From: "Nicolae Namolovan" <adrenalinup@gmail.com>
To: freebsd-stable@freebsd.org
Date: Sat, 9 Dec 2006 17:59:13 +0200
Subject: [ipfw] Dynamic rules grow indefinitely..
List-Id: Production branch of FreeBSD source code

It is a web server with ~130 req/s; problems seem to start after upgrading to new hardware.

FreeBSD 6.1-RELEASE-p10

Right now:

    ipfw -d list | wc -l
    4338

After an hour it will grow more and more..
The day before yesterday I got 20 000 dynamic rules ;o) (I was forced to increase net.inet.ip.fw.dyn_max because I started to get errors in syslog). To reset them I was forced to flush and reload all rules.. Also, in some strange way, random IPs get banned ;] I suspect this is because of that bug in the dynamic list, because after a flush, with the same rules, all works right.

Here are my firewall rules: http://pastebin.ca/273074
Kernel config: http://pastebin.ca/273077

In kernel, enabled: ULE scheduler (I read somewhere that mysql works better with it), option IPFIREWALL
Disabled: INET6, NFS*, COMPAT_FREEBSD4, COMPAT_FREEBSD5, AHC_REG_PRETTY_PRINT, AHD_REG_PRETTY_PRINT

Also I get lots of 0s in ipfw -d list:

    00160 0 0 (0s) PARENT 5 tcp 86.106.209.238 0 <-> 0.0.0.0 0
    00160 0 0 (0s) PARENT 1 tcp 212.0.211.241 0 <-> 0.0.0.0 0
    00160 0 0 (0s) PARENT 3 tcp 86.106.210.242 0 <-> 0.0.0.0 0
    ..

Currently, 646 of 4363 are with (0s).. Is that normal? (I have very little experience and don't have access to another server to see if it's normal or not..)

By the way, what does the "3" in "PARENT 3" mean?

Here is a dump of ipfw -d list with 6410 dynamic rules, taken yesterday before an ipfw flush: http://pastebin.ca/273087

-- 
Best regards,
Nicolae Namolovan.
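An added example for tracking the growth described above; it is not part of the original post or of ipfw itself. It parses dynamic entries in the ipfw -d list layout quoted in the message (rule, packets, bytes, (expiry), state, proto, src sport <-> dst dport) and reports the total against net.inet.ip.fw.dyn_max, how many entries show (0s), and per-rule and per-state breakdowns. The sample lines and addresses are constructed, and the dyn_max value is an assumed placeholder.

```python
import re
from collections import Counter

# Constructed sample in the layout of `ipfw -d list` dynamic entries.
# Addresses are documentation ranges, not real hosts.
SAMPLE = """\
## Dynamic rules:
00160 0 0 (0s) PARENT 5 tcp 192.0.2.10 0 <-> 0.0.0.0 0
00160 12 3456 (300s) STATE tcp 192.0.2.10 51234 <-> 198.51.100.5 80
00160 0 0 (0s) PARENT 1 tcp 192.0.2.11 0 <-> 0.0.0.0 0
00160 3 120 (0s) STATE tcp 192.0.2.11 40001 <-> 198.51.100.5 80
00170 7 900 (20s) STATE udp 192.0.2.12 5353 <-> 198.51.100.9 53
"""

# ipfw prints "PARENT <n>" for the parent entry of a limit rule; n is the
# number of child states currently attributed to it. Other entries print
# a bare state name such as STATE.
DYN_RE = re.compile(
    r"^(?P<rule>\d+)\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+\((?P<expire>\d+)s\)\s+"
    r"(?P<state>PARENT\s+\d+|[A-Z_]+)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\d+)\s+<->\s+(?P<dst>\S+)\s+(?P<dport>\d+)$"
)

def parse_dyn(text):
    """Return parsed dynamic entries; lines that do not match (headers, static rules) are skipped."""
    entries = []
    for line in text.splitlines():
        m = DYN_RE.match(line.strip())
        if m:
            e = m.groupdict()
            for k in ("rule", "pkts", "bytes", "expire", "sport", "dport"):
                e[k] = int(e[k])
            entries.append(e)
    return entries

def summarize(entries, dyn_max):
    """Counts worth watching: total vs dyn_max, entries already at (0s), per rule, per state."""
    total = len(entries)
    return {
        "total": total,
        "pct_of_dyn_max": round(100.0 * total / dyn_max, 1) if dyn_max else None,
        "zero_expiry": sum(1 for e in entries if e["expire"] == 0),
        "per_rule": dict(Counter(e["rule"] for e in entries)),
        "per_state": dict(Counter(e["state"].split()[0] for e in entries)),
        "parents": sum(1 for e in entries if e["state"].startswith("PARENT")),
    }

if __name__ == "__main__":
    # Assumed placeholder; read the live value with `sysctl net.inet.ip.fw.dyn_max`.
    print(summarize(parse_dyn(SAMPLE), dyn_max=4096))
```

On a live host, feed the output of `ipfw -d list` into parse_dyn instead of SAMPLE and log the summary from cron to see the growth rate over time.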