IPFW and Dynamic Rules
Dinesh Nair
dinesh at alphaque.com
Wed Jan 21 12:06:12 PST 2004
On Wed, 21 Jan 2004, Adam Seniuk wrote:
> I keep getting "/kernel: Too many dynamic rules, sorry" in my log file
> several times and I am not sure what's going on. I have read some articles,
> but they are all from 2000 and for FreeBSD 4.0.
From the ipfw(4) man page:
net.inet.ip.fw.dyn_max: 8192
Maximum number of dynamic rules. When you hit this limit, no
more dynamic rules can be installed until old ones expire.
Seems like you're hitting this limit with too many keep-state rules in
your ipfw ruleset. Try trimming them down a little by adding in specific
reverse packet flow rules.
For example,
# allow dns queries out to the world
allow udp from me to any 53 keep-state out
could be split to
# allow dns queries out to the world
allow udp from me to any 53 out
# allow incoming dns responses
allow udp from any 53 to me in
Regards, /\_/\ "All dogs go to heaven."
dinesh at alphaque.com (0 0) http://www.alphaque.com/
+==========================----oOO--(_)--OOo----==========================+
| for a in past present future; do |
| for b in clients employers associates relatives neighbours pets; do |
| echo "The opinions here in no way reflect the opinions of my $a $b." |
| done; done |
+=========================================================================+
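The check and the rule rewrite described in the reply above, as an added example that is not part of the original post. It is a POSIX sh script with two helpers: dyn_usage reads the two sysctls the reply refers to (net.inet.ip.fw.dyn_count, the number of dynamic rules currently installed, and net.inet.ip.fw.dyn_max, the limit) in the "name: value" form FreeBSD's sysctl(8) prints and flags the table before the kernel starts refusing entries; split_keep_state rewrites the one udp keep-state rule shape shown in the reply into the stateless forward/reverse pair. The sysctl output and ruleset it runs on are constructed samples, and the 90% alert threshold is an assumption of this example.

```shell
#!/bin/sh
# Added example, not code from the original post. Reads the ipfw sysctls the
# reply refers to (net.inet.ip.fw.dyn_count and net.inet.ip.fw.dyn_max) in the
# "name: value" form FreeBSD's sysctl(8) prints, and rewrites the udp keep-state
# rule shape from the post into a stateless pair. All sample input below is
# constructed; the 90% threshold is an assumption of this example.

# Constructed sample: a box that has just logged "Too many dynamic rules, sorry".
SAMPLE_SYSCTL_FULL='net.inet.ip.fw.dyn_count: 8192
net.inet.ip.fw.dyn_max: 8192'

# Constructed sample: the same sysctls on a box with plenty of headroom.
SAMPLE_SYSCTL_OK='net.inet.ip.fw.dyn_count: 1310
net.inet.ip.fw.dyn_max: 8192'

# Constructed sample ruleset in the post's style (no "ipfw add" prefix).
SAMPLE_RULES='# allow dns queries out to the world
allow udp from me to any 53 keep-state out
# tcp stays stateful: a stateless tcp reverse rule needs established/setup
# handling, which this helper deliberately does not attempt
allow tcp from me to any 22 setup keep-state out'

# dyn_usage [threshold]: read sysctl "name: value" lines on stdin, print
# "<count> <max> <percent>", and return 1 when percent >= threshold (default 90)
# so a cron job can alert before the kernel starts refusing new dynamic rules.
# On a live FreeBSD host feed it with:
#   sysctl net.inet.ip.fw.dyn_count net.inet.ip.fw.dyn_max | dyn_usage 90
dyn_usage() {
    awk -F: -v thr="${1:-90}" '
        $1 == "net.inet.ip.fw.dyn_count" { count = $2 + 0 }
        $1 == "net.inet.ip.fw.dyn_max"   { max = $2 + 0 }
        END {
            if (max <= 0) { print "dyn_max not found in input" > "/dev/stderr"; exit 2 }
            pct = int(count * 100 / max)
            printf "%d %d %d\n", count, max, pct
            exit (pct >= thr) ? 1 : 0
        }'
}

# split_keep_state: rewrite exactly the rule shape shown in the post,
#   allow udp from SRC to DST PORT keep-state out
# into the stateless pair
#   allow udp from SRC to DST PORT out
#   allow udp from DST PORT to SRC in
# Every other line (comments, tcp rules, anything with a different shape)
# is passed through unchanged, so the output is still a complete ruleset.
split_keep_state() {
    awk '
        NF == 9 && $1 == "allow" && $2 == "udp" && $3 == "from" && $5 == "to" &&
        $8 == "keep-state" && $9 == "out" {
            printf "allow udp from %s to %s %s out\n", $4, $6, $7
            printf "allow udp from %s %s to %s in\n", $6, $7, $4
            next
        }
        { print }'
}

# Demo on the constructed samples.
printf '%s\n' "$SAMPLE_SYSCTL_FULL" | dyn_usage 90 \
    || echo "dynamic rule table at/over threshold: raise net.inet.ip.fw.dyn_max, shorten net.inet.ip.fw.dyn_udp_lifetime, or split rules"
printf '%s\n' "$SAMPLE_RULES" | split_keep_state
```

Two things worth knowing before applying the split. First, the reverse rule `allow udp from any 53 to me in` is wider than the dynamic entry it replaces: the dynamic rule only admitted replies for a flow this host had already opened, whereas the stateless rule admits any UDP datagram from anywhere whose source port happens to be 53, which an attacker can choose freely. Splitting trades dynamic-table space for that extra exposure, so keep it to protocols where the exposure is acceptable. Second, the limit is just a sysctl: `ipfw -d list` shows the dynamic rules that are live, `sysctl net.inet.ip.fw.dyn_max=16384` raises the ceiling, and lowering `net.inet.ip.fw.dyn_udp_lifetime` makes idle UDP entries expire sooner; either can be a smaller change than rewriting the ruleset.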
More information about the freebsd-questions mailing list