8.1-STABLE, GENERIC kernel. Experienced the same behaviour
> > on 8.0-RELEASE, but not on 6.1-RELEASE where I had a similar setup. I
> > have a KeepAliveTimeout of 4 in Apache (2.2.16).
> > _______________________________________________
> > freebsd-stable at freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-stable
> > To unsubscribe, send any mail to "freebsd-stable-unsubscribe at freebsd.org"
> >
> I wonder, are these dynamic rules really necessary? let's see, a client
> connects to your web-server and you immediately should create a new
> dynamic rule, therefore you participate in this DoS attack as well as
> attacker. ;)
I'll be more blunt...stateful firewalls should NEVER be placed in front
of externally accessible services. Access filters are fine, but stateful
firewalls are nothing but a denial of service waiting to
happen. Security pros have always know this, but too many folks insist
that there be a firewall in front of everything and that is simply an
invitation to problems.
Marat is right! Just don't even try. An attacker can ALWAYS overwhelm
the state tables in a stateful firewall. It's just way too easy. There
was a long discussion of this a while back on a network ops list I
participate in and noobs kept claiming that you have to have a stateful
firewall in front of everything while the real operational security folks
(like those at Y! and Google) kept explaining that it just does not
work.
--
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman at es.net Phone: +1 510 486-8634
Key fingerprint:059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751
More information about the freebsd-stable
mailing list