Date:      Wed, 22 Aug 2007 11:21:54 -0400
From:      Lowell Gilbert <freebsd-questions-local@be-well.ilk.org>
To:        Grant Peel <gpeel@thenetnow.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: IPFW Questions.
Message-ID:  <44mywjd27h.fsf@be-well.ilk.org>
In-Reply-To: <037d01c7e32b$0c8d3c70$6501a8c0@GRANT> (Grant Peel's message of "Mon\, 20 Aug 2007 09\:07\:23 -0400")
References:  <037d01c7e32b$0c8d3c70$6501a8c0@GRANT>

"Grant Peel" <gpeel@thenetnow.com> writes:

> I was wondering what the consensus is on using dynamic rules in IPFW. Every once in a while, I suppose there is a DoS attack that causes me to see hundreds of:
>
> +ipfw: install_state: Too many dynamic rules
>
> in my security log.
>
> I am sure I read somewhere that many people are skipping the dynamic rules and just relying on the line-by-line rules.
>
> Your thoughts please.

You shouldn't allow people outside the network to invoke a dynamic
rule; that's a limited resource that they can overwhelm, as you see.
Usual practice is to set up state only on already-confirmed
connections; in my case, that means only outbound packets that didn't
match any previous state.

> And while you're up, does anyone really know what this means?
>
> ipfw: pullup failed
>
> I don't see that often, maybe 1 or 2 times a month.

A "pullup" is just advancing deeper into the packet.  If it failed,
that probably means the packet was too short.

Truncated packets can happen for a number of benign reasons, but if
they happen frequently they're probably a sign of a problem in your
network equipment.  By "frequently" I mean several orders of magnitude
more than you're seeing them.  Don't worry about it.
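The ruleset pattern Lowell describes (state only for connections this host initiates, stateless rules for inbound services), shown as an added example that is not part of the thread or of FreeBSD's own rc.firewall. It is written in the rc.firewall style; the interface name em0, the port numbers and the rule numbers are assumptions. FWCMD defaults to "echo ipfw" so running the file prints the rules rather than loading them.

```shell
# Added example, not from the thread.  FWCMD defaults to "echo ipfw" so this
# file prints the rules; set FWCMD=/sbin/ipfw to actually load them.
fwcmd="${FWCMD:-echo ipfw}"
oif="${OIF:-em0}"          # assumed external interface

# Weak variant: "keep-state" on an inbound SYN rule lets every remote host
# install a dynamic rule, so a SYN flood fills the dynamic-rule table
# (net.inet.ip.fw.dyn_max) and the kernel logs
# "install_state: Too many dynamic rules".
rules_weak() {
    $fwcmd -f flush
    $fwcmd add 100 check-state
    $fwcmd add 200 allow tcp from any to me 80 in via "$oif" setup keep-state
    $fwcmd add 300 allow tcp from me to any out via "$oif" setup keep-state
    $fwcmd add 65000 deny log ip from any to any
}

# Hardened variant: only outbound connections create state; the inbound
# web service is handled with stateless rules, so no remote host can
# consume a dynamic-rule slot by merely sending packets.
rules_hardened() {
    $fwcmd -f flush
    $fwcmd add 100 check-state
    # Inbound web traffic, stateless: accept the SYN and established flows.
    $fwcmd add 200 allow tcp from any to me 80 in via "$oif" setup
    $fwcmd add 210 allow tcp from any to me 80 in via "$oif" established
    $fwcmd add 220 allow tcp from me 80 to any out via "$oif" established
    # Connections initiated by this host get a dynamic rule for their replies.
    $fwcmd add 300 allow tcp from me to any out via "$oif" setup keep-state
    $fwcmd add 310 allow udp from me to any out via "$oif" keep-state
    $fwcmd add 65000 deny log ip from any to any
}

# Audit helper: count rules in a ruleset that create state on inbound
# packets.  The hardened set should report 0.  Usage:
#   count_keep_state_inbound rules_hardened
count_keep_state_inbound() {
    "$1" | grep -c ' in via .*keep-state' || true
}
```

Running `count_keep_state_inbound rules_weak` prints 1 (rule 200) and the same check on `rules_hardened` prints 0; the helper only inspects the generated rule text, so it works with the dry-run default.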
