Hi, On a new FreeBSD 8.2 server, ipfw complains of too many dynamic rules as traffic increases. e.g. "ipfw: ipfw_install_state: Too many dynamic rules")
Is the following set of rules too complex? What would be the best/generic approach to setup ipfw for a standard web server? Any recommendations? 00100 allow ip from any to any via lo0 00200 deny ip from any to 127.0.0.0/8 00300 deny ip from 127.0.0.0/8 to any 00400 deny tcp from any to any frag 00500 allow ip from table(1) to any keep-state 00600 check-state 00700 allow tcp from any to any established 00800 allow ip from any to any out keep-state 00900 allow icmp from any to any 01000 allow udp from me to any dst-port 53 keep-state 01100 allow udp from me to any dst-port 123 keep-state 01200 allow tcp from any to any dst-port 747 setup keep-state 01300 deny ip from table(2) to any 20000 allow tcp from any to any dst-port 80,443 setup keep-state 20100 deny log logamount 1000 ip from any to any 65535 deny ip from any to any Note that: - table 1: holds whitelist of IPs - table 2: holds blacklist of IPs Regards, Franck -- View this message in context: http://freebsd.1045724.n5.nabble.com/using-tables-ipfw-ipfw-install-state-Too-many-dynamic-rules-tp4534755p4534755.html Sent from the freebsd-ipfw mailing list archive at Nabble.com. _______________________________________________ freebsd-ipfw@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw To unsubscribe, send any mail to "freebsd-ipfw-unsubscr...@freebsd.org"
