Date:      Wed, 29 Jun 2011 03:58:52 -0700 (PDT)
From:      franck <freebsd@ouarz.net>
To:        freebsd-ipfw@freebsd.org
Subject:   using tables = ipfw: ipfw_install_state: Too many dynamic rules
Message-ID:  <1309345132620-4534755.post@n5.nabble.com>

Hi,

On a new FreeBSD 8.2 server, ipfw complains of too many dynamic rules as
traffic increases.
e.g. "ipfw: ipfw_install_state: Too many dynamic rules"

Is the following set of rules too complex? What would be the best/generic
approach to set up ipfw for a standard web server? Any recommendations?

00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny tcp from any to any frag
00500 allow ip from table(1) to any keep-state
00600 check-state
00700 allow tcp from any to any established
00800 allow ip from any to any out keep-state
00900 allow icmp from any to any
01000 allow udp from me to any dst-port 53 keep-state
01100 allow udp from me to any dst-port 123 keep-state
01200 allow tcp from any to any dst-port 747 setup keep-state
01300 deny ip from table(2) to any
20000 allow tcp from any to any dst-port 80,443 setup keep-state
20100 deny log logamount 1000 ip from any to any
65535 deny ip from any to any

Note that:
- table 1: holds whitelist of IPs
- table 2: holds blacklist of IPs

Regards,
Franck

--
View this message in context: http://freebsd.1045724.n5.nabble.com/using-tables-ipfw-ipfw-install-state-Too-many-dynamic-rules-tp4534755p4534755.html
Sent from the freebsd-ipfw mailing list archive at Nabble.com.
