From owner-freebsd-security Mon Nov 12 2:12:36 2001
Delivered-To: freebsd-security@freebsd.org
Received: from axel.truedestiny.net (b76168.upc-b.chello.nl [212.83.76.168]) by hub.freebsd.org (Postfix) with ESMTP id 1210F37B417; Mon, 12 Nov 2001 02:11:42 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mars.thuis (Postfix) with ESMTP id 7AF3249A24; Fri, 9 Nov 2001 10:32:50 +0100 (CET)
Received: by mars.thuis (Postfix, from userid 1000) id 01F7849A23; Fri, 9 Nov 2001 10:32:46 +0100 (CET)
Date: Fri, 9 Nov 2001 10:32:46 +0100
From: Axel Scheepers
To: setantae
Cc: questions@freebsd.org, security@freebsd.org
Subject: Re: too many dynamic rules
Message-ID: <20011109103246.B27252@mars.thuis>
Reply-To: Axel Scheepers
References: <20011108201207.GA49594@rhadamanth>
User-Agent: Mutt/1.2.5i
In-Reply-To: <20011108201207.GA49594@rhadamanth>; from setantae@submonkey.net on Thu, Nov 08, 2001 at 08:12:07PM +0000
X-Virus-Scanned: by AMaViS perl-10
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello,

The man page of ipfw says:

     net.inet.ip.fw.dyn_buckets: 256
     net.inet.ip.fw.curr_dyn_buckets: 256
             The configured and current size of the hash table used to hold
             dynamic rules. This must be a power of 2. The table can only be
             resized when empty, so in order to resize it on the fly you will
             probably have to flush and reload the ruleset.

These are the standard kernel variables for the hash table size. In your config you should increase these values until you don't get the messages anymore.
But it won't do any harm to look with tcpdump at what is causing the state table to overflow, since these rules should be discarded after a while, and it looks like that doesn't happen.

I myself use ipf/ipnat so I'm not so familiar with ipfw rulesets; maybe someone can find something weird in these that is causing that?

You can set these values using sysctl -w net.inet.ip.fw.dyn_buckets= and sysctl -w net.inet.ip.fw.curr_dyn_buckets=. Keep in mind that this can't be done when the firewall is running, so you should flush it first, apply the changes and load the rules again.

Hope this helps,
Axel

On Thu, Nov 08, 2001 at 08:12:07PM +0000, setantae wrote:
> Date: Thu, 8 Nov 2001 20:12:07 +0000
> From: setantae
> To: questions@freebsd.org, security@freebsd.org
> Subject: too many dynamic rules
>
>
> Can't find anything in the archives at MARC, and not sure which list
> I should be talking to, so please set followups appropriately if it
> bothers you.
>
> For approximately 18 seconds today my firewall went apesh*t
> (these are all relevant entries) :
>
> Nov 8 14:47:45 rhadamanth /kernel: Too many dynamic rules, sorry
> Nov 8 14:47:45 rhadamanth natd[218]: failed to write packet back (Permission denied)

Stripped down a bit ...

>
> At the time there was only one user logged onto the box, and no clients
> behind the firewall - unfortunately I have no idea what I was doing at the
> time, although I have been upgrading older ports today (cannot find any
> files that were created at the times above though).
>
> This box is a dual piii-866 with 512mb of ram, doesn't do much and
> has maxusers set to 128.
>
> The other interesting thing is that although dynamic rules are still being
> created (since I can access stuff from another box on the LAN),
> ipfw -at l no longer shows them.
>
The Ruleset:
>
> ## Deny fragments
> add 00105 deny all from any to any frag
>
> #### 00110 Unprotect the LAN interface
> add 00110 allow all from any to any via dc0
>
> #### 00200 Stop RFC 1918 traffic
> #add 00201 pass udp from 172.16.0.0/12 to any 68 in via ed0
> #add 00201 pass udp from 172.17.39.254 to any 68 in via ed0
>
> add 00202 deny log all from any to 10.0.0.0/8
> add 00203 deny log all from 10.0.0.0/8 to any
>
> add 00204 deny log all from any to 172.16.0.0/12
> add 00205 deny log all from 172.16.0.0/12 to any
>
> #add 00206 deny log all from 192.168.0.0/16 to any in via ed0
> #add 00207 deny log all from any to 192.168.0.0/16 in via ed0
>
> add 00206 divert natd all from any to any via ed0
>
> add 00207 pass all from 192.168.10.0/24 to any via ed0
> add 00208 pass all from any to 192.168.10.0/24 via ed0
> add 00209 deny log all from any to 192.168.0.0/16 via ed0
> add 00210 deny log all from 192.168.0.0/16 to any via ed0
>
> #### 00400 Check state and allow tcp connections created by us.
> add 00400 check-state
> add 00401 allow tcp from any to any out keep-state
> #add 00402 deny log tcp from any to any in established
> add 00403 allow udp from any to any 53 keep-state
> add 00404 allow udp from any to any out
>
> ##NTP
> add 00421 allow udp from 130.88.200.98 123 to any
> add 00422 allow udp from 130.88.203.12 123 to any
>
> #### 00500 DHCP stuff
> add 00501 allow udp from 62.252.32.3 to any 68 in via ed0
>
> #### 00600 ICMP stuff
> # path-mtu
> add 00600 allow icmp from any to any icmptypes 3
> # source quench
> add 00601 allow icmp from any to any icmptypes 4
> #ping
> add 00602 allow icmp from any to any icmptypes 8 out
> add 00603 allow icmp from any to any icmptypes 0 in
> #traceroute
> add 00604 allow icmp from any to any icmptypes 11 in
>
> #### 00700 Services we want to make available.
> add 00701 allow tcp from any to any 22
> add 00702 allow tcp from 194.168.4.200 to any 113
> #add 00703 allow tcp from any to any 21 out
>
> #### 65000 And deny everything else.
> add 65007 deny log ip from any to any

--
Axel Scheepers
UNIX System Administrator
email: axel@axel.truedestiny.net
       ascheepers@vianetworks.nl
http://axel.truedestiny.net/~axel
------------------------------------------
In America, any boy may become president and I suppose that's just one of the risks he takes.
-- Adlai Stevenson
------------------------------------------
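The flush / set / reload procedure Axel describes, written out as a POSIX sh script (an added example, not code from the thread): it checks the power-of-two requirement from the man page, prints the command sequence for review, and only executes it when DO_IT=1. The sysctl names are the ones quoted above; the ruleset path /etc/ipfw.rules is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread: resize the ipfw dynamic-rule hash
# table the way the reply describes (flush, set the sysctl, reload the
# rules, because the table can only be resized while it is empty).
# Run it from the console or as one non-interactive script: between the
# flush and the reload only the default rule is in place.
# Assumption: $RULES is a shell script of "ipfw add ..." lines
# (/etc/ipfw.rules is a constructed default path).
RULES="${RULES:-/etc/ipfw.rules}"

# The man page requires a power of two. Returns 0 when n is one.
is_power_of_two() {
    n="$1"
    [ "$n" -gt 0 ] 2>/dev/null || return 1
    [ $(( n & (n - 1) )) -eq 0 ]     # exactly one bit set
}

# Smallest power of two that is >= the requested size.
next_power_of_two() {
    n="$1"; p=1
    while [ "$p" -lt "$n" ]; do p=$(( p * 2 )); done
    echo "$p"
}

# Print the command sequence without running it, so it can be reviewed.
# curr_dyn_buckets is read back last: the new size only applies once the
# table is empty and the next dynamic rule is created.
plan_resize() {
    printf '%s\n' \
        "ipfw -f flush" \
        "sysctl -w net.inet.ip.fw.dyn_buckets=$1" \
        "sh $RULES" \
        "sysctl -n net.inet.ip.fw.curr_dyn_buckets"
}

# Validate the size and run the plan (only when DO_IT=1; dry run otherwise).
apply_resize() {
    want="$1"
    if ! is_power_of_two "$want"; then
        echo "$want is not a power of two; try $(next_power_of_two "$want")" >&2
        return 1
    fi
    if [ "${DO_IT:-0}" != 1 ]; then
        echo "dry run, set DO_IT=1 to execute:" >&2
        plan_resize "$want"
        return 0
    fi
    plan_resize "$want" | sh -e
}

# Usage: DO_IT=1 ./resize_dyn_buckets.sh 1024
if [ "$#" -gt 0 ]; then apply_resize "$1"; fi
```

Raising the bucket count only spreads the dynamic rules over a larger hash table; if the entries really are not expiring, as the thread suspects, the tcpdump check Axel suggests is the part that finds the cause.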