From: Paul Schmehl (pauls@utdallas.edu)
To: FreeBSD questions <freebsd-questions@freebsd.org>
Date: Thu, 03 Mar 2005 12:37:55 -0600
Message-ID: <302EDA302808644CF37C11E5@utd49554.utdallas.edu>
Subject: ipfw lost its mind?

I maintain a small hobby website running on FreeBSD 4.9 SECURITY. I'm paranoid about security and religious about updates (kernel and ports). Recently, the server began to exhibit odd behavior that looked for all the world like name resolution issues. I had recently updated bind to 9.0.3_1, so I assumed that was the likely culprit and I began to troubleshoot. Bind was acting flaky, so I deinstalled it and installed 8.4 instead. It still complained about the socket file (which is what 9.0.3_1 did), so I decided to dump bind and installed djbdns instead. (Best thing I ever did. Response is much better.) However, the sluggishness problem continued.
Last night I drove back over to the server and, after checking some things, I discovered some very strange behavior from ipfw. Even though my script has been working fine for over three years, I found that when I added a rule to allow all (ipfw add 00001 allow ip from any to any) the server immediately began to process traffic normally. Keep in mind, before I made this change, you could still access the website. It was just slower than molasses. Ssh and mail sessions timed out and were unusable.

So, I removed rule 00001 and created a new one like this: ipfw add 00050 allow ip from (my workstation at work) to any. I then ssh'd to my workstation and attempted to ssh back to the server. No go. Yet ipfw show shows an increased packet count on the counter for that rule. So, it's seeing the packets, but they're being delayed somehow. Why the allow ip from any to any works, but allow ip from my workstation to any doesn't is a complete mystery to me.

To make a long story short, I disabled the firewall and everything is running normally.

My question is, has anyone else seen recent strange behavior from ipfw? Or has anyone seen this *kind* of behavior from ipfw and knows what the cause is?

Paul Schmehl (pauls@utdallas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
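As an added illustration (not part of Paul's post and not ipfw's own code), this Python model of ipfw's stateless, first-match, per-packet evaluation shows the asymmetry between the two rules he tried: "allow ip from any to any" matches both directions of an SSH session, while "allow ip from <workstation> to any" matches only the client-to-server packets, yet still bumps its counter exactly as "ipfw show" reported. The addresses, the single-rule rulesets and the trailing default deny are constructed assumptions; the rest of the original ruleset is not shown in the post.

```python
"""Minimal model of ipfw first-match rule evaluation (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    number: int
    action: str        # "allow" or "deny"
    src: str           # IP address or "any"
    dst: str           # IP address or "any"
    count: int = 0     # per-rule packet counter, as displayed by `ipfw show`

    def matches(self, src: str, dst: str) -> bool:
        return self.src in ("any", src) and self.dst in ("any", dst)


def evaluate(rules: List[Rule], src: str, dst: str) -> Tuple[Optional[int], str]:
    """Consult rules in ascending number order; the first match decides.
    A packet matching nothing falls to the default rule, modelled here as
    deny (an assumption: the real default depends on the kernel config)."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(src, dst):
            rule.count += 1
            return rule.number, rule.action
    return None, "deny"


def ssh_session_ok(rules: List[Rule], client: str, server: str) -> bool:
    """A TCP session needs both directions: client->server and server->client."""
    _, forward = evaluate(rules, client, server)
    _, reverse = evaluate(rules, server, client)
    return forward == "allow" and reverse == "allow"


WORKSTATION = "192.0.2.10"   # constructed address for "my workstation at work"
SERVER = "198.51.100.5"      # constructed address for the FreeBSD server


def scenario_any_to_any() -> bool:
    """ipfw add 00001 allow ip from any to any"""
    return ssh_session_ok([Rule(1, "allow", "any", "any")], WORKSTATION, SERVER)


def scenario_workstation_to_any() -> Tuple[bool, int]:
    """ipfw add 00050 allow ip from <workstation> to any, on its own.
    Returns (session works?, packets counted on rule 50)."""
    rules = [Rule(50, "allow", WORKSTATION, "any")]
    ok = ssh_session_ok(rules, WORKSTATION, SERVER)
    return ok, rules[0].count
```

The one-directional rule still counts the inbound packet (count 1) while the reply from the server never matches it, so a stateless ruleset needs an explicit rule for the return direction (or keep-state) to carry a session.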