Date: Fri, 9 Nov 2001 10:32:46 +0100
From: Axel Scheepers <axel@axel.truedestiny.net>
To: setantae <setantae@submonkey.net>
Cc: questions@freebsd.org, security@freebsd.org
Subject: Re: too many dynamic rules
Message-ID: <20011109103246.B27252@mars.thuis>
In-Reply-To: <20011108201207.GA49594@rhadamanth>; from setantae@submonkey.net on Thu, Nov 08, 2001 at 08:12:07PM +0000
References: <20011108201207.GA49594@rhadamanth>
Hello,

The man page of ipfw says:

     net.inet.ip.fw.dyn_buckets: 256
     net.inet.ip.fw.curr_dyn_buckets: 256
             The configured and current size of the hash table used to hold
             dynamic rules.  This must be a power of 2.  The table can only
             be resized when empty, so in order to resize it on the fly you
             will probably have to flush and reload the ruleset.

These are the standard kernel variables for the hash table size. In your
config you should increase these values until you don't get the messages
anymore.

But it won't do any harm to look with tcpdump at what is causing the state
table to overflow, since these rules should be discarded after a while, and
it looks like that doesn't happen.

I myself use ipf/ipnat so I'm not so familiar with the ipfw ruleset; maybe
someone can find something weird in these that is causing that?

You can set these values using sysctl -w net.inet.ip.fw.dyn_buckets=<your
value here> and sysctl -w net.inet.ip.fw.curr_dyn_buckets=<your value here>.
Keep in mind that this can't be done when the firewall is running, so you
should flush it first, apply the changes and load the rules again.

Hope this helps,
Axel

On Thu, Nov 08, 2001 at 08:12:07PM +0000, setantae wrote:
> Date: Thu, 8 Nov 2001 20:12:07 +0000
> From: setantae <setantae@submonkey.net>
> To: questions@freebsd.org, security@freebsd.org
> Subject: too many dynamic rules
>
>
> Can't find anything in the archives at MARC, and not sure which list
> I should be talking to, so please set followups appropriately if it
> bothers you.
>
> For approximately 18 seconds today my firewall went apesh*t
> (these are all relevant entries) :
>
> Nov 8 14:47:45 rhadamanth /kernel: Too many dynamic rules, sorry
> Nov 8 14:47:45 rhadamanth natd[218]: failed to write packet back (Permission denied)

Stripped down a bit ...

>
> At the time there was only one user logged onto the box, and no clients
> behind the firewall - unfortunately I have no idea what I was doing at the
> time, although I have been upgrading older ports today (cannot find any
> files that were created at the times above though).
>
> This box is a dual piii-866 with 512mb of ram, doesn't do much and
> has maxusers set to 128.
>
> The other interesting thing is that although dynamic rules are still being
> created (since I can access stuff from another box on the LAN),
> ipfw -at l no longer shows them.
>

The Ruleset:

>
> ## Deny fragments
> add 00105 deny all from any to any frag
>
> #### 00110 Unprotect the LAN interface
> add 00110 allow all from any to any via dc0
>
> #### 00200 Stop RFC 1918 traffic
> #add 00201 pass udp from 172.16.0.0/12 to any 68 in via ed0
> #add 00201 pass udp from 172.17.39.254 to any 68 in via ed0
>
> add 00202 deny log all from any to 10.0.0.0/8
> add 00203 deny log all from 10.0.0.0/8 to any
>
> add 00204 deny log all from any to 172.16.0.0/12
> add 00205 deny log all from 172.16.0.0/12 to any
>
> #add 00206 deny log all from 192.168.0.0/16 to any in via ed0
> #add 00207 deny log all from any to 192.168.0.0/16 in via ed0
>
> add 00206 divert natd all from any to any via ed0
>
> add 00207 pass all from 192.168.10.0/24 to any via ed0
> add 00208 pass all from any to 192.168.10.0/24 via ed0
> add 00209 deny log all from any to 192.168.0.0/16 via ed0
> add 00210 deny log all from 192.168.0.0/16 to any via ed0
>
> #### 00400 Check state and allow tcp connections created by us.
> add 00400 check-state
> add 00401 allow tcp from any to any out keep-state
> #add 00402 deny log tcp from any to any in established
> add 00403 allow udp from any to any 53 keep-state
> add 00404 allow udp from any to any out
>
> ##NTP
> add 00421 allow udp from 130.88.200.98 123 to any
> add 00422 allow udp from 130.88.203.12 123 to any
>
> #### 00500 DHCP stuff
> add 00501 allow udp from 62.252.32.3 to any 68 in via ed0
>
> #### 00600 ICMP stuff
> # path-mtu
> add 00600 allow icmp from any to any icmptypes 3
> # source quench
> add 00601 allow icmp from any to any icmptypes 4
> #ping
> add 00602 allow icmp from any to any icmptypes 8 out
> add 00603 allow icmp from any to any icmptypes 0 in
> #traceroute
> add 00604 allow icmp from any to any icmptypes 11 in
>
> #### 00700 Services we want to make available.
> add 00701 allow tcp from any to any 22
> add 00702 allow tcp from 194.168.4.200 to any 113
> #add 00703 allow tcp from any to any 21 out
>
> #### 65000 And deny everything else.
> add 65007 deny log ip from any to any

--
Axel Scheepers
UNIX System Administrator
email: axel@axel.truedestiny.net
       ascheepers@vianetworks.nl
http://axel.truedestiny.net/~axel
------------------------------------------
In America, any boy may become president and
I suppose that's just one of the risks he takes.
 -- Adlai Stevenson
------------------------------------------
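Added example, not code from either message in this thread: a small POSIX shell script that scripts the flush / set / reload sequence Axel describes, enforces the power-of-two constraint the quoted man page states before touching anything, and counts the "Too many dynamic rules" kernel messages per minute from log lines in the format setantae posted, so you can tell a one-off burst from a table that keeps filling up. It assumes FreeBSD's ipfw(8) and sysctl(8); the ruleset path /etc/ipfw.rules, the DRY_RUN switch, and the sample log lines are constructed for the example. It sets only net.inet.ip.fw.dyn_buckets, the configured size; as the quoted man page text says, the table can only be resized when empty, which is why the flush comes first.

```shell
#!/bin/sh
# Added example (not from the thread): resize the ipfw dynamic-rule hash
# table and count overflow messages. Assumes FreeBSD ipfw(8)/sysctl(8).
# DRY_RUN=1 (constructed switch) only prints the commands that would run.

# Return 0 if $1 is a positive power of two; dyn_buckets must be one.
is_power_of_two() {
    n="$1"
    case "$n" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$n" -gt 0 ] || return 1
    while [ $((n % 2)) -eq 0 ]; do
        n=$((n / 2))
    done
    [ "$n" -eq 1 ]
}

# Execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Flush the ruleset (the table is only resized while empty), set the new
# configured bucket count, then reload the saved rules so the box is not
# left without a ruleset. $2 is the rules script; /etc/ipfw.rules is an
# assumed path, not one from the thread.
resize_dyn_buckets() {
    size="$1"
    rules="${2:-/etc/ipfw.rules}"
    is_power_of_two "$size" || {
        echo "dyn_buckets must be a power of 2, got '$size'" >&2
        return 2
    }
    run ipfw -f flush
    run sysctl -w "net.inet.ip.fw.dyn_buckets=$size"
    run sh "$rules"
}

# Read syslog-style lines on stdin and print, per minute, how many
# "Too many dynamic rules" messages the kernel logged.
count_overflows() {
    awk '/Too many dynamic rules/ {
             split($3, t, ":")
             m = $1 " " $2 " " t[1] ":" t[2]
             c[m]++
         }
         END { for (m in c) print m, c[m] }' | sort
}

# Constructed sample log, in the format of the entries setantae posted.
SAMPLE_LOG='Nov  8 14:47:45 rhadamanth /kernel: Too many dynamic rules, sorry
Nov  8 14:47:45 rhadamanth natd[218]: failed to write packet back (Permission denied)
Nov  8 14:47:52 rhadamanth /kernel: Too many dynamic rules, sorry
Nov  8 14:48:03 rhadamanth /kernel: Too many dynamic rules, sorry'

# Demonstration that is safe to run anywhere: count the sample lines and
# show the commands a resize to 1024 buckets would issue.
printf '%s\n' "$SAMPLE_LOG" | count_overflows
DRY_RUN=1 resize_dyn_buckets 1024
```

Run it with DRY_RUN=1 first to see the three commands; without it the script flushes the live ruleset, so run it from the console, or keep flush and reload in the same script as here, so a remote session is not cut off between the two steps. If the per-minute counts keep climbing after the resize, the table is not being drained, which is the case Axel suggests checking with tcpdump rather than papering over with a bigger table.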