Date:      Fri, 17 Sep 2004 09:50:34 -0500
From:      "Micheal Patterson" <micheal@tsgincorporated.com>
To:        "Norm Vilmer" <norm@etherealconsulting.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Too many dynamic rules, sorry
Message-ID:  <06af01c49cc5$b0b615b0$4df24243@tsgincorporated.com>
References:  <414A6E9C.4060708@etherealconsulting.com><020b01c49c76$e3d1ada0$0201a8c0@dredster> <414AF79C.4030809@etherealconsulting.com>

----- Original Message ----- 
From: "Norm Vilmer" <norm@etherealconsulting.com>
To: "Micheal Patterson" <micheal@tsgincorporated.com>
Cc: <freebsd-questions@freebsd.org>
Sent: Friday, September 17, 2004 9:41 AM
Subject: Re: Too many dynamic rules, sorry


> Micheal Patterson wrote:
> > .
> >
> >
> > ----- Original Message ----- From: "Norm Vilmer"
> > <norm@etherealconsulting.com>
> > To: <freebsd-questions@freebsd.org>
> > Sent: Thursday, September 16, 2004 11:57 PM
> > Subject: Too many dynamic rules, sorry
> >
> >
> >> If I repeatedly nmap my FreeBSD 4.10 machine configured with
> >> ipfirewall, I get the message "Too many dynamic rules, sorry". Doing a
> >> sysctl -a |grep ip.fw I can see the net.inet.ip.fw.dyn_count has reached
> >> the max value of 8192 that I set. The net.inet.ip.fw.dyn_ack_lifetime is
> >> set to 300, so the dynamic rule count starts going down after about 5
> >> minutes after the simulated attack.
> >>
> >> Questions:
> >>
> >> When this happens, is my firewall still fully operational, in other
> >> words can I safely ignore this message?
> >>
> >> Is there a way to fix this?
> >>
> >
> >
> > The error "Too many dynamic rules, sorry" will cause the system to drop
> > any packets that are covered by a keep-state entry. So, the firewall,
> > while operational, is in a dead lock down state for any outbound traffic
> > until the dynamic rules clear out. I'm hoping that you're checking the
> > system with nmap from behind it, because if you're outside the firewall,
> > then you're keeping state in inbound traffic and that's bad. You only
> > want keep-state from traffic leaving that system, not to it.
> >
> > -- 
> >
> > Micheal Patterson
> > TSG Network Administration
> > 405-917-0600
> >
> > Confidentiality Notice:  This e-mail message, including any attachments,
> > is for the sole use of the intended recipient(s) and may contain
> > confidential and privileged information. Any unauthorized review, use,
> > disclosure or distribution is prohibited. If you are not the intended
> > recipient, please contact the sender by reply e-mail and destroy all
> > copies of the original message
> > _______________________________________________
> > freebsd-questions@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> > To unsubscribe, send any mail to
> > "freebsd-questions-unsubscribe@freebsd.org"
> >
> Thanks for your help.
>
> I was running nmap against my public or outside interface. This is my
> first FreeBSD firewall, so I am sure my rules are not optimal, however,
> the firewall appears to be doing what I want. I gathered these rules
> from a number of how-to's and postings on the web with only a partial
> understanding of what they actually do (yes, I know, problem # 1).
> Here are the rules that I have that keep-state on the outside interface:
>
> #For DNS
> add 01300 pass udp from ${oip} to any 53 keep-state
> # For NTP
> add 01400 pass udp from ${oip} to any 123 keep-state
> # For VPN
> add 01500 pass gre from any to any keep-state
> # For ICMP
> add 01600 pass icmp from any to any via ${oip} keep-state
>
> Do you think these are causing the problem?
>
> Norm Vilmer

I don't recall if you're running ipfilter or ipfw on that system. I don't
know ipfilter well enough to assist yet, but with ipfw, if you have a
check-state entry above your keep-states, that may reduce the number of
dynamic rule entries that you'll have. What check-state does is check the
dynamic list; if an entry already exists, it stops processing rules there.

--

Micheal Patterson
TSG Network Administration
405-917-0600

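Added illustration, not part of the thread and not FreeBSD's ipfw code: a small Python model of how ipfw walks check-state and keep-state rules against a dynamic table capped by net.inet.ip.fw.dyn_max, and of the drop that "Too many dynamic rules, sorry" signals. It contrasts a "from any to any keep-state" rule, which lets a scan from outside fill the table until even legitimate outbound traffic is dropped, with keep-state restricted to traffic that originates at ${oip}. The ${oip} value 203.0.113.10 and the scanner address in the usage are constructed; matching is simplified to protocol and source address (no ports, interfaces or lifetimes).

```python
from dataclasses import dataclass, field

OIP = "203.0.113.10"   # assumed outside interface address, i.e. ${oip}

def dyn_key(pkt):
    proto, src, sport, dst, dport = pkt      # a dynamic entry matches either direction
    return (proto, frozenset({(src, sport), (dst, dport)}))

@dataclass
class Rule:
    action: str                # "check-state", "pass" or "deny"
    proto: str = "any"
    src: str = "any"           # "any" or one address (ipfw's "from ...")
    keep_state: bool = False

    def matches(self, pkt) -> bool:
        return self.proto in ("any", pkt[0]) and self.src in ("any", pkt[1])

@dataclass
class Firewall:
    rules: list
    dyn_max: int = 8192        # net.inet.ip.fw.dyn_max
    dyn: set = field(default_factory=set)   # net.inet.ip.fw.dyn_count == len(dyn)

    def process(self, pkt) -> str:
        key = dyn_key(pkt)
        for r in self.rules:
            # check-state (and every keep-state rule) consults the dynamic table first
            if (r.action == "check-state" or r.keep_state) and key in self.dyn:
                return "pass"
            if r.action == "check-state" or not r.matches(pkt):
                continue
            if r.keep_state:
                if len(self.dyn) >= self.dyn_max:
                    return "drop"          # "Too many dynamic rules, sorry"
                self.dyn.add(key)
            return r.action
        return "deny"                      # default-deny tail

def scan(fw, attacker, ports):
    # Verdict counts for inbound UDP probes at ${oip}, one probe per port.
    counts = {}
    for port in ports:
        v = fw.process(("udp", attacker, 40000, OIP, port))
        counts[v] = counts.get(v, 0) + 1
    return counts

# "from any to any keep-state" versus keep-state only for traffic leaving ${oip}
LOOSE = [Rule("check-state"), Rule("pass", "udp", "any", True)]
TIGHT = [Rule("check-state"), Rule("pass", "udp", OIP, True)]
```

With dyn_max lowered to 100, scanning 200 ports through LOOSE yields 100 passes, 100 drops and a full table that then drops an outbound DNS query from ${oip}; through TIGHT every probe is denied, the table stays empty, and the outbound query plus its reply both pass on one entry.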