Date:      Tue, 15 Jul 2003 16:04:31 +0200
From:      Radko Keves <rado@studnet.sk>
To:        Administrator Assistant <assist@inbox.lv>
Cc:        questions@FreeBSD.org
Subject:    http://docs.freebsd.org/cgi/getmsg.cgi?fetch=278021+0+archive/2002/freebsd-current/20020825.freebsd-current
Message-ID:  <20030715140431.GA69096@studnet.sk>
In-Reply-To: <1058270124.3f13ebac7c513@www1.inbox.lv>
References:  <1058270124.3f13ebac7c513@www1.inbox.lv>

;), Tue, Jul 15, 2003 at 02:55:24PM +0300, Administrator Assistant said that
> Hello, Radko!
> 
> I have the same trouble on my hosting machine. All was ok until... I don't know 
> what... The same:
> 
> Jul 15 14:22:00 lena /usr/sbin/cron[768]: (operator) CMD (/usr/libexec/save-entropy)
> Jul 15 14:22:26 lena kernel: drop session, too many entries
> Jul 15 14:23:22 lena syslogd: restart
> Jul 15 14:23:22 lena syslogd: kernel boot file is /boot/kernel/kernel
> 
> I have tried to do:
> /sbin/ipfw add 1500 allow log tcp from any to ${ip} dst-port 80 limit src-addr 4
> but I think it doesn't help here... In fact without "log" options it reboots...
> 
> Tried to double count of:
> # cat /etc/sysctl.conf | grep dyn_max
> net.inet.ip.fw.dyn_max=8192
> 
> But it's also how I see doesn't help...
> # uname -rs
> FreeBSD 5.0-RELEASE
> 
> IF YOU HAVE SOLVED THIS PROBLEM OR KNOW WHO CAN, PLEASE FORWARD THIS MAIL TO 
> HIM AND MAIL ME BACK YOUR ANSWER!
> 
> P.S. Please mail this to freebsd mailing list too...
> 
> --
> With best regards, Maksims Korzanovs aka TiM
> tim@mpe.lv



hi

did you try to read the mailing list?


-
D. Penev <dpenev@mail.bg>, 20 Aug 2002:

this kernel message means that you have reached the limit of sessions
per ipfw rule that was set with the limit option.



-
-
and now my part :)
for example:

	ipfw add 4300 allow all from any to me setup limit src-addr 4


-
part of the man page:

     If the ruleset includes one or more rules with the keep-state or limit
     option, then ipfw assumes a stateful behaviour, i.e. upon a match
     it will create dynamic rules matching the exact parameters (addresses and
     ports) of the matching packet.
     These dynamic rules, which have a limited lifetime, are checked at
     the first occurrence of a check-state, keep-state or limit rule, and
     are typically used to open the firewall on-demand to legitimate traffic
     only.
     See the STATEFUL FIREWALL and EXAMPLES Sections below for more
     information on the stateful behaviour of ipfw.
-
again, part of the man page:

     Dynamic rules expire after some time, which depends on the status
     of the flow and the setting of some sysctl variables.  See Section SYSCTL
     VARIABLES for more details.  For TCP sessions, dynamic rules can be
     instructed to periodically send keepalive packets to refresh the
     state of the rule when it is about to expire.

...

     A first and efficient way to limit access (not using dynamic rules)
is the use of the following rules:

           ipfw add allow tcp from any to any established
           ipfw add allow tcp from net1 portlist1 to net2 portlist2 setup
           ipfw add allow tcp from net3 portlist3 to net3 portlist3 setup
           ...
           ipfw add deny tcp from any to any


-
If you use dynamic rules, don't forget to use:

	ipfw add check-state


-- 
have a nice day
-
R
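Added example (mine, not from the thread or the FreeBSD ipfw source): a toy Python model of the dynamic-rule table that shows why doubling net.inet.ip.fw.dyn_max cannot fix a drop caused by `limit src-addr 4`, since the per-rule limit is checked first. DynTable, sessions_allowed and the addresses used are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed toy model of ipfw's dynamic-rule table for a rule such as
#   ipfw add 4300 allow all from any to me setup limit src-addr 4
# It is NOT the FreeBSD kernel code; it only mirrors the two caps discussed
# in the thread: the per-rule 'limit src-addr N' and the global dyn_max sysctl.

@dataclass
class DynTable:
    dyn_max: int            # net.inet.ip.fw.dyn_max (global cap on dynamic rules)
    limit_per_src: int      # N in 'limit src-addr N'
    entries: set = field(default_factory=set)   # (src, sport, dst, dport) tuples
    log: list = field(default_factory=list)     # what the firewall would log

    def setup(self, src, sport, dst, dport):
        """A TCP SYN ('setup') matched the limit rule.  Return True if a dynamic
        rule is installed and the packet allowed, False if it is dropped."""
        per_src = sum(1 for e in self.entries if e[0] == src)
        if per_src >= self.limit_per_src:
            # Per-rule limit hit: the message quoted in the thread.
            self.log.append(f"drop session, too many entries (src {src})")
            return False
        if len(self.entries) >= self.dyn_max:
            # Global table full; independent of the per-source limit.
            self.log.append("dynamic rule table full (dyn_max)")
            return False
        self.entries.add((src, sport, dst, dport))
        return True

    def expire(self, src, sport, dst, dport):
        """Dynamic rules time out (see the sysctl variables in ipfw(8))."""
        self.entries.discard((src, sport, dst, dport))


def sessions_allowed(dyn_max, limit_per_src, attempts=6):
    """One client opens `attempts` connections to port 80 from different
    source ports.  Returns (allowed, dropped) counts."""
    table = DynTable(dyn_max=dyn_max, limit_per_src=limit_per_src)
    allowed = 0
    for sport in range(40000, 40000 + attempts):
        if table.setup("10.0.0.7", sport, "192.0.2.1", 80):   # constructed addresses
            allowed += 1
    return allowed, attempts - allowed


if __name__ == "__main__":
    # Doubling dyn_max, as tried in the thread, does not change the result:
    print(sessions_allowed(8192, 4))    # (4, 2)
    print(sessions_allowed(16384, 4))   # (4, 2)
```

Only raising N in `limit src-addr N` (or letting old dynamic rules expire) admits a fifth session from the same client in this model.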


