Date:      Thu, 21 Feb 2002 13:33:32 -0800
From:      72yan M <freedom@72oot.net>
To:        "C J Michaels" <cjm2@earthling.net>, <freebsd-questions@FreeBSD.ORG>
Subject:   Re: ipfw: Too many dynamic rules, sorry
Message-ID:  <02022113333200.74706@c1529030-a.attbi.com>
In-Reply-To: <3175.216.153.201.211.1014322964.squirrel@www1.27in.tv>
References:  <3175.216.153.201.211.1014322964.squirrel@www1.27in.tv>


> FreeBSD 4.5-STABLE FreeBSD 4.5-STABLE #6: Tue Jan 29 22:51:31 EST 2002
>
> Hello,
>
> I am periodically getting the following error in my syslog:
>    Feb 21 01:02:46 cartman /kernel: Too many dynamic rules, sorry
>
> I currently have the following sysctl set:
>    net.inet.ip.fw.dyn_buckets=512
>
> ...which seems like more than enough dyn buckets to me.  To give you some
> background, this machine is currently on a 2 machine network, acting as the
> firewall/router (nat)/etc...  The 2nd machine was not turned on at all
> yesterday, more specifically, I was sleeping at 1:02am.
>
> Either way, I can't seem to find any cron jobs that run at or around that
> time, nor can I find any records of someone logging in.  Barring intrusion,
> because I don't believe that's the issue, it's more likely a typo in my
> firewall.conf as I have several services running on the box.
>
> My questions are:
> 1. What's a good number for "net.inet.ip.fw.dyn_buckets"?  I could just
> keep tweaking it up until I stop getting the error, but I'm curious what
> the pro/cons are of setting this number too high, and what too high would
> be.  Does anyone have any experience with this?

DoS attack on your running services / dynamic rules.

I use 256 dyn_buckets, but I also cut dyn_ack_lifetime to 60 from 300.

>
> 2. Any suggestions on how I can track down what may be generating so many
> dynamic rules?  To give you a contrast now, ipfw lists _no_ dynamic rules.

You could add a cron job to print '#ipfw show' to a text file every so often
and then review the output file.

>
> Any assistance in getting started on this would be appreciated.
>
> Thanks,
> --
> Chris
>
> "I'll defend to the death your right to say that, but I never said I'd
> listen to it!"
>      -- Tom Galloway with apologies to Voltaire
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message

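One way to set up the periodic logging the reply suggests, written here as an added example rather than code from the thread. It snapshots `ipfw -d show` from cron, records the dynamic-rule sysctls, and summarizes the dynamic table per source address so a burst of state entries can be traced to whatever is opening them. The output format (lines containing `src sport <-> dst dport`), the `LOGDIR`, the `THRESHOLD`, the cron schedule and the sample lines in the test are all assumptions; the exact columns of `ipfw -d show` vary between FreeBSD versions.

```shell
#!/bin/sh
# Added example, not from the original thread: snapshot the ipfw dynamic rule
# table from cron and summarize it per source address.
#
# Assumptions (not stated in the thread): `ipfw -d show` lists dynamic rules
# as lines containing "src sport <-> dst dport"; LOGDIR, THRESHOLD and the
# cron schedule below are made up for this example.

LOGDIR=${LOGDIR:-/var/log/ipfw-dyn}
THRESHOLD=${THRESHOLD:-200}   # assumed: warn above this many dynamic rules

# Count the dynamic rules in `ipfw -d show` output read from stdin.
count_dynamic() {
    grep -c '<->' || true     # grep -c exits 1 when the count is 0
}

# Aggregate dynamic rules per source address, busiest first ("count addr").
# The arrow is normalized first so "3457<->" without a space still parses.
summarize_dynamic() {
    sed 's/<->/ <-> /' | awk '
        { for (i = 3; i <= NF; i++) if ($i == "<->") { n[$(i-2)]++; break } }
        END { for (a in n) print n[a], a }' | sort -rn
}

# Write one timestamped snapshot and log a warning if the table is large.
snapshot() {
    mkdir -p "$LOGDIR"
    out="$LOGDIR/dyn-$(date +%Y%m%d-%H%M%S).txt"
    {
        echo "# $(date)"
        # sysctl names from the thread plus the kernel's current count and limit
        sysctl net.inet.ip.fw.dyn_count net.inet.ip.fw.dyn_max \
               net.inet.ip.fw.dyn_buckets net.inet.ip.fw.dyn_ack_lifetime 2>/dev/null
        ipfw -d show
    } > "$out"
    total=$(count_dynamic < "$out")
    if [ "$total" -gt "$THRESHOLD" ]; then
        logger -t ipfw-dyn "$total dynamic rules; top sources: $(summarize_dynamic < "$out" | head -n 3 | tr '\n' ';')"
    fi
}

# Run from cron, e.g. (assumed schedule, every five minutes):
#   */5 * * * * root /usr/local/sbin/ipfw-dyn-snapshot.sh run
if [ "${1:-}" = "run" ]; then
    snapshot
fi
```

Reviewing the snapshots afterwards is then a matter of running `summarize_dynamic < /var/log/ipfw-dyn/dyn-<timestamp>.txt` on the file written closest to the syslog message; the address at the top of that list is the one to look at first.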