From owner-freebsd-questions Thu Feb 21 13:30:43 2002
Delivered-To: freebsd-questions@freebsd.org
From: 72yan M
To: "C J Michaels"
Subject: Re: ipfw: Too many dynamic rules, sorry
Date: Thu, 21 Feb 2002 13:33:32 -0800
In-Reply-To: <3175.216.153.201.211.1014322964.squirrel@www1.27in.tv>
Message-Id: <02022113333200.74706@c1529030-a.attbi.com>

> FreeBSD 4.5-STABLE FreeBSD 4.5-STABLE #6: Tue Jan 29 22:51:31 EST 2002
>
> Hello,
>
> I am periodically getting the following error in my syslog:
> Feb 21 01:02:46 cartman /kernel: Too many dynamic rules, sorry
>
> I currently have the following sysctl set:
> net.inet.ip.fw.dyn_buckets=512
>
> ...which seems like more than enough dyn buckets to me. To give you some
> background, this machine is currently on a 2 machine network, acting as the
> firewall/router (nat)/etc... The 2nd machine was not turned on at all
> yesterday, more specifically, I was sleeping at 1:02am.
>
> Either way, I can't seem to find any cron jobs that run at or around that
> time, nor can I find any records of someone logging in. Barring intrusion,
> because I don't believe that's the issue, it's more likely a typo in my
> firewall.conf as I have several services running on the box.
>
> My questions are:
> 1. What's a good number for "net.inet.ip.fw.dyn_buckets"? I could just
> keep tweaking it up until I stop getting the error, but I'm curious what
> the pro/cons are of setting this number too high, and what too high would
> be. Does anyone have any experience with this?

DoS attack of your running services/dynamic rules. I use 256 dyn_buckets,
but I also cut dyn_ack_lifetime to 60 from 300.

> 2. Any suggestions on how I can track down what may be generating so many
> dynamic rules? To give you a contrast now, ipfw lists _no_ dynamic rules.

You could add a cron job to print '#ipfw show' to a text file every so
often and then review the output file.

> Any assistance in getting started on this would be appreciated.
>
> Thanks,
> --
> Chris
>
> "I'll defend to the death your right to say that, but I never said I'd
> listen to it!"
> -- Tom Galloway with apologies to Voltaire
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
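The cron-based approach suggested in the reply, worked out as an added example (this script is not from the thread or from the FreeBSD project). It goes a step further than dumping `ipfw show`: it lists dynamic state with `ipfw -d show`, and groups the dynamic entries by the parent `keep-state` rule and by source address, which is what you need to see which rule or host is filling the table when the kernel message appears. Assumptions: ipfw(8) accepts `-d` to list dynamic rules and prints a `## Dynamic rules` header before them; the sysctls `net.inet.ip.fw.dyn_count` and `net.inet.ip.fw.dyn_max` exist as documented in ipfw(8), `dyn_max` being the ceiling the kernel enforces on the number of dynamic rules, while `dyn_buckets` only sizes the hash table; the dynamic-rule lines in the embedded sample are constructed to resemble ipfw1 output and are not a real capture. The log file path and the script name in the cron line are placeholders.

```sh
#!/bin/sh
# Added example, not from the original thread: snapshot ipfw dynamic state
# from cron so a "Too many dynamic rules" message can be tied to the rule and
# hosts holding the state. Suggested cron entry (path is a placeholder):
#   */5 * * * * root /usr/local/sbin/ipfw-dynsnap.sh snapshot
# Assumes `ipfw -d show` and the sysctl names documented in ipfw(8).

LOGFILE=${LOGFILE:-/var/log/ipfw-dyn.log}   # placeholder path

# Constructed sample of `ipfw -d show` output (not a real capture): static
# rules, then the dynamic section; one keep-state rule (00600) owns all state.
SAMPLE_DUMP='00100 allow ip from any to any via lo0
00300 deny ip from any to 127.0.0.0/8
00500 check-state
00600 allow tcp from any to me 22 keep-state
65535 deny ip from any to any
## Dynamic rules:
00600     12     1640 (T 298, # 17) ty 0 tcp, 192.0.2.10 1025 <-> 198.51.100.5 22
00600      3      144 (T 55, # 4) ty 0 tcp, 192.0.2.10 1026 <-> 198.51.100.5 22
00600      1       60 (T 300, # 9) ty 0 tcp, 192.0.2.77 40000 <-> 198.51.100.5 22'

# Print only the dynamic-rule lines of a dump read on stdin: everything after
# the "## Dynamic rules" header, skipping blank lines.
dynamic_section() {
    awk '/^## Dynamic rules/ { in_dyn = 1; next } in_dyn && NF'
}

# Number of dynamic rules currently listed in the dump on stdin.
count_dynamic() {
    dynamic_section | awk 'END { print NR }'
}

# Dynamic entries per parent rule number, busiest rule first ("count rule").
# This answers "which keep-state rule is generating the state?".
by_rule() {
    dynamic_section | awk '{ n[$1]++ } END { for (r in n) print n[r], r }' | sort -rn
}

# Source addresses holding the most dynamic state, most frequent first.
# The source address is the field two positions before the "<->" marker,
# which holds for both the ipfw1 and the later ipfw2 line layouts.
top_sources() {
    dynamic_section \
        | awk '{ for (i = 1; i <= NF; i++) if ($i == "<->") { print $(i - 2); break } }' \
        | sort | uniq -c | sort -rn
}

# Cron entry point: append a timestamped dump plus the kernel's own counters
# (dyn_count versus the dyn_max ceiling) and the per-rule summary to LOGFILE.
# Needs root and a running ipfw; not exercised by the self-test below.
snapshot() {
    dump=$(ipfw -d show) || return 1
    {
        printf '=== %s ===\n' "$(date '+%Y-%m-%d %H:%M:%S')"
        sysctl net.inet.ip.fw.dyn_count net.inet.ip.fw.dyn_max 2>/dev/null
        printf 'dynamic rules listed: %s\n' "$(printf '%s\n' "$dump" | count_dynamic)"
        printf -- '--- dynamic entries per parent rule ---\n'
        printf '%s\n' "$dump" | by_rule
        printf -- '--- dynamic entries per source address ---\n'
        printf '%s\n' "$dump" | top_sources
        printf -- '--- full dump ---\n'
        printf '%s\n' "$dump"
    } >> "$LOGFILE"
}

# "snapshot" runs the cron job; "demo" analyses the constructed sample offline.
case "${1:-}" in
    snapshot) snapshot ;;
    demo)
        printf 'dynamic rules: %s\n' "$(printf '%s\n' "$SAMPLE_DUMP" | count_dynamic)"
        printf '%s\n' "$SAMPLE_DUMP" | by_rule
        printf '%s\n' "$SAMPLE_DUMP" | top_sources
        ;;
esac
```

Reviewing the per-rule summary across consecutive snapshots shows whether the state belongs to one service rule or is spread across many, and the per-source list separates a single noisy host from a broad scan; comparing `dyn_count` with `dyn_max` over time tells you how close the table is to the ceiling before the kernel starts refusing new state, which is a better guide than adjusting `dyn_buckets` blindly.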