Date: Thu, 8 Nov 2001 20:12:07 +0000
From: setantae <setantae@submonkey.net>
To: questions@freebsd.org, security@freebsd.org
Subject: too many dynamic rules
Message-ID: <20011108201207.GA49594@rhadamanth>
Can't find anything in the archives at MARC, and not sure which list I should be talking to, so please set followups appropriately if it bothers you.

For approximately 18 seconds today my firewall went apesh*t (these are all relevant entries):

Nov 8 14:47:45 rhadamanth /kernel: Too many dynamic rules, sorry
Nov 8 14:47:45 rhadamanth natd[218]: failed to write packet back (Permission denied)
Nov 8 14:47:45 rhadamanth last message repeated 15 times
Nov 8 14:47:46 rhadamanth /kernel: Too many dynamic rules, sorry
Nov 8 14:47:46 rhadamanth natd[218]: failed to write packet back (Permission denied)
Nov 8 14:47:46 rhadamanth last message repeated 23 times
Nov 8 14:47:47 rhadamanth /kernel: Too many dynamic rules, sorry
Nov 8 14:47:47 rhadamanth natd[218]: failed to write packet back (Permission denied)
Nov 8 14:47:47 rhadamanth last message repeated 14 times
Nov 8 14:47:48 rhadamanth /kernel: Too many dynamic rules, sorry
Nov 8 14:47:48 rhadamanth natd[218]: failed to write packet back (Permission denied)
Nov 8 14:47:48 rhadamanth last message repeated 6 times
Nov 8 14:47:49 rhadamanth /kernel: Too many dynamic rules, sorry
Nov 8 14:47:49 rhadamanth natd[218]: failed to write packet back (Permission denied)
Nov 8 14:47:49 rhadamanth last message repeated 11 times
Nov 8 14:47:50 rhadamanth /kernel: Too many dynamic rules, sorry
Nov 8 14:47:50 rhadamanth natd[218]: failed to write packet back (Permission denied)
Nov 8 14:47:50 rhadamanth last message repeated 2 times
Nov 8 14:47:51 rhadamanth /kernel: Too many dynamic rules, sorry
Nov 8 14:47:51 rhadamanth natd[218]: failed to write packet back (Permission denied)
Nov 8 14:47:51 rhadamanth last message repeated 2 times
Nov 8 14:47:53 rhadamanth /kernel: Too many dynamic rules, sorry
Nov 8 14:47:53 rhadamanth natd[218]: failed to write packet back (Permission denied)
Nov 8 14:47:53 rhadamanth last message repeated 17 times
Nov 8 14:47:59 rhadamanth /kernel: Too many dynamic rules, sorry
Nov 8 14:47:59 rhadamanth natd[218]: failed to write packet back (Permission denied)
Nov 8 14:48:00 rhadamanth /kernel: Too many dynamic rules, sorry
Nov 8 14:48:00 rhadamanth natd[218]: failed to write packet back (Permission denied)
Nov 8 14:48:00 rhadamanth last message repeated 2 times
Nov 8 14:48:01 rhadamanth /kernel: Too many dynamic rules, sorry
Nov 8 14:48:01 rhadamanth natd[218]: failed to write packet back (Permission denied)
Nov 8 14:48:01 rhadamanth last message repeated 2 times
Nov 8 14:48:02 rhadamanth /kernel: Too many dynamic rules, sorry
Nov 8 14:48:02 rhadamanth natd[218]: failed to write packet back (Permission denied)
Nov 8 14:48:02 rhadamanth last message repeated 2 times
Nov 8 14:48:03 rhadamanth /kernel: Too many dynamic rules, sorry
Nov 8 14:48:03 rhadamanth natd[218]: failed to write packet back (Permission denied)
Nov 8 14:48:03 rhadamanth last message repeated 2 times

At the time there was only one user logged onto the box, and no clients behind the firewall - unfortunately I have no idea what I was doing at the time, although I have been upgrading older ports today (cannot find any files that were created at the times above though).

This box is a dual piii-866 with 512mb of ram, doesn't do much and has maxusers set to 128.

The other interesting thing is that although dynamic rules are still being created (since I can access stuff from another box on the LAN), ipfw -at l no longer shows them.

I'm sure that a reboot would fix this, but if there is a bug then I'd rather not do that until I know what information would help to fix it.

My ruleset is very small, so I have attached it.

Basically, what caused this, how do I stop it happening again, and why doesn't "ipfw -at l" show the dynamic rules anymore?

Thanks,
Ceri
-- 
keep a mild groove on

[Attachment: ipfw.rules]

## Deny fragments
add 00105 deny all from any to any frag

#### 00110 Unprotect the LAN interface
add 00110 allow all from any to any via dc0

#### 00200 Stop RFC 1918 traffic
#add 00201 pass udp from 172.16.0.0/12 to any 68 in via ed0
#add 00201 pass udp from 172.17.39.254 to any 68 in via ed0
add 00202 deny log all from any to 10.0.0.0/8
add 00203 deny log all from 10.0.0.0/8 to any
add 00204 deny log all from any to 172.16.0.0/12
add 00205 deny log all from 172.16.0.0/12 to any
#add 00206 deny log all from 192.168.0.0/16 to any in via ed0
#add 00207 deny log all from any to 192.168.0.0/16 in via ed0
add 00206 divert natd all from any to any via ed0
add 00207 pass all from 192.168.10.0/24 to any via ed0
add 00208 pass all from any to 192.168.10.0/24 via ed0
add 00209 deny log all from any to 192.168.0.0/16 via ed0
add 00210 deny log all from 192.168.0.0/16 to any via ed0

#### 00400 Check state and allow tcp connections created by us.
add 00400 check-state
add 00401 allow tcp from any to any out keep-state
#add 00402 deny log tcp from any to any in established
add 00403 allow udp from any to any 53 keep-state
add 00404 allow udp from any to any out

##NTP
add 00421 allow udp from 130.88.200.98 123 to any
add 00422 allow udp from 130.88.203.12 123 to any

#### 00500 DHCP stuff
add 00501 allow udp from 62.252.32.3 to any 68 in via ed0

#### 00600 ICMP stuff
# path-mtu
add 00600 allow icmp from any to any icmptypes 3
# source quench
add 00601 allow icmp from any to any icmptypes 4
#ping
add 00602 allow icmp from any to any icmptypes 8 out
add 00603 allow icmp from any to any icmptypes 0 in
#traceroute
add 00604 allow icmp from any to any icmptypes 11 in

#### 00700 Services we want to make available.
add 00701 allow tcp from any to any 22
add 00702 allow tcp from 194.168.4.200 to any 113
#add 00703 allow tcp from any to any 21 out

#### 65000 And deny everything else.
add 65007 deny log ip from any to any
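An added example, not part of Ceri's post or of FreeBSD: a small Python checker that replays syslog's "last message repeated N times" lines and then counts, per second, how often the kernel refused to create a dynamic rule and how often natd failed to write a packet back, so a burst like the one above can be measured rather than eyeballed. The sample input is a constructed excerpt copied from the first seconds of the log in the post.

```python
"""Per-second view of ipfw dynamic-rule exhaustion from FreeBSD syslog lines.

Added example (not from the original post). syslog collapses identical
consecutive messages into "last message repeated N times"; undoing that is
what makes the natd failure counts meaningful.
"""
import re
from collections import defaultdict

# Constructed sample: the first three seconds of the log quoted in the post.
SAMPLE_LOG = """\
Nov 8 14:47:45 rhadamanth /kernel: Too many dynamic rules, sorry
Nov 8 14:47:45 rhadamanth natd[218]: failed to write packet back (Permission denied)
Nov 8 14:47:45 rhadamanth last message repeated 15 times
Nov 8 14:47:46 rhadamanth /kernel: Too many dynamic rules, sorry
Nov 8 14:47:46 rhadamanth natd[218]: failed to write packet back (Permission denied)
Nov 8 14:47:46 rhadamanth last message repeated 23 times
Nov 8 14:47:47 rhadamanth /kernel: Too many dynamic rules, sorry
Nov 8 14:47:47 rhadamanth natd[218]: failed to write packet back (Permission denied)
Nov 8 14:47:47 rhadamanth last message repeated 14 times
"""

SYSLOG_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) (.*)$")
REPEAT_RE = re.compile(r"^last message repeated (\d+) times$")
DYN_FULL = "Too many dynamic rules"        # kernel: dynamic-rule table is full
NATD_FAIL = "failed to write packet back"  # natd: could not reinject translated packet


def expand_repeats(lines):
    """Yield (timestamp, message) pairs with repeat lines replayed verbatim."""
    last = None
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts, _host, msg = m.groups()
        rep = REPEAT_RE.match(msg)
        if rep and last is not None:
            # The repeats carry this line's timestamp but the previous text.
            for _ in range(int(rep.group(1))):
                yield ts, last
        else:
            last = msg
            yield ts, msg


def summarize(log_text):
    """Map each second to counts of dyn-rule refusals and natd write failures."""
    per_sec = defaultdict(lambda: {"dyn_full": 0, "natd_fail": 0})
    for ts, msg in expand_repeats(log_text.splitlines()):
        if DYN_FULL in msg:
            per_sec[ts]["dyn_full"] += 1
        elif NATD_FAIL in msg:
            per_sec[ts]["natd_fail"] += 1
    return dict(per_sec)


def exhaustion_window(summary):
    """Sorted list of seconds in which at least one dynamic rule was refused."""
    return sorted(ts for ts, c in summary.items() if c["dyn_full"])
```

On FreeBSD the ceiling the kernel message refers to is the sysctl net.inet.ip.fw.dyn_max, and net.inet.ip.fw.dyn_count reports how many dynamic rules are currently held; comparing the two while this script reports a non-empty window tells you whether the table is genuinely full or the rules are simply not being shown.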
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20011108201207.GA49594>