Date: Tue, 20 Mar 2001 11:51:13 -0300
From: "Pablo Bendersky" <pbendersky@itineri.com>
To: <freebsd-questions@freebsd.org>
Subject: Too many dynamic rules
Message-ID: <JPEAKMLHKPBJHAEBDFIEAEEHCDAA.pbendersky@itineri.com>
Hi!

I'm getting this error on my firewall:

/kernel: Too many dynamic rules, sorry

My rules are as follows:

00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00500 deny ip from any to 10.0.0.0/8 via xl1
00600 deny ip from any to 172.16.0.0/12 via xl1
00700 deny ip from any to 192.168.0.0/16 via xl1
00800 deny ip from any to 0.0.0.0/8 via xl1
00900 deny ip from any to 169.254.0.0/16 via xl1
01000 deny ip from any to 192.0.2.0/24 via xl1
01100 deny ip from any to 224.0.0.0/4 via xl1
01200 deny ip from any to 240.0.0.0/4 via xl1
01300 divert 8668 ip from any to any
01400 deny ip from 10.0.0.0/8 to any via xl1
01500 deny ip from 172.16.0.0/12 to any via xl1
01600 deny ip from 192.168.0.0/16 to any via xl1
01700 deny ip from 0.0.0.0/8 to any via xl1
01800 deny ip from 169.254.0.0/16 to any via xl1
01900 deny ip from 192.0.2.0/24 to any via xl1
02000 deny ip from 224.0.0.0/4 to any via xl1
02100 deny ip from 240.0.0.0/4 to any via xl1
02200 check-state
02300 allow ip from any to any frag
02400 allow ip from any to any keep-state
65535 deny ip from any to any

As you can see, it's a very open firewall. I'm not sure why I need the keep-state and the check-state. I've seen (I think) that without using it I cannot use active FTP; is that right? Or can I just replace rules 2200 and 2400 with

2400 allow ip from any to any

and that's it?

Thanks a lot!

Pablo Bendersky
pbendersky@itineri.com
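As an added example (not part of Pablo's message and not FreeBSD's own tooling), here is a small Python audit over an ipfw listing of the kind shown above. It parses the numbered rules, reports which ones create dynamic state (keep-state), checks that a check-state rule precedes them, and flags a keep-state attached to a catch-all "ip from any to any" match, since every flow that reaches such a rule adds one dynamic entry and that is what exhausts the dynamic-rule table. The sample input is constructed from a subset of the posted rules; the function names parse_rules and audit_dynamic_rules and the second sample ruleset are my own.

```python
import re

# Constructed sample: a subset of the rule listing from the post, one rule per line.
RULESET = """\
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
01300 divert 8668 ip from any to any
02200 check-state
02300 allow ip from any to any frag
02400 allow ip from any to any keep-state
65535 deny ip from any to any
"""

# Constructed second sample (hypothetical): keep-state placed before check-state,
# so the dynamic entries it creates are never consulted before it is reached.
RULESET_NO_CHECK = """\
00100 allow tcp from 192.0.2.10 to any 80 keep-state
00200 check-state
65535 deny ip from any to any
"""

# ipfw listing format: 5-digit rule number, action, then the match body.
RULE_RE = re.compile(r"^\s*(\d{5})\s+(\S+)(?:\s+(.*))?$")


def parse_rules(text):
    """Return a list of {'num', 'action', 'body'} dicts for each rule line."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # skip blank lines and anything that is not a rule
        num, action, rest = m.groups()
        rules.append({"num": int(num), "action": action, "body": (rest or "").strip()})
    return rules


def audit_dynamic_rules(text):
    """Return (rule_number, message) findings about dynamic-state usage."""
    findings = []
    check_state_seen = False
    for r in parse_rules(text):
        if r["action"] == "check-state":
            check_state_seen = True
            continue
        tokens = r["body"].split()
        if "keep-state" not in tokens:
            continue
        if not check_state_seen:
            findings.append((r["num"], "keep-state without an earlier check-state: "
                                       "dynamic entries are created but not consulted before this rule"))
        proto = tokens[0] if tokens else ""
        if proto in ("ip", "all") and " from any to any" in " " + r["body"]:
            findings.append((r["num"], "keep-state on a catch-all match: "
                                       "every flow reaching this rule adds a dynamic entry"))
    return findings


if __name__ == "__main__":
    for num, msg in audit_dynamic_rules(RULESET):
        print("rule %05d: %s" % (num, msg))
```

Run as-is, the audit reports rule 2400 as the one creating a dynamic entry for every flow. The two usual remedies are to narrow the keep-state rule so that state is only created for the traffic that actually needs it (for TCP, ipfw's "setup" keyword restricts the match to connection-opening packets), or to raise the kernel's dynamic-rule limit via the net.inet.ip.fw.dyn_max sysctl; the rule-set check above tells you which rules are responsible before you choose.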