Skip site navigation (1)Skip section navigation (2)
Date:      Fri, 24 Sep 2004 15:50:05 -0000
From:      Axel Scheepers <axel@axel.truedestiny.net>
To:        dwbear75@gmail.com
Cc:        security@FreeBSD.ORG
Subject:   Re: too many dynamic rules
Message-ID:  <20011109103246.B27252@mars.thuis>
In-Reply-To: <"from setantae"@submonkey.net>
References:  <20011108201207.GA49594@rhadamanth>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help

--G4iJoqBmSsgzjUCe
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Hello,
The man page of ipfw says:
	net.inet.ip.fw.dyn_buckets: 256

     	net.inet.ip.fw.curr_dyn_buckets: 256
             The configured and current size of the hash table used to hold
             dynamic rules.  This must be a power of 2.  The table can only=
 be
             resized when empty, so in order to resize it on the fly you wi=
ll
             probably have to flush and reload the ruleset.

These are the standard kernel variabeles for the hash table size, In your c=
onfig you should
increase these values until you don't get the messages anymore.
But, It wont't do any harm to look with tcpdump what is causing the state t=
able to overflow,
since these rules should be discarded after a while, and it looks like that=
 doesn't happen.
I myself use ipf/ipnat so I'm not so familliar with ipfw ruleset, maybe som=
eone can find
something weird in these what is causing that ?

You can set these values using sysctl -w net.inet.ip.fw.dyn_buckets=3D<your=
 value here> and
sysctl -w net.inet.ip.fw.curr_dyn_buckets=3D<your value here>. Keep in mind=
 that this can't=20
be done when the firewall is running, so you should flush it first, apply t=
he changes and load
the rules again.

Hope this helps,
Axel

On Thu, Nov 08, 2001 at 08:12:07PM +0000, setantae wrote:
> Date: Thu, 8 Nov 2001 20:12:07 +0000
> From: setantae <setantae@submonkey.net>
> To: questions@freebsd.org, security@freebsd.org
> Subject: too many dynamic rules
>=20
>=20
> Can't find anything in the archives at MARC, and not sure which list
> I should be talking to, so please set followups appropriately if it
> bothers you.
>=20
> For approximately 18 seconds today my firewall went apesh*t=20
>  (these are all relevant entries) :
>=20
> Nov  8 14:47:45 rhadamanth /kernel: Too many dynamic rules, sorry
> Nov  8 14:47:45 rhadamanth natd[218]: failed to write packet back (Permis=
sion denied)
Stripped down a bit ...
>=20
> At the time there was only one user logged onto the box, and no clients
> behind the firewall - unfortunately I have no idea what I was doing at the
> time, although I have been upgrading older ports today (cannot find any
> files that were created at the times above though).
>=20
> This box is a dual piii-866 with 512mb of ram, doesn't do much and
> has maxusers set to 128.
>=20
> The other interesting thing is that although dynamic rules are still being
> created (since I can access stuff from another box on the LAN),
> ipfw -at l no longer shows them.
>=20

The Ruleset:
>=20
> ## Deny fragments
> add 00105 deny all from any to any frag
>=20
> #### 	00110 Unprotect the LAN interface
> add 00110 allow all from any to any via dc0
>=20
> ####	00200 Stop RFC 1918 traffic
> #add 00201 pass udp from 172.16.0.0/12 to any 68 in via ed0
> #add 00201 pass udp from 172.17.39.254 to any 68 in via ed0
>=20
> add 00202 deny log all from any to 10.0.0.0/8
> add 00203 deny log all from 10.0.0.0/8 to any
>=20
> add 00204 deny log all from any to 172.16.0.0/12
> add 00205 deny log all from 172.16.0.0/12 to any
>=20
> #add 00206 deny log all from 192.168.0.0/16 to any in via ed0
> #add 00207 deny log all from any to 192.168.0.0/16 in via ed0
>=20
> add 00206 divert natd all from any to any via ed0
>=20
> add 00207 pass all from 192.168.10.0/24 to any via ed0
> add 00208 pass all from any to 192.168.10.0/24 via ed0
> add 00209 deny log all from any to 192.168.0.0/16 via ed0
> add 00210 deny log all from 192.168.0.0/16 to any via ed0
>=20
> ####	00400 Check state and allow tcp connections created by us.
> add 00400 check-state
> add 00401 allow tcp from any to any out keep-state
> #add 00402 deny log tcp from any to any in established
> add 00403 allow udp from any to any 53 keep-state
> add 00404 allow udp from any to any out
>=20
> ##NTP
> add 00421 allow udp from 130.88.200.98 123 to any
> add 00422 allow udp from 130.88.203.12 123 to any
>=20
> ####    00500 DHCP stuff
> add 00501 allow udp from 62.252.32.3 to any 68 in via ed0
>=20
> ####	00600 ICMP stuff
> # path-mtu
> add 00600 allow icmp from any to any icmptypes 3
> # source quench
> add 00601 allow icmp from any to any icmptypes 4
> #ping
> add 00602 allow icmp from any to any icmptypes 8 out
> add 00603 allow icmp from any to any icmptypes 0 in
> #traceroute
> add 00604 allow icmp from any to any icmptypes 11 in
>=20
> ####	00700 Services we want to make available.
> add 00701 allow tcp from any to any 22
> add 00702 allow tcp from 194.168.4.200 to any 113
> #add 00703 allow tcp from any to any 21 out
>=20
> ####	65000 And deny everything else.
> add 65007 deny log ip from any to any


--=20
Axel Scheepers
UNIX System Administrator

email: axel@axel.truedestiny.net
       ascheepers@vianetworks.nl
http://axel.truedestiny.net/~axel
------------------------------------------
In America, any boy may become president and I suppose that's just one
of the risks he takes.
		-- Adlai Stevenson
------------------------------------------

--G4iJoqBmSsgzjUCe
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQEVAwUBO+uist0okna45S+TAQG58Af6AsdPfB7Lo4ACARgD2gNG1RGbfmblHXZt
HuTBxjebgCh6+fOB4cfse+NcPTfOqgX9zgvS+iYvSyTctzAQuTT8/q6i171HinZH
BZHSvEokszkKrVlpapJ3BZY4VdZyba+3kSzBr1EAvTEo8w3YBIczO+Vg1OfWJ+Ps
i4qIayqrVzkgJUGEoagobd1Xlk3JsbNC/1t1/1jEaxBGK+MyJCDxlF19xZpDOJwh
Qgi1HwlAIER/bgEtOMxCHLJ9dPYIYl7uCpy0kUULWdaHKHZD0J9PJdRIfmyhXXlv
ZyuNryJ1QFXQLv41NbBgncTEtLYPpK42XovdSuscEwc7ADX1IwYwXQ==
=sCJq
-----END PGP SIGNATURE-----

--G4iJoqBmSsgzjUCe--

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?20011109103246.B27252>