Hello,
The man page of ipfw says:
net.inet.ip.fw.dyn_buckets: 256
net.inet.ip.fw.curr_dyn_buckets: 256
The configured and current size of the hash table used to hold
dynamic rules. This must be a power of 2. The table can only be
resized when empty, so in order to resize it on the fly you will
probably have to flush and reload the ruleset.
These are the standard kernel variables for the hash table size. In your config you
should increase these values until you don't get the messages anymore.
But it won't do any harm to look with tcpdump at what is causing the state table to
overflow, since these rules should be discarded after a while, and it looks like that
doesn't happen.
I myself use ipf/ipnat so I'm not so familiar with ipfw rulesets; maybe someone can
find something weird in these that is causing that?
You can set these values using sysctl -w net.inet.ip.fw.dyn_buckets=your value here
and sysctl -w net.inet.ip.fw.curr_dyn_buckets=your value here. Keep in mind that this
can't be done when the firewall is running, so you should flush it first, apply the
changes and load the rules again.
Hope this helps,
Axel
On Thu, Nov 08, 2001 at 08:12:07PM +, setantae wrote:
Date: Thu, 8 Nov 2001 20:12:07 +
From: setantae [EMAIL PROTECTED]
To: [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: too many dynamic rules
Can't find anything in the archives at MARC, and not sure which list
I should be talking to, so please set followups appropriately if it
bothers you.
For approximately 18 seconds today my firewall went apesh*t
(these are all relevant entries) :
Nov 8 14:47:45 rhadamanth /kernel: Too many dynamic rules, sorry
Nov 8 14:47:45 rhadamanth natd[218]: failed to write packet back (Permission denied)
Stripped down a bit ...
At the time there was only one user logged onto the box, and no clients
behind the firewall - unfortunately I have no idea what I was doing at the
time, although I have been upgrading older ports today (cannot find any
files that were created at the times above though).
This box is a dual piii-866 with 512mb of ram, doesn't do much and
has maxusers set to 128.
The other interesting thing is that although dynamic rules are still being
created (since I can access stuff from another box on the LAN),
ipfw -at l no longer shows them.
The Ruleset:
## Deny fragments
add 00105 deny all from any to any frag
# 00110 Unprotect the LAN interface
add 00110 allow all from any to any via dc0
# 00200 Stop RFC 1918 traffic
#add 00201 pass udp from 172.16.0.0/12 to any 68 in via ed0
#add 00201 pass udp from 172.17.39.254 to any 68 in via ed0
add 00202 deny log all from any to 10.0.0.0/8
add 00203 deny log all from 10.0.0.0/8 to any
add 00204 deny log all from any to 172.16.0.0/12
add 00205 deny log all from 172.16.0.0/12 to any
#add 00206 deny log all from 192.168.0.0/16 to any in via ed0
#add 00207 deny log all from any to 192.168.0.0/16 in via ed0
add 00206 divert natd all from any to any via ed0
add 00207 pass all from 192.168.10.0/24 to any via ed0
add 00208 pass all from any to 192.168.10.0/24 via ed0
add 00209 deny log all from any to 192.168.0.0/16 via ed0
add 00210 deny log all from 192.168.0.0/16 to any via ed0
# 00400 Check state and allow tcp connections created by us.
add 00400 check-state
add 00401 allow tcp from any to any out keep-state
#add 00402 deny log tcp from any to any in established
add 00403 allow udp from any to any 53 keep-state
add 00404 allow udp from any to any out
##NTP
add 00421 allow udp from 130.88.200.98 123 to any
add 00422 allow udp from 130.88.203.12 123 to any
# 00500 DHCP stuff
add 00501 allow udp from 62.252.32.3 to any 68 in via ed0
# 00600 ICMP stuff
# path-mtu
add 00600 allow icmp from any to any icmptypes 3
# source quench
add 00601 allow icmp from any to any icmptypes 4
#ping
add 00602 allow icmp from any to any icmptypes 8 out
add 00603 allow icmp from any to any icmptypes 0 in
#traceroute
add 00604 allow icmp from any to any icmptypes 11 in
# 00700 Services we want to make available.
add 00701 allow tcp from any to any 22
add 00702 allow tcp from 194.168.4.200 to any 113
#add 00703 allow tcp from any to any 21 out
# 65000 And deny everything else.
add 65007 deny log ip from any to any
--
Axel Scheepers
UNIX System Administrator
email: [EMAIL PROTECTED]
[EMAIL PROTECTED]
http://axel.truedestiny.net/~axel
--
In America, any boy may become president and I suppose that's just one
of the risks he takes.
-- Adlai Stevenson
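An added example, not part of this thread: a small script that reads syslog lines like the "Too many dynamic rules" and natd "failed to write packet back" messages quoted above and groups them into bursts, so you can see how long the dynamic-rule table was full and whether NAT was failing at the same time. The sample log lines are constructed to resemble the poster's, and the year is assumed because syslog timestamps carry none.

```python
import re
from datetime import datetime, timedelta

# Constructed sample syslog lines modelled on the thread's messages (not the real log).
SAMPLE_LOG = """\
Nov  8 14:47:45 rhadamanth /kernel: Too many dynamic rules, sorry
Nov  8 14:47:45 rhadamanth natd[218]: failed to write packet back (Permission denied)
Nov  8 14:47:52 rhadamanth /kernel: Too many dynamic rules, sorry
Nov  8 14:48:03 rhadamanth /kernel: Too many dynamic rules, sorry
Nov  8 14:48:03 rhadamanth natd[218]: failed to write packet back (Permission denied)
Nov  8 16:10:00 rhadamanth sshd[400]: Accepted publickey for axel
Nov  8 16:10:00 rhadamanth /kernel: Too many dynamic rules, sorry
"""

# syslog line: "<Mon dd HH:MM:SS> <host> <program>: <message>"
LINE_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) (\S+?): (.*)$")
KERNEL_MSG = "Too many dynamic rules"   # ipfw dynamic-rule table full
NATD_MSG = "failed to write packet back"  # natd could not reinject a packet


def parse_line(line, year=2001):
    """Return (timestamp, kind) for the two messages of interest, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    msg = m.group(4)
    kind = "kernel" if KERNEL_MSG in msg else "natd" if NATD_MSG in msg else None
    if kind is None:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, kind


def find_bursts(lines, gap=timedelta(seconds=60), year=2001):
    """Group matching events into bursts; a new burst starts after a quiet gap."""
    events = sorted(e for e in (parse_line(l, year) for l in lines) if e)
    bursts = []
    for ts, kind in events:
        if bursts and ts - bursts[-1]["end"] <= gap:
            b = bursts[-1]
        else:
            b = {"start": ts, "end": ts, "kernel": 0, "natd": 0}
            bursts.append(b)
        b["end"] = ts
        b[kind] += 1
    for b in bursts:
        b["seconds"] = int((b["end"] - b["start"]).total_seconds())
    return bursts


if __name__ == "__main__":
    for b in find_bursts(SAMPLE_LOG.splitlines()):
        print(f"{b['start']:%b %d %H:%M:%S} lasted {b['seconds']}s: "
              f"{b['kernel']} kernel, {b['natd']} natd messages")
```

Each burst that coincides with natd errors is a window where the firewall was dropping connections; a burst that grows while the ruleset and clients stay unchanged suggests dynamic rules are not expiring, which is the case Axel suggests checking with tcpdump.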