I am using FreeBSD 10.3 and have installed BIND DNS. OS and BIND information as follows:
OS: 10.3-RELEASE-p5
BIND: bind910-9.10.3P4
While maintaining the server, I found /var/log/messages has a lot of messages such as:
Code:
kernel: ipfw: add_dyn_rule: Cannot allocate rule
When I issue commands such as top, htop, cat, vim and so on, the ssh terminals hang, and then the connection aborts.
I have set up the kernel parameter shown at the end of this post.
My server's ipfw rules are as follows:
Code:
Code:
#!/bin/sh
# Flush out the list before we begin.
ipfw -q -f flush
# Set rules command prefix
cmd="ipfw -q add"
pif="bge0" # interface name of NIC attached to Internet
sshaccessip="192.168.1.21"
# No restrictions on Loopback Interface
$cmd 00010 allow all from any to any via lo0
$cmd 00101 check-state
$cmd 00111 allow tcp from any to 202.96.209.5 53 out via $pif setup keep-state
$cmd 00112 allow udp from any to 202.96.209.5 53 out via $pif keep-state
$cmd 00121 allow tcp from any to 8.8.8.8 53 out via $pif setup keep-state
$cmd 00122 allow udp from any to 8.8.8.8 53 out via $pif keep-state
# Allow outbound HTTP and HTTPS connections
$cmd 00200 allow tcp from any to any 80 out via $pif setup keep-state
$cmd 00220 allow tcp from any to any 443 out via $pif setup keep-state
# Allow outbound ping
$cmd 00250 allow icmp from any to any out via $pif keep-state
# deny and log all other outbound connections
$cmd 00299 deny log all from any to any out via $pif
# Deny all inbound traffic from non-routable reserved address spaces
#$cmd 00300 deny all from 192.168.0.0/16 to any in via $pif #RFC 1918 private IP
#$cmd 00301 deny all from 172.16.0.0/12 to any in via $pif #RFC 1918 private IP
#$cmd 00302 deny all from 10.0.0.0/8 to any in via $pif #RFC 1918 private IP
#$cmd 00303 deny all from 127.0.0.0/8 to any in via $pif #loopback
#$cmd 00304 deny all from 0.0.0.0/8 to any in via $pif #loopback
#$cmd 00305 deny all from 169.254.0.0/16 to any in via $pif #DHCP auto-config
#$cmd 00306 deny all from 192.0.2.0/24 to any in via $pif #reserved for docs
#$cmd 00307 deny all from 204.152.64.0/23 to any in via $pif #Sun cluster interconnect
#$cmd 00308 deny all from 224.0.0.0/3 to any in via $pif #Class D & E multicast
# Allow inbound SSH connections
$cmd 00410 allow tcp from $sshaccessip to me 22 in via $pif setup keep-state
# Allow DNS connections to Public DNS server
$cmd 00400 allow tcp from any to me 53 in via $pif keep-state
$cmd 00401 allow udp from any to me 53 in via $pif keep-state
Code:
net.inet.ip.fw.dyn_max = 8192
Please help me solve this problem! Thanks very much.
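A defender's check added here by the editor, not part of the original post and not code from FreeBSD or ipfw itself: the logged message comes from ipfw's allocator for dynamic (keep-state) entries, and net.inet.ip.fw.dyn_max caps how many of those can exist at once. The sh helpers below report how full the dynamic table is (from the real net.inet.ip.fw.dyn_count and net.inet.ip.fw.dyn_max sysctls), count allocation failures in a syslog stream, and list the rules in an ipfw script that keep state for inbound flows. On the ruleset above, rules 00400 and 00401 keep state for every inbound DNS client flow, so a busy public DNS server can fill 8192 entries quickly; the usual remedies are raising dyn_max, shortening net.inet.ip.fw.dyn_udp_lifetime, or not keeping state for stateless UDP DNS at all. The sample log lines, sample rule lines and the 90 percent threshold are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original post: helpers to check how full
# the ipfw dynamic (keep-state) rule table is and which rules feed it.
# Real FreeBSD sysctl OIDs: net.inet.ip.fw.dyn_count, net.inet.ip.fw.dyn_max.
# The sample log lines and rule lines below are constructed for the demo.

# Percentage of the dynamic table in use, from a count and a maximum.
dyn_utilization() {
    count=$1
    max=$2
    [ "$max" -gt 0 ] || return 1
    echo $(( count * 100 / max ))
}

# Exit 0 when utilization is below THRESHOLD percent, 1 otherwise.
# Usage: dyn_headroom_ok COUNT MAX THRESHOLD
dyn_headroom_ok() {
    used=$(dyn_utilization "$1" "$2") || return 1
    [ "$used" -lt "$3" ]
}

# Same check against the live kernel counters (FreeBSD only).
live_dyn_headroom_ok() {
    dyn_headroom_ok "$(sysctl -n net.inet.ip.fw.dyn_count)" \
                    "$(sysctl -n net.inet.ip.fw.dyn_max)" "${1:-90}"
}

# Number of allocation failures in a syslog stream read from stdin.
count_dyn_failures() {
    grep -c 'ipfw: add_dyn_rule: Cannot allocate rule' || true
}

# Rules (ipfw script on stdin) that keep state for inbound flows: every new
# inbound flow matching one of them costs one dynamic entry until it expires.
inbound_keepstate_rules() {
    grep -E '^\$cmd [0-9]+ allow .* in via .*keep-state' || true
}

count_inbound_keepstate_rules() {
    inbound_keepstate_rules | wc -l | tr -d ' '
}

# Constructed sample data (not taken from the original post's logs).
SAMPLE_LOG='Jul 10 09:58:01 ns1 kernel: ipfw: add_dyn_rule: Cannot allocate rule
Jul 10 09:58:01 ns1 sshd[1234]: Accepted publickey for admin from 192.168.1.21
Jul 10 09:58:02 ns1 kernel: ipfw: add_dyn_rule: Cannot allocate rule
Jul 10 09:58:02 ns1 kernel: ipfw: add_dyn_rule: Cannot allocate rule'

SAMPLE_RULES='$cmd 00111 allow tcp from any to 202.96.209.5 53 out via $pif setup keep-state
$cmd 00410 allow tcp from $sshaccessip to me 22 in via $pif setup keep-state
$cmd 00400 allow tcp from any to me 53 in via $pif keep-state
$cmd 00401 allow udp from any to me 53 in via $pif keep-state'

echo "failures logged: $(printf '%s\n' "$SAMPLE_LOG" | count_dyn_failures)"
echo "inbound keep-state rules: $(printf '%s\n' "$SAMPLE_RULES" | count_inbound_keepstate_rules)"
printf '%s\n' "$SAMPLE_RULES" | inbound_keepstate_rules
echo "utilization at 8000/8192: $(dyn_utilization 8000 8192)%"
```

On the server itself, run live_dyn_headroom_ok from cron or a monitoring check and pipe /var/log/messages into count_dyn_failures; a rising failure count together with a table near dyn_max confirms dynamic-rule exhaustion rather than a BIND problem.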