From: "C J Michaels" <cjm2@earthling.net>
To: freebsd-questions@freebsd.org
Date: Thu, 21 Feb 2002 17:24:11 -0500 (EST)
Subject: Re: ipfw: Too many dynamic rules, sorry
Message-ID: <3598.216.153.201.211.1014330251.squirrel@www1.27in.tv>
In-Reply-To: <02022113333200.74706@c1529030-a.attbi.com>

Some time in the recent past 72yan M scribbled:
> <<<...snip...>>>
>> My questions are:
>> 1. What's a good number for "net.inet.ip.fw.dyn_buckets"? I could
>> just keep tweaking it up until I stop getting the error, but I'm
>> curious what the pros/cons are of setting this number too high, and
>> what too high would be. Does anyone have any experience with this?
>
> DoS attack of your running services/dynamic rules.

Wouldn't that require the DoS to be coming from inside my box, as outgoing
packets are the ones that generate the dynamic rules, not incoming?

> I use 256 dyn_buckets, but I also cut dyn_ack_lifetime to 60 from 300.

(I'm sure this doesn't help, but) I bumped mine up to 600 because my ssh
sessions kept terminating abruptly if I didn't pay attention to them for
5 minutes. Despite this, there must have been some usage spike over the
course of those 10 minutes to generate the error.

>> 2. Any suggestions on how I can track down what may be generating so
>> many dynamic rules? To give you a contrast now, ipfw lists _no_
>> dynamic rules.
>
> You could add a cron job to print '#ipfw show' to a text file every so
> often and then review the output file.

Did you mean "ipfw show" or "ipfw -d list"? Either way, a periodic cron
job is a good idea; I hadn't even thought of that. Thanks.

Appreciate the help.

--
Chris

"I'll defend to the death your right to say that, but I never said I'd
listen to it!" -- Tom Galloway with apologies to Voltaire
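Added example (not code from either poster): a cron-driven snapshot of `ipfw -d list` plus a small summarizer that shows which host owns the dynamic rules, which is the question the thread leaves open. Two caveats a practitioner would want before tuning: dynamic rules are created by any packet that matches a `keep-state` rule, so whether inbound traffic can fill the table depends entirely on where `keep-state` sits in the ruleset, and `net.inet.ip.fw.dyn_buckets` only sizes the hash table the states live in; the limit the kernel enforces when it prints "Too many dynamic rules" is `net.inet.ip.fw.dyn_max`, so the snapshot records `dyn_count` next to `dyn_max`. The sample dump, the script path in the cron comment, and the snapshot directory are assumptions; the parser relies only on the `<->` token that separates the two endpoints of every dynamic-rule line, not on the exact column layout of a given ipfw version.

```shell
#!/bin/sh
# Added example, not code from the thread above: snapshot `ipfw -d list`
# from cron and summarize which hosts own the dynamic rules.
# The sample dump below is constructed; its column layout approximates the
# ipfw(8) dynamic-rule listing, and the parser only relies on the "<->"
# token that separates the two endpoints of each dynamic rule.

SAMPLE_DUMP='00100 allow ip from any to any via lo0
00300 check-state
00400 allow tcp from 192.168.1.0/24 to any keep-state out xmit fxp0
65535 deny ip from any to any
## Dynamic rules:
00400    12   1320 (T 296, # 45) ty 0 tcp, 192.168.1.10 1025 <-> 10.0.0.1 22
00400     3    180 (T 299, # 12) ty 0 tcp, 192.168.1.10 1026 <-> 10.0.0.1 80
00400     3    180 (T 290, # 77) ty 0 tcp, 192.168.1.10 1027 <-> 10.0.0.2 80
00400     5    400 (T 120, #  3) ty 0 tcp, 192.168.1.20 2048 <-> 10.0.0.1 22'

# Keep only the lines after the "## Dynamic rules" header (static rules are dropped).
dyn_lines() {
    awk '/^## Dynamic rules/ { indyn = 1; next } indyn && NF { print }'
}

# Number of dynamic rules in a dump read from stdin.
count_dyn() {
    dyn_lines | awk 'END { print NR + 0 }'
}

# Top-N endpoints (the address left of "<->") by dynamic-rule count.
# One host holding most of the table is the first place to look.
top_dyn_sources() {
    dyn_lines | awk '{
        for (i = 3; i <= NF; i++) if ($i == "<->") { n[$(i - 2)]++; break }
    } END { for (s in n) print n[s], s }' | sort -rn | head -n "${1:-5}"
}

# Cron entry point: one timestamped dump per run, e.g.
#   */5 * * * * root /usr/local/sbin/ipfw-dyn-snapshot.sh snapshot
# (hypothetical path and directory; pick your own). The sysctls recorded
# first are the ones to compare: the kernel refuses new state once
# dyn_count reaches dyn_max, regardless of dyn_buckets.
snapshot_dyn() {
    dir=${1:-/var/log/ipfw-dyn}
    mkdir -p "$dir"
    out="$dir/$(date +%Y%m%d-%H%M%S).txt"
    sysctl net.inet.ip.fw.dyn_count net.inet.ip.fw.dyn_max \
           net.inet.ip.fw.dyn_buckets net.inet.ip.fw.dyn_ack_lifetime > "$out"
    ipfw -d list >> "$out"
    echo "$out"
}

case "${1:-}" in
    snapshot) snapshot_dyn "${2:-}" ;;
    *)
        # Offline demo on the constructed dump: rule count, then top 3 endpoints.
        printf '%s\n' "$SAMPLE_DUMP" | count_dyn
        printf '%s\n' "$SAMPLE_DUMP" | top_dyn_sources 3
        ;;
esac
```

Run with no arguments to see the summary on the built-in sample; install it under cron with the `snapshot` argument on the firewall itself, then feed any saved dump through `top_dyn_sources` to see who was holding the table when the error fired. Each dump also carries the lifetimes in force, so a later change to `dyn_ack_lifetime` can be correlated with the count it produced.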