Date:      Fri, 10 Sep 2010 14:08:06 +0200
From:      Ivan Voras <ivoras@freebsd.org>
To:        freebsd-stable@freebsd.org
Subject:   Re: ipfw: Too many dynamic rules
Message-ID:  <i6d736$h9r$1@dough.gmane.org>
In-Reply-To: <20100909153902.GA28341@lordcow.org>
References:  <20100909153902.GA28341@lordcow.org>

On 09/09/10 17:39, Gareth de Vaux wrote:
> Hi again, I use some keep-state rules in ipfw, but get the following
> kernel message:
>
> kernel: ipfw: install_state: Too many dynamic rules
>
> when presumably my state table reaches its limit (and I effectively
> get DoS'd).
>
> netstat shows tons of connections in FIN_WAIT_2 state, mostly to
> my webserver. Consequently net.inet.ip.fw.dyn_count is large too.
>
> I can increase my net.inet.ip.fw.dyn_max but the new limit will
> simply be reached later on.

For what it's worth, here's what I've been running:

net.inet.ip.fw.dyn_buckets=1024
net.inet.ip.fw.dyn_max=8192
net.inet.ip.fw.dyn_ack_lifetime=60

If in a tight spot, I might reduce dyn_ack_lifetime to 10.

There is no way this machine would service 8192 legitimate simultaneous 
connections so this works for me. If you have the memory I think you can 
increase dyn_max practically arbitrarily. If under a DDoS attack, you 
might run out of some other resource, like ephemeral TCP ports for the 
server side of connections, before running out of ipfw entries.
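As an added example that is not part of this thread (the sysctl output and the connection rates below are constructed, and the command is assumed to run on a FreeBSD host with ipfw): a POSIX shell check that reads the sysctls named above, reports how close dyn_count is to dyn_max, and uses a Little's-law estimate (new connections per second times lifetime) to show why shortening dyn_ack_lifetime from 60 to 10 shrinks the steady-state table.

```shell
#!/bin/sh
# Constructed sample of `sysctl net.inet.ip.fw` output (not a real capture);
# on a live host replace it with: SYSCTL_OUT=$(sysctl net.inet.ip.fw)
SAMPLE_SYSCTL='net.inet.ip.fw.dyn_buckets: 1024
net.inet.ip.fw.dyn_max: 8192
net.inet.ip.fw.dyn_count: 7900
net.inet.ip.fw.dyn_ack_lifetime: 60'

# sysctl_val NAME TEXT: print the integer value of sysctl NAME found in TEXT
sysctl_val() {
    printf '%s\n' "$2" | sed -n "s/^$1: *//p"
}

# dyn_utilization TEXT: state-table fill level in percent (dyn_count/dyn_max)
dyn_utilization() {
    count=$(sysctl_val net.inet.ip.fw.dyn_count "$1")
    max=$(sysctl_val net.inet.ip.fw.dyn_max "$1")
    echo $(( count * 100 / max ))
}

# steady_state_entries RATE LIFETIME: rough Little's-law estimate of how many
# dynamic rules stay resident when RATE new flows/sec each live LIFETIME secs.
# Approximation only: ipfw applies different lifetimes per TCP state.
steady_state_entries() {
    echo $(( $1 * $2 ))
}

# check_state_table TEXT [THRESHOLD]: warn before the kernel starts logging
# "install_state: Too many dynamic rules". Returns 1 when over THRESHOLD (%).
check_state_table() {
    util=$(dyn_utilization "$1")
    threshold=${2:-90}
    if [ "$util" -ge "$threshold" ]; then
        echo "WARN: ipfw dynamic rules at ${util}% of dyn_max"
        return 1
    fi
    echo "OK: ipfw dynamic rules at ${util}% of dyn_max"
    return 0
}

# Demonstration: 7900 of 8192 entries is 96%, so this warns.
check_state_table "$SAMPLE_SYSCTL" 90 || :
# 200 new flows/sec: 12000 resident entries at lifetime 60, 2000 at lifetime 10
echo "lifetime 60 -> $(steady_state_entries 200 60) entries"
echo "lifetime 10 -> $(steady_state_entries 200 10) entries"
```

Run it periodically (for example from cron) and alert on the WARN line; the estimate shows that at 200 new flows per second the 8192-entry table overflows with dyn_ack_lifetime=60 but has ample room at 10.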