From: "C J Michaels" <cjm2@earthling.net>
To: freebsd-questions@freebsd.org
Date: Thu, 21 Feb 2002 15:22:44 -0500 (EST)
Subject: ipfw: Too many dynamic rules, sorry
Message-ID: <3175.216.153.201.211.1014322964.squirrel@www1.27in.tv>

FreeBSD 4.5-STABLE FreeBSD 4.5-STABLE #6: Tue Jan 29 22:51:31 EST 2002

Hello,

I am periodically getting the following error in my syslog:

Feb 21 01:02:46 cartman /kernel: Too many dynamic rules, sorry

I currently have the following sysctl set:

net.inet.ip.fw.dyn_buckets=512

...which seems like more than enough dyn buckets to me.

To give you some background, this machine is currently on a 2 machine network, acting as the firewall/router (nat)/etc... The 2nd machine was not turned on at all yesterday; more specifically, I was sleeping at 1:02am.
Either way, I can't seem to find any cron jobs that run at or around that time, nor can I find any records of someone logging in. Barring intrusion, because I don't believe that's the issue, it's more likely a typo in my firewall.conf as I have several services running on the box.

My questions are:

1. What's a good number for "net.inet.ip.fw.dyn_buckets"? I could just keep tweaking it up until I stop getting the error, but I'm curious what the pros/cons are of setting this number too high, and what too high would be. Does anyone have any experience with this?

2. Any suggestions on how I can track down what may be generating so many dynamic rules? To give you a contrast now, ipfw lists _no_ dynamic rules.

Any assistance in getting started on this would be appreciated.

Thanks,
--
Chris

"I'll defend to the death your right to say that, but I never said I'd listen to it!" -- Tom Galloway with apologies to Voltaire
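For the second question (finding out what is creating the dynamic rules), here is an added diagnostic script that is not part of the original post. It reads `ipfw -d list` output, which prints the dynamic rules after the static ones, tallies them by source address, and compares a rule count against net.inet.ip.fw.dyn_max, the sysctl that caps the number of dynamic rules (dyn_buckets only sizes the hash table that holds them). The sample output, the function names and the 90% warning threshold are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): summarise ipfw dynamic
# rules by source address and check the count against the kernel ceiling.
# Live use on FreeBSD:
#   ipfw -d list | summarize_dynamic
#   check_dyn_limit "$(sysctl -n net.inet.ip.fw.dyn_count)" \
#                   "$(sysctl -n net.inet.ip.fw.dyn_max)"

# Constructed sample in FreeBSD 4.x 'ipfw -d list' style. The exact column
# layout is an assumption; the parser keys only on "src sport <-> dst dport".
SAMPLE='00100 allow ip from any to any via lo0
00300 check-state
00400 allow tcp from any to any keep-state
## Dynamic rules:
00400     3      144 (T 300, # 11) ty 0 tcp, 192.168.1.2 1025 <-> 10.0.0.1 80
00400     2       96 (T 300, # 12) ty 0 tcp, 192.168.1.2 1026 <-> 10.0.0.1 443
00400     1       48 (T 300, # 13) ty 0 tcp, 192.168.1.7 3000 <-> 10.0.0.1 22
00400     1       48 (T 300, # 14) ty 0 tcp, 192.168.1.2 1027 <-> 10.0.0.1 25'

# Count dynamic rules in ipfw -d list output read on stdin.
count_dynamic() {
    grep -c '<->'
}

# Print "count source" pairs, busiest source first.
summarize_dynamic() {
    awk '/<->/ { for (i = 1; i <= NF; i++)
                     if ($i == "<->") n[$(i-2)]++ }
         END  { for (s in n) print n[s], s }' | sort -rn
}

# Source address holding the most dynamic rules.
top_source() {
    summarize_dynamic | awk 'NR == 1 { print $2 }'
}

# Return 0 while count is under 90% of max, 1 once it reaches that level.
check_dyn_limit() {
    count=$1; max=$2
    if [ "$((count * 10))" -ge "$((max * 9))" ]; then
        echo "warning: $count of $max dynamic rules in use" >&2
        return 1
    fi
    return 0
}

# Run against the constructed sample.
printf '%s\n' "$SAMPLE" | summarize_dynamic
```

Run it from cron around the time the syslog message appears and keep the output; a single source address that dominates the tally usually points at the service or rule that is spawning the state entries.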