ipfw: Too many dynamic rules

Kevin Oberman oberman at es.net
Thu Sep 9 21:19:13 UTC 2010

> Date: Thu, 09 Sep 2010 22:03:10 +0400
> From: "Marat N.Afanasyev" <amarat at ksu.ru>
> Sender: owner-freebsd-stable at freebsd.org
> Gareth de Vaux wrote:
> > Hi again, I use some keep-state rules in ipfw, but get the following
> > kernel message:
> >
> > kernel: ipfw: install_state: Too many dynamic rules
> >
> > when presumably my state table reaches its limit (and I effectively
> > get DoS'd).
> >
> > netstat shows tons of connections in FIN_WAIT_2 state, mostly to
> > my webserver. Consequently net.inet.ip.fw.dyn_count is large too.
> >
> > I can increase my net.inet.ip.fw.dyn_max but the new limit will
> > simply be reached later on.
> >
> > I currently get around this with a cronjob that sets
> > net.inet.ip.fw.dyn_keepalive to 0 for just less than 5 minutes
> > every night. If I leave it at 0 for longer or indefinitely then
> > idle ssh sessions and the like are dropped. This works fine for
> > me but it looks like there's some bug with net.inet.ip.fw.dyn_keepalive=1?
> > Or with Apache?
> >
> > I'm using 8.1-STABLE, GENERIC kernel. Experienced the same behaviour
> > on 8.0-RELEASE, but not on 6.1-RELEASE where I had a similar setup. I
> > have a KeepAliveTimeout of 4 in Apache (2.2.16).
> > _______________________________________________
> > freebsd-stable at freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-stable
> > To unsubscribe, send any mail to "freebsd-stable-unsubscribe at freebsd.org"
> >
> I wonder, are these dynamic rules really necessary? let's see, a client 
> connects to your web-server and you immediately should create a new 
> dynamic rule, therefore you participate in this DoS attack as well as 
> attacker. ;)

I'll be more blunt...stateful firewalls should NEVER be placed in front
of externally accessible services. Access filters are fine, but stateful
firewalls are nothing but a denial of service waiting to
happen. Security pros have always known this, but too many folks insist
that there be a firewall in front of everything and that is simply an
invitation to problems.

Marat is right! Just don't even try. An attacker can ALWAYS overwhelm
the state tables in a stateful firewall. It's just way too easy. There
was a long discussion of this a while back on a network ops list I
participate in and noobs kept claiming that you have to have a stateful
firewall in front of everything while the real operational security folks
(like those at Y! and Google) kept explaining that it just does not

R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman at es.net			Phone: +1 510 486-8634
Key fingerprint:059B 2DDF 031C 9BA3 14A4  EADA 927D EBB3 987B 3751
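The pattern Marat and Kevin argue for (a plain access filter in front of the public service, dynamic rules reserved for the few flows that need them, and a watch on net.inet.ip.fw.dyn_count before install_state starts failing) as an added example; this is editor-supplied code, not from the thread or from FreeBSD's rc.firewall. It assumes FreeBSD ipfw with the sysctl names quoted above; the addresses (192.0.2.10, 203.0.113.0/24), the function names and the sysctl output fed to dyn_pressure are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeBSD's own rc.firewall.
# Assumes FreeBSD ipfw and the sysctl names quoted in the thread
# (net.inet.ip.fw.dyn_count / net.inet.ip.fw.dyn_max). Addresses are
# constructed placeholders.

WEB_IP="192.0.2.10"          # constructed: the public web server
ADMIN_NET="203.0.113.0/24"   # constructed: where management ssh comes from

# Print an ipfw ruleset that keeps the public web service stateless.
# Rules 200/210 are a plain access filter and never touch the dynamic table.
# Rules 300 and 400 are the only stateful ones: 300 uses 'limit src-addr'
# so a single source can hold at most 4 entries, 400 covers host-originated
# traffic, where the host itself bounds the number of states.
stateless_web_rules() {
    cat <<EOF
add 100 check-state
add 200 allow tcp from any to ${WEB_IP} 80 in
add 210 allow tcp from ${WEB_IP} 80 to any out
add 300 allow tcp from ${ADMIN_NET} to ${WEB_IP} 22 in setup limit src-addr 4
add 400 allow ip from ${WEB_IP} to any out keep-state
add 65000 deny ip from any to any
EOF
}

# Read 'sysctl net.inet.ip.fw.dyn_count net.inet.ip.fw.dyn_max' output on
# stdin, print "count max percent", and return 1 once usage reaches the
# threshold (default 80%) so a cron job can alert before install_state
# starts logging "Too many dynamic rules".
dyn_pressure() {
    threshold="${1:-80}"
    awk -v thr="$threshold" '
        /dyn_count/ { count = $NF }
        /dyn_max/   { max = $NF }
        END {
            if (max + 0 == 0) { print "dyn_max not found"; exit 2 }
            pct = int(count * 100 / max)
            print count, max, pct
            if (pct >= thr) exit 1
            exit 0
        }'
}

# Stand-alone usage on a FreeBSD host:
#   stateless_web_rules > /etc/ipfw.rules && ipfw -q /etc/ipfw.rules
#   sysctl net.inet.ip.fw.dyn_count net.inet.ip.fw.dyn_max | dyn_pressure 80
```

The trade-off is the one the thread describes: rules 200/210 cannot be exhausted by a flood of half-open or FIN_WAIT_2 connections because they create no state, at the price of not tracking the handshake at all; where state is genuinely wanted (rule 300), `limit src-addr` caps what one source can consume instead of letting every new connection install an unbounded `keep-state` entry. Raising net.inet.ip.fw.dyn_max or toggling net.inet.ip.fw.dyn_keepalive, as in the original workaround, only moves the ceiling; dyn_pressure makes it visible before it is hit.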
