From: Ben Bentsen
Date: Fri, 10 Sep 2004 14:56:32 -0400
To: freebsd-ipfw@freebsd.org
Subject: kernel: ipfw: install_state: Too many dynamic rules
Message-ID: <4141F8E0.8060700@usww.com>

Hello group,

Can anyone shed a little light on the following error messages? I have spent a great deal of time looking at what is running at about 9:30am-9:45am and have found nothing that I can pin to these errors. No cron jobs are running anywhere even close to the time. TCPdump does not shed any light either. This machine has only one purpose: to pass, count, limit and deny packets to a network. Only SSH and FTP services are enabled on this machine. What conditions cause this message? Maybe I am looking in the wrong place.

INET ---- This Machine --- Catalyst 2820 ------ 14 computer units

Aug 7 09:41:34 7206 /kernel: ipfw: install_state: Too many dynamic rules
Aug 10 09:41:20 7206 /kernel: ipfw: install_state: Too many dynamic rules
Aug 13 09:41:31 7206 /kernel: ipfw: install_state: Too many dynamic rules
Aug 15 09:41:29 7206 /kernel: ipfw: install_state: Too many dynamic rules
Aug 15 09:41:30 7206 /kernel: ipfw: install_state: Too many dynamic rules
Aug 15 10:41:23 7206 /kernel: ipfw: install_state: Too many dynamic rules
Aug 17 09:40:50 7206 /kernel: ipfw: install_state: Too many dynamic rules
Aug 20 09:35:35 7206 /kernel: ipfw: install_state: Too many dynamic rules
Aug 23 09:35:17 7206 /kernel: ipfw: install_state: Too many dynamic rules
Aug 27 09:35:33 7206 /kernel: ipfw: install_state: Too many dynamic rules
Aug 31 09:35:31 7206 /kernel: ipfw: install_state: Too many dynamic rules
Sep 1 09:35:29 7206 /kernel: ipfw: install_state: Too many dynamic rules
Sep 2 09:35:24 7206 /kernel: ipfw: install_state: Too many dynamic rules
Sep 3 09:34:58 7206 /kernel: ipfw: install_state: Too many dynamic rules
Sep 5 09:35:06 7206 /kernel: ipfw: install_state: Too many dynamic rules
Sep 6 09:34:41 7206 /kernel: ipfw: install_state: Too many dynamic rules
Sep 7 09:35:00 7206 /kernel: ipfw: install_state: Too many dynamic rules
Sep 7 09:35:33 7206 /kernel: ipfw: install_state: Too many dynamic rules
Sep 8 09:34:34 7206 /kernel: ipfw: install_state: Too many dynamic rules
Sep 9 09:34:41 7206 /kernel: ipfw: install_state: Too many dynamic rules
Sep 10 09:34:59 7206 /kernel: ipfw: install_state: Too many dynamic rules

I am using FreeBSD 4.10-RELEASE FreeBSD 4.10-RELEASE #0 with IPFW2 compiled in and all the IPV6 compiled out. The firewall is pretty generic:

/etc/rc.local

sysctl net.link.ether.bridge_cfg=rl0:0,rl1:0
sysctl net.link.ether.bridge_ipfw=1
sysctl net.link.ether.bridge=1

ipfw -q add 00009 count log logamount 1000 icmp from any to any icmptypes 0
ipfw -q add 00009 count log logamount 1000 icmp from any to any icmptypes 1
ipfw -q add 00009 count log logamount 1000 icmp from any to any icmptypes 2
ipfw -q add 00009 count log logamount 1000 icmp from any to any icmptypes 3
ipfw -q add 00009 count log logamount 1000 icmp from any to any icmptypes 4
ipfw -q add 00009 count log logamount 1000 icmp from any to any icmptypes 5
ipfw -q add 00009 count log logamount 1000 icmp from any to any icmptypes 6
ipfw -q add 00009 count log logamount 1000 icmp from any to any icmptypes 7
ipfw -q add 00009 count log logamount 1000 icmp from any to any icmptypes 8
ipfw -q add 00009 count log logamount 1000 icmp from any to any icmptypes 9
ipfw -q add 00009 count log logamount 1000 icmp from any to any icmptypes 10
ipfw -q add 00009 count log logamount 1000 icmp from any to any icmptypes 11
ipfw -q add 00009 count log logamount 1000 icmp from any to any icmptypes 12
ipfw -q add 00009 count log logamount 1000 icmp from any to any icmptypes 13
ipfw -q add 00009 count log logamount 1000 icmp from any to any icmptypes 14
ipfw -q add 00009 count log logamount 1000 icmp from any to any icmptypes 15
ipfw -q add 00009 count log logamount 1000 icmp from any to any icmptypes 16
ipfw -q add 00009 count log logamount 1000 icmp from any to any icmptypes 17
ipfw -q add 00009 count log logamount 1000 icmp from any to any icmptypes 18
ipfw -q add 00009 count log logamount 1000 icmp from any to any

ipfw -q add 50 deny log logamount 10000 ip from any to any 135
ipfw -q add 50 deny log logamount 10000 ip from any to any 445
ipfw -q add 50 deny log logamount 10000 ip from any to any 139

ipfw -q add 00020 deny log logamount 10000 ip from any to any in frag
ipfw -q add 00020 deny log logamount 10000 tcp from any to any in frag
ipfw -q add 00020 deny log logamount 10000 udp from any to any in frag
ipfw -q add 00020 deny log logamount 10000 icmp from any to any in frag

for i in (Several Mac Addresses)
do
    ipfw -q add 100 count mac $i 00:e0:a3:1f:f0:2b
    ipfw -q add 100 count mac 00:e0:a3:1f:f0:2b $i
done

ipfw -q add 150 pipe 1 tcp from 216.104.X.X 20,21,25,80,110 to any;ipfw pipe 1 config bw 450Kbit/s
ipfw -q add 151 pipe 2 tcp from 216.104.X.X 554,4040,5050,6763,7070,8080 to any;ipfw pipe 2 config bw 384kbit/s

ipfw -q add 200 check-state
ipfw -q add 275 count all from any to any keep-state

ipfw -q add 302 drop all from 172.16.0.0/12 to any in via rl0
ipfw -q add 304 drop all from 192.168.0.0/16 to any in via rl0

ipfw -q add 01150 deny log logamount 10000 ip from any to any in frag
ipfw -q add 01150 deny log logamount 10000 tcp from any to any in frag
ipfw -q add 01150 deny log logamount 10000 udp from any to any in frag
ipfw -q add 01150 deny log logamount 10000 icmp from any to any in frag
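
One way to quantify the time-of-day clustering of the messages quoted above, as an added example that is not part of the original post. It runs over a subset of the posted log lines; the function names and the 15-minute tolerance are assumptions chosen for illustration.

```python
import re
from statistics import median

# Matches the syslog lines as posted: month, day, HH:MM:SS, host column, message.
LINE = re.compile(r"^(\w{3})\s+(\d{1,2})\s+(\d\d):(\d\d):(\d\d)\s+\S+\s+/kernel: "
                  r"ipfw: install_state: Too many dynamic rules$")

# Subset of the log lines from the post, embedded so the script runs offline.
SAMPLE = """\
Aug 7 09:41:34 7206 /kernel: ipfw: install_state: Too many dynamic rules
Aug 15 09:41:29 7206 /kernel: ipfw: install_state: Too many dynamic rules
Aug 15 09:41:30 7206 /kernel: ipfw: install_state: Too many dynamic rules
Aug 15 10:41:23 7206 /kernel: ipfw: install_state: Too many dynamic rules
Aug 20 09:35:35 7206 /kernel: ipfw: install_state: Too many dynamic rules
Sep 7 09:35:00 7206 /kernel: ipfw: install_state: Too many dynamic rules
Sep 7 09:35:33 7206 /kernel: ipfw: install_state: Too many dynamic rules
Sep 10 09:34:59 7206 /kernel: ipfw: install_state: Too many dynamic rules
"""

def parse(log_text):
    """Return [(day_label, seconds_since_midnight)] for each matching line."""
    events = []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if m:
            mon, day, hh, mm, ss = m.groups()
            events.append((f"{mon} {int(day)}",
                           int(hh) * 3600 + int(mm) * 60 + int(ss)))
    return events

def summarize(events, tolerance=15 * 60):
    """Median time of day, events farther than `tolerance` seconds from it,
    and the number of events per calendar day."""
    mid = median(t for _, t in events)
    outliers = [(d, t) for d, t in events if abs(t - mid) > tolerance]
    per_day = {}
    for d, _ in events:
        per_day[d] = per_day.get(d, 0) + 1
    return mid, outliers, per_day

def hhmmss(t):
    t = int(t)
    return f"{t // 3600:02d}:{t % 3600 // 60:02d}:{t % 60:02d}"

if __name__ == "__main__":
    mid, outliers, per_day = summarize(parse(SAMPLE))
    print("median time of day:", hhmmss(mid))
    print("outside window:", [(d, hhmmss(t)) for d, t in outliers])
    print("events per day:", per_day)
```
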