Date: Fri, 25 Aug 2000 20:28:37 -0700
From: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>
To: tucka <tucka@fatbastard.zialink.com>
Cc: freebsd-stable@FreeBSD.ORG
Subject: Re: ipnat fails under load
Message-ID: <200008260329.e7Q3TPq87381@cwsys.cwsent.com>
In-Reply-To: Your message of "Fri, 25 Aug 2000 20:55:40 MDT." <Pine.BSF.4.21.0008252052260.3518-100000@fatbastard.zialink.com>

In message <Pine.BSF.4.21.0008252052260.3518-100000@fatbastard.zialink.com>, tucka writes:
> You can add me to the list of people who have problems with ipfilter
> under load. 3 boxes, 2 with 4.1-S ipf 3.4.8 and 1 with 4.0-S ipf 3.3.8.
> It doesn't seem to be so much a problem with how many clients are
> accessing the server, but rather just a matter of time. All 3 boxes
> consistently fail after 2 to 4 hours of use. Some can be "saved" via
> an ipf -Fa and reloading, but usually they need to be restarted. I've
> had to go back to SUSE *blech* on one box because it was just unusable.
> If there is any other info I can provide to help resolve this issue please
> don't hesitate to ask.

What's your configuration? Could you list your IPF and NAT rules? Next time you have a "freeze", issue ipfstat -s and ipfstat -sl. If you're using stateful filtering, could it be that your state table has filled?

What type of traffic do you generally have going through your firewalls? If you use a lot of FTP and use the FTP proxy, 3.4.8 is broken for some FTP clients -- upgrade to 3.4.9. If you use RCMD proxy with rcp or krcp, your state and NAT tables will fill up very quickly, eventually hanging the box.

I have IPF running on my gateway at home (4.1R), 4 FreeBSD 4.1-R systems at work (+ 12 Solaris systems), and on two systems at a friend's ISP (one running 3.4S and the other running 4.0R). The versions of IPF range from 3.3.7 - 3.4.9. All without problem.

One thing to note is that I've disabled IPv6 in all of my kernels (primarily because I cannot get KRB5 to work through NAT with IPv6 enabled). This is just a hunch but if you do have IPv6 enabled try disabling it.

You may want to send a question to the IP Filter mailing list (ipfilter@coombs.anu.edu.au) or visit the IP Filter Web site at http://coombs.anu.edu.au/~avalon/ip-filter.html which describes how to subscribe to the IP Filter mailing list.

The short of it is that you need to do more homework before posting questions.

Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Team Leader, Sun/DEC Team   Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message