From: Michael Sierchio
Date: Thu, 21 Jan 2021 16:29:26 -0800
Subject: Re: IPFW | Too many dynamic rules?
To: Jos Chrispijn
Cc: FreeBSD Mailing List
This is affected by a number of things. Your ruleset may be faulty, and you may be instantiating dynamic rules when a matching state exists. You may need to separate inbound and outbound traffic in your ruleset. Do you have a check-state rule early in the ruleset?

The lifetime of dynamic rules is, by default, way too long. See my values below. In my world, udp is primarily used for DNS queries. 3 seconds is a very long time. A short dyn_ack_lifetime relies on keepalives (in SSH, for example).

net.inet.ip.fw.dyn_short_lifetime: 3
net.inet.ip.fw.dyn_udp_lifetime: 3
net.inet.ip.fw.dyn_rst_lifetime: 2
net.inet.ip.fw.dyn_fin_lifetime: 1
net.inet.ip.fw.dyn_syn_lifetime: 9
net.inet.ip.fw.dyn_ack_lifetime: 300
net.inet.ip.fw.dyn_parent_max: 4096
net.inet.ip.fw.dyn_max: 4096
net.inet.ip.fw.dyn_buckets: 2048

On Thu, Jan 21, 2021 at 3:15 PM Jos Chrispijn wrote:
> Just ran into this matter (never experienced it until now):
>
> "Cannot allocate dynamic state, consider increasing net.inet.ip.fw.dyn_max"
>
> - What can be the cause of this sudden incident?
> - Looks like ipfw is suddenly processing too many rules?
>
> Do I have to increase that in /etc/sysctl.conf and with what numbers can
> I do that best (depending on my BSD configuration or what is the usual
> formula on this)?
>
> Thanks, Jos

-- 
"Well," Brahmā said, "even after ten thousand explanations, a fool is no wiser, but an intelligent person requires only two thousand five hundred." - The Mahābhārata
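An added audit helper for the two points raised in the reply (check-state ordering and whether dyn_max has headroom for the configured lifetimes); it is not code from the thread. It assumes ruleset text in `ipfw list` format, sysctl output in `name: value` form, and a rate × lifetime steady-state approximation for the number of dynamic entries, which is my assumption, not a formula the thread gives.

```shell
#!/bin/sh
# Audit helpers for IPFW dynamic-state sizing (added example, not from the thread).
# Assumptions: ruleset lines look like `ipfw list` output, sysctl text is
# `name: value`, and the sample data at the bottom is constructed.

# Exit 0 if a check-state rule precedes the first keep-state rule, else 1.
check_state_first() {
    printf '%s\n' "$1" | awk '
        /check-state/ && !cs { cs = NR }
        /keep-state/  && !ks { ks = NR }
        END { exit !(cs && (!ks || cs < ks)) }'
}

# Steady-state estimate of dynamic entries: sum of rate * lifetime over the
# "rate:lifetime" pairs given (Little's law approximation, an assumption here).
estimate_states() {
    total=0
    for pair in "$@"; do
        rate=${pair%%:*}; life=${pair##*:}
        total=$((total + rate * life))
    done
    echo "$total"
}

# Read dyn_max from sysctl-style text ($1) and compare with an estimate ($2).
# Prints "ok" when the estimate is under 80% of dyn_max, otherwise "increase".
dyn_verdict() {
    max=$(printf '%s\n' "$1" | awk -F': ' '/dyn_max:/ { print $2 }')
    if [ "$(( $2 * 10 ))" -lt "$(( max * 8 ))" ]; then
        echo ok; return 0
    fi
    echo increase; return 1
}

# Constructed sample: the lifetimes from the reply plus a DNS-heavy UDP load.
SYSCTLS='net.inet.ip.fw.dyn_udp_lifetime: 3
net.inet.ip.fw.dyn_ack_lifetime: 300
net.inet.ip.fw.dyn_max: 4096'

RULES='00100 check-state :default
00200 allow tcp from me to any setup keep-state :default
00300 allow udp from me to any 53 keep-state :default'

check_state_first "$RULES" && echo "check-state precedes keep-state"
# 200 UDP queries/s at 3 s lifetime plus 4 TCP flows/s at 300 s lifetime.
dyn_verdict "$SYSCTLS" "$(estimate_states 200:3 4:300)"
```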