Re: too many dynamic rules

2004-09-24 Thread Axel Scheepers
Hello,
The man page of ipfw says:
net.inet.ip.fw.dyn_buckets: 256

net.inet.ip.fw.curr_dyn_buckets: 256
 The configured and current size of the hash table used to hold
 dynamic rules.  This must be a power of 2.  The table can only be
 resized when empty, so in order to resize it on the fly you will
 probably have to flush and reload the ruleset.

These are the standard kernel variables for the hash table size; in your config you
should increase these values until you don't get the messages anymore.
But it won't do any harm to look with tcpdump at what is causing the state table to
overflow, since these rules should be discarded after a while, and it looks like that
doesn't happen.
I myself use ipf/ipnat so I'm not so familiar with the ipfw ruleset; maybe someone can
find something weird in these that is causing that?

You can set these values using sysctl -w net.inet.ip.fw.dyn_buckets=your value here
and sysctl -w net.inet.ip.fw.curr_dyn_buckets=your value here. Keep in mind that this
can't be done when the firewall is running, so you should flush it first, apply the
changes and load the rules again.

Hope this helps,
Axel

On Thu, Nov 08, 2001 at 08:12:07PM +, setantae wrote:
 Date: Thu, 8 Nov 2001 20:12:07 +
 From: setantae [EMAIL PROTECTED]
 To: [EMAIL PROTECTED], [EMAIL PROTECTED]
 Subject: too many dynamic rules
 
 
 Can't find anything in the archives at MARC, and not sure which list
 I should be talking to, so please set followups appropriately if it
 bothers you.
 
 For approximately 18 seconds today my firewall went apesh*t 
  (these are all relevant entries) :
 
 Nov  8 14:47:45 rhadamanth /kernel: Too many dynamic rules, sorry
 Nov  8 14:47:45 rhadamanth natd[218]: failed to write packet back (Permission denied)
Stripped down a bit ...
 
 At the time there was only one user logged onto the box, and no clients
 behind the firewall - unfortunately I have no idea what I was doing at the
 time, although I have been upgrading older ports today (cannot find any
 files that were created at the times above though).
 
 This box is a dual piii-866 with 512mb of ram, doesn't do much and
 has maxusers set to 128.
 
 The other interesting thing is that although dynamic rules are still being
 created (since I can access stuff from another box on the LAN),
 ipfw -at l no longer shows them.
 

The Ruleset:
 
 ## Deny fragments
 add 00105 deny all from any to any frag
 
   00110 Unprotect the LAN interface
 add 00110 allow all from any to any via dc0
 
   00200 Stop RFC 1918 traffic
 #add 00201 pass udp from 172.16.0.0/12 to any 68 in via ed0
 #add 00201 pass udp from 172.17.39.254 to any 68 in via ed0
 
 add 00202 deny log all from any to 10.0.0.0/8
 add 00203 deny log all from 10.0.0.0/8 to any
 
 add 00204 deny log all from any to 172.16.0.0/12
 add 00205 deny log all from 172.16.0.0/12 to any
 
 #add 00206 deny log all from 192.168.0.0/16 to any in via ed0
 #add 00207 deny log all from any to 192.168.0.0/16 in via ed0
 
 add 00206 divert natd all from any to any via ed0
 
 add 00207 pass all from 192.168.10.0/24 to any via ed0
 add 00208 pass all from any to 192.168.10.0/24 via ed0
 add 00209 deny log all from any to 192.168.0.0/16 via ed0
 add 00210 deny log all from 192.168.0.0/16 to any via ed0
 
   00400 Check state and allow tcp connections created by us.
 add 00400 check-state
 add 00401 allow tcp from any to any out keep-state
 #add 00402 deny log tcp from any to any in established
 add 00403 allow udp from any to any 53 keep-state
 add 00404 allow udp from any to any out
 
 ##NTP
 add 00421 allow udp from 130.88.200.98 123 to any
 add 00422 allow udp from 130.88.203.12 123 to any
 
 00500 DHCP stuff
 add 00501 allow udp from 62.252.32.3 to any 68 in via ed0
 
   00600 ICMP stuff
 # path-mtu
 add 00600 allow icmp from any to any icmptypes 3
 # source quench
 add 00601 allow icmp from any to any icmptypes 4
 #ping
 add 00602 allow icmp from any to any icmptypes 8 out
 add 00603 allow icmp from any to any icmptypes 0 in
 #traceroute
 add 00604 allow icmp from any to any icmptypes 11 in
 
   00700 Services we want to make available.
 add 00701 allow tcp from any to any 22
 add 00702 allow tcp from 194.168.4.200 to any 113
 #add 00703 allow tcp from any to any 21 out
 
   65000 And deny everything else.
 add 65007 deny log ip from any to any


-- 
Axel Scheepers
UNIX System Administrator

email: [EMAIL PROTECTED]
   [EMAIL PROTECTED]
http://axel.truedestiny.net/~axel
--
In America, any boy may become president and I suppose that's just one
of the risks he takes.
-- Adlai Stevenson
--



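The resize procedure Axel describes (flush the ruleset, raise the bucket sysctl, reload the rules) as a small POSIX shell helper. This is an added example, not code from the list thread; it assumes a FreeBSD box with ipfw(8) and sysctl(8), a ruleset file in the same "add ..." format as the one posted (path /etc/ipfw.rules is a hypothetical placeholder), and only sets net.inet.ip.fw.dyn_buckets, the configured size. The man page quoted above says the table size must be a power of 2, so the helper refuses anything else and offers a rounding function; a dry-run argument prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the mailing-list post. Assumes FreeBSD with
# ipfw(8) and sysctl(8); the ruleset path is a hypothetical placeholder.
#
# Usage (on the firewall host, as root):
#   . ./resize_dyn.sh
#   resize_dyn_buckets 1024 /etc/ipfw.rules        # really do it
#   resize_dyn_buckets 1024 /etc/ipfw.rules dry    # just print the commands

# is_power_of_two N: succeed only if N is a positive power of two,
# which is what ipfw(8) requires for net.inet.ip.fw.dyn_buckets.
is_power_of_two() {
    n=$1
    [ "$n" -gt 0 ] 2>/dev/null || return 1
    while [ $((n % 2)) -eq 0 ]; do
        n=$((n / 2))
    done
    [ "$n" -eq 1 ]
}

# next_power_of_two N: print the smallest power of two >= N, so a
# rough estimate of needed buckets can be turned into a legal value.
next_power_of_two() {
    p=1
    while [ "$p" -lt "$1" ]; do
        p=$((p * 2))
    done
    echo "$p"
}

# resize_dyn_buckets SIZE RULEFILE [dry]
# The table can only be resized while empty, so the order is:
#   1. flush every rule (this also drops all dynamic rules),
#   2. set the configured bucket count,
#   3. reload the ruleset file (ipfw processes a file of "add ..." lines).
# Each command is echoed; with a third argument nothing is executed.
resize_dyn_buckets() {
    size=$1
    rules=$2
    dry=${3:-}
    if ! is_power_of_two "$size"; then
        echo "resize_dyn_buckets: $size is not a power of 2" >&2
        return 1
    fi
    if [ -z "$dry" ] && [ ! -r "$rules" ]; then
        echo "resize_dyn_buckets: cannot read ruleset $rules" >&2
        return 1
    fi
    for cmd in "ipfw -q flush" \
               "sysctl net.inet.ip.fw.dyn_buckets=$size" \
               "ipfw -q $rules"; do
        echo "$cmd"
        [ -n "$dry" ] || $cmd || return 1
    done
}
```

Flushing first matters for more than the resize: it is the only moment the host is not protected, so run the three steps back to back from a script rather than typing them interactively over a remote session that itself depends on a dynamic rule.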

Re: Mount My Creation [ls -c, -t -u etc]

2003-06-23 Thread Axel Scheepers
dionysus: {1030} man ls

 -d  Directories are listed as plain files (not searched recursively)
     and symbolic links in the argument list are not indirected through.
...

:-)

gr,

Axel Scheepers

___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: Mount My Creation [ls -c, -t -u etc]

2003-06-23 Thread Axel Scheepers

- Original Message -
[snip]
 On Sat, 21 Jun 2003, Joshua Oreman wrote:
 What ls command can I do IN THE CURRENT WORKING DIRECTORY to just see
 the myfiles/ listing?  That is, if I type ls -alF myfiles (or myfiles/),
 why does the output delve *into* this directory and list its contents?

 The only work around is ls -alF | grep myfiles it seems!


no, it isn't, try the -d switch:
dionysus: {1022} mkdir testdir
dionysus: {1023} touch testdir/file1
dionysus: {1024} touch testdir/file2
dionysus: {1025} touch testdir/file3
dionysus: {1026} ls -laFd testdir
drwxr-xr-x  2 root  users  512 Jun 22 20:14 testdir/
dionysus: {1027} ls -laF testdir
total 4
drwxr-xr-x  2 root  users  512 Jun 22 20:14 ./
drwxr-xr-x  3 root  users  512 Jun 22 20:14 ../
-rw-r--r--  1 root  users    0 Jun 22 20:14 file1
-rw-r--r--  1 root  users    0 Jun 22 20:14 file2
-rw-r--r--  1 root  users    0 Jun 22 20:14 file3
dionysus: {1028}

Gr,

Axel Scheepers




Re: fatal trap 12 (SMP related)

2003-06-23 Thread Axel Scheepers
- Original Message -
 Fatal trap 12: page fault while in kernel mode

That might be bad RAM; you could try to set a lower bus timing (e.g.
133-100).
One of my home systems had programs failing like that on a regular basis;
when I tried a lower bus speed the problem went away. (Should buy some new RAM for
that box :)

gr,
Axel Scheepers




Re: tkabber wish problem

2003-06-23 Thread Axel Scheepers

- Original Message - 
 hi,
 I've tried to install tkabber 0.9.5 beta on freebsd 5.1.
 I've downloaded all libraries needed, but it is still
 bugging me with message about wish that it can be found
 under different names and that in my system it is called wish8.3
 and quit.
 any suggestions how to get this IM to work?
 or should I try another IM?
 thanx
 martin
 

Hmm, I ran into that once too for some app a long time ago;
I just created a symlink to fix it.

gr,
Axel Scheepers
