From: "Brian" <bbayorgeon@new.rr.com>
To: freebsd-questions@freebsd.org
Date: Wed, 26 Jan 2005 22:09:22 -0600
Subject: kernel: drop session, too many entries - errors with stateful ipfw

Trying to find the source of the following error messages. It is not quite obvious why I am getting so many dynamic rules. This is a small private home LAN with FreeBSD 5.3-RELEASE. These errors can crop up even during times when no one is cruising the internet on the various clients. I even boosted 'net.inet.ip.fw.dyn_max: 15000' and it still happens. Any thoughts would be appreciated.

Thanks
Brian

LOG FILE

Jan 25 19:12:36 xx kernel: drop session, too many entries
Jan 25 19:13:46 xx kernel: drop session, too many entries
Jan 25 19:16:26 xx last message repeated 2 times
Jan 25 19:33:58 xx last message repeated 5 times
Jan 25 20:01:55 xx kernel: drop session, too many entries
Jan 25 20:01:58 xx kernel: drop session, too many entries
Jan 25 20:03:15 xx kernel: drop session, too many entries
Jan 25 20:12:00 xx last message repeated 3 times
Jan 26 08:41:10 xx kernel: drop session, too many entries
Jan 26 10:46:37 xx kernel: drop session, too many entries
Jan 26 10:46:45 xx kernel: drop session, too many entries

SYSCTL OUTPUT

sysctl -a | grep ip.fw
net.inet.ip.fw.enable: 1
net.inet.ip.fw.autoinc_step: 100
net.inet.ip.fw.one_pass: 1
net.inet.ip.fw.debug: 1
net.inet.ip.fw.verbose: 1
net.inet.ip.fw.verbose_limit: 100
net.inet.ip.fw.dyn_buckets: 256
net.inet.ip.fw.curr_dyn_buckets: 256
net.inet.ip.fw.dyn_count: 0
net.inet.ip.fw.dyn_max: 15000
net.inet.ip.fw.static_count: 47
net.inet.ip.fw.dyn_ack_lifetime: 300
net.inet.ip.fw.dyn_syn_lifetime: 20
net.inet.ip.fw.dyn_fin_lifetime: 1
net.inet.ip.fw.dyn_rst_lifetime: 1
net.inet.ip.fw.dyn_udp_lifetime: 10
net.inet.ip.fw.dyn_short_lifetime: 5
net.inet.ip.fw.dyn_keepalive: 1

ipfw show output

00002 95 15384 allow ip from any to any via de0
00003 0 0 allow ip from any to any via lo0
00100 1 338 divert 8668 ip from any to any in via ex0
00101 0 0 check-state
00120 0 0 skipto 500 udp from any to any dst-port 53 out via ex0 keep-state
00122 0 0 skipto 500 log logamount 1000 udp from any to 10.x.x.x dst-port 67 out via keep-state
00125 0 0 skipto 500 tcp from any to any dst-port 22,25,43,80,443,110,119,11000-12000 out via ex0 setup keep-state
00130 0 0 skipto 500 icmp from any to any out via ex0 keep-state
00135 0 0 skipto 500 log logamount 1000 udp from any to any dst-port 123 out via ex0 keep-state
00150 1 338 allow log logamount 1000 udp from 10.x.x.x to any dst-port 68 in via ex0 keep-state
00300 0 0 deny log logamount 1000 ip from 192.168.0.0/16 to any in via ex0
00301 0 0 deny log logamount 1000 ip from 172.16.0.0/12 to any in via ex0
00302 0 0 deny log logamount 1000 ip from 10.0.0.0/8 to any in via ex0
00303 0 0 deny log logamount 1000 ip from 127.0.0.0/8 to any in via ex0
00304 0 0 deny log logamount 1000 ip from 0.0.0.0/8 to any in via ex0
00305 0 0 deny log logamount 1000 ip from 169.254.0.0/16 to any in via ex0
00306 0 0 deny log logamount 1000 ip from 192.0.2.0/24 to any in via ex0
00307 0 0 deny log logamount 1000 ip from 204.152.64.0/23 to any in via ex0
00308 0 0 deny log logamount 1000 ip from 224.0.0.0/3 to any in via ex0
00310 0 0 deny log logamount 1000 tcp from any to any dst-port 113 in via ex0
00311 0 0 deny log logamount 1000 icmp from any to any in via ex0 icmptypes 8
00315 0 0 deny log logamount 1000 ip from any to any in frag
00320 0 0 deny log logamount 1000 tcp from any to any dst-port 137,138,139,81 in via ex0
00330 0 0 deny log logamount 1000 ip from any to any frag in via ex0
00340 0 0 deny log logamount 1000 tcp from any to any established in via ex0
00420 0 0 allow log logamount 1000 tcp from any to me dst-port 80 in via ex0 setup limit src-addr 2
00421 0 0 allow log logamount 1000 tcp from any to me dst-port 22 in via ex0 setup limit src-addr 2
00450 0 0 deny log logamount 10000 ip from any to any
00500 0 0 divert 8668 ip from any to any out via ex0
00510 0 0 allow ip from any to any
00999 0 0 deny log logamount 1000 ip from any to any
65535 112 9464 allow ip from any to any
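As an added example (not from Brian's post, and not ipfw code), the helper below does the two bookkeeping steps a reader of this thread would want before guessing at the cause: it totals the drop events in the syslog excerpt, crediting the "last message repeated N times" lines that syslogd uses to collapse repeats, and it lists which rules in the `ipfw show` output can create dynamic state at all (keep-state rules, bounded only by dyn_max, versus limit rules with their own per-key cap). The sample input is constructed from lines in the post; the parsing assumes standard syslogd timestamps and the packet/byte counter columns of `ipfw show`.

```python
import re
from collections import Counter
# Constructed sample in the shape of the post's LOG FILE section.
SAMPLE_LOG = """\
Jan 25 19:12:36 xx kernel: drop session, too many entries
Jan 25 19:13:46 xx kernel: drop session, too many entries
Jan 25 19:16:26 xx last message repeated 2 times
Jan 25 19:33:58 xx last message repeated 5 times
Jan 25 20:01:55 xx kernel: drop session, too many entries
"""
# Constructed sample: a subset of the post's `ipfw show` rules.
SAMPLE_RULES = """\
00101 0 0 check-state
00120 0 0 skipto 500 udp from any to any dst-port 53 out via ex0 keep-state
00300 0 0 deny log logamount 1000 ip from 192.168.0.0/16 to any in via ex0
00420 0 0 allow log logamount 1000 tcp from any to me dst-port 80 in via ex0 setup limit src-addr 2
"""
DROP_MSG = "drop session, too many entries"
STAMP = r"^(\w{3} +\d+ \d\d):\d\d:\d\d \S+ "          # group 1 = 'Mon DD HH'
MSG_RE = re.compile(STAMP + r"kernel: (.*)$")
REPEAT_RE = re.compile(STAMP + r"last message repeated (\d+) times$")

def count_drops_per_hour(log_text):
    """Drop events per hour; syslogd collapses repeats into 'last message
    repeated N times', so N is added only when the previous message was a drop."""
    counts, last_was_drop = Counter(), False
    for line in log_text.splitlines():
        m = MSG_RE.match(line)
        if m:
            last_was_drop = m.group(2) == DROP_MSG
            if last_was_drop:
                counts[m.group(1)] += 1
            continue
        m = REPEAT_RE.match(line)
        if m and last_was_drop:
            counts[m.group(1)] += int(m.group(2))
    return dict(counts)

def stateful_rules(show_text):
    """(rule, kind, cap) for rules that create dynamic state: keep-state rules
    are bounded only by dyn_max, limit rules by their own per-key cap."""
    out = []
    for line in show_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        num, body = fields[0], fields[3:]
        if "keep-state" in body:
            out.append((num, "keep-state", None))
        elif "limit" in body:
            i = body.index("limit")
            out.append((num, "limit " + body[i + 1], int(body[i + 2])))
    return out
```

Run against the full log in the post, the totals show how many sessions were actually refused per hour rather than how many lines syslogd wrote; run against the full rule set, the second function separates the six keep-state rules from the two `limit src-addr 2` rules, which is the distinction to keep in mind when dyn_count is far below dyn_max.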