Date:      Thu, 21 Feb 2002 17:24:11 -0500 (EST)
From:      "C J Michaels" <cjm2@earthling.net>
To:        <freedom@72oot.net>
Cc:        <freebsd-questions@freebsd.org>
Subject:   Re: ipfw: Too many dynamic rules, sorry
Message-ID:  <3598.216.153.201.211.1014330251.squirrel@www1.27in.tv>
In-Reply-To: <02022113333200.74706@c1529030-a.attbi.com>
References:  <02022113333200.74706@c1529030-a.attbi.com>

Some time in the recent past 72yan M scribbled:
>

<<<...snip...>>>

>> My questions are:
>> 1. What's a good number for "net.inet.ip.fw.dyn_buckets"?  I could
>> just keep tweaking it up until I stop getting the error, but I'm
>> curious what the pro/cons are of setting this number too high, and
>> what too high would be.  Does anyone have any experience with this?
>
> Dos attack of your running services/ dynamic rules.
>

Wouldn't that require the DoS to be coming from inside my box, as outgoing
packets are the ones that generate the dynamic rules, not incoming?

> I use 256 dyn_buckets, but I also cut dyn_ack_lifetime to 60 from 300.

(I'm sure this doesn't help but) I bumped mine up to 600 'cause my ssh
sessions kept terminating abruptly if I didn't pay attn to them for 5
minutes.  Despite this, there must have been some usage spike over the
course of those 10 minutes to generate the error.

>
>>
>> 2. Any suggestions on how I can track down what may be generating so
>> many dynamic rules?  To give you a contrast now, ipfw lists _no_
>> dynamic rules.
>
> You could add a cron job to print '#ipfw show' to a text file every so
> often  and then review the output file.

Did you mean "ipfw show" or "ipfw -d list"?  Either way, a periodic cron
job is a good idea; I hadn't even thought of that.  Thanks.

Appreciate the help.

-- 
Chris

"I'll defend to the death your right to say that, but I never said I'd
listen to it!"
     -- Tom Galloway with apologies to Voltaire
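
The periodic snapshot discussed above, as an added example that is not part of the original thread: a small script for cron that appends a timestamped summary of `ipfw -d list` (the dynamic-rule listing) to a log, broken down by parent rule and by local host, so a later "Too many dynamic rules" spike can be traced back. The log path, script path and crontab line are assumptions; the sample listing is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): snapshot ipfw's dynamic rules from
# cron so a later spike can be traced to a rule and a host.
# Assumed paths: the log below and the script location in the crontab line.
# Assumed /etc/crontab entry (every 5 minutes):
#   */5 * * * * root /usr/local/sbin/ipfw-dyn-snapshot.sh snapshot

LOG=${LOG:-/var/log/ipfw-dyn.log}

# Summarize "ipfw -d list" output read on stdin.  Dynamic-rule lines carry
# "src sport <-> dst dport", so fields are taken relative to the end of the
# line; this works for both the "(T 300, # 48) ty 0 tcp," and the
# "(299s) STATE tcp" layouts.  Output is sorted so it is stable.
summarize_dynamic() {
    awk '/<->/ { n++; rule[$1]++; src[$(NF-4)]++ }
         END {
             printf "dynamic rules: %d\n", n + 0
             for (r in rule) printf "rule %s: %d\n", r, rule[r]
             for (s in src)  printf "src %s: %d\n", s, src[s]
         }' | LC_ALL=C sort
}

# Append one timestamped snapshot.  dyn_count/dyn_max give the live total and
# the ceiling that triggers "Too many dynamic rules"; dyn_buckets only sizes
# the hash table the dynamic rules are stored in.
snapshot() {
    {
        echo "=== $(date '+%Y-%m-%d %H:%M:%S') ==="
        echo "dyn_count=$(sysctl -n net.inet.ip.fw.dyn_count 2>/dev/null)" \
             "dyn_max=$(sysctl -n net.inet.ip.fw.dyn_max 2>/dev/null)"
        ipfw -d list | summarize_dynamic
    } >> "$LOG"
}

# Constructed sample of "ipfw -d list" output for a quick offline check.
SAMPLE='00100 allow tcp from any to any established
00300 check-state
## Dynamic rules (3):
00300     5    420 (299s) STATE tcp 192.168.1.10 40112 <-> 10.0.0.1 22
00300    10    900 (120s) STATE tcp 192.168.1.10 40113 <-> 10.0.0.2 80
00400     1     60 (30s) STATE udp 192.168.1.11 5353 <-> 10.0.0.3 53'

case "${1:-}" in
    snapshot) snapshot ;;
    demo)     printf '%s\n' "$SAMPLE" | summarize_dynamic ;;
esac
```

Run it with `demo` to see the summary of the constructed sample; from cron, `snapshot` appends one block per run, and diffing consecutive blocks shows which rule and host the new dynamic entries belong to.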