Date:      Thu, 21 Jan 2021 16:29:26 -0800
From:      Michael Sierchio <kudzu@tenebras.com>
To:        Jos Chrispijn <bsduser@cloudzeeland.nl>
Cc:        FreeBSD Mailing List <freebsd-questions@freebsd.org>
Subject:   Re: IPFW | Too many dynamic rules?
Message-ID:  <CAHu1Y73Qcz7G2gX1_2zM0nJp_c5qA604Z=U9xxNZL_g_cJNhxA@mail.gmail.com>
In-Reply-To: <e73687db-0f6e-9d45-c9c9-57bbfd1ae8e9@cloudzeeland.nl>
References:  <e73687db-0f6e-9d45-c9c9-57bbfd1ae8e9@cloudzeeland.nl>

This is affected by a number of things.  Your ruleset may be faulty, and you
may be instantiating dynamic rules when a matching state exists.  You may
need to separate inbound and outbound traffic in your ruleset.  Do you have
a check-state rule early in the ruleset?

The lifetime of dynamic rules is, by default, way too long.  See my values
below.  In my world, udp is primarily used for DNS queries.  3 seconds is a
very long time. A short dyn_ack_lifetime relies on keepalives (in SSH, for
example).

net.inet.ip.fw.dyn_short_lifetime: 3
net.inet.ip.fw.dyn_udp_lifetime: 3
net.inet.ip.fw.dyn_rst_lifetime: 2
net.inet.ip.fw.dyn_fin_lifetime: 1
net.inet.ip.fw.dyn_syn_lifetime: 9
net.inet.ip.fw.dyn_ack_lifetime: 300
net.inet.ip.fw.dyn_parent_max: 4096
net.inet.ip.fw.dyn_max: 4096
net.inet.ip.fw.dyn_buckets: 2048



On Thu, Jan 21, 2021 at 3:15 PM Jos Chrispijn <bsduser@cloudzeeland.nl>
wrote:

> Just ran into this matter (never experienced it until now):
>
> "Cannot allocate dynamic state, consider increasing net.inet.ip.fw.dyn_max"
>
> - What can be the cause of this sudden incident?
> - Looks like ipfw is suddenly processing too many rules?
>
> Do I have to increase that in /etc/sysctl.conf and with what numbers can
> I do that best (depending on my BSD configuration or what is the usual
> formula on this)?
>
> Thanks, Jos
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "
> freebsd-questions-unsubscribe@freebsd.org"
>


-- 

"Well," Brahmā said, "even after ten thousand explanations, a fool is no
wiser, but an intelligent person requires only two thousand five hundred."

- The Mahābhārata
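As an added example (not code from either poster), the following POSIX shell script turns the advice in the reply into something you can inspect before applying: the dyn_* sysctl values quoted above as /etc/sysctl.conf lines, a minimal stateful ruleset in which check-state comes before any keep-state rule and inbound and outbound traffic get separate rules, and a check that the check-state rule really does precede every state-creating rule. The interface name em0, the rule numbers and the SSH allow rule are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: WAN interface em0,
# the rule numbers below, and that ipfw(8) accepts a ruleset on stdin
# via /dev/stdin.

WAN_IF="${WAN_IF:-em0}"   # assumed interface name

# The dyn_* tunables from the reply, as /etc/sysctl.conf lines.
dyn_sysctl_conf() {
    cat <<'EOF'
net.inet.ip.fw.dyn_short_lifetime=3
net.inet.ip.fw.dyn_udp_lifetime=3
net.inet.ip.fw.dyn_rst_lifetime=2
net.inet.ip.fw.dyn_fin_lifetime=1
net.inet.ip.fw.dyn_syn_lifetime=9
net.inet.ip.fw.dyn_ack_lifetime=300
net.inet.ip.fw.dyn_parent_max=4096
net.inet.ip.fw.dyn_max=4096
net.inet.ip.fw.dyn_buckets=2048
EOF
}

# Look up one value from the fragment above (e.g. net.inet.ip.fw.dyn_max).
dyn_sysctl_value() {
    dyn_sysctl_conf | awk -F= -v k="$1" '$1 == k { print $2 }'
}

# A minimal stateful ruleset. check-state is the first rule, so a packet
# that already matches a dynamic rule is accepted there and no second
# state is created. Outbound and inbound rules are kept separate, each
# with its own keep-state, instead of one bidirectional catch-all.
ipfw_ruleset() {
    cat <<EOF
flush
add 100 check-state
add 200 allow ip from any to any via lo0
add 300 allow tcp from me to any out via $WAN_IF setup keep-state
add 310 allow udp from me to any out via $WAN_IF keep-state
add 320 allow icmp from me to any out via $WAN_IF keep-state
add 400 allow tcp from any to me 22 in via $WAN_IF setup keep-state
add 65000 deny log ip from any to any
EOF
}

# Exit 0 only if the check-state rule number is lower than the number of
# every keep-state rule; otherwise states get created before the lookup.
check_state_precedes_keep_state() {
    ipfw_ruleset | awk '
        /check-state/ { cs = $2 }
        /keep-state/  { if (cs == "" || $2 + 0 <= cs + 0) bad = 1 }
        END { exit bad ? 1 : 0 }'
}

# Apply on a FreeBSD host (needs root): set the tunables, load the rules.
apply_all() {
    dyn_sysctl_conf | while read -r kv; do sysctl "$kv"; done
    ipfw_ruleset | ipfw -q /dev/stdin
}

case "${1:-}" in
    show)  dyn_sysctl_conf; echo; ipfw_ruleset ;;
    check) check_state_precedes_keep_state && echo "check-state is first" ;;
    apply) check_state_precedes_keep_state && apply_all ;;
esac
```

Run `sh ipfw-state.sh show` to print both fragments, `sh ipfw-state.sh check` to verify the rule ordering, and `sh ipfw-state.sh apply` only on the firewall host itself. After applying, `ipfw -d list` shows the dynamic rules with their remaining lifetimes, which is the quickest way to see whether the short timeouts are keeping the table well under dyn_max.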


