Date:      Fri, 10 Sep 2010 14:08:06 +0200
From:      Ivan Voras <ivoras@freebsd.org>
To:        freebsd-stable@freebsd.org
Subject:   Re: ipfw: Too many dynamic rules
Message-ID:  <i6d736$h9r$1@dough.gmane.org>
In-Reply-To: <20100909153902.GA28341@lordcow.org>


On 09/09/10 17:39, Gareth de Vaux wrote:
> Hi again, I use some keep-state rules in ipfw, but get the following
> kernel message:
>
> kernel: ipfw: install_state: Too many dynamic rules
>
> when presumably my state table reaches its limit (and I effectively
> get DoS'd).
>
> netstat shows tons of connections in FIN_WAIT_2 state, mostly to
> my webserver. Consequently net.inet.ip.fw.dyn_count is large too.
>
> I can increase my net.inet.ip.fw.dyn_max but the new limit will
> simply be reached later on.

For what it's worth, here's what I've been running:

net.inet.ip.fw.dyn_buckets=1024
net.inet.ip.fw.dyn_max=8192
net.inet.ip.fw.dyn_ack_lifetime=60

If in a tight spot, I might reduce dyn_ack_lifetime to 10.

There is no way this machine would service 8192 legitimate simultaneous
connections so this works for me. If you have the memory I think you can
increase dyn_max practically arbitrarily. If under a DDoS attack, you
might run out of some other resource, like ephemeral TCP ports for the
server side of connections, before running out of ipfw entries.
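An added monitoring example, not part of the thread or of FreeBSD itself: a POSIX sh script that computes how full the ipfw dynamic-rule table is (dyn_count against dyn_max) and counts sockets in FIN_WAIT_2, the two symptoms described above, so an operator can alert before install_state starts refusing new state. It runs on constructed sysctl(8) and netstat(1) output embedded below; on a real host you would feed it `sysctl net.inet.ip.fw` and `netstat -an -p tcp` instead.

```shell
#!/bin/sh
# Constructed sample of `sysctl net.inet.ip.fw` (not captured from a real host).
SAMPLE_SYSCTL='net.inet.ip.fw.dyn_buckets: 1024
net.inet.ip.fw.dyn_max: 8192
net.inet.ip.fw.dyn_count: 7783
net.inet.ip.fw.dyn_ack_lifetime: 300'

# Constructed sample of `netstat -an -p tcp`, trimmed to the socket lines.
SAMPLE_NETSTAT='tcp4       0      0 192.0.2.10.80          198.51.100.7.51234     FIN_WAIT_2
tcp4       0      0 192.0.2.10.80          198.51.100.8.40001     FIN_WAIT_2
tcp4       0      0 192.0.2.10.80          198.51.100.9.40002     ESTABLISHED
tcp4       0      0 192.0.2.10.22          203.0.113.5.55555      ESTABLISHED
tcp4       0      0 192.0.2.10.80          198.51.100.10.40003    FIN_WAIT_2'

# Integer percentage of dyn_max currently in use; stdin = sysctl "oid: value" lines.
dyn_usage_pct() {
    awk '$1 == "net.inet.ip.fw.dyn_count:" { c = $2 }
         $1 == "net.inet.ip.fw.dyn_max:"   { m = $2 }
         END { if (m > 0) print int(c * 100 / m); else print 0 }'
}

# Number of TCP sockets in the given state (e.g. FIN_WAIT_2); stdin = netstat output.
count_state() {
    awk -v st="$1" '$1 ~ /^tcp/ && $NF == st { n++ } END { print n + 0 }'
}

# Current dyn_ack_lifetime, the knob the thread suggests lowering under pressure.
ack_lifetime() {
    awk '$1 == "net.inet.ip.fw.dyn_ack_lifetime:" { print $2 }'
}

# $1 = sysctl output, $2 = netstat output, $3 = warning threshold in percent.
# Prints one line starting with WARN or OK so it can drive a cron/monitoring check.
check_dyn_state() {
    pct=$(printf '%s\n' "$1" | dyn_usage_pct)
    fw2=$(printf '%s\n' "$2" | count_state FIN_WAIT_2)
    ttl=$(printf '%s\n' "$1" | ack_lifetime)
    if [ "$pct" -ge "$3" ]; then
        printf 'WARN dyn_count at %s%% of dyn_max, %s sockets in FIN_WAIT_2, dyn_ack_lifetime=%s\n' \
            "$pct" "$fw2" "$ttl"
    else
        printf 'OK dyn_count at %s%% of dyn_max, %s sockets in FIN_WAIT_2, dyn_ack_lifetime=%s\n' \
            "$pct" "$fw2" "$ttl"
    fi
}

check_dyn_state "$SAMPLE_SYSCTL" "$SAMPLE_NETSTAT" 80
```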


Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?i6d736$h9r$1>