"Grant Peel" <[EMAIL PROTECTED]> writes:

> I was wondering what the consensus is on using dynamic rules in IPFW. Every
> once in a while, I suppose there is a DoS attack that causes me to see
> hundreds of:
>
> +ipfw: install_state: Too many dynamic rules
>
> in my security log.
>
> I am sure I read somewhere that many people are skipping the dynamic rules
> and just relying on the line by line rules.
>
> Your thoughts please.
You shouldn't allow people outside the network to invoke a dynamic rule; that's a limited resource that they can overwhelm, as you see. Usual practice is to set up state only on already-confirmed connections; in my case, that means only outbound packets that didn't match any previous state.

> And while you're up, does anyone really know what this means?
>
> ipfw: pullup failed
>
> I don't see that often, maybe 1 or 2 times a month.

A "pullup" is just advancing deeper into the packet. If it failed, that probably means the packet was too short. Truncated packets can happen for a number of benign reasons, but if they happen frequently they're probably a sign of a problem in your network equipment. By "frequently" I mean several orders of magnitude more than you're seeing them. Don't worry about it.

_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
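The layout the reply recommends, as an added example that is not part of the thread and not anyone's posted ruleset: a small ipfw(8) rule file in which `check-state` is consulted first and `keep-state` appears only on rules that match traffic leaving through the outside interface, so nothing arriving from the Internet can create an entry in the dynamic-rule table. Inbound services are plain static rules. The interface name `em0` and inside network `192.168.1.0/24` are placeholders chosen here, and the `audit_rules` helper is an ad hoc check written for this example, not an ipfw feature. The `net.inet.ip.fw.dyn_count` / `net.inet.ip.fw.dyn_max` sysctls queried by `dyn_table_status` are the kernel's current and maximum dynamic-state counts, which is the pair to watch when the "Too many dynamic rules" message shows up.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): an ipfw ruleset that only
# creates state for outbound traffic, plus a lint pass over the generated rules.
# OIF and INSIDE are assumed placeholder values; override them in the environment.

OIF="${OIF:-em0}"                    # assumed outside interface name
INSIDE="${INSIDE:-192.168.1.0/24}"   # assumed inside network

# Emit the ruleset in ipfw(8) rule-file syntax, one command per line.
emit_rules() {
    cat <<EOF
flush
add 100 allow ip from any to any via lo0
add 110 deny ip from any to 127.0.0.0/8
add 120 deny ip from 127.0.0.0/8 to any
# Match replies to sessions we already opened; this creates no new state.
add 200 check-state
# Anti-spoofing: an inside source address must never arrive on $OIF.
add 300 deny ip from $INSIDE to any in via $OIF
# Outbound from the inside network is the only place state gets created,
# so only our own hosts can consume entries in the dynamic table.
add 400 allow tcp from $INSIDE to any out via $OIF setup keep-state
add 410 allow udp from $INSIDE to any out via $OIF keep-state
add 420 allow icmp from $INSIDE to any out via $OIF keep-state
# Inbound services are static rules: no state, nothing for outsiders to exhaust.
add 500 allow tcp from any to me 22 in via $OIF setup
add 510 allow tcp from any to me 80 in via $OIF setup
add 65000 deny log ip from any to any
EOF
}

# Lint a ruleset read on stdin. Prints OK and exits 0 when: exactly one
# check-state rule exists, it precedes every keep-state rule, and no
# keep-state rule matches in the "in" direction. Otherwise prints FAIL, exits 1.
audit_rules() {
    awk '
        /^add/ && /check-state/ { cs++; if (!first_cs) first_cs = NR }
        /^add/ && /keep-state/ {
            ks++
            if ($0 !~ / out /) bad_dir++
            if (!first_cs) ks_before_cs++
        }
        END {
            if (cs != 1 || bad_dir > 0 || ks_before_cs > 0) { print "FAIL"; exit 1 }
            print "OK"
        }'
}

# Current use of the dynamic-rule table versus its ceiling (FreeBSD only).
dyn_table_status() {
    printf 'dynamic rules: %s of %s\n' \
        "$(sysctl -n net.inet.ip.fw.dyn_count)" \
        "$(sysctl -n net.inet.ip.fw.dyn_max)"
}

# Usage: sh thisfile.sh print | audit | apply | status
case "${1:-print}" in
    print)  emit_rules ;;
    audit)  emit_rules | audit_rules ;;
    apply)  emit_rules | audit_rules >/dev/null \
                && emit_rules > /tmp/ipfw.rules \
                && ipfw -q -f /tmp/ipfw.rules ;;   # -f: no prompt for "flush"
    status) dyn_table_status ;;
esac
```

Running `audit` before `apply` is the point of the helper: a rule such as `add 500 allow tcp from any to me 22 in via em0 keep-state` would let any remote host fill the dynamic table, and the lint pass rejects it.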
