Date:      Fri, 10 Sep 2004 21:57:32 +0200 (CEST)
From:      "Martin" <bts@iae.nl>
To:        "Ben Bentsen" <freebsd@usww.com>, "freebsd-ipfw@freebsd.org" <freebsd-ipfw@freebsd.org>
Subject:   Re: kernel: ipfw: install_state: Too many dynamic rules
Message-ID:  <200409102157.3439103.6@btsoftware.com>
In-Reply-To: <4141F8E0.8060700@usww.com>

I assume the rule numbering in the email is a typo, only in this email
and not in your actual rules.

Personally, I would guard my keep-state rule a bit. This way, the
firewall tries to pass all incoming garbage to somewhere, occupying
a keep-state rule position, even if there's no real destination.
Or so to say, if somebody bombs your system with garbage TCP
connect attempts, your ipfw will go through its knees.

My suggestion would be to have the keep-state rule limited
to outgoing connections from your internal addresses.

Martin.



On Fri, 10 Sep 2004 14:56:32 -0400, Ben Bentsen wrote:

>Hello group,
>
>Can anyone shed a little light on the following error messages? I have 
>spent a great deal of time looking at what is running at about 
>9:30am-9:45am and have found nothing that I can pin to these errors. No 
>cron jobs are running anywhere even close to the time. TCPdump does not 
>shed any light either. This machine has only one purpose: to pass, count, 
>limit and deny packets to a network. Only SSH and FTP services are 
>enabled on this machine. What conditions cause this message? Maybe I am 
>looking in the wrong place.
>
>INET ----  This Machine ---  Catalyst 2820 ------ 14 computer units
>
>Aug  7 09:41:34 7206 /kernel: ipfw: install_state: Too many dynamic rules
>Aug 10 09:41:20 7206 /kernel: ipfw: install_state: Too many dynamic rules
>Aug 13 09:41:31 7206 /kernel: ipfw: install_state: Too many dynamic rules
>Aug 15 09:41:29 7206 /kernel: ipfw: install_state: Too many dynamic rules
>Aug 15 09:41:30 7206 /kernel: ipfw: install_state: Too many dynamic rules
>Aug 15 10:41:23 7206 /kernel: ipfw: install_state: Too many dynamic rules
>Aug 17 09:40:50 7206 /kernel: ipfw: install_state: Too many dynamic rules
>Aug 20 09:35:35 7206 /kernel: ipfw: install_state: Too many dynamic rules
>Aug 23 09:35:17 7206 /kernel: ipfw: install_state: Too many dynamic rules
>Aug 27 09:35:33 7206 /kernel: ipfw: install_state: Too many dynamic rules
>Aug 31 09:35:31 7206 /kernel: ipfw: install_state: Too many dynamic rules
>Sep  1 09:35:29 7206 /kernel: ipfw: install_state: Too many dynamic rules
>Sep  2 09:35:24 7206 /kernel: ipfw: install_state: Too many dynamic rules
>Sep  3 09:34:58 7206 /kernel: ipfw: install_state: Too many dynamic rules
>Sep  5 09:35:06 7206 /kernel: ipfw: install_state: Too many dynamic rules
>Sep  6 09:34:41 7206 /kernel: ipfw: install_state: Too many dynamic rules
>Sep  7 09:35:00 7206 /kernel: ipfw: install_state: Too many dynamic rules
>Sep  7 09:35:33 7206 /kernel: ipfw: install_state: Too many dynamic rules
>Sep  8 09:34:34 7206 /kernel: ipfw: install_state: Too many dynamic rules
>Sep  9 09:34:41 7206 /kernel: ipfw: install_state: Too many dynamic rules
>Sep 10 09:34:59 7206 /kernel: ipfw: install_state: Too many dynamic rules
>
>
>I am using FreeBSD 4.10-RELEASE FreeBSD 4.10-RELEASE #0 with IPFW2 
>compiled in and all the IPV6 compiled out. The firewall is pretty generic:
>
>/etc/rc.local
>sysctl net.link.ether.bridge_cfg=rl0:0,rl1:0
>sysctl net.link.ether.bridge_ipfw=1
>sysctl net.link.ether.bridge=1
>
>ipfw -q add 00009 count log logamount 1000 icmp from any to any icmptypes 0
>ipfw -q add 00009 count log logamount 1000 icmp from any to any icmptypes 1
>ipfw -q add 00009 count log logamount 1000 icmp from any to any icmptypes 2
>ipfw -q add 00009 count log logamount 1000 icmp from any to any icmptypes 3
>ipfw -q add 00009 count log logamount 1000 icmp from any to any icmptypes 4
>ipfw -q add 00009 count log logamount 1000 icmp from any to any icmptypes 5
>ipfw -q add 00009 count log logamount 1000 icmp from any to any icmptypes 6
>ipfw -q add 00009 count log logamount 1000 icmp from any to any icmptypes 7
>ipfw -q add 00009 count log logamount 1000 icmp from any to any icmptypes 8
>ipfw -q add 00009 count log logamount 1000 icmp from any to any icmptypes 9
>ipfw -q add 00009 count log logamount 1000 icmp from any to any icmptypes 10
>ipfw -q add 00009 count log logamount 1000 icmp from any to any icmptypes 11
>ipfw -q add 00009 count log logamount 1000 icmp from any to any icmptypes 12
>ipfw -q add 00009 count log logamount 1000 icmp from any to any icmptypes 13
>ipfw -q add 00009 count log logamount 1000 icmp from any to any icmptypes 14
>ipfw -q add 00009 count log logamount 1000 icmp from any to any icmptypes 15
>ipfw -q add 00009 count log logamount 1000 icmp from any to any icmptypes 16
>ipfw -q add 00009 count log logamount 1000 icmp from any to any icmptypes 17
>ipfw -q add 00009 count log logamount 1000 icmp from any to any icmptypes 18
>ipfw -q add 00009 count log logamount 1000 icmp from any to any
>
>ipfw -q add 50 deny log logamount 10000 ip from any to any 135
>ipfw -q add 50 deny log logamount 10000 ip from any to any 445
>ipfw -q add 50 deny log logamount 10000 ip from any to any 139
>
>ipfw -q add 00020 deny log logamount 10000 ip from any to any in frag
>ipfw -q add 00020 deny log logamount 10000 tcp from any to any in frag
>ipfw -q add 00020 deny log logamount 10000 udp from any to any in frag
>ipfw -q add 00020 deny log logamount 10000 icmp from any to any in frag
>
>for i in (Several Mac Addresses)
>do
>ipfw -q add 100 count mac $i 00:e0:a3:1f:f0:2b
>ipfw -q add 100 count mac 00:e0:a3:1f:f0:2b $i
>done
>
>ipfw -q add 150 pipe 1 tcp from 216.104.X.X 20,21,25,80,110 to any
>ipfw pipe 1 config bw 450Kbit/s
>ipfw -q add 151 pipe 2 tcp from 216.104.X.X 554,4040,5050,6763,7070,8080 to any
>ipfw pipe 2 config bw 384Kbit/s
>
>ipfw -q add 200 check-state
>
>ipfw -q add 275 count all from any to any keep-state
>
>ipfw -q add 302 drop all from 172.16.0.0/12 to any in via rl0
>ipfw -q add 304 drop all from 192.168.0.0/16 to any in via rl0
>
>ipfw -q add 01150 deny log logamount 10000 ip from any to any in frag
>ipfw -q add 01150 deny log logamount 10000 tcp from any to any in frag
>ipfw -q add 01150 deny log logamount 10000 udp from any to any in frag
>ipfw -q add 01150 deny log logamount 10000 icmp from any to any in frag
>
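The change Martin suggests, written out as an added example (this is not code from either poster): the posted check-state/keep-state pair next to a guarded version that only creates dynamic rules for connections leaving the LAN, a small lint that flags keep-state rules with a source of `any`, and a check of the dynamic rule table against `net.inet.ip.fw.dyn_max`. It assumes rl0 is the Internet side and rl1 the LAN side of the bridge (the post's anti-spoofing rules use `in via rl0`), that the bridge passes bridged packets through ipfw as incoming on the interface they arrived on, and uses a placeholder LAN prefix. The `setup` keyword (SYN without ACK) is an added refinement, not something the thread spells out.

```shell
#!/bin/sh
# Added example, not from the thread. Shows the keep-state section of the
# posted rule set next to a guarded version, plus a check on the dynamic
# rule table. Assumptions: rl0 is the Internet side and rl1 the LAN side of
# the bridge, and the LAN prefix below is a placeholder. IPFW defaults to a
# dry run that prints the commands; set IPFW=/sbin/ipfw on the firewall to
# apply them.
IPFW=${IPFW:-"echo ipfw"}
OUTSIDE_IF=${OUTSIDE_IF:-rl0}
INSIDE_IF=${INSIDE_IF:-rl1}
INTERNAL_NET=${INTERNAL_NET:-216.104.0.0/24}   # placeholder, not the poster's real prefix

# As posted: every packet reaching rule 275, including unsolicited inbound
# SYNs and UDP, creates a dynamic rule, so junk from the Internet can fill
# the table (net.inet.ip.fw.dyn_max) and trigger
# "install_state: Too many dynamic rules".
unguarded_rules() {
    $IPFW -q add 200 check-state
    $IPFW -q add 275 count all from any to any keep-state
}

# Guarded: state is created only for TCP connection setups ("setup" = SYN
# without ACK) and UDP flows arriving on the LAN interface from the internal
# prefix. Replies match through check-state; unsolicited inbound traffic
# creates no state and falls through to the later rules.
guarded_rules() {
    $IPFW -q add 200 check-state
    $IPFW -q add 275 count tcp from "$INTERNAL_NET" to any setup in via "$INSIDE_IF" keep-state
    $IPFW -q add 276 count udp from "$INTERNAL_NET" to any in via "$INSIDE_IF" keep-state
}

# Lint for a rule listing on stdin (e.g. "ipfw list"): prints every keep-state
# rule whose source is "any" and returns 1 if there was one, 0 otherwise.
check_keep_state() {
    bad=$(grep 'keep-state' | grep 'from any')
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}

# Percentage of the dynamic rule table in use, read from the ipfw sysctls on
# a FreeBSD host; DYN_COUNT and DYN_MAX override them so the check can be
# exercised off-box. Polling this from cron catches exhaustion before the
# kernel starts logging it.
dyn_usage_pct() {
    count=${DYN_COUNT:-$(sysctl -n net.inet.ip.fw.dyn_count 2>/dev/null)}
    max=${DYN_MAX:-$(sysctl -n net.inet.ip.fw.dyn_max 2>/dev/null)}
    [ -n "$count" ] && [ -n "$max" ] && [ "$max" -gt 0 ] || return 1
    echo $(( count * 100 / max ))
}

case "${1:-show}" in
    show)
        echo "# as posted:"; unguarded_rules
        echo "# guarded:";   guarded_rules
        ;;
    lint)
        check_keep_state   # usage: ipfw list | sh keepstate.sh lint
        ;;
    usage)
        dyn_usage_pct
        ;;
esac
```

Run without arguments to see both rule sets printed; `ipfw list | sh keepstate.sh lint` flags any keep-state rule still open to `from any`, and `sh keepstate.sh usage` gives the table fill percentage for an alarm threshold. The guard works because the dynamic rule is created by the packet that first matches the keep-state rule, so restricting that rule to LAN-originated setups means inbound probes never get a table slot; the existing `check-state` at 200 still lets the return traffic of LAN-initiated flows through.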