Date:      Tue, 29 Jan 2002 13:58:23 +0200
From:      "Patrick O'Reilly" <patrick@mip.co.za>
To:        "FreeBSD Question List" <freebsd-questions@freebsd.org>
Subject:   ipfw and dummynet - packets getting into tight loops, or what?
Message-ID:  <NDBBIMKICMDGDMNOOCAIOEMPEBAA.patrick@mip.co.za>

Hi all.

I have something which goes against everything I've ever seen ipfw and
dummynet doing before.  If you've seen this before, please help!

Here is part of my firewall ruleset, as shown by 'ipfw show':
----------------------------------
01000    30954    18484949 divert 8660 ip from any to any via xl0
01000   101831    17836728 divert 8661 ip from any to any via xl1
<snip>
10010 50595268 38817317697 pipe 110 tcp from any to x.x.x.10 25 out xmit xl1
10011  1921940   103490898 pipe 110 tcp from any 25 to x.x.x.10 out xmit xl1
10012     2723      123257 pipe 111 tcp from x.x.x.10 25 to any in recv xl1
10013      383      305398 pipe 111 tcp from x.x.x.10 to any 25 in recv xl1
----------------------------------

The thing I'm worried about is that huge volume through rule 10010.
38Gb accumulated in about 15 minutes!!!  And that's through a pipe that
is set as follows:
----------------------------------
${fwcmd} pipe 110 config bw 16Kbit/s
----------------------------------
The sum total of traffic through ALL other rules during the same period
was only about 65Mb, but it reports 38Gb through that one rule.

To fill in the picture a bit:
* The server is our internet gateway and firewall.
* xl0 is the NIC attached to the exterior router.
* xl1 is the NIC attached to the DMZ, where the mail server resides.
* The Mail Server is Exchange on NT.
* I'm running natd on both interfaces because I have some
"redirect_address" directives which need to work from the outside as
well as from the DMZ.
* The host has a further 4 interfaces (1 NIC and 3 X.21 ports) attaching
to our private networks.  None of these interfaces showed this kind of
behaviour.

It looks like that 38Gb of data appeared out of thin air!

I have changed the rule to a simple "ipfw add 10010 allow tcp ...." and
now it behaves the way I would expect.  But I need to make use of the
DUMMYNET pipe for bandwidth restriction.

Help!   :-/

Regards,
Patrick.
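A sanity check over counters like the ones in this post, written as an added example and not code from the post: it parses `ipfw show` lines, compares each pipe rule's byte counter with the most the pipe's configured bandwidth could have carried over the sampling interval, and flags counters that cannot be real traffic. The 15-minute interval, the assumption that the counters were zeroed at the start of it, and the rate for pipe 111 (not stated in the post) are assumptions.

```python
import re

# Constructed input: the `ipfw show` lines quoted in the post, with the
# wrapped "xl1" continuation lines joined back onto their rules.
IPFW_SHOW = """\
01000    30954    18484949 divert 8660 ip from any to any via xl0
01000   101831    17836728 divert 8661 ip from any to any via xl1
10010 50595268 38817317697 pipe 110 tcp from any to x.x.x.10 25 out xmit xl1
10011  1921940   103490898 pipe 110 tcp from any 25 to x.x.x.10 out xmit xl1
10012     2723      123257 pipe 111 tcp from x.x.x.10 25 to any in recv xl1
10013      383      305398 pipe 111 tcp from x.x.x.10 to any 25 in recv xl1
"""

# Configured pipe bandwidth in bits per second. Pipe 110 is 16Kbit/s per the
# post (dummynet's "Kbit" is 1000 bits); the rate for pipe 111 is assumed.
PIPE_BW_BPS = {110: 16_000, 111: 16_000}

# rule-number, packet counter, byte counter, "pipe", pipe number, rule body
RULE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+pipe\s+(\d+)\s+(.*)$")


def parse_pipe_rules(text):
    """Return (rule_no, packets, bytes, pipe_no, body) for every pipe rule."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rule, pkts, nbytes, pipe, body = m.groups()
            rules.append((int(rule), int(pkts), int(nbytes), int(pipe), body))
    return rules


def flag_impossible_counters(text, interval_s, pipe_bw_bps=PIPE_BW_BPS):
    """Map rule_no -> (counted bytes / bandwidth ceiling) for rules whose
    byte counter exceeds what the pipe could pass in interval_s seconds.
    Assumes the counters were zeroed at the start of the interval."""
    flagged = {}
    for rule, _pkts, nbytes, pipe, _body in parse_pipe_rules(text):
        if pipe not in pipe_bw_bps:
            continue  # no configured rate known for this pipe, skip
        ceiling_bytes = pipe_bw_bps[pipe] * interval_s / 8
        ratio = nbytes / ceiling_bytes
        if ratio > 1.0:
            flagged[rule] = ratio
    return flagged


if __name__ == "__main__":
    for rule, ratio in sorted(flag_impossible_counters(IPFW_SHOW, 15 * 60).items()):
        print(f"rule {rule}: {ratio:,.0f}x the pipe's 15-minute ceiling")
```

Rule 10010 comes out at roughly 21,565 times what a 16Kbit/s pipe can carry in 15 minutes; rule 10011 is also flagged, which is what you would expect if those counters had not been zeroed at the start of the interval.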

