Date: Thu, 21 Jan 2021 16:58:20 -0800
From: Michael Sierchio <kudzu@tenebras.com>
To: Jos Chrispijn <bsduser@cloudzeeland.nl>
Cc: FreeBSD Mailing List <freebsd-questions@freebsd.org>
Subject: Re: IPFW | Too many dynamic rules?
Message-ID: <CAHu1Y73ynYG18KcsYcbjazC45g8rchPJppQ8Apja0Fwhsr5fyQ@mail.gmail.com>
In-Reply-To: <b567dd97-4e1a-7870-d0f5-c477fc488403@cloudzeeland.nl>
References: <e73687db-0f6e-9d45-c9c9-57bbfd1ae8e9@cloudzeeland.nl> <CAHu1Y73Qcz7G2gX1_2zM0nJp_c5qA604Z=U9xxNZL_g_cJNhxA@mail.gmail.com> <b567dd97-4e1a-7870-d0f5-c477fc488403@cloudzeeland.nl>
On Thu, Jan 21, 2021 at 4:45 PM Jos Chrispijn <bsduser@cloudzeeland.nl> wrote:

> On 22-1-21 at 1:29 Michael Sierchio wrote:
> > This is affected by a number of things. Your ruleset may be faulty, and you
> > may be instantiating dynamic rules when a matching state exists. You may
> > need to separate inbound and outbound traffic in your ruleset. Do you have
> > a check-state rule early in the ruleset?
>
> Yes, I do (halfway through my ruleset).
> Should I move that line to the top, you mean?

It depends. ;-). Near the top. Dynamic rules get checked whenever you reach the check-state, or the first keep-state rule with the same tag (if you don't use a tag, the :default is used). ipfw rulesets can be subtle. More so if nat is involved.

> > The lifetime of dynamic rules is, by default, way too long. See my values
> > below. In my world, udp is primarily used for DNS queries. 3 seconds is a
> > very long time. A short dyn_ack_lifetime relies on keepalives (in SSH, for
> > example).
>
> So I should decrease my numbers, following yours, and the issue will be
> solved?

I am hesitant to claim that it will solve your problem, but I doubt it can hurt. Yes, those are the values in /etc/sysctl.conf

> > Are these also in your /etc/sysctl.conf?
> >
> > net.inet.ip.fw.dyn_short_lifetime: 3
> > net.inet.ip.fw.dyn_udp_lifetime: 3
> > net.inet.ip.fw.dyn_rst_lifetime: 2
> > net.inet.ip.fw.dyn_fin_lifetime: 1
> > net.inet.ip.fw.dyn_syn_lifetime: 9
> > net.inet.ip.fw.dyn_ack_lifetime: 300
> > net.inet.ip.fw.dyn_parent_max: 4096
> > net.inet.ip.fw.dyn_max: 4096
> > net.inet.ip.fw.dyn_buckets: 2048
>
> Nub online, sorry.

No apologies required or accepted. ;-). This is sometimes an arcane topic.

> > Best, Jos

Good luck!

– M

-- 
"Well," Brahmā said, "even after ten thousand explanations, a fool is no wiser, but an intelligent person requires only two thousand five hundred." - The Mahābhārata
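A minimal stateful ruleset that applies the advice in this reply (check-state near the top, inbound and outbound kept apart, only one direction creating state, and the quoted dyn_* lifetimes in /etc/sysctl.conf form), as an added example that is not from the thread or from FreeBSD's own rc.firewall; the interface name em0, the rule-file path and the rule numbers are assumptions:

```shell
#!/bin/sh
# Added example, not from the thread: a small stateful ipfw ruleset in the
# style of /etc/rc.firewall. Interface, path and rule numbers are assumptions.
oif="${OIF:-em0}"                       # assumption: external interface
ipfw_rules() {
  # Emit rule lines in the form "ipfw /path/to/file" accepts (no ipfw prefix).
  cat <<EOF
flush
# Consult existing dynamic rules first: a packet that matches state is
# decided here and never walks the rest of the ruleset.
add 100 check-state
# Outbound only creates state, so replies cannot instantiate a second
# dynamic rule for the same flow. UDP state here is mostly DNS.
add 200 allow tcp from me to any out via $oif setup keep-state
add 210 allow udp from me to any 53 out via $oif keep-state
add 220 allow icmp from me to any out via $oif keep-state
# Inbound kept separate from outbound.
add 300 allow tcp from any to me 22 in via $oif setup keep-state
add 65000 deny log ip from any to any
EOF
}
dyn_sysctls() {
  # The lifetimes quoted in the thread, in /etc/sysctl.conf key=value form.
  cat <<'EOF'
net.inet.ip.fw.dyn_short_lifetime=3
net.inet.ip.fw.dyn_udp_lifetime=3
net.inet.ip.fw.dyn_rst_lifetime=2
net.inet.ip.fw.dyn_fin_lifetime=1
net.inet.ip.fw.dyn_syn_lifetime=9
net.inet.ip.fw.dyn_ack_lifetime=300
net.inet.ip.fw.dyn_parent_max=4096
net.inet.ip.fw.dyn_max=4096
net.inet.ip.fw.dyn_buckets=2048
EOF
}
check_state_first() {
  # Succeed only if the check-state rule number is below the first keep-state
  # rule number, i.e. state is looked up before any rule can create it.
  ipfw_rules | awk '
    $1 == "add" && /check-state/ && !cs { cs = $2 }
    $1 == "add" && /keep-state/  && !ks { ks = $2 }
    END { exit !(cs && ks && cs + 0 < ks + 0) }'
}
main() {
  f="${1:-/tmp/ipfw.rules}"             # assumption: where the rule file goes
  check_state_first || { echo "check-state is not ahead of keep-state" >&2; exit 1; }
  ipfw_rules > "$f"
  # ipfw -n only parses the file; remove -n to load it for real.
  if command -v ipfw >/dev/null 2>&1; then ipfw -n -q "$f"; fi
}
main "$@"
```

Run it once with -n to catch syntax errors, then load the file and watch `ipfw -d list` to confirm dynamic rules expire on the shorter lifetimes.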