From owner-freebsd-ipfw@FreeBSD.ORG Wed Jun 29 19:04:57 2011
From: Michael Sierchio
To: franck
Cc: freebsd-ipfw@freebsd.org
Date: Wed, 29 Jun 2011 11:34:48 -0700
Subject: Re: using tables = ipfw: ipfw_install_state: Too many dynamic rules
In-Reply-To: <1309345132620-4534755.post@n5.nabble.com>
List-Id: IPFW Technical Discussions

If table 2 contains a blacklist, why not deny traffic at the top?

Why are you silently dropping fragmented TCP packets? This will break Path MTU discovery.

Why do you have a check-state rule after rule 500? That's backwards. You might consider putting check-state at the beginning. You don't want to explicitly permit tcp established - that's done by the dynamic rules.

This one rule may be the culprit, but the rest of your rules need improvement too. ;-)

Are you running services on 80,443,747 on this host? Or another internal host?
Rule 500 is broken, because TCP works differently from ICMP and UDP, and you only want to use the keep-state directive on packets with the SYN bit set. Even if you have only one interface, 'out' is ambiguous - best to specify the interface. You don't need the 'me' rules, since 'any' includes me.

Try something like the following (pretend your external interface is 'eth0'):

  allow ip from any to any via lo0
  deny ip from any to 127.0.0.0/8
  deny ip from 127.0.0.0/8 to any
  deny ip from table\(2\) to any
  check-state
  deny tcp from any to any established
  allow tcp from any to any dst-port 80,443,747 in recv eth0 setup keep-state
  allow tcp from table\(1\) to any in recv eth0 setup keep-state
  allow udp from table\(1\) to any in recv eth0 keep-state
  allow icmp from table\(1\) to any in recv eth0 keep-state
  allow tcp from any to any out xmit eth0 setup keep-state
  allow udp from any to any out xmit eth0 keep-state
  allow icmp from any to any out xmit eth0 keep-state
  deny log logamount 1000 ip from any to any

On Wed, Jun 29, 2011 at 3:58 AM, franck wrote:
> Hi,
>
> On a new FreeBSD 8.2 server, ipfw complains of too many dynamic rules as
> traffic increases.
> e.g. "ipfw: ipfw_install_state: Too many dynamic rules")
>
> Is the following set of rules too complex? What would be the best/generic
> approach to setup ipfw for a standard web server? Any recommendations?
>
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 00300 deny ip from 127.0.0.0/8 to any
> 00400 deny tcp from any to any frag
> 00500 allow ip from table(1) to any keep-state
> 00600 check-state
> 00700 allow tcp from any to any established
> 00800 allow ip from any to any out keep-state
> 00900 allow icmp from any to any
> 01000 allow udp from me to any dst-port 53 keep-state
> 01100 allow udp from me to any dst-port 123 keep-state
> 01200 allow tcp from any to any dst-port 747 setup keep-state
> 01300 deny ip from table(2) to any
> 20000 allow tcp from any to any dst-port 80,443 setup keep-state
> 20100 deny log logamount 1000 ip from any to any
> 65535 deny ip from any to any
>
> Note that:
> - table 1: holds whitelist of IPs
> - table 2: holds blacklist of IPs
>
> Regards,
> Franck
>
> --
> View this message in context: http://freebsd.1045724.n5.nabble.com/using-tables-ipfw-ipfw-install-state-Too-many-dynamic-rules-tp4534755p4534755.html
> Sent from the freebsd-ipfw mailing list archive at Nabble.com.
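As an added example (not part of the thread), a small POSIX sh/awk linter that reads `ipfw list` output and flags the ordering and state problems the reply raises: keep-state on tcp/ip rules without setup, check-state placed after a keep-state rule, an explicit tcp established allow, a silent fragment drop, out without an interface, and a blacklist table deny sitting below allow rules. The function name `lint_ipfw` and its message texts are my own; the blacklist table number is passed as the first argument, and the input run here is the ruleset from the original post.

```shell
#!/bin/sh
# lint_ipfw: read "ipfw list" output on stdin and print one finding per line for
# the ordering and state problems raised in the reply. $1 = blacklist table number.
lint_ipfw() {
    awk -v blacklist="$1" '
    {
        num = $1; action = $2
        i = ($3 == "log") ? (($4 == "logamount") ? 6 : 4) : 3   # skip "log [logamount N]"
        proto = $i
        ks = ($0 ~ / keep-state( |$)/)
        if (action == "check-state") {
            if (first_ks != "") printf("rule %s: check-state comes after keep-state rule %s; put it first\n", num, first_ks)
            next
        }
        if (ks && first_ks == "") first_ks = num
        # keep-state on tcp/ip without setup creates state for every packet, not only SYNs
        if (ks && (proto == "tcp" || proto == "ip") && $0 !~ / setup( |$)/)
            printf("rule %s: keep-state on %s without setup\n", num, proto)
        if (action == "allow" && proto == "tcp" && $0 ~ / established( |$)/)
            printf("rule %s: explicit tcp established allow is redundant with dynamic rules\n", num)
        if (action == "deny" && $0 ~ / frag( |$)/)
            printf("rule %s: silently dropping fragments breaks Path MTU discovery\n", num)
        if ($0 ~ / out( |$)/ && $0 !~ / (via|xmit|recv) /)
            printf("rule %s: out without an interface is ambiguous\n", num)
        if (action == "allow" && $0 !~ / via lo0( |$)/) seen_allow = 1   # loopback allow does not count
        if (action == "deny" && blacklist != "" && index($0, "table(" blacklist ")") && seen_allow)
            printf("rule %s: blacklist table(%s) deny sits below allow rules; deny at the top\n", num, blacklist)
    }'
}

# The ruleset from the original post, as "ipfw list" prints it.
POSTED_RULES='00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny tcp from any to any frag
00500 allow ip from table(1) to any keep-state
00600 check-state
00700 allow tcp from any to any established
00800 allow ip from any to any out keep-state
00900 allow icmp from any to any
01000 allow udp from me to any dst-port 53 keep-state
01100 allow udp from me to any dst-port 123 keep-state
01200 allow tcp from any to any dst-port 747 setup keep-state
01300 deny ip from table(2) to any
20000 allow tcp from any to any dst-port 80,443 setup keep-state
20100 deny log logamount 1000 ip from any to any
65535 deny ip from any to any'

printf '%s\n' "$POSTED_RULES" | lint_ipfw 2   # 7 findings for the posted ruleset
```

Fed the rewritten ruleset from the reply, numbered the way `ipfw list` would show it, the same checks report nothing.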