From owner-freebsd-questions@FreeBSD.ORG Fri Sep 24 15:50:05 2004
From: Axel Scheepers
To: dwbear75@gmail.com
Cc: questions@FreeBSD.ORG, security@FreeBSD.ORG
Subject: Re: too many dynamic rules
Date: Fri, 09 Nov 2001 10:32:46 +0100
Message-id: <20011109103246.B27252@mars.thuis>
In-reply-to: <"from setantae"@submonkey.net>
References: <20011108201207.GA49594@rhadamanth>
Sender: owner-freebsd-security@FreeBSD.ORG
User-Agent: Mutt/1.2.5i

Hello,

The man page of ipfw says:

     net.inet.ip.fw.dyn_buckets: 256
     net.inet.ip.fw.curr_dyn_buckets: 256
             The configured and current size of the hash table used to
             hold dynamic rules. This must be a power of 2. The table can
             only be resized when empty, so in order to resize it on the
             fly you will probably have to flush and reload the ruleset.
These are the standard kernel variables for the hash table size. In your
config you should increase these values until you don't get the messages
anymore. But it won't do any harm to look with tcpdump at what is causing
the state table to overflow, since these rules should be discarded after a
while, and it looks like that doesn't happen. I myself use ipf/ipnat so I'm
not so familiar with ipfw rulesets; maybe someone can find something weird
in these that is causing that?

You can set these values using sysctl -w net.inet.ip.fw.dyn_buckets= and
sysctl -w net.inet.ip.fw.curr_dyn_buckets=. Keep in mind that this can't
be done when the firewall is running, so you should flush it first, apply
the changes and load the rules again.

Hope this helps,
Axel

On Thu, Nov 08, 2001 at 08:12:07PM +0000, setantae wrote:
> Date: Thu, 8 Nov 2001 20:12:07 +0000
> From: setantae
> To: questions@freebsd.org, security@freebsd.org
> Subject: too many dynamic rules
>
> Can't find anything in the archives at MARC, and not sure which list
> I should be talking to, so please set followups appropriately if it
> bothers you.
>
> For approximately 18 seconds today my firewall went apesh*t
> (these are all relevant entries) :
>
> Nov 8 14:47:45 rhadamanth /kernel: Too many dynamic rules, sorry
> Nov 8 14:47:45 rhadamanth natd[218]: failed to write packet back (Permission denied)

Stripped down a bit ...

>
> At the time there was only one user logged onto the box, and no clients
> behind the firewall - unfortunately I have no idea what I was doing at the
> time, although I have been upgrading older ports today (cannot find any
> files that were created at the times above though).
>
> This box is a dual piii-866 with 512mb of ram, doesn't do much and
> has maxusers set to 128.
>
> The other interesting thing is that although dynamic rules are still being
> created (since I can access stuff from another box on the LAN),
> ipfw -at l no longer shows them.
>

The Ruleset:

>
> ## Deny fragments
> add 00105 deny all from any to any frag
>
> #### 00110 Unprotect the LAN interface
> add 00110 allow all from any to any via dc0
>
> #### 00200 Stop RFC 1918 traffic
> #add 00201 pass udp from 172.16.0.0/12 to any 68 in via ed0
> #add 00201 pass udp from 172.17.39.254 to any 68 in via ed0
>
> add 00202 deny log all from any to 10.0.0.0/8
> add 00203 deny log all from 10.0.0.0/8 to any
>
> add 00204 deny log all from any to 172.16.0.0/12
> add 00205 deny log all from 172.16.0.0/12 to any
>
> #add 00206 deny log all from 192.168.0.0/16 to any in via ed0
> #add 00207 deny log all from any to 192.168.0.0/16 in via ed0
>
> add 00206 divert natd all from any to any via ed0
>
> add 00207 pass all from 192.168.10.0/24 to any via ed0
> add 00208 pass all from any to 192.168.10.0/24 via ed0
> add 00209 deny log all from any to 192.168.0.0/16 via ed0
> add 00210 deny log all from 192.168.0.0/16 to any via ed0
>
> #### 00400 Check state and allow tcp connections created by us.
> add 00400 check-state
> add 00401 allow tcp from any to any out keep-state
> #add 00402 deny log tcp from any to any in established
> add 00403 allow udp from any to any 53 keep-state
> add 00404 allow udp from any to any out
>
> ##NTP
> add 00421 allow udp from 130.88.200.98 123 to any
> add 00422 allow udp from 130.88.203.12 123 to any
>
> #### 00500 DHCP stuff
> add 00501 allow udp from 62.252.32.3 to any 68 in via ed0
>
> #### 00600 ICMP stuff
> # path-mtu
> add 00600 allow icmp from any to any icmptypes 3
> # source quench
> add 00601 allow icmp from any to any icmptypes 4
> #ping
> add 00602 allow icmp from any to any icmptypes 8 out
> add 00603 allow icmp from any to any icmptypes 0 in
> #traceroute
> add 00604 allow icmp from any to any icmptypes 11 in
>
> #### 00700 Services we want to make available.
> add 00701 allow tcp from any to any 22
> add 00702 allow tcp from 194.168.4.200 to any 113
> #add 00703 allow tcp from any to any 21 out
>
> #### 65000 And deny everything else.
> add 65007 deny log ip from any to any

-- 
Axel Scheepers
UNIX System Administrator
email: axel@axel.truedestiny.net
       ascheepers@vianetworks.nl
http://axel.truedestiny.net/~axel
------------------------------------------
In America, any boy may become president and I suppose that's just one of the risks he takes.
  -- Adlai Stevenson
------------------------------------------
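The flush / resize / reload sequence that the man page excerpt and Axel's reply describe, as an added example script and not code from either poster. It assumes a FreeBSD host with ipfw, a ruleset file of "add ..." lines like the one quoted above (the default path /etc/ipfw.rules is an assumption), and it lets the ipfw and sysctl commands be overridden so the logic can be dry-run without root.

```shell
#!/bin/sh
# Added example: resize ipfw's dynamic-rule hash table the way the man
# page requires (size a power of 2, table empty). Not code from the posts.
# Assumptions: FreeBSD ipfw; RULES is a file of "add ..." lines as quoted
# above; IPFW/SYSCTL may point at wrappers for a dry run without root.

IPFW=${IPFW:-/sbin/ipfw}
SYSCTL=${SYSCTL:-/sbin/sysctl}
RULES=${RULES:-/etc/ipfw.rules}   # assumed path

# is_pow2 N: succeed only if N is a positive power of two. The man page
# says the size must be a power of 2, so validate before touching sysctl.
is_pow2() {
    n=$1
    case $n in ''|*[!0-9]*) return 1 ;; esac
    [ "$n" -gt 0 ] || return 1
    while [ $((n % 2)) -eq 0 ]; do n=$((n / 2)); done
    [ "$n" -eq 1 ]
}

# resize_dyn_buckets N: flush the ruleset (which also drops every dynamic
# rule, so the table is empty), set the new size, then reload the rules.
resize_dyn_buckets() {
    new=$1
    is_pow2 "$new" || { echo "dyn_buckets must be a power of 2: $new" >&2; return 2; }
    [ -r "$RULES" ] || { echo "ruleset $RULES not readable" >&2; return 2; }
    "$IPFW" -q -f flush || return 1
    "$SYSCTL" "net.inet.ip.fw.dyn_buckets=$new" >/dev/null || return 1
    "$IPFW" -q "$RULES" || return 1
    # The kernel applies the new size lazily, when the next dynamic rule is
    # created with the table empty, so curr_dyn_buckets may still show the
    # old value until a keep-state rule matches some traffic.
    echo "dyn_buckets=$new requested; curr_dyn_buckets now $("$SYSCTL" -n net.inet.ip.fw.curr_dyn_buckets)"
    return 0
}

if [ $# -gt 0 ]; then
    resize_dyn_buckets "$1"
fi
```

Run as root with the new size as the only argument, e.g. `sh resize.sh 1024`; the log line "Too many dynamic rules" stopping after the change confirms the table was the bottleneck rather than a rule that never expires.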