Hi--

On Sep 27, 2011, at 10:57 AM, Rémy Sanchez wrote:

> The only solution we have so far: we just reload the rules, and everything
> gets back to normal. Which is a bit unpleasant I must say...
>
> So, I've fallen short of ideas, does anyone see why some rules just block like
> that? Maybe we should move to the in-kernel NAT?
Sounds like you're running out of dynamic rule entries. Check the net.inet.ip.fw.dyn_count sysctl and increase net.inet.ip.fw.dyn_max as needed. Also consider not using stateful rules for UDP traffic like DNS and NTP if at all possible...

Regards,
--
-Chuck
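As an added illustration of the check Chuck suggests (not code from the thread or from FreeBSD), the script below reads the two sysctls, reports how full the dynamic-rule table is, and proposes a larger dyn_max; the 80% threshold, the doubling policy and the constructed sample sysctl output are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original thread): check ipfw dynamic-rule
# headroom from `sysctl net.inet.ip.fw` output and suggest a larger dyn_max.
# The threshold (percent) and the doubling policy are this script's assumptions.
THRESHOLD=80

# Constructed sample of `sysctl net.inet.ip.fw.dyn_count net.inet.ip.fw.dyn_max`
# output, used when the script is not run on a FreeBSD box with ipfw loaded.
SAMPLE_SYSCTL='net.inet.ip.fw.dyn_count: 4060
net.inet.ip.fw.dyn_max: 4096'

# Extract the integer value for one sysctl name from "name: value" lines.
sysctl_value() {
    # $1 = sysctl output text, $2 = sysctl name
    printf '%s\n' "$1" | awk -v key="$2:" '$1 == key { print $2; exit }'
}

# Print "OK <pct>" or "FULL <pct> <suggested_dyn_max>" for the given output text.
# Returns 1 when utilisation is at or above THRESHOLD percent, 2 on bad input.
check_dyn_headroom() {
    count=$(sysctl_value "$1" net.inet.ip.fw.dyn_count)
    max=$(sysctl_value "$1" net.inet.ip.fw.dyn_max)
    [ -n "$count" ] && [ -n "$max" ] && [ "$max" -gt 0 ] || { echo "ERR"; return 2; }
    pct=$(( count * 100 / max ))
    if [ "$pct" -ge "$THRESHOLD" ]; then
        # Suggest doubling the table. The operator applies it with
        #   sysctl net.inet.ip.fw.dyn_max=<value>
        # and makes it persistent in /etc/sysctl.conf.
        echo "FULL $pct $(( max * 2 ))"
        return 1
    fi
    echo "OK $pct"
    return 0
}

# Use live values when the sysctls exist, otherwise fall back to the sample.
live=$(sysctl net.inet.ip.fw.dyn_count net.inet.ip.fw.dyn_max 2>/dev/null)
check_dyn_headroom "${live:-$SAMPLE_SYSCTL}" \
    || echo "dynamic rule table nearly full: raise net.inet.ip.fw.dyn_max" >&2
```

Run it from cron or a monitoring agent so the table is enlarged before new stateful sessions start being refused.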
