From: Chuck Swiger
To: Rémy Sanchez
Cc: freebsd-ipfw@freebsd.org
Date: Tue, 27 Sep 2011 11:28:15 -0700
Subject: Re: Random freezes
In-reply-to: <201109271958.29919.remy.sanchez@hyperthese.net>
List-Id: IPFW Technical Discussions

Hi--

On Sep 27, 2011, at 10:57 AM, Rémy Sanchez wrote:
> The only solution we have so far: we just reload the rules, and everything
> gets back to normal. Which is a bit unpleasant I must say...
>
> So, I've fallen short of ideas, does anyone see why some rules just block like
> that? Maybe we should move to the in-kernel NAT?

Sounds like you're running out of dynamic rule entries. Check the net.inet.ip.fw.dyn_count sysctl and increase net.inet.ip.fw.dyn_max as needed. Also consider not using stateful rules for UDP traffic like DNS and NTP if at all possible...

Regards,
--
-Chuck
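The check Chuck suggests, turned into a small script that can run from cron on the firewall. This is an added example, not code from the mail or from the ipfw project: it reads the two sysctls he names (net.inet.ip.fw.dyn_count and net.inet.ip.fw.dyn_max), reports how close the dynamic-rule table is to its ceiling, and exits nonzero when usage crosses a threshold. The 80% threshold, the function names and the sample sysctl output are this example's own assumptions; on a host without FreeBSD's ipfw sysctls the script falls back to the constructed sample so it can be run anywhere.

```shell
#!/bin/sh
# Added example (not from the original mail): watch ipfw's dynamic-rule table.
# A stateful ruleset silently stops creating new state entries once dyn_count
# reaches dyn_max, which shows up as "random freezes" until rules are reloaded.

# Integer percentage of the table in use; prints 0 if max is unset/zero.
dyn_usage_pct() {
    count=$1
    max=$2
    if [ "$max" -gt 0 ] 2>/dev/null; then
        echo $(( count * 100 / max ))
    else
        echo 0
    fi
}

# Pull one value out of "name: value" lines (the format `sysctl` prints) on stdin.
sysctl_value() {
    awk -v n="$1" -F': ' '$1 == n { print $2 }'
}

# Report usage; returns 1 when at or above the threshold (default 80%).
check_dyn_rules() {
    count=$1
    max=$2
    threshold=${3:-80}
    pct=$(dyn_usage_pct "$count" "$max")
    if [ "$pct" -ge "$threshold" ]; then
        echo "WARNING: $count of $max dynamic rules in use (${pct}%); raise net.inet.ip.fw.dyn_max"
        return 1
    fi
    echo "OK: $count of $max dynamic rules in use (${pct}%)"
    return 0
}

# Constructed sample output, standing in for a firewall that is nearly full:
#   sysctl net.inet.ip.fw.dyn_count net.inet.ip.fw.dyn_max
SAMPLE="net.inet.ip.fw.dyn_count: 4090
net.inet.ip.fw.dyn_max: 4096"

main() {
    # Use the live sysctls when ipfw is present, otherwise the sample above.
    if command -v sysctl >/dev/null 2>&1 \
       && sysctl -n net.inet.ip.fw.dyn_max >/dev/null 2>&1; then
        out=$(sysctl net.inet.ip.fw.dyn_count net.inet.ip.fw.dyn_max)
    else
        out=$SAMPLE
    fi
    count=$(printf '%s\n' "$out" | sysctl_value net.inet.ip.fw.dyn_count)
    max=$(printf '%s\n' "$out" | sysctl_value net.inet.ip.fw.dyn_max)
    check_dyn_rules "$count" "$max" "${1:-80}"
}

# Exit status is 1 when usage crosses the threshold, so cron or a monitoring
# agent can alert on it instead of waiting for the next freeze.
main "$@"
```

Raising dyn_max is the immediate fix (`sysctl net.inet.ip.fw.dyn_max=8192`, and the same line in /etc/sysctl.conf to survive a reboot), but the second half of Chuck's advice keeps the table from filling in the first place: DNS and NTP lookups each burn a state entry that lingers until its UDP lifetime expires. Replacing `keep-state` for those ports with a stateless pair such as `allow udp from me to any 53,123 out` and `allow udp from any 53,123 to me in` avoids that; the trade-off is that the inbound rule then accepts any UDP datagram with source port 53 or 123, so it should stay as narrow as the resolver and time-server addresses allow.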