From owner-freebsd-questions@FreeBSD.ORG Fri Sep 17 04:57:05 2004
From: Norm Vilmer <norm@etherealconsulting.com>
To: freebsd-questions@freebsd.org
Date: Thu, 16 Sep 2004 23:57:00 -0500
Message-ID: <414A6E9C.4060708@etherealconsulting.com>
Subject: Too many dynamic rules, sorry
List-Id: User questions (freebsd-questions@freebsd.org)

If I repeatedly nmap my FreeBSD 4.10 machine configured with ipfirewall, I get the message "Too many dynamic rules, sorry". Doing a sysctl -a | grep ip.fw I can see that net.inet.ip.fw.dyn_count has reached the max value of 8192 that I set. The net.inet.ip.fw.dyn_ack_lifetime is set to 300, so the dynamic rule count starts going down about 5 minutes after the simulated attack.

Questions: When this happens, is my firewall still fully operational? In other words, can I safely ignore this message? Is there a way to fix this?
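A small monitoring check for the condition described in the post, added here as an example and not part of the original message or of FreeBSD itself. It parses the `name: value` lines that `sysctl net.inet.ip.fw` prints, compares net.inet.ip.fw.dyn_count with the table limit net.inet.ip.fw.dyn_max (the knob behind "the max value of 8192 that I set"), and reports whether the dynamic-rule table is healthy, under pressure, or full, which is the point at which ipfw starts printing "Too many dynamic rules, sorry" and refusing new keep-state entries. The sysctl sample is constructed for the example; the threshold and function names are the example's own.

```shell
#!/bin/sh
# Added example: gauge ipfw dynamic-rule table pressure from sysctl output.
# Works on any POSIX sh with awk; on a FreeBSD host feed it the live output
# of `sysctl net.inet.ip.fw` (see the usage line at the bottom).

# Constructed sample of the relevant sysctl lines, shaped like FreeBSD 4.x
# output. The values are assumed for the example, not taken from a real host;
# dyn_count == dyn_max is exactly the state the post describes.
SAMPLE_SYSCTL='net.inet.ip.fw.dyn_buckets: 256
net.inet.ip.fw.curr_dyn_buckets: 256
net.inet.ip.fw.dyn_count: 8192
net.inet.ip.fw.dyn_max: 8192
net.inet.ip.fw.dyn_ack_lifetime: 300
net.inet.ip.fw.dyn_syn_lifetime: 20
net.inet.ip.fw.dyn_fin_lifetime: 1
net.inet.ip.fw.dyn_rst_lifetime: 1
net.inet.ip.fw.dyn_udp_lifetime: 10
net.inet.ip.fw.dyn_short_lifetime: 5'

# sysctl_value NAME TEXT -> prints the value of NAME found in TEXT
# (TEXT is "name: value" lines, one per line). Prints nothing if absent.
sysctl_value() {
    printf '%s\n' "$2" | awk -v k="$1:" '$1 == k { print $2 }'
}

# dyn_usage_pct TEXT -> prints the integer percentage of dyn_max in use,
# or -1 if either counter is missing or dyn_max is zero.
dyn_usage_pct() {
    count=$(sysctl_value net.inet.ip.fw.dyn_count "$1")
    max=$(sysctl_value net.inet.ip.fw.dyn_max "$1")
    if [ -z "$count" ] || [ -z "$max" ] || [ "$max" -le 0 ]; then
        echo -1
        return
    fi
    echo $(( count * 100 / max ))
}

# dyn_state TEXT [WARN_PCT] -> prints one of:
#   full    dyn_count has reached dyn_max; new keep-state rules are refused
#   warn    usage at or above WARN_PCT (default 80), table filling up
#   ok      usage below WARN_PCT
#   unknown the counters could not be read
dyn_state() {
    pct=$(dyn_usage_pct "$1")
    warn=${2:-80}
    if [ "$pct" -lt 0 ]; then
        echo unknown
    elif [ "$pct" -ge 100 ]; then
        echo full
    elif [ "$pct" -ge "$warn" ]; then
        echo warn
    else
        echo ok
    fi
}

# drain_seconds TEXT -> prints dyn_ack_lifetime, the longest idle timeout an
# established-TCP entry gets before it expires; with the table full, this is
# roughly how long until the count starts falling again (300 s in the post).
drain_seconds() {
    sysctl_value net.inet.ip.fw.dyn_ack_lifetime "$1"
}

# Live use on a FreeBSD host (commented out so the script runs anywhere):
#   state=$(dyn_state "$(sysctl net.inet.ip.fw)" 80)
#   [ "$state" = ok ] || logger -p daemon.warning "ipfw dynamic rules: $state"
```

Running `dyn_state "$SAMPLE_SYSCTL"` on the constructed sample prints `full`, the same condition the post reports. Polling this from cron and logging a `warn` before the table fills gives advance notice that state-table exhaustion, whether from a scan or from legitimate load, is approaching; the `drain_seconds` value shows why the count only recovers after dyn_ack_lifetime has elapsed.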