IPFW kernel: ipfw: add_dyn_rule: Cannot allocate rule

I am using FreeBSD 10.3 and have installed BIND DNS. OS and BIND information is as follows:
OS: 10.3-RELEASE-p5
BIND: bind910-9.10.3P4
While maintaining the server, I found that /var/log/messages had a lot of messages like:
Code:
kernel: ipfw: add_dyn_rule: Cannot allocate rule
and when I issue commands such as top, htop, cat, vim and so on, the ssh terminals hang and then the connection aborts.
My server's ipfw rules are as follows:
Code:
#!/bin/sh
# Flush out the list before we begin.
ipfw -q -f flush
# Set rules command prefix
cmd="ipfw -q add"
pif="bge0" # interface name of NIC attached to Internet
sshaccessip="192.168.1.21"

# No restrictions on Loopback Interface
$cmd 00010 allow all from any to any via lo0

# Match packets that belong to an existing dynamic (keep-state) entry
$cmd 00101 check-state

# Outbound DNS to the two forwarders; every new flow creates a dynamic entry
$cmd 00111 allow tcp from any to 202.96.209.5 53 out via $pif setup keep-state
$cmd 00112 allow udp from any to 202.96.209.5 53 out via $pif keep-state
$cmd 00121 allow tcp from any to 8.8.8.8 53 out via $pif setup keep-state
$cmd 00122 allow udp from any to 8.8.8.8 53 out via $pif keep-state

# Allow outbound HTTP and HTTPS connections
$cmd 00200 allow tcp from any to any 80 out via $pif setup keep-state
$cmd 00220 allow tcp from any to any 443 out via $pif setup keep-state

# Allow outbound ping
$cmd 00250 allow icmp from any to any out via $pif keep-state

# deny and log all other outbound connections; replies to the inbound DNS and
# SSH rules below only get out because check-state (00101) matched their
# dynamic entry first
$cmd 00299 deny log all from any to any out via $pif


# Deny all inbound traffic from non-routable reserved address spaces
#$cmd 00300 deny all from 192.168.0.0/16 to any in via $pif #RFC 1918 private IP
#$cmd 00301 deny all from 172.16.0.0/12 to any in via $pif #RFC 1918 private IP
#$cmd 00302 deny all from 10.0.0.0/8 to any in via $pif #RFC 1918 private IP
#$cmd 00303 deny all from 127.0.0.0/8 to any in via $pif #loopback
#$cmd 00304 deny all from 0.0.0.0/8 to any in via $pif #loopback
#$cmd 00305 deny all from 169.254.0.0/16 to any in via $pif #DHCP auto-config
#$cmd 00306 deny all from 192.0.2.0/24 to any in via $pif #reserved for docs
#$cmd 00307 deny all from 204.152.64.0/23 to any in via $pif #Sun cluster interconnect
#$cmd 00308 deny all from 224.0.0.0/3 to any in via $pif #Class D & E multicast

# Allow inbound SSH connections (ipfw evaluates rules by number, so this runs
# after 00400/00401 even though it is listed first; new sessions also need a
# free slot in the dynamic table)
$cmd 00410 allow tcp from $sshaccessip to me 22 in via $pif setup keep-state
# Allow DNS connections to Public DNS server. keep-state here creates one
# dynamic entry per client query (source address and port), so a busy resolver
# fills net.inet.ip.fw.dyn_max quickly; when no slot is free ipfw logs
# "add_dyn_rule: Cannot allocate rule" and denies the packet that needed it
$cmd 00400 allow tcp from any to me 53 in via $pif keep-state
$cmd 00401 allow udp from any to me 53 in via $pif keep-state
I have set the kernel parameter
Code:
net.inet.ip.fw.dyn_max = 8192
Please help me solve this problem! Thanks very much.
 

Attachments: highcpu.png, ipfw.png, ipfwrules.png, htop not response.jpg
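The ruleset above makes the public DNS service stateful: with keep-state on the port-53 rules, every query from a new client address and port allocates an entry in ipfw's dynamic table, so a busy resolver runs into net.inet.ip.fw.dyn_max no matter how the rest of the policy looks. The script below is an added example, not the poster's script and not from any reply in this thread. It rewrites the same policy so that all DNS traffic (client queries, replies, and BIND's own queries to its forwarders) is handled by static rules, leaving only the low-volume SSH, web and ICMP flows stateful, and it pairs a larger dyn_max with a matching hash-table size. The interface, admin host and forwarder addresses are taken from the post; the IPFW/SYSCTL dry-run variables, the rule numbers, the explicit final deny in both directions and the tuning values are my assumptions. The commented-out bogon filters from the original are left out. One trade-off to note: the stateless reply rule lets any UDP from a forwarder's port 53 reach any local port, which is the usual price of not tracking BIND's randomized source ports.

```shell
#!/bin/sh
# Added example, not the original poster's script: the same policy with the
# DNS service handled STATELESSLY, so that queries never create dynamic
# (keep-state) entries.  Only the admin SSH session and the server's own
# outbound web/ICMP traffic are stateful, which keeps the dynamic table small.
# Assumptions not from the thread: the IPFW/SYSCTL dry-run switch, the rule
# numbers and the tuning values (starting points, not measured for this host).
pif="bge0"                          # interface facing the Internet (from the thread)
sshaccessip="192.168.1.21"          # admin host allowed to ssh in (from the thread)
forwarders="202.96.209.5 8.8.8.8"   # resolvers BIND forwards to (from the thread)

IPFW="${IPFW:-ipfw -q}"             # IPFW="echo ipfw -q" prints instead of applying
SYSCTL="${SYSCTL:-sysctl}"

build_rules() {
    add="$IPFW add"
    $IPFW -f flush
    $add 00010 allow all from any to any via lo0
    $add 00101 check-state

    # DNS service: one static rule per direction, no dynamic entry per query.
    $add 00200 allow udp from any to me 53 in via "$pif"
    $add 00201 allow tcp from any to me 53 in via "$pif"
    $add 00210 allow udp from me 53 to any out via "$pif"
    $add 00211 allow tcp from me 53 to any out via "$pif"

    # BIND's own queries to the forwarders, also stateless.  Source ports are
    # randomized, so replies are matched on the forwarder's port 53; for TCP
    # only segments of an already established connection are let back in.
    for fwd in $forwarders; do
        $add 00300 allow udp from me to "$fwd" 53 out via "$pif"
        $add 00301 allow udp from "$fwd" 53 to me in via "$pif"
        $add 00310 allow tcp from me to "$fwd" 53 out via "$pif"
        $add 00311 allow tcp from "$fwd" 53 to me in via "$pif" established
    done

    # Stateful rules: low volume, one dynamic entry per session.
    $add 00400 allow tcp from "$sshaccessip" to me 22 in via "$pif" setup keep-state
    $add 00410 allow tcp from me to any 80 out via "$pif" setup keep-state
    $add 00411 allow tcp from me to any 443 out via "$pif" setup keep-state
    $add 00420 allow icmp from me to any out via "$pif" keep-state

    # Everything else, in both directions, is denied and logged (my choice; the
    # original relied on the default rule for inbound traffic).
    $add 00500 deny log all from any to any via "$pif"
}

tune_dyn() {
    # The remaining stateful rules need few slots, but keep headroom and size
    # the hash table with the slot count.  dyn_buckets must be a power of two
    # and is applied when ipfw (re)allocates the dynamic table, so put both in
    # /etc/sysctl.conf rather than relying on a live change alone.
    $SYSCTL net.inet.ip.fw.dyn_max=65536
    $SYSCTL net.inet.ip.fw.dyn_buckets=8192
    # Shorter UDP state lifetime (default 10 s): if keep-state is ever put back
    # on a UDP rule, entries are reclaimed sooner.
    $SYSCTL net.inet.ip.fw.dyn_udp_lifetime=5
}

# The number to watch when the log shows "add_dyn_rule: Cannot allocate rule".
show_dyn() {
    $SYSCTL net.inet.ip.fw.dyn_count net.inet.ip.fw.dyn_max
}

# Print the commands instead of running them (no root needed).
dry_run() {
    ( IPFW="echo ipfw -q"; SYSCTL="echo sysctl"; build_rules; tune_dyn; show_dyn )
}

# Usage: sh ipfw_dns.sh apply   (as root)     sh ipfw_dns.sh   (print only)
case "${1:-print}" in
    apply) build_rules; tune_dyn; show_dyn ;;
    *)     dry_run ;;
esac
```

Run it without arguments first and read the printed ipfw commands; only `apply` (as root) touches the firewall. After applying, `sysctl net.inet.ip.fw.dyn_count` should stay near the number of open SSH and outbound web sessions rather than tracking the DNS query rate.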
Thanks for your reply. I have changed net.inet.ip.fw.dyn_max to 65535, and now the
Code:
kernel: ipfw: add_dyn_rule: Cannot allocate rule
messages are gone. But when I issue some commands such as top or vim, the terminal hangs; typing Ctrl+C or any other key gets no response, and after a few minutes the ssh terminal crashes and the connection aborts. This problem is now very urgent, because it means normal maintenance cannot be carried out. Thanks again, everyone.
 
After long-term exploration and unremitting effort, I have found the root cause of the problem: the IPFW firewall causes all of it. When I disabled IPFW, commands such as vim, top, htop and so on all ran normally. I now think maybe the IPFW rule set is mistaken? But I have two FreeBSD servers, one the master BIND and the other the slave BIND; they have the same IPFW rules, and on the slave BIND server everything was normal. I suspect that the master BIND server has a high load, which leads to some commands executing abnormally. Although I found the root cause of the problem, I don't know why. I used PF instead of IPFW, and with PF everything was normal. I am very curious why IPFW causes a problem like this, or how to configure IPFW so that it works normally under high load. Thanks, everyone.
 