Date:      Fri, 22 Jan 2021 01:45:42 +0100
From:      Jos Chrispijn <bsduser@cloudzeeland.nl>
To:        Michael Sierchio <kudzu@tenebras.com>
Cc:        FreeBSD Mailing List <freebsd-questions@freebsd.org>
Subject:   Re: IPFW | Too many dynamic rules?
Message-ID:  <b567dd97-4e1a-7870-d0f5-c477fc488403@cloudzeeland.nl>
In-Reply-To: <CAHu1Y73Qcz7G2gX1_2zM0nJp_c5qA604Z=U9xxNZL_g_cJNhxA@mail.gmail.com>
References:  <e73687db-0f6e-9d45-c9c9-57bbfd1ae8e9@cloudzeeland.nl> <CAHu1Y73Qcz7G2gX1_2zM0nJp_c5qA604Z=U9xxNZL_g_cJNhxA@mail.gmail.com>

On 22-1-21 at 1:29, Michael Sierchio wrote:
> This is affected by a number of things.  Your ruleset may be faulty, and you
> may be instantiating dynamic rules when a matching state exists.  You may
> need to separate inbound and outbound traffic in your ruleset.  Do you have
> a check-state rule early in the ruleset?

Yes, I do (halfway through my ruleset).
Should I move that line to the top, you mean?

> The lifetime of dynamic rules is, by default, way too long.  See my values
> below.  In my world, udp is primarily used for DNS queries.  3 seconds is a
> very long time. A short dyn_ack_lifetime relies on keepalives (in SSH, for
> example).

So I should decrease my numbers, following yours, and the issue will be
solved?

Are these also in your /etc/sysctl.conf?

> net.inet.ip.fw.dyn_short_lifetime: 3
> net.inet.ip.fw.dyn_udp_lifetime: 3
> net.inet.ip.fw.dyn_rst_lifetime: 2
> net.inet.ip.fw.dyn_fin_lifetime: 1
> net.inet.ip.fw.dyn_syn_lifetime: 9
> net.inet.ip.fw.dyn_ack_lifetime: 300
> net.inet.ip.fw.dyn_parent_max: 4096
> net.inet.ip.fw.dyn_max: 4096
> net.inet.ip.fw.dyn_buckets: 2048

Nub online, sorry.

Best, Jos



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?b567dd97-4e1a-7870-d0f5-c477fc488403>
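The two questions the thread turns on, whether the dynamic-rule table is filling up against dyn_max and whether check-state sits before the first keep-state rule, can both be checked from command output. The script below is an added example, not code from the thread or from FreeBSD; it assumes the output formats of `sysctl net.inet.ip.fw.dyn_count net.inet.ip.fw.dyn_max` and `ipfw list` look like the constructed samples embedded in it, and the rule numbers and rule text in those samples are illustrative.

```shell
#!/bin/sh
# Added example, not from the thread: two small checks for the situation
# discussed above, (1) how close the dynamic-rule table is to dyn_max and
# (2) whether a check-state rule precedes the first keep-state rule.
# The sample inputs are constructed to look like `sysctl` and `ipfw list`
# output; on a real host feed the functions the live command output.

# dyn_pct TEXT: given the output of
#   sysctl net.inet.ip.fw.dyn_count net.inet.ip.fw.dyn_max
# print table utilisation as an integer percentage (-1 if dyn_max is missing).
dyn_pct() {
  printf '%s\n' "$1" | awk -F': ' '
    $1 == "net.inet.ip.fw.dyn_count" { c = $2 }
    $1 == "net.inet.ip.fw.dyn_max"   { m = $2 }
    END { if (m > 0) printf "%d\n", (100 * c) / m; else print "-1" }'
}

# check_state_first TEXT: given `ipfw list` output, succeed only if a
# check-state rule exists and its number is lower than that of the first
# keep-state rule, so existing states are matched before new ones are made.
check_state_first() {
  printf '%s\n' "$1" | awk '
    /check-state/ && cs == "" { cs = $1 + 0 }
    /keep-state/  && ks == "" { ks = $1 + 0 }
    END {
      if (cs == "") { print "no check-state rule in ruleset"; exit 1 }
      if (ks != "" && cs > ks) {
        printf "check-state (%05d) comes after first keep-state (%05d)\n", cs, ks
        exit 1
      }
      printf "ok: check-state at %05d precedes keep-state\n", cs
    }'
}

# Constructed sample: 3570 of 4096 slots in use (about 87 percent).
SAMPLE_SYSCTL='net.inet.ip.fw.dyn_count: 3570
net.inet.ip.fw.dyn_max: 4096'

# Constructed sample rulesets; check-state halfway down versus near the top.
BAD_RULES='00100 allow ip from any to any via lo0
00200 allow tcp from me to any out keep-state :default
00300 allow udp from me to any 53 out keep-state :default
00400 check-state :default
65535 deny ip from any to any'

GOOD_RULES='00100 allow ip from any to any via lo0
00150 check-state :default
00200 allow tcp from me to any out keep-state :default
00300 allow udp from me to any 53 out keep-state :default
65535 deny ip from any to any'

# Demo run; no top-level exit so the functions can also be sourced.
echo "dynamic table utilisation: $(dyn_pct "$SAMPLE_SYSCTL")%"
check_state_first "$BAD_RULES" || echo "-> move check-state above the keep-state rules"
check_state_first "$GOOD_RULES"
```

A utilisation figure that climbs toward 100% while the lifetimes are still at their defaults is the signature of the problem in the subject line; the lifetime and dyn_max values quoted in the thread are set through /etc/sysctl.conf and are not changed by this script, which only reports.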