Date: Thu, 9 Sep 2010 09:20:09 -0700 From: Jeremy Chadwick <freebsd@jdc.parodius.com> To: Gareth de Vaux <bsd@lordcow.org> Cc: stable@freebsd.org Subject: Re: ipfw: Too many dynamic rules Message-ID: <20100909162009.GA80375@icarus.home.lan> In-Reply-To: <20100909153902.GA28341@lordcow.org> References: <20100909153902.GA28341@lordcow.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Thu, Sep 09, 2010 at 05:39:02PM +0200, Gareth de Vaux wrote: > Hi again, I use some keep-state rules in ipfw, but get the following > kernel message: > > kernel: ipfw: install_state: Too many dynamic rules > > when presumably my state table reaches its limit (and I effectively > get DoS'd). > > netstat shows tons of connections in FIN_WAIT_2 state, mostly to > my webserver. Consequently net.inet.ip.fw.dyn_count is large too. > > I can increase my net.inet.ip.fw.dyn_max but the new limit will > simply be reached later on. > > I currently get around this with a cronjob that sets > net.inet.ip.fw.dyn_keepalive to 0 for just less than 5 minutes > every night. If I leave it at 0 for longer or indefinitely then > idle ssh sessions and the like are dropped. This works fine for > me but it looks like there's some bug with net.inet.ip.fw.dyn_keepalive=1? > Or with Apache? > > I'm using 8.1-STABLE, GENERIC kernel. Experienced the same behaviour > on 8.0-RELEASE, but not on 6.1-RELEASE where I had a similar setup. I > have a KeepAliveTimeout of 4 in Apache (2.2.16). Firstly, I'm not familiar with dynamic firewall rules in ipfw. I tend to use pf these days, with ALTQ for rate-limiting. pf offers a lot of improvements over ipfw. Secondly, I'm fairly certain HTTP KeepAlive (re: KeepAliveTimeout) are unrelated to TCP keepalives[1]. I mention this because you're focusing on netstat, which will give you indication of TCP session state, not HTTP protocol statefulness. Thirdly, if you feel FIN_WAIT2 is the cause of your problem, then you should consider adjusting the following sysctl: net.inet.tcp.finwait2_timeout Try something like 15000 (15 seconds) instead of the default (60000). Finally, why are you using dynamic firewall rules at all? For what purpose do you need these that, say, pf and its state tracking would not suffice? [1]: http://en.wikipedia.org/wiki/Keepalive -- | Jeremy Chadwick jdc@parodius.com | | Parodius Networking http://www.parodius.com/ | | UNIX Systems Administrator Mountain View, CA, USA | | Making life hard for others since 1977. PGP: 4BD6C0CB |
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20100909162009.GA80375>