From: franck
To: freebsd-ipfw@freebsd.org
Date: Wed, 29 Jun 2011 03:58:52 -0700 (PDT)
Message-ID: <1309345132620-4534755.post@n5.nabble.com>
Subject: using tables = ipfw: ipfw_install_state: Too many dynamic rules

Hi,

On a new FreeBSD 8.2 server, ipfw complains of too many dynamic rules as traffic increases, e.g. "ipfw: ipfw_install_state: Too many dynamic rules".

Is the following set of rules too complex? What would be the best/generic approach to set up ipfw for a standard web server? Any recommendations?
    00100 allow ip from any to any via lo0
    00200 deny ip from any to 127.0.0.0/8
    00300 deny ip from 127.0.0.0/8 to any
    00400 deny tcp from any to any frag
    00500 allow ip from table(1) to any keep-state
    00600 check-state
    00700 allow tcp from any to any established
    00800 allow ip from any to any out keep-state
    00900 allow icmp from any to any
    01000 allow udp from me to any dst-port 53 keep-state
    01100 allow udp from me to any dst-port 123 keep-state
    01200 allow tcp from any to any dst-port 747 setup keep-state
    01300 deny ip from table(2) to any
    20000 allow tcp from any to any dst-port 80,443 setup keep-state
    20100 deny log logamount 1000 ip from any to any
    65535 deny ip from any to any

Note that:
- table 1: holds whitelist of IPs
- table 2: holds blacklist of IPs

Regards,
Franck
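Added example, not part of Franck's post: before the dynamic table overflows, a defender wants to know how full it is and which keep-state rules own the live states. This script parses the real `net.inet.ip.fw.dyn_max` / `dyn_count` sysctl OIDs and the dynamic-rule section of `ipfw -d list` (the exact column layout of that output is assumed here, and all sample data is constructed) and reports utilisation per parent rule.

```python
import re
from collections import Counter

# Constructed sample of `sysctl net.inet.ip.fw` output (values are illustrative).
SYSCTL_SAMPLE = """\
net.inet.ip.fw.dyn_max: 4096
net.inet.ip.fw.dyn_count: 3900
net.inet.ip.fw.dyn_buckets: 256
"""

# Constructed sample of the dynamic-rule section of `ipfw -d list`; the column layout
# (rule, packets, bytes, expiry, STATE, proto, endpoints) is assumed from FreeBSD 8.x.
DYN_SAMPLE = """\
## Dynamic rules (5):
20000     12     1234 (295s) STATE tcp 203.0.113.5 45678 <-> 192.0.2.10 80
20000      7      820 (290s) STATE tcp 198.51.100.8 51002 <-> 192.0.2.10 443
00800      3      210 (5s) STATE udp 192.0.2.10 53211 <-> 192.0.2.53 53
00800      1       84 (1s) STATE icmp 192.0.2.10 0 <-> 203.0.113.77 0
00500     40     9000 (300s) STATE tcp 192.0.2.20 33001 <-> 192.0.2.10 22
"""

DYN_RE = re.compile(
    r"^(?P<rule>\d{5})\s+\d+\s+\d+\s+\((?P<ttl>\d+)s\)\s+STATE\s+"
    r"(?P<proto>\S+)\s+\S+\s+\d+\s+<->\s+\S+\s+\d+$")

def parse_sysctl(text):
    """Return {oid_suffix: int} for the net.inet.ip.fw.dyn_* OIDs in sysctl output."""
    found = re.findall(r"net\.inet\.ip\.fw\.(dyn_\w+):\s*(\d+)", text)
    return {name: int(val) for name, val in found}

def parse_dyn(text):
    """Yield one dict per dynamic state line; headers and unparsable lines are skipped."""
    for m in filter(None, map(DYN_RE.match, text.splitlines())):
        yield {"rule": m.group("rule"), "proto": m.group("proto"), "ttl": int(m.group("ttl"))}

def state_report(sysctl_text, dyn_text):
    """Report dynamic-table pressure and which parent rules own the live states."""
    s = parse_sysctl(sysctl_text)
    by_rule = Counter(st["rule"] for st in parse_dyn(dyn_text))
    util = s["dyn_count"] / s["dyn_max"] if s.get("dyn_max") else None
    return {"dyn_max": s.get("dyn_max"), "dyn_count": s.get("dyn_count"),
            "utilisation": util, "by_rule": dict(by_rule),
            "warn": util is not None and util >= 0.9}  # alert before the table fills

if __name__ == "__main__":
    r = state_report(SYSCTL_SAMPLE, DYN_SAMPLE)
    print(f"dyn_count {r['dyn_count']}/{r['dyn_max']} ({r['utilisation']:.0%}) warn={r['warn']}")
    for rule, n in sorted(r["by_rule"].items(), key=lambda kv: -kv[1]):
        print(f"  rule {rule}: {n} states")
```

On a live host, feed it `sysctl net.inet.ip.fw` and `ipfw -d list` output instead of the samples; a rule such as 00800 (`ip ... keep-state` for every outbound flow) showing up at the top of the per-rule count is the usual sign that state is being created for traffic that did not need it.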