
IPFW Problem??

Discussion on IPFW Problem?? within the Metin2 Private Server forum part of the Metin2 category.

#1 darkman2000

I'm getting SYN attacks and use ipfw on FreeBSD 9.1 64 bit.

I have a problem:
ipfw install_state too many dynamic rules

My ipfw.conf:

Code:
IPF="ipfw -q add"
ipfw -q -f flush

################################################# 
# Loopback access 127.0.0.1 
################################################# 
$IPF 10 allow all from any to any via lo0 
$IPF 11 deny all from any to 127.0.0.0/8 
$IPF 12 deny all from 127.0.0.0/8 to any 
$IPF 13 deny tcp from any to any frag 

################################################# 
# Rule conditions 
################################################# 
$IPF 14 check-state 
$IPF 15 allow tcp from any to any established 
$IPF 16 allow all from any to any out keep-state 
$IPF 17 allow icmp from any to any 

################################################# 
# Ports allowed out 
################################################# 
$IPF 18 allow tcp from any to any 22 setup keep-state
$IPF 19 allow tcp from any to any 13000 setup keep-state
$IPF 20 allow tcp from any to any 13001 setup keep-state
$IPF 21 allow tcp from any to any 16000 setup keep-state
$IPF 22 allow tcp from any to any 18000 setup keep-state
$IPF 23 allow tcp from any to any 21000 setup keep-state
$IPF 24 allow tcp from any to any 3306 setup keep-state
$IPF 25 allow tcp from any to any 11005 setup keep-state
$IPF 26 allow udp from any to any 22 keep-state
$IPF 27 allow udp from any to any 13000 keep-state
$IPF 28 allow udp from any to any 13001 keep-state
$IPF 29 allow udp from any to any 16000 keep-state
$IPF 30 allow udp from any to any 18000 keep-state
$IPF 31 allow udp from any to any 21000 keep-state
$IPF 32 allow udp from any to any 3306 keep-state
$IPF 33 allow udp from any to any 11005 keep-state
####################################################
# Attack packet limiting
####################################################
ipfw add 409 allow tcp from any to me 22 in via em0 setup limit src-addr 20
ipfw add 410 allow tcp from any to me 13000 in via em0 setup limit src-addr 10
ipfw add 411 allow tcp from any to me 13001 in via em0 setup limit src-addr 10
ipfw add 412 allow tcp from any to me 16000 in via em0 setup limit src-addr 10
ipfw add 413 allow tcp from any to me 21000 in via em0 setup limit src-addr 10
ipfw add 414 allow tcp from any to me 18000 in via em0 setup limit src-addr 10
ipfw add 415 allow tcp from any to me 11005 in via em0 setup limit src-addr 5
ipfw add 416 allow tcp from any to me 3306 in via em0 setup limit src-addr 10
ipfw add 419 allow udp from any to me 22 in via em0 setup limit src-addr 80
ipfw add 420 allow udp from any to me 13000 in via em0 setup limit src-addr 80
ipfw add 421 allow udp from any to me 13001 in via em0 setup limit src-addr 80
ipfw add 422 allow udp from any to me 16000 in via em0 setup limit src-addr 80
ipfw add 423 allow udp from any to me 21000 in via em0 setup limit src-addr 80
ipfw add 424 allow udp from any to me 18000 in via em0 setup limit src-addr 80
ipfw add 425 allow udp from any to me 11005 in via em0 setup limit src-addr 50
ipfw add 426 allow udp from any to me 3306 in via em0 setup limit src-addr 50
$IPF 34 allow all from mywebserverip to me
$IPF 36 allow all from myip to any 14000
$IPF 37 allow all from myip to any 14000
$IPF 38 deny all from any to me 14000
$IPF 39 allow all from myip to any 17000
$IPF 40 allow all from myip to any 17000
$IPF 41 deny all from any to me 17000
$IPF 42 allow all from myip to any 20000
$IPF 43 allow all from myip to any 20000
$IPF 44 deny all from any to me 20000
$IPF 45 allow all from myip to any 22000
$IPF 46 allow all from myip to any 22000
$IPF 47 deny all from any to me 22000
$IPF 48 allow all from myip to any 12000
$IPF 49 allow all from myip to any 12000
$IPF 50 deny all from any to me 12000
$IPF 51 allow all from myip to any 14001
$IPF 52 allow all from myip to any 14001
$IPF 53 deny all from any to me 14001
$IPF deny log all from any to any

My sysctl.conf:
net.inet.ip.fw.dyn_max=65536
net.inet.ip.fw.dyn_buckets=1024
net.inet.ip.fw.dyn_ack_lifetime=60
#2 Mashkin, 02/06/2013, 13:44
You should implode all your rules into fewer ones, just as a tip.

Example:
Code:
ipfw add 410 allow tcp from any to me 13000 in via em0 setup limit src-addr 10
ipfw add 411 allow tcp from any to me 13001 in via em0 setup limit src-addr 10
ipfw add 412 allow tcp from any to me 16000 in via em0 setup limit src-addr 10
ipfw add 413 allow tcp from any to me 21000 in via em0 setup limit src-addr 10
ipfw add 414 allow tcp from any to me 18000 in via em0 setup limit src-addr 10

to

ipfw add 410 allow tcp from any to me 13000,13001,16000,21000,18000 in via em0 setup limit src-addr 10
Next thing: As far as I know, the setup keyword doesn't work with UDP, because UDP has no setup process (handshake) like TCP has.

For your SYN-issue, you should rather try SYN cookies. They have been invented for exactly the purpose of blocking SYN floods and should work better than a firewall.

gives information about SYN cookies.
A simple sysctl enables them: "net.inet.tcp.syncookies=1".

As for your state overflow, there are probably more than 65536 sessions created by SYN packets. SYN packets are pretty small and can stack up easily.
You could decrease the IPFW dynamic rule lifetime, but that could affect your services by kicking out valid users who are idle or have a lag.
#3 darkman2000, 02/06/2013, 14:20
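An added example, not from this thread or from ipfw itself, that does Mashkin's consolidation mechanically: it parses rules in the poster's format, merges rules that differ only in destination port into one comma-separated port list (ipfw's port-list syntax), and flags `setup` on UDP rules, dropping the keyword there on the assumption that his point about `setup` being TCP-only is right. The rule text is a constructed sample in the shape of the poster's "limit src-addr" rules.

```python
import re

# Constructed sample in the same shape as the poster's rule set (not his full file).
SAMPLE_RULES = """\
ipfw add 410 allow tcp from any to me 13000 in via em0 setup limit src-addr 10
ipfw add 411 allow tcp from any to me 13001 in via em0 setup limit src-addr 10
ipfw add 412 allow tcp from any to me 16000 in via em0 setup limit src-addr 10
ipfw add 415 allow tcp from any to me 11005 in via em0 setup limit src-addr 5
ipfw add 420 allow udp from any to me 13000 in via em0 setup limit src-addr 80
ipfw add 421 allow udp from any to me 13001 in via em0 setup limit src-addr 80
"""

# One rule: "ipfw add <num> <action> <proto> from <src> to <dst> <port> <rest>"
RULE_RE = re.compile(
    r"^ipfw add (?P<num>\d+) (?P<action>\w+) (?P<proto>\w+) from (?P<src>\S+) "
    r"to (?P<dst>\S+) (?P<port>\d+)(?P<rest>(?: .*)?)$"
)


def consolidate(text):
    """Merge rules that differ only in destination port into one rule with a
    comma-separated port list. Returns (merged_rules, warnings); each merged
    rule keeps the number of the first rule in its group, so ordering holds."""
    groups = {}      # (action, proto, src, dst, options) -> (first num, [ports])
    warnings = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue          # comments, flush lines, rules in another shape
        opts = m["rest"].split()
        if m["proto"] == "udp" and "setup" in opts:
            # 'setup' matches TCP SYN-without-ACK; it cannot match a UDP packet.
            warnings.append(f"rule {m['num']}: 'setup' has no effect on udp, dropped")
            opts = [o for o in opts if o != "setup"]
        key = (m["action"], m["proto"], m["src"], m["dst"], " ".join(opts))
        groups.setdefault(key, (m["num"], []))[1].append(m["port"])
    merged = []
    for (action, proto, src, dst, rest), (num, ports) in groups.items():
        ports = ",".join(ports)   # ipfw port list: no spaces between entries
        merged.append(f"ipfw add {num} {action} {proto} from {src} to {dst} {ports} {rest}".rstrip())
    return merged, warnings


if __name__ == "__main__":
    rules, warns = consolidate(SAMPLE_RULES)
    print("\n".join(rules))
    for w in warns:
        print("warning:", w)
```

Six input rules become three; the two UDP rules are merged and each of them produces one warning.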
Quote: Originally Posted by Mashkin
I used these things; I don't get the error for 5 minutes, but after that I get the error.

My problem is not fixed. Help me.