[ipfw] Dynamic rules grow indefinitely..



It is a web server with ~130req/s, problems seem to start after
upgrading to a new hardware.
FreeBSD 6.1-RELEASE-p10

Right now:

ipfw -d list | wc -l
4338

After an hour it will grow more and more... The day before yesterday I
got 20 000 dynamic rules ;o) (I was forced to increase
net.inet.ip.fw.dyn_max because I started to get errors in syslogs).

To reset them I was forced to flush and reload all rules..

Also, in some strange way, random IPs get banned ;] I suspect this is
because of that bug in the dynamic list, because after a flush, with the same
rules, all works right.

Here are my firewall rules: http://pastebin.ca/273074
Kernel config: http://pastebin.ca/273077
In kernel, enabled: ULE scheduler (I read somewhere that mysql works
better with it), option IPFIREWALL
Disabled: INET6, NFS*, COMPAT_FREEBSD4, COMPAT_FREEBSD5,
AHC_REG_PRETTY_PRINT, AHD_REG_PRETTY_PRINT

Also I get lots of 0s in ipfw -d list
00160 0 0 (0s) PARENT 5 tcp 86.106.209.238 0 <-> 0.0.0.0 0
00160 0 0 (0s) PARENT 1 tcp 212.0.211.241 0 <-> 0.0.0.0 0
00160 0 0 (0s) PARENT 3 tcp 86.106.210.242 0 <-> 0.0.0.0 0
..

Currently, out of 4363, 646 are with (0s)... Is that normal? (I have very
little experience and don't have access to another server to see if it's
normal or not...)

By the way, what does the "3" in "PARENT 3" mean?

Here is a dump of ipfw -d list with 6410 dynamic rules, got yesterday
before an ipfw flush: http://pastebin.ca/273087

--
Best regards,
Nicolae Namolovan.
_______________________________________________
freebsd-stable@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscribe@xxxxxxxxxxx"
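The post measures the dynamic-rule table with `ipfw -d list | wc -l`, which also counts the static rules and the "## Dynamic rules" header line, and it gives no breakdown of which entries carry (0s) or which source addresses hold the most states. The POSIX shell functions below are an added example, not part of the original message or of FreeBSD's ipfw: they parse the `ipfw -d list` line format shown in the post (PARENT lines carry a child count before the protocol, STATE lines do not), count only real dynamic entries, and report the (0s) share, the busiest source addresses and any limit parent whose child count exceeds a threshold. The sample lines are constructed to mirror the post's format (addresses from the post plus documentation ranges); the function names are the example's own.

```shell
#!/bin/sh
# Constructed sample of `ipfw -d list` dynamic entries (not a real capture).
# PARENT lines: rule pkts bytes (expiry) PARENT <children> proto src sport <-> dst dport
# STATE  lines: rule pkts bytes (expiry) STATE proto src sport <-> dst dport
SAMPLE_DYN='00160 0 0 (0s) PARENT 5 tcp 86.106.209.238 0 <-> 0.0.0.0 0
00160 0 0 (0s) PARENT 1 tcp 212.0.211.241 0 <-> 0.0.0.0 0
00160 4 1200 (297s) STATE tcp 86.106.209.238 51234 <-> 192.0.2.10 80
00160 8 6400 (12s) STATE tcp 86.106.209.238 51235 <-> 192.0.2.10 80
00160 1 60 (0s) STATE tcp 203.0.113.7 40000 <-> 192.0.2.10 80
00170 2 100 (300s) STATE udp 198.51.100.3 53 <-> 192.0.2.10 53'

# dyn_summary: read `ipfw -d list` on stdin, count only PARENT/STATE entries
# (static rules and the header line are skipped) and how many show (0s).
dyn_summary() {
  awk '$5 == "PARENT" || $5 == "STATE" {
         total++
         if ($5 == "PARENT") parents++; else states++
         if ($4 == "(0s)") zero++
       }
       END { printf "total=%d parent=%d state=%d zero_expiry=%d\n",
                    total, parents, states, zero }'
}

# top_sources: STATE entries per source address, busiest first.
# The source address is field 7 on STATE lines (field 8 on PARENT lines).
top_sources() {
  awk '$5 == "STATE" { c[$7]++ }
       END { for (a in c) print c[a], a }' | sort -rn
}

# busy_parents THRESHOLD: limit parents whose child count exceeds THRESHOLD,
# printed as "address children".
busy_parents() {
  awk -v t="$1" '$5 == "PARENT" && $6 + 0 > t { print $8, $6 }'
}

# Demonstration on the constructed sample. On a live box replace the
# printf with:  ipfw -d list | dyn_summary   (add -e, i.e. ipfw -de list,
# to include expired entries that plain -d hides).
printf '%s\n' "$SAMPLE_DYN" | dyn_summary
printf '%s\n' "$SAMPLE_DYN" | top_sources | head -n 3
printf '%s\n' "$SAMPLE_DYN" | busy_parents 3
```

Running the summary from cron and alerting when `total` approaches net.inet.ip.fw.dyn_max, or when one address dominates `top_sources`, gives a defender an early signal before the kernel starts logging table-full errors; the number after PARENT is the count of child states ipfw tracks under that limit rule, so `busy_parents` shows which addresses are nearest to their limit.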