Date: Wed, 26 Jan 2005 22:09:22 -0600
From: "Brian" <bbayorgeon@new.rr.com>
To: <freebsd-questions@freebsd.org>
Subject: kernel: drop session, too many entries - errors with stateful ipfw
Message-ID: <000001c50425$fbdccda0$4402000a@Marshal>
Trying to find the source of the following error messages. It is not quite obvious why I am getting so many dynamic rules. This is a small private home LAN with FreeBSD 5.3-RELEASE. These errors can crop up even during times when no one is cruising the internet on the various clients. I even boosted 'net.inet.ip.fw.dyn_max: 15000' and it still happens. Any thoughts would be appreciated.

Thanks,
Brian

LOG FILE

Jan 25 19:12:36 xx kernel: drop session, too many entries
Jan 25 19:13:46 xx kernel: drop session, too many entries
Jan 25 19:16:26 xx last message repeated 2 times
Jan 25 19:33:58 xx last message repeated 5 times
Jan 25 20:01:55 xx kernel: drop session, too many entries
Jan 25 20:01:58 xx kernel: drop session, too many entries
Jan 25 20:03:15 xx kernel: drop session, too many entries
Jan 25 20:12:00 xx last message repeated 3 times
Jan 26 08:41:10 xx kernel: drop session, too many entries
Jan 26 10:46:37 xx kernel: drop session, too many entries
Jan 26 10:46:45 xx kernel: drop session, too many entries

SYSCTL OUTPUT

sysctl -a | grep ip.fw
net.inet.ip.fw.enable: 1
net.inet.ip.fw.autoinc_step: 100
net.inet.ip.fw.one_pass: 1
net.inet.ip.fw.debug: 1
net.inet.ip.fw.verbose: 1
net.inet.ip.fw.verbose_limit: 100
net.inet.ip.fw.dyn_buckets: 256
net.inet.ip.fw.curr_dyn_buckets: 256
net.inet.ip.fw.dyn_count: 0
net.inet.ip.fw.dyn_max: 15000
net.inet.ip.fw.static_count: 47
net.inet.ip.fw.dyn_ack_lifetime: 300
net.inet.ip.fw.dyn_syn_lifetime: 20
net.inet.ip.fw.dyn_fin_lifetime: 1
net.inet.ip.fw.dyn_rst_lifetime: 1
net.inet.ip.fw.dyn_udp_lifetime: 10
net.inet.ip.fw.dyn_short_lifetime: 5
net.inet.ip.fw.dyn_keepalive: 1

ipfw show output

00002 95 15384 allow ip from any to any via de0
00003 0 0 allow ip from any to any via lo0
00100 1 338 divert 8668 ip from any to any in via ex0
00101 0 0 check-state
00120 0 0 skipto 500 udp from any to any dst-port 53 out via ex0 keep-state
00122 0 0 skipto 500 log logamount 1000 udp from any to 10.x.x.x dst-port 67 out via keep-state
00125 0 0 skipto 500 tcp from any to any dst-port 22,25,43,80,443,110,119,11000-12000 out via ex0 setup keep-state
00130 0 0 skipto 500 icmp from any to any out via ex0 keep-state
00135 0 0 skipto 500 log logamount 1000 udp from any to any dst-port 123 out via ex0 keep-state
00150 1 338 allow log logamount 1000 udp from 10.x.x.x to any dst-port 68 in via ex0 keep-state
00300 0 0 deny log logamount 1000 ip from 192.168.0.0/16 to any in via ex0
00301 0 0 deny log logamount 1000 ip from 172.16.0.0/12 to any in via ex0
00302 0 0 deny log logamount 1000 ip from 10.0.0.0/8 to any in via ex0
00303 0 0 deny log logamount 1000 ip from 127.0.0.0/8 to any in via ex0
00304 0 0 deny log logamount 1000 ip from 0.0.0.0/8 to any in via ex0
00305 0 0 deny log logamount 1000 ip from 169.254.0.0/16 to any in via ex0
00306 0 0 deny log logamount 1000 ip from 192.0.2.0/24 to any in via ex0
00307 0 0 deny log logamount 1000 ip from 204.152.64.0/23 to any in via ex0
00308 0 0 deny log logamount 1000 ip from 224.0.0.0/3 to any in via ex0
00310 0 0 deny log logamount 1000 tcp from any to any dst-port 113 in via ex0
00311 0 0 deny log logamount 1000 icmp from any to any in via ex0 icmptypes 8
00315 0 0 deny log logamount 1000 ip from any to any in frag
00320 0 0 deny log logamount 1000 tcp from any to any dst-port 137,138,139,81 in via ex0
00330 0 0 deny log logamount 1000 ip from any to any frag in via ex0
00340 0 0 deny log logamount 1000 tcp from any to any established in via ex0
00420 0 0 allow log logamount 1000 tcp from any to me dst-port 80 in via ex0 setup limit src-addr 2
00421 0 0 allow log logamount 1000 tcp from any to me dst-port 22 in via ex0 setup limit src-addr 2
00450 0 0 deny log logamount 10000 ip from any to any
00500 0 0 divert 8668 ip from any to any out via ex0
00510 0 0 allow ip from any to any
00999 0 0 deny log logamount 1000 ip from any to any
65535 112 9464 allow ip from any to any
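As an added example (not part of the mail and not FreeBSD code), a small Python script that expands the syslog "last message repeated N times" lines to count how often the message fired per day, and that picks out of the posted ruleset the rules using `limit`: in ipfw2's install_state() that exact string is logged only from the O_LIMIT branch, when a source already holds conn_limit sessions under a `limit` rule, while the dyn_max check prints a different message, which is why it can fire while net.inet.ip.fw.dyn_count stays low. It assumes the syslog and `ipfw show` line formats shown above; the sample input is a subset of the mail's own lines.

```python
import re
from collections import Counter

MSG = "drop session, too many entries"
DROP = re.compile(r"^(\w{3} +\d+) \S+ \S+ kernel: " + re.escape(MSG) + r"$")
REPEAT = re.compile(r"^(\w{3} +\d+) \S+ \S+ last message repeated (\d+) times$")

# Constructed sample input: a subset of the syslog lines and rules from the mail.
LOG = """\
Jan 25 19:12:36 xx kernel: drop session, too many entries
Jan 25 19:13:46 xx kernel: drop session, too many entries
Jan 25 19:16:26 xx last message repeated 2 times
Jan 25 19:33:58 xx last message repeated 5 times
Jan 25 20:01:55 xx kernel: drop session, too many entries
Jan 25 20:12:00 xx last message repeated 3 times
Jan 26 08:41:10 xx kernel: drop session, too many entries
"""
RULES = """\
00101 0 0 check-state
00125 0 0 skipto 500 tcp from any to any dst-port 22,25,80 out via ex0 setup keep-state
00420 0 0 allow log logamount 1000 tcp from any to me dst-port 80 in via ex0 setup limit src-addr 2
00421 0 0 allow log logamount 1000 tcp from any to me dst-port 22 in via ex0 setup limit src-addr 2
"""

def count_drops(log_text):
    """Drops per day, expanding 'last message repeated N times' after a drop line.
    The kernel prints MSG at most once per second, so this is a lower bound."""
    per_day, last_was_drop = Counter(), False
    for line in log_text.splitlines():
        if m := DROP.match(line):
            per_day[m.group(1)] += 1
            last_was_drop = True
        elif (m := REPEAT.match(line)) and last_was_drop:
            per_day[m.group(1)] += int(m.group(2))   # repeats of the drop line
        else:
            last_was_drop = False
    return dict(per_day)

def limit_rules(ruleset_text):
    """(rule number, limit mask, conn_limit) for each rule using 'limit', the
    only ipfw construct that logs MSG; plain keep-state rules never log it."""
    found = []
    for line in ruleset_text.splitlines():
        parts = line.split(None, 3)                  # number, pkts, bytes, body
        if len(parts) == 4 and (m := re.search(
                r"\blimit ((?:src|dst)-(?:addr|port)(?:,\S+)*) (\d+)\b", parts[3])):
            found.append((int(parts[0]), m.group(1), int(m.group(2))))
    return found
```

Run against the full log and ruleset from the mail, count_drops gives the per-day floor on refused sessions and limit_rules names the two rules (00420 and 00421, `limit src-addr 2`) whose per-source cap can produce it.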