Date: Sat, 9 Dec 2006 17:59:13 +0200
From: "Nicolae Namolovan" <adrenalinup@gmail.com>
To: freebsd-stable@freebsd.org
Subject: [ipfw] Dynamic rules grow indefinitely..
Message-ID: <f027bef40612090759t77b620al6973e372c4bd0d09@mail.gmail.com>
It is a web server with ~130 req/s; the problems seem to have started after upgrading to new hardware. FreeBSD 6.1-RELEASE-p10.

Right now:

ipfw -d list | wc -l
4338

After an hour it will grow more and more.. The day before yesterday I got 20 000 dynamic rules ;o) (I was forced to increase net.inet.ip.fw.dyn_max because I started to get errors in syslog). To reset them I was forced to flush and reload all rules..

Also, in some strange way, random IPs get banned ;] I suspect this is because of that bug in the dynamic list, because after a flush, with the same rules, all works right.

Here are my firewall rules: http://pastebin.ca/273074
Kernel config: http://pastebin.ca/273077

In the kernel:
Enabled: ULE scheduler (I read somewhere that mysql works better with it), option IPFIREWALL
Disabled: INET6, NFS*, COMPAT_FREEBSD4, COMPAT_FREEBSD5, AHC_REG_PRETTY_PRINT, AHD_REG_PRETTY_PRINT

Also I get lots of 0s in ipfw -d list:

00160 0 0 (0s) PARENT 5 tcp 86.106.209.238 0 <-> 0.0.0.0 0
00160 0 0 (0s) PARENT 1 tcp 212.0.211.241 0 <-> 0.0.0.0 0
00160 0 0 (0s) PARENT 3 tcp 86.106.210.242 0 <-> 0.0.0.0 0
..

Currently, of 4363, 646 are with (0s).. Is that normal? (I have very little experience and don't have access to another server to see if it's normal or not..)

By the way, what does the "3" in "PARENT 3" mean?

Here is a dump of ipfw -d list with 6410 dynamics, taken yesterday before an ipfw flush: http://pastebin.ca/273087

--
Best regards,
Nicolae Namolovan.
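As an added example, not part of the original post and not FreeBSD's own tooling: a small POSIX sh/awk helper that summarizes a saved "ipfw -d list" dump, counting the dynamic entries, the ones already at (0s), and breaking them down per rule number and per source address. It assumes the FreeBSD 6.x output format shown in the post (STATE and PARENT lines) and runs over a constructed sample; the three PARENT lines in the sample are the ones quoted above, the other lines are made up for the example. The reading of the number after PARENT as the count of child states on a limit entry is the author of this example's understanding of ipfw's output, not something stated in the post.

```shell
#!/bin/sh
# Added example (not from the original post or from FreeBSD): summarize a saved
# "ipfw -d list" dump to see where dynamic rules are piling up.
#
# Assumed FreeBSD 6.x format of the dynamic entries:
#   <rule> <pkts> <bytes> (<lifetime>s) STATE  <proto> <src> <sport> <-> <dst> <dport>
#   <rule> <pkts> <bytes> (<lifetime>s) PARENT <count> <proto> <src> <sport> <-> <dst> <dport>
# PARENT entries come from "limit" rules; <count> is taken here to be the
# number of child states hanging off that limit entry (assumption).

# Constructed sample standing in for a real dump. The three PARENT lines are
# the ones quoted in the post; everything else is made up for the example.
SAMPLE='00100 allow ip from any to any via lo0
## Dynamic rules (7):
00150 12 3456 (300s) STATE tcp 10.0.0.5 43210 <-> 192.0.2.10 80
00160 0 0 (0s) PARENT 5 tcp 86.106.209.238 0 <-> 0.0.0.0 0
00160 0 0 (0s) PARENT 1 tcp 212.0.211.241 0 <-> 0.0.0.0 0
00160 0 0 (0s) PARENT 3 tcp 86.106.210.242 0 <-> 0.0.0.0 0
00160 9 1200 (298s) STATE tcp 86.106.210.242 51000 <-> 192.0.2.10 80
00160 4 500 (1s) STATE tcp 86.106.210.242 51001 <-> 192.0.2.10 80
00160 2 100 (0s) STATE tcp 86.106.210.242 51002 <-> 192.0.2.10 80'

# awk prelude shared by the helpers: matches dynamic entries only and hides
# the field offsets that differ between STATE and PARENT lines.
DYN='
function dyn()   { return ($5 == "STATE" || $5 == "PARENT") }
function src()   { return ($5 == "PARENT") ? $8 : $7 }
function life(t) { t = $4; gsub(/[()s]/, "", t); return t + 0 }
'

# Number of dynamic entries. A plain "ipfw -d list | wc -l" also counts the
# static rules and the header line, so it overstates this.
count_dynamic() { awk "$DYN"'dyn() { n++ } END { print n + 0 }'; }

# Entries whose remaining lifetime is already 0s.
count_expired() { awk "$DYN"'dyn() && life() == 0 { n++ } END { print n + 0 }'; }

# Dynamic entries per (static) rule number, busiest first: "rule count".
per_rule() {
    awk "$DYN"'dyn() { c[$1]++ } END { for (r in c) print r, c[r] }' | sort -k2,2nr
}

# Dynamic entries per source address, busiest first. One address holding a
# large share of the table is the first thing to check when unrelated hosts
# start being blocked.
per_source() {
    awk "$DYN"'dyn() { c[src()]++ } END { for (a in c) print a, c[a] }' | sort -k2,2nr
}

# PARENT entries at 0s that still report children: "rule src count".
stale_parents() {
    awk "$DYN"'$5 == "PARENT" && life() == 0 && $6 > 0 { print $1, $8, $6 }'
}

# Usage on a live box: ipfw -d list > dump.txt; report dump.txt
report() {
    echo "dynamic entries: $(count_dynamic < "$1")"
    echo "already at 0s:   $(count_expired < "$1")"
    echo "--- per rule";   per_rule < "$1"
    echo "--- per source"; per_source < "$1" | head -n 5
    echo "--- PARENT entries at 0s that still have children (rule src count)"
    stale_parents < "$1"
}

# Run against the constructed sample.
printf '%s\n' "$SAMPLE" > "/tmp/ipfw-sample.$$"
report "/tmp/ipfw-sample.$$"
rm -f "/tmp/ipfw-sample.$$"
```

The helpers only read a dump, so they can be pointed at the pastebin dumps from the post as well as at a live "ipfw -d list"; the per-source and per-rule breakdowns are the quickest way to tell whether a few limit-rule parents are accumulating children or whether the whole table is simply not expiring.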