On 09/09/10 17:39, Gareth de Vaux wrote:
> Hi again, I use some keep-state rules in ipfw, but get the following
> kernel message:
>
> kernel: ipfw: install_state: Too many dynamic rules
>
> when presumably my state table reaches its limit (and I effectively
> get DoS'd).
>
> netstat shows tons of connections in FIN_WAIT_2 state, mostly to
> my webserver. Consequently net.inet.ip.fw.dyn_count is large too.
>
> I can increase my net.inet.ip.fw.dyn_max but the new limit will
> simply be reached later on.

For what it's worth, here's what I've been running:

net.inet.ip.fw.dyn_buckets=1024
net.inet.ip.fw.dyn_max=8192
net.inet.ip.fw.dyn_ack_lifetime=60

If in a tight spot, I might reduce dyn_ack_lifetime to 10.

There is no way this machine would service 8192 legitimate simultaneous connections so this works for me. If you have the memory I think you can increase dyn_max practically arbitrarily. If under a DDoS attack, you might run out of some other resource, like ephemeral TCP ports for the server side of connections, before running out of ipfw entries.
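An added example, not code from either poster: a POSIX sh snippet that reads the net.inet.ip.fw sysctls discussed above and reports how close dyn_count is to dyn_max, so the "Too many dynamic rules" condition can be caught (and dyn_max or dyn_ack_lifetime adjusted) before the state table actually fills. The sysctl output in SAMPLE_SYSCTL is constructed so the script runs offline; on a live FreeBSD box you would feed it `sysctl net.inet.ip.fw` instead. The function names and the 90% warning threshold are my choices, not anything from the thread.

```shell
#!/bin/sh
# Added example: watch ipfw dynamic-rule table utilization.
# SAMPLE_SYSCTL is a constructed stand-in for "sysctl net.inet.ip.fw"
# output; the numbers mirror the settings quoted in the thread.
SAMPLE_SYSCTL='net.inet.ip.fw.dyn_buckets: 1024
net.inet.ip.fw.dyn_count: 7900
net.inet.ip.fw.dyn_max: 8192
net.inet.ip.fw.dyn_ack_lifetime: 60
net.inet.ip.fw.dyn_syn_lifetime: 20
net.inet.ip.fw.dyn_fin_lifetime: 1'

# dyn_value NAME TEXT -> value of net.inet.ip.fw.NAME in TEXT
# (sysctl prints "name: value", one per line).
dyn_value() {
    printf '%s\n' "$2" | awk -v key="net.inet.ip.fw.$1:" '$1 == key { print $2 }'
}

# dyn_utilization TEXT -> integer percent of dyn_max currently in use
dyn_utilization() {
    count=$(dyn_value dyn_count "$1")
    max=$(dyn_value dyn_max "$1")
    echo $(( count * 100 / max ))
}

# dyn_bucket_load TEXT -> average dynamic rules per hash bucket;
# a high number means lookups walk long chains even before dyn_max hits.
dyn_bucket_load() {
    count=$(dyn_value dyn_count "$1")
    buckets=$(dyn_value dyn_buckets "$1")
    echo $(( count / buckets ))
}

# dyn_status TEXT THRESHOLD -> "warn" if utilization >= THRESHOLD%, else "ok"
dyn_status() {
    pct=$(dyn_utilization "$1")
    if [ "$pct" -ge "$2" ]; then echo warn; else echo ok; fi
}

# Demo on the constructed sample. Live use:
#   dyn_status "$(sysctl net.inet.ip.fw)" 90
printf 'dyn table: %s%% of dyn_max in use, %s rules/bucket, status=%s\n' \
    "$(dyn_utilization "$SAMPLE_SYSCTL")" \
    "$(dyn_bucket_load "$SAMPLE_SYSCTL")" \
    "$(dyn_status "$SAMPLE_SYSCTL" 90)"
```

Running this from cron and alerting on "warn" gives you the warning before the kernel starts logging install_state failures; the rules/bucket figure is worth watching too, since raising dyn_max without raising dyn_buckets just lengthens the hash chains.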



_______________________________________________
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable