From owner-freebsd-ipfw@FreeBSD.ORG  Mon May 26 18:30:44 2003
Return-Path: <owner-freebsd-ipfw@FreeBSD.ORG>
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id A502D37B401
	for <freebsd-ipfw@freebsd.org>; Mon, 26 May 2003 18:30:44 -0700 (PDT)
Received: from mail.cs.ait.ac.th (mail.cs.ait.ac.th [192.41.170.16])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 3F01543F3F
	for <freebsd-ipfw@freebsd.org>; Mon, 26 May 2003 18:30:43 -0700 (PDT)
	(envelope-from on@cs.ait.ac.th)
Received: from banyan.cs.ait.ac.th (on@banyan.cs.ait.ac.th [192.41.170.5])
	by mail.cs.ait.ac.th (8.12.3/8.9.3) with ESMTP id h4R1UYgC012742
	for <freebsd-ipfw@freebsd.org>; Tue, 27 May 2003 08:30:41 +0700 (ICT)
Received: (from on@localhost)
	by banyan.cs.ait.ac.th (8.8.5/8.8.5) id IAA02341;
	Tue, 27 May 2003 08:32:10 +0700 (ICT)
Date: Tue, 27 May 2003 08:32:10 +0700 (ICT)
Message-Id: <200305270132.IAA02341@banyan.cs.ait.ac.th>
X-Authentication-Warning: banyan.cs.ait.ac.th: on set sender to
	on@banyan.cs.ait.ac.th using -f
From: Olivier Nicole <on@cs.ait.ac.th>
To: freebsd-ipfw@freebsd.org
X-Virus-Scanned: by amavisd-milter (http://amavis.org/)
Subject: Strange count of dynamic rules
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions <freebsd-ipfw.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ipfw>
List-Post: <mailto:freebsd-ipfw@freebsd.org>
List-Help: <mailto:freebsd-ipfw-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 27 May 2003 01:30:45 -0000

Hi,

I am trying to install a standalone firewall between my LAN and my
router to outside world.

And I am puzzled with the number of dynamic rules that are installed.

firewall<root>125: ipfw -d list | grep "<->" | wc
    1849   20651  157940

tells me that there are 1849 dynamic rules (both active and expired)

but:

firewall<root>127: sysctl net.inet.ip.fw.dyn_count
net.inet.ip.fw.dyn_count: 15910

tells me that there are 15910 dynamic rules. 

So where is the truth? Or is that something I missunderstand?

Problem is that net.inet.ip.fw.dyn_count will never count down and
reach the limit of 65535 very soon (coupleof hours), and then nothing
can get through.

BTW, I am running FreeBSD 4.8 with IPFW2

Best regards,

Olivier