Date: Fri, 17 Sep 2004 09:41:32 -0500 From: Norm Vilmer <norm@etherealconsulting.com> To: Micheal Patterson <micheal@tsgincorporated.com> Cc: freebsd-questions@freebsd.org Subject: Re: Too many dynamic rules, sorry Message-ID: <414AF79C.4030809@etherealconsulting.com> In-Reply-To: <020b01c49c76$e3d1ada0$0201a8c0@dredster> References: <414A6E9C.4060708@etherealconsulting.com> <020b01c49c76$e3d1ada0$0201a8c0@dredster>
next in thread | previous in thread | raw e-mail | index | archive | help
Micheal Patterson wrote: > . > > > ----- Original Message ----- From: "Norm Vilmer" > <norm@etherealconsulting.com> > To: <freebsd-questions@freebsd.org> > Sent: Thursday, September 16, 2004 11:57 PM > Subject: Too many dynamic rules, sorry > > >> If I repeatedly nmap my FreeBSD 4.10 machine configured with ipfirewall, >> I get the message "Too many dynamic rules, sorry". Doing a sysctl -a >> |grep ip.fw I can see the the net.inet.ip.fw.dyn_count has reached the >> max value of 8192 that I set. The net.inet.ip.fw.dyn_ack_lifetime is set >> to 300, so the dynamic rule count starts going down after about 5 >> minutes after the simulated attack. >> >> Questions: >> >> When this happens, if my firewall still fully operational, in other >> words can I safely ignore this message? >> >> Is there a way to fix this? >> > > > The error "Too many dynamic rules, sorry" will cause the system to drop > any packets that are covered by a keep-state entry. So, the firewall, > while operational, is in a dead lock down state for any outbound traffic > until the dynamic rules clear out. I'm hoping that you're checking the > system with nmap from behind it, because if your outside the firewall, > then you're keeping state in inbound traffic and that's bad. You only > want keep-state from traffic leaving that system, not to it. > > -- > > Micheal Patterson > TSG Network Administration > 405-917-0600 > > Confidentiality Notice: This e-mail message, including any attachments, > is for the sole use of the intended recipient(s) and may contain > confidential and privileged information. Any unauthorized review, use, > disclosure or distribution is prohibited. If you are not the intended > recipient, please contact the sender by reply e-mail and destroy all > copies of the original message > _______________________________________________ > freebsd-questions@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-questions > To unsubscribe, send any mail to > "freebsd-questions-unsubscribe@freebsd.org" > Thanks for your help. I was running nmap against my public or outside interface. This is my first FreeBSD firewall, so I am sure my rules are not optimal, however, the firewall appears to be doing what I want. I gathered these rules from a number of how-to's and postings on the web with only a partial understanding of what they actually do (yes, I know, problem # 1). Here are the rules that I have that keep-state on the outside interface: #For DNS add 01300 pass udp from ${oip} to any 53 keep-state # For NTP add 01400 pass udp from ${oip} to any 123 keep-state # For VPN add 01500 pass gre from any to any keep-state # For ICMP add 01600 pass icmp from any to any via ${oip} keep-state Do you think these are causing the problem? Norm Vilmer
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?414AF79C.4030809>