From: Norm Vilmer
Date: Fri, 17 Sep 2004 10:30:05 -0500
To: Micheal Patterson
Cc: freebsd-questions@freebsd.org
Subject: Re: Too many dynamic rules, sorry
Message-ID: <414B02FD.6020703@etherealconsulting.com>

Micheal Patterson wrote:
> ----- Original Message -----
> From: "Norm Vilmer"
> To: "Micheal Patterson"
> Cc:
> Sent: Friday, September 17, 2004 9:41 AM
> Subject: Re: Too many dynamic rules, sorry
>
>> Micheal Patterson wrote:
>>
>>> ----- Original Message -----
>>> From: "Norm Vilmer"
>>> To:
>>> Sent: Thursday, September 16, 2004 11:57 PM
>>> Subject: Too many dynamic rules, sorry
>>>
>>>> If I repeatedly nmap my FreeBSD 4.10 machine configured with
>>>> ipfirewall, I get the message "Too many dynamic rules, sorry". Doing a
>>>> sysctl -a | grep ip.fw I can see the net.inet.ip.fw.dyn_count has
>>>> reached the max value of 8192 that I set. The
>>>> net.inet.ip.fw.dyn_ack_lifetime is set to 300, so the dynamic rule
>>>> count starts going down about 5 minutes after the simulated attack.
>>>>
>>>> Questions:
>>>>
>>>> When this happens, is my firewall still fully operational, in other
>>>> words can I safely ignore this message?
>>>>
>>>> Is there a way to fix this?
>>>
>>> The error "Too many dynamic rules, sorry" will cause the system to drop
>>> any packets that are covered by a keep-state entry. So, the firewall,
>>> while operational, is in a dead lock down state for any outbound traffic
>>> until the dynamic rules clear out. I'm hoping that you're checking the
>>> system with nmap from behind it, because if you're outside the firewall,
>>> then you're keeping state on inbound traffic and that's bad. You only
>>> want keep-state from traffic leaving that system, not to it.
>>>
>>> --
>>>
>>> Micheal Patterson
>>> TSG Network Administration
>>> 405-917-0600
>>>
>>> Confidentiality Notice: This e-mail message, including any attachments,
>>> is for the sole use of the intended recipient(s) and may contain
>>> confidential and privileged information. Any unauthorized review, use,
>>> disclosure or distribution is prohibited. If you are not the intended
>>> recipient, please contact the sender by reply e-mail and destroy all
>>> copies of the original message
>>> _______________________________________________
>>> freebsd-questions@freebsd.org mailing list
>>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>>> To unsubscribe, send any mail to
>>> "freebsd-questions-unsubscribe@freebsd.org"
>>
>> Thanks for your help.
>>
>> I was running nmap against my public or outside interface. This is my
>> first FreeBSD firewall, so I am sure my rules are not optimal; however,
>> the firewall appears to be doing what I want. I gathered these rules
>> from a number of how-to's and postings on the web with only a partial
>> understanding of what they actually do (yes, I know, problem # 1).
>> Here are the rules that I have that keep-state on the outside interface:
>>
>> # For DNS
>> add 01300 pass udp from ${oip} to any 53 keep-state
>> # For NTP
>> add 01400 pass udp from ${oip} to any 123 keep-state
>> # For VPN
>> add 01500 pass gre from any to any keep-state
>> # For ICMP
>> add 01600 pass icmp from any to any via ${oip} keep-state
>>
>> Do you think these are causing the problem?
>>
>> Norm Vilmer
>
> I don't recall if you're running ipfilter or ipfw on that system. I don't
> know ipfilter well enough to assist yet, but with ipfw, if you have a
> check-state entry above your keep-states, that may reduce the amount of
> dynamic rule entries that you'll have. What the check-state does is
> check the dynamic list; if an entry already exists, it stops processing
> rules there.
>
> --
>
> Micheal Patterson
> TSG Network Administration
> 405-917-0600

I do have a check-state rule:

add 00200 check-state

Norm Vilmer
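The layout Micheal describes (check-state before any keep-state, and keep-state only on traffic the firewall host itself originates), written out as an added sh example that is not part of this thread. The `${oip}` and `${vpnpeer}` addresses, the rule numbers and the sysctl values other than dyn_max and dyn_ack_lifetime are assumptions; the `audit_rules` function goes a step beyond the thread and flags any keep-state rule an outside host could match, such as the `icmp from any to any via ${oip} keep-state` rule quoted above.

```shell
#!/bin/sh
# Added example, not code from the thread: ipfw rules that keep state only
# on sessions this host starts, stateless rules for what must come in, and
# an offline audit of a rule list. ${oip}, ${vpnpeer}, rule numbers and the
# sysctl values other than dyn_max/dyn_ack_lifetime are assumptions.
oip="${oip:-203.0.113.10}"          # constructed placeholder outside address
vpnpeer="${vpnpeer:-198.51.100.7}"  # constructed placeholder GRE peer

# Rules without the "ipfw" prefix; load with: emit_rules > /tmp/fw; ipfw -q /tmp/fw
emit_rules() {
    cat <<EOF
add 00200 check-state
add 01300 pass udp from ${oip} to any 53 keep-state
add 01400 pass udp from ${oip} to any 123 keep-state
add 01500 pass gre from ${vpnpeer} to ${oip}
add 01510 pass gre from ${oip} to ${vpnpeer}
add 01600 pass icmp from ${oip} to any out keep-state
add 01610 pass icmp from any to ${oip} in icmptypes 3,11
EOF
}

# Bound the dynamic table and age entries quickly so a burst of
# state-creating packets cannot keep it full for long.
emit_sysctls() {
    cat <<EOF
sysctl net.inet.ip.fw.dyn_max=8192
sysctl net.inet.ip.fw.dyn_ack_lifetime=300
sysctl net.inet.ip.fw.dyn_syn_lifetime=20
sysctl net.inet.ip.fw.dyn_udp_lifetime=10
sysctl net.inet.ip.fw.dyn_short_lifetime=5
EOF
}

# Read a rule list on stdin; succeed only if a check-state rule precedes every
# keep-state rule and every keep-state rule has ${oip} as its source address.
audit_rules() {
    awk -v oip="$oip" '
        /^add/ {
            if ($3 == "check-state") cs = $2 + 0
            if (/keep-state/) {
                if (ks == "" || $2 + 0 < ks) ks = $2 + 0
                for (i = 1; i <= NF; i++)
                    if ($i == "from" && $(i + 1) != oip) bad++
            }
        }
        END { if (cs == "" || (ks != "" && cs > ks)) bad++; exit bad > 0 }'
}

emit_rules | audit_rules && echo "ruleset ok" || echo "ruleset exposes the dynamic table"
```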