Ivan Voras ivoras at freebsd.org
Fri Sep 10 12:08:20 UTC 2010

On 09/09/10 17:39, Gareth de Vaux wrote:
> Hi again, I use some keep-state rules in ipfw, but get the following
> kernel message:
> kernel: ipfw: install_state: Too many dynamic rules
> when presumably my state table reaches its limit (and I effectively
> get DoS'd).
> netstat shows tons of connections in FIN_WAIT_2 state, mostly to
> my webserver. Consequently net.inet.ip.fw.dyn_count is large too.
> I can increase my net.inet.ip.fw.dyn_max but the new limit will
> simply be reached later on.

For what it's worth, here's what I've been running:


If in a tight spot, I might reduce dyn_ack_lifetime to 10.

There is no way this machine would service 8192 legitimate simultaneous 
connections so this works for me. If you have the memory I think you can 
increase dyn_max practically arbitrarily. If under a DDoS attack, you 
might run out of some other resource, like ephemeral TCP ports for the 
server side of connections, before running out of ipfw entries.
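As an added illustration of the diagnosis described in this thread (not part of Ivan's or Gareth's messages), the following POSIX shell script summarises a `netstat -an -p tcp` style listing by TCP state, optionally for one local port such as the web server's, and reports how full the ipfw dynamic-rule table is from the `net.inet.ip.fw.dyn_count` and `net.inet.ip.fw.dyn_max` values the thread refers to. The netstat column layout and the sample connections are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): summarise a netstat listing
# by TCP state and report how full the ipfw dynamic-rule table is.
# The listing is read from stdin; dyn_count/dyn_max are passed as arguments so
# the check can be run against captured values as well as live sysctl output.

# Count connections per TCP state. Assumes FreeBSD `netstat -an -p tcp` layout:
# "tcp4  0  0  10.0.0.1.80  203.0.113.5.51234  FIN_WAIT_2" (state in column 6).
count_states() {
    awk '$1 ~ /^tcp/ && NF >= 6 { n[$6]++ }
         END { for (s in n) printf "%s %d\n", s, n[s] }' | sort
}

# Count connections per state for one local port (e.g. 80 for the web server).
# The local address is column 4 and its last dot-separated field is the port.
count_states_for_port() {
    port="$1"
    awk -v p="$port" '$1 ~ /^tcp/ && NF >= 6 {
            k = split($4, a, "."); if (a[k] == p) n[$6]++ }
         END { for (s in n) printf "%s %d\n", s, n[s] }' | sort
}

# Percentage of the dynamic-rule table in use, given dyn_count and dyn_max.
# Live values: sysctl -n net.inet.ip.fw.dyn_count / net.inet.ip.fw.dyn_max
dyn_usage_pct() {
    count="$1"; max="$2"
    [ "$max" -gt 0 ] || { echo "dyn_max must be positive" >&2; return 1; }
    echo $(( count * 100 / max ))
}

# Constructed sample listing (RFC 5737 documentation addresses, not real hosts).
SAMPLE='tcp4       0      0 10.0.0.1.80            203.0.113.5.51234      FIN_WAIT_2
tcp4       0      0 10.0.0.1.80            203.0.113.6.51235      FIN_WAIT_2
tcp4       0      0 10.0.0.1.80            198.51.100.7.40001     FIN_WAIT_2
tcp4       0      0 10.0.0.1.22            198.51.100.9.40002     ESTABLISHED
tcp4       0      0 10.0.0.1.80            203.0.113.8.51240      ESTABLISHED
tcp4       0      0 *.80                   *.*                    LISTEN'

# Usage on a live system: pipe the real listing instead of the sample, e.g.
#   netstat -an -p tcp | count_states_for_port 80
echo "$SAMPLE" | count_states_for_port 80
echo "dyn table usage: $(dyn_usage_pct 7800 8192)%"
```

A high share of FIN_WAIT_2 entries on the web server port, together with a usage figure close to 100%, is the situation the thread describes: the table fills before the half-closed connections age out, which is why shortening `dyn_ack_lifetime` (or raising `dyn_max` when memory allows) changes the outcome.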

