From: "Micheal Patterson"
To: "Norm Vilmer", freebsd-questions@freebsd.org
Date: Fri, 17 Sep 2004 00:26:24 -0500
Subject: Re: Too many dynamic rules, sorry

----- Original Message -----
From: "Norm Vilmer"
Sent: Thursday, September 16, 2004 11:57 PM
Subject: Too many dynamic rules, sorry

> If I repeatedly nmap my FreeBSD 4.10 machine configured with ipfirewall,
> I get the message "Too many dynamic rules, sorry".
>
> Doing a sysctl -a |grep ip.fw I can see the net.inet.ip.fw.dyn_count has
> reached the max value of 8192 that I set. The net.inet.ip.fw.dyn_ack_lifetime
> is set to 300, so the dynamic rule count starts going down about 5 minutes
> after the simulated attack.
>
> Questions:
>
> When this happens, is my firewall still fully operational, in other words
> can I safely ignore this message?
>
> Is there a way to fix this?

The error "Too many dynamic rules, sorry" will cause the system to drop any
packets that are covered by a keep-state entry. So, the firewall, while
operational, is in a dead lock-down state for any outbound traffic until the
dynamic rules clear out.

I'm hoping that you're checking the system with nmap from behind it, because
if you're outside the firewall, then you're keeping state on inbound traffic
and that's bad. You only want keep-state from traffic leaving that system, not
to it.

--
Micheal Patterson
TSG Network Administration
405-917-0600
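An added example, not code from either message in this thread: a small sh script that builds a ruleset along the lines Micheal describes (keep-state only on traffic leaving the host, check-state to match the returning packets, no keep-state on anything arriving from outside) and a check of how full the dynamic-rule table is, based on the net.inet.ip.fw.dyn_count and dyn_max sysctls from the question. The interface name fxp0, the ipfw path, the SSH allow rule and the 90% warning threshold are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Interface name and ipfw path are assumed.
# Keep-state is created only for connections leaving the host; returning packets
# match via check-state; nothing arriving from outside can create a dynamic rule,
# so an external scan cannot fill net.inet.ip.fw.dyn_max and trigger the error.
set -u

IPFW=${IPFW:-/sbin/ipfw}          # assumed path to the ipfw binary
EXT_IF=${EXT_IF:-fxp0}            # assumed external interface name
RULES_APPLY=${RULES_APPLY:-0}     # 1 = really call ipfw (needs root); 0 = print only

# Emit one rule: apply it when asked, otherwise print it for review.
rule() {
    if [ "$RULES_APPLY" = 1 ]; then "$IPFW" -q add "$@"; else echo "ipfw add $*"; fi
}

ruleset() {
    rule 50 allow ip from any to any via lo0
    rule 100 check-state                      # match existing dynamic rules first
    rule 200 allow tcp from me to any out via "$EXT_IF" setup keep-state
    rule 210 allow udp from me to any out via "$EXT_IF" keep-state
    # Inbound: plain allow/deny, never keep-state (keep-state here lets a scan fill the table)
    rule 300 allow tcp from any to me 22 in via "$EXT_IF" setup
    rule 65000 deny ip from any to any
}

# Percentage of the dynamic-rule table in use, from dyn_count and dyn_max.
dyn_usage_pct() {
    count=$1; max=$2
    if [ "$max" -gt 0 ]; then echo $(( count * 100 / max )); else echo 0; fi
}

# Read the live counters when running on FreeBSD; otherwise fall back to constructed
# values (a full table of 8192, as in the question) so the check runs anywhere.
dyn_check() {
    count=$(sysctl -n net.inet.ip.fw.dyn_count 2>/dev/null || echo 8192)
    max=$(sysctl -n net.inet.ip.fw.dyn_max 2>/dev/null || echo 8192)
    pct=$(dyn_usage_pct "$count" "$max")
    if [ "$pct" -ge 90 ]; then
        echo "WARN dynamic rules ${count}/${max} (${pct}%): outbound keep-state traffic will be dropped"
    else
        echo "ok dynamic rules ${count}/${max} (${pct}%)"
    fi
}

if [ "${1:-}" = "check" ]; then dyn_check; else ruleset; fi
```

Run with no argument to print the rules for review (RULES_APPLY=1 applies them through ipfw, as root); run with `check` to report how much of the dynamic table is in use.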