From owner-freebsd-questions Tue Mar 20 6:50: 6 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from aardvark.itineri-sa (host132093.metrored.net.ar [200.59.132.93]) by hub.freebsd.org (Postfix) with ESMTP id BD70C37B719 for ; Tue, 20 Mar 2001 06:49:58 -0800 (PST) (envelope-from pbendersky@itineri.com)
Received: from rafa (rafa.itineri-sa [192.168.0.50]) by aardvark.itineri-sa (8.9.3/8.8.7) with SMTP id LAA17011 for ; Tue, 20 Mar 2001 11:47:48 -0400
From: "Pablo Bendersky"
To:
Subject: Too many dynamic rules
Date: Tue, 20 Mar 2001 11:51:13 -0300
Message-ID:
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700
Importance: Normal
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Hi!

I'm getting this error on my firewall:

    /kernel: Too many dynamic rules, sorry

My rules are as follows:

    00100 allow ip from any to any via lo0
    00200 deny ip from any to 127.0.0.0/8
    00500 deny ip from any to 10.0.0.0/8 via xl1
    00600 deny ip from any to 172.16.0.0/12 via xl1
    00700 deny ip from any to 192.168.0.0/16 via xl1
    00800 deny ip from any to 0.0.0.0/8 via xl1
    00900 deny ip from any to 169.254.0.0/16 via xl1
    01000 deny ip from any to 192.0.2.0/24 via xl1
    01100 deny ip from any to 224.0.0.0/4 via xl1
    01200 deny ip from any to 240.0.0.0/4 via xl1
    01300 divert 8668 ip from any to any
    01400 deny ip from 10.0.0.0/8 to any via xl1
    01500 deny ip from 172.16.0.0/12 to any via xl1
    01600 deny ip from 192.168.0.0/16 to any via xl1
    01700 deny ip from 0.0.0.0/8 to any via xl1
    01800 deny ip from 169.254.0.0/16 to any via xl1
    01900 deny ip from 192.0.2.0/24 to any via xl1
    02000 deny ip from 224.0.0.0/4 to any via xl1
    02100 deny ip from 240.0.0.0/4 to any via xl1
    02200 check-state
    02300 allow ip from any to any frag
    02400 allow ip from any to any keep-state
    65535 deny ip from any to any

As you can see, it's a very open firewall. I'm not sure why I need the keep-state and the check-state. I've seen (I think) that without using it I cannot use active FTP, is that right? Or can I just replace rules 2200 and 2400 with

    2400 allow ip from any to any

and that is it?

Thanks a lot!

Pablo Bendersky
pbendersky@itineri.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
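An added check, not part of the original post, written in POSIX sh: it reads an ipfw(8) rule listing (here the constructed string RULES, copied from the ruleset quoted above) and flags every keep-state rule that is not of the form "tcp ... setup keep-state", because such a rule adds a dynamic entry for every new flow it matches, which is how an allow-all keep-state rule fills the dynamic table. The sysctl names mentioned in the comments (net.inet.ip.fw.dyn_count, net.inet.ip.fw.dyn_max) are the ones to compare on the running firewall; the script itself needs no ipfw and runs offline.

```sh
#!/bin/sh
# Added example, not from the original post: lint an ipfw(8) rule listing
# for keep-state rules that create one dynamic entry per flow.
# On the firewall the listing comes from `ipfw list`, and the dynamic table
# usage can be compared with `sysctl net.inet.ip.fw.dyn_count net.inet.ip.fw.dyn_max`.
# Here the listing is the constructed string below, copied from the post,
# so the script runs without ipfw.

RULES='02200 check-state
02300 allow ip from any to any frag
02400 allow ip from any to any keep-state
65535 deny ip from any to any'

# A stateful rule is "narrow" when it reads "tcp ... setup keep-state":
# one dynamic entry per TCP connection, created on the SYN only.
# Any other keep-state rule (proto ip, udp, icmp, or tcp without setup)
# adds an entry for every new flow it matches.
# Prints the broad rules; returns 1 if any were found, 0 otherwise.
find_broad_keep_state() {
    printf '%s\n' "$1" | awk '
        /keep-state/ {
            i = 3                       # $1 = rule number, $2 = action
            if ($i == "log") i++        # skip an optional "log" keyword
            proto = $i
            if (proto != "tcp" || $0 !~ / setup /) { print; found = 1 }
        }
        END { exit found ? 1 : 0 }'
}

# Number of broad keep-state rules, independent of the exit status above.
count_broad_keep_state() {
    find_broad_keep_state "$1" | wc -l | tr -d ' '
}

if find_broad_keep_state "$RULES"; then
    echo "no broad keep-state rules"
else
    echo "broad keep-state rules found: $(count_broad_keep_state "$RULES")"
fi
```

Every rule the script prints is a candidate for narrowing to "tcp ... setup keep-state" with stateless allows for the rest, so that the dynamic table only tracks TCP connections.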