Date: Thu, 21 Feb 2002 17:24:11 -0500 (EST)
From: "C J Michaels" <cjm2@earthling.net>
To: <freedom@72oot.net>
Cc: <freebsd-questions@freebsd.org>
Subject: Re: ipfw: Too many dynamic rules, sorry
Message-ID: <3598.216.153.201.211.1014330251.squirrel@www1.27in.tv>
In-Reply-To: <02022113333200.74706@c1529030-a.attbi.com>
References: <02022113333200.74706@c1529030-a.attbi.com>
Some time in the recent past 72yan M scribbled:
> <<<...snip...>>>
>> My questions are:
>> 1. What's a good number for "net.inet.ip.fw.dyn_buckets"?  I could
>> just keep tweaking it up until I stop getting the error, but I'm
>> curious what the pro/cons are of setting this number too high, and
>> what too high would be.  Does anyone have any experience with this?
>
> Dos attack of your running services/ dynamic rules.
>

Wouldn't that require the DoS to be coming from inside my box, as outgoing
packets are the ones that generate the dynamic rules, not incoming?

> I use 256 dyn_buckets, but I also cut dyn_ack_lifetime to 60 from 300.

(I'm sure this doesn't help but) I bumped mine up to 600 'cause my ssh
sessions kept terminating abruptly if I didn't pay attn to them for 5
minutes.  Despite this, there must have been some usage spike over the
course of those 10 minutes to generate the error.

>
>> 2. Any suggestions on how I can track down what may be generating so
>> many dynamic rules?  To give you a contrast now, ipfw lists _no_
>> dynamic rules.
>
> You could add a cron job to print '#ipfw show' to a text file every so
> often and then review the output file.

Did you mean "ipfw show" or "ipfw -d list"?  Either way, a periodic cron
job is a good idea, I hadn't even thought of that.  Thanks.

Appreciate the help.

--
Chris
"I'll defend to the death your right to say that, but I never said I'd
listen to it!" -- Tom Galloway with apologies to Voltaire

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
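The cron-job idea discussed in the thread, worked out as an added example that is not part of the original mail or of FreeBSD's ipfw tooling. The script reads `ipfw -d list` output (the form that includes the dynamic-rule section, which `ipfw show` alone does not print), keeps only the lines after the `## Dynamic rules` header, and counts rules per source address so a usage spike can be traced to the host that opened the sessions. The embedded listing is constructed sample data shaped like FreeBSD 4.x output with hypothetical addresses; the `snapshot` function, the log path and the sysctl names `dyn_count`/`dyn_max` are assumptions about what a real host would expose, and the parser only relies on the `src port <-> dst port` pattern so it also copes with later ipfw output formats.

```shell
#!/bin/sh
# Added example (not from the original thread): periodic snapshot of ipfw
# dynamic rules, summarised per source address, for a cron job.

# count_dyn_by_src: read `ipfw -d list` output on stdin and print
# "count source-address" lines, most rules first. Only lines after the
# "## Dynamic rules" header are considered; the address two fields before
# "<->" (i.e. before the source port) is taken as the rule's source.
count_dyn_by_src() {
    awk '
        /^## Dynamic rules/ { indyn = 1; next }
        indyn && /<->/ {
            for (i = 1; i <= NF; i++)
                if ($i == "<->") { print $(i - 2); break }
        }
    ' | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# dyn_total: number of dynamic rules present in the listing on stdin.
dyn_total() {
    awk '/^## Dynamic rules/ { indyn = 1; next }
         indyn && /<->/ { n++ }
         END { print n + 0 }'
}

# Constructed sample listing (hypothetical addresses, ports and counters),
# shaped like FreeBSD 4.x `ipfw -d list` output.
SAMPLE_LISTING='00100 allow ip from any to any via lo0
00300 check-state
00400 allow tcp from any to any out keep-state
65535 deny ip from any to any
## Dynamic rules:
00400 12 3456 (T 300, # 91) ty 0 192.168.1.10 49152 <-> 10.0.0.1 22
00400 3 210 (T 299, # 12) ty 0 192.168.1.10 49153 <-> 10.0.0.2 80
00400 8 1024 (T 120, # 77) ty 0 192.168.1.20 1025 <-> 10.0.0.3 25
00400 1 60 (T 5, # 3) ty 0 192.168.1.10 49154 <-> 10.0.0.4 443'

# snapshot: what the cron job would run on a real FreeBSD host. Appends a
# timestamped header (total dynamic rules, plus the kernel's own dyn_count
# and dyn_max counters where the sysctls exist) and the per-source summary
# to the log file given as $1 (assumed default: /var/log/ipfw-dyn.log).
snapshot() {
    logfile=${1:-/var/log/ipfw-dyn.log}
    listing=$(ipfw -d list) || return 1
    counters=$(sysctl -n net.inet.ip.fw.dyn_count net.inet.ip.fw.dyn_max \
               2>/dev/null | tr '\n' '/' || true)
    {
        echo "=== $(date '+%Y-%m-%d %H:%M:%S') total=$(printf '%s\n' "$listing" | dyn_total) dyn_count/dyn_max=${counters:-n/a}"
        printf '%s\n' "$listing" | count_dyn_by_src
    } >> "$logfile"
}

# Offline demonstration against the constructed sample: prints
# "3 192.168.1.10" then "1 192.168.1.20".
printf '%s\n' "$SAMPLE_LISTING" | count_dyn_by_src
```

Installed as, say, `/usr/local/sbin/ipfw-dyn-snapshot.sh` with a call to `snapshot` at the end instead of the offline demonstration, a root crontab line such as `*/5 * * * * /usr/local/sbin/ipfw-dyn-snapshot.sh` gives a five-minute history; when the "Too many dynamic rules" message reappears, the entry just before it shows which source held the bulk of the rules, which is the contrast between "no dynamic rules" and a spike that the thread is after.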