From: Dinesh Nair <dinesh@alphaque.com>
To: Adam Seniuk
Cc: freebsd-questions@freebsd.org
Date: Thu, 22 Jan 2004 03:58:18 +0800 (MYT)
Subject: Re: IPFW and Dynamic Rules
In-Reply-To: <200401211727.i0LHRW56010949@smtp.techweavers.net>
Message-ID: <20040122035407.K532-100000@prophet.alphaque.com>

On Wed, 21 Jan 2004, Adam Seniuk wrote:

> I keep getting "/kernel: Too many dynamic rules, sorry" in my log file
> several times and I am not sure what's going on. I have read some articles
> but they are all from 2000 and for FreeBSD 4.0.

from the ipfw(4) man page:

    net.inet.ip.fw.dyn_max: 8192
        Maximum number of dynamic rules. When you hit this limit, no more
        dynamic rules can be installed until old ones expire.

seems like you're hitting this limit with too many keep-state rules in your
ipfw ruleset.
try trimming them down a little by adding in specific reverse packet flow
rules. e.g.,

    # allow dns queries out to the world
    allow udp from me to any 53 keep-state out

could be split to

    # allow dns queries out to the world
    allow udp from me to any 53 out
    # allow incoming dns responses
    allow udp from any 53 to me in

Regards,
                                      /\_/\
"All dogs go to heaven."              (0 0)
dinesh@alphaque.com     http://www.alphaque.com/
+==========================----oOO--(_)--OOo----==========================+
| for a in past present future; do                                        |
|   for b in clients employers associates relatives neighbours pets; do   |
|     echo "The opinions here in no way reflect the opinions of my $a $b." |
|   done; done                                                            |
+=========================================================================+
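The following script is an added example and is not part of Dinesh's mail or of FreeBSD's ipfw. It does two things the mail describes: it reports how full the dynamic rule table is, using the net.inet.ip.fw.dyn_max sysctl quoted above together with net.inet.ip.fw.dyn_count (the current number of dynamic rules, also documented in the ipfw manual), and it rewrites an outbound keep-state rule of exactly the shape shown in the mail into the stateless pair the mail proposes. The script name dynrules.sh and the 80% warning threshold are assumptions.

```shell
#!/bin/sh
# dynrules.sh: added example, not from the original mail or from ipfw itself.
# Assumes the ipfw sysctls net.inet.ip.fw.dyn_count (dynamic rules in use)
# and net.inet.ip.fw.dyn_max (the limit, 8192 on the poster's box).

# Percentage of the dynamic rule table in use.  $1 = dyn_count, $2 = dyn_max.
dyn_usage_pct() {
    count=$1
    max=$2
    [ "$max" -gt 0 ] 2>/dev/null || { echo 0; return 1; }
    echo $(( count * 100 / max ))
}

# Read the live counters with sysctl(8) and warn when the table is at least
# $1 percent full (default 80).  Returns 0 below the threshold, 1 above it,
# 2 when the sysctls are not available on this host.
check_dyn_table() {
    threshold=${1:-80}
    count=$(sysctl -n net.inet.ip.fw.dyn_count 2>/dev/null) || return 2
    max=$(sysctl -n net.inet.ip.fw.dyn_max 2>/dev/null) || return 2
    pct=$(dyn_usage_pct "$count" "$max")
    if [ "$pct" -ge "$threshold" ]; then
        echo "WARNING: ipfw dynamic table ${pct}% full (${count}/${max});" \
             "keep-state rules stop creating entries at ${max}" >&2
        return 1
    fi
    echo "ipfw dynamic table ${pct}% full (${count}/${max})"
}

# Rewrite one rule of the exact shape used in the mail,
#     allow PROTO from SRC to DST DPORT keep-state out
# into the two stateless rules the mail suggests.  Any other shape (source
# ports, tcp setup, extra options) is rejected rather than mis-rewritten.
split_keep_state() {
    rule=$1
    set -- $rule
    if [ $# -ne 9 ] || [ "$1" != allow ] || [ "$3" != from ] \
       || [ "$5" != to ] || [ "$8" != keep-state ] || [ "$9" != out ]; then
        echo "unsupported rule shape: $rule" >&2
        return 1
    fi
    proto=$2; src=$4; dst=$6; dport=$7
    printf 'allow %s from %s to %s %s out\n' "$proto" "$src" "$dst" "$dport"
    printf 'allow %s from %s %s to %s in\n'  "$proto" "$dst" "$dport" "$src"
}

# Usage:  sh dynrules.sh check [threshold]
#         sh dynrules.sh split 'allow udp from me to any 53 keep-state out'
case "${1:-}" in
    check) check_dyn_table "${2:-80}" ;;
    split) split_keep_state "$2" ;;
esac
```

Note that the stateless pair is a wider inbound allow than the keep-state rule it replaces: "allow udp from any 53 to me in" accepts any UDP packet with source port 53, whether or not a query went out first, whereas the dynamic rule only admitted replies to a flow it had seen. Freeing dynamic table space this way is a trade of state for exposure, so it is best reserved for the high-volume, short-lived flows (DNS being the classic case) that fill the table fastest, while keeping keep-state on the rules where the reverse direction really should be tied to an outbound request.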