Date:      Thu, 22 Jan 2004 03:58:18 +0800 (MYT)
From:      Dinesh Nair <dinesh@alphaque.com>
To:        Adam Seniuk <adams@techweavers.net>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: IPFW and Dynamic Rules
Message-ID:  <20040122035407.K532-100000@prophet.alphaque.com>
In-Reply-To: <200401211727.i0LHRW56010949@smtp.techweavers.net>

On Wed, 21 Jan 2004, Adam Seniuk wrote:

> I keep getting /kernel: Too many dynamic rules, sorry in my log file
> several times and I am not sure what's going on. I have read some articles
> but they are all from 2000 and for FreeBSD 4.0.

from the ipfw(4) man page:

net.inet.ip.fw.dyn_max: 8192
             Maximum number of dynamic rules.  When you hit this limit, no
             more dynamic rules can be installed until old ones expire.

seems like you're hitting this limit with too many keep-state rules in
your ipfw ruleset. try trimming them down a little, by adding in specific
reverse packet flow rules.

for eg,

# allow dns queries out to the world
allow udp from me to any 53 keep-state out

could be split to

# allow dns queries out to the world
allow udp from me to any 53 out
# allow incoming dns responses
allow udp from any 53 to me in

Regards,                           /\_/\   "All dogs go to heaven."
dinesh@alphaque.com                (0 0)    http://www.alphaque.com/
+==========================----oOO--(_)--OOo----==========================+
| for a in past present future; do                                        |
|   for b in clients employers associates relatives neighbours pets; do   |
|   echo "The opinions here in no way reflect the opinions of my $a $b."  |
| done; done                                                              |
+=========================================================================+
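An added example, not part of the original thread: a small POSIX shell script that shows how an operator would check how close the dynamic-rule table is to net.inet.ip.fw.dyn_max and whether the kernel has already started refusing rules. On a FreeBSD box the inputs would be the output of `sysctl net.inet.ip.fw` (dyn_count and dyn_max are real ipfw sysctls) and /var/log/messages; here both are constructed sample text so the script runs anywhere. The 80% threshold is an assumption for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): check how close an ipfw
# host is to net.inet.ip.fw.dyn_max and spot the kernel's overflow message.
# On FreeBSD the inputs would be `sysctl net.inet.ip.fw` output and
# /var/log/messages; both are constructed sample text here.

SAMPLE_SYSCTL='net.inet.ip.fw.dyn_buckets: 256
net.inet.ip.fw.dyn_count: 8190
net.inet.ip.fw.dyn_max: 8192
net.inet.ip.fw.dyn_udp_lifetime: 10'

SAMPLE_LOG='Jan 21 09:12:01 fw /kernel: Too many dynamic rules, sorry
Jan 21 09:12:02 fw sshd[812]: Accepted publickey for admin
Jan 21 09:12:05 fw /kernel: Too many dynamic rules, sorry'

# sysctl_value NAME SYSCTL_OUTPUT -> prints the value recorded for NAME
sysctl_value() {
    printf '%s\n' "$2" | awk -v key="$1:" '$1 == key { print $2 }'
}

# dyn_usage_percent SYSCTL_OUTPUT -> dyn_count as a whole percentage of dyn_max
# Fails (returns 1) if either sysctl is missing from the input.
dyn_usage_percent() {
    count=$(sysctl_value net.inet.ip.fw.dyn_count "$1")
    max=$(sysctl_value net.inet.ip.fw.dyn_max "$1")
    [ -n "$count" ] && [ -n "$max" ] && [ "$max" -gt 0 ] || return 1
    echo $(( count * 100 / max ))
}

# dyn_overflow_events LOG_TEXT -> how many times the kernel refused a dynamic rule
dyn_overflow_events() {
    # grep -c prints 0 (and exits 1) when nothing matches; keep the 0
    printf '%s\n' "$1" | grep -c 'Too many dynamic rules' || :
}

# dyn_table_state SYSCTL_OUTPUT LOG_TEXT THRESHOLD -> ok | warn | exhausted
dyn_table_state() {
    pct=$(dyn_usage_percent "$1") || return 1
    events=$(dyn_overflow_events "$2")
    if [ "$events" -gt 0 ]; then
        echo exhausted        # kernel already dropped new flows
    elif [ "$pct" -ge "$3" ]; then
        echo warn             # approaching dyn_max; trim keep-state rules or raise it
    else
        echo ok
    fi
}

pct=$(dyn_usage_percent "$SAMPLE_SYSCTL")
echo "dynamic rule table: ${pct}% used"
echo "kernel overflow messages: $(dyn_overflow_events "$SAMPLE_LOG")"
echo "state: $(dyn_table_state "$SAMPLE_SYSCTL" "$SAMPLE_LOG" 80)"
```

On a live host, replace the two sample strings with `"$(sysctl net.inet.ip.fw)"` and `"$(cat /var/log/messages)"`. A warn or exhausted state is the point at which either trimming keep-state rules, as suggested above, or raising the limit (`sysctl net.inet.ip.fw.dyn_max=16384`, persisted in /etc/sysctl.conf) relieves the pressure; note that the stateless reverse rule in the example admits any inbound UDP datagram with source port 53 to any local port, which is looser than the keep-state form it replaces.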