From: Özkan KIRIK <ozkan.kirik@gmail.com>
To: ipfw@freebsd.org
Date: Mon, 16 Feb 2009 11:08:27 +0200
Subject: in-kernel nat and stateful inspection hangs system 7.1 RELEASE
Message-ID: <1d3a1860902160108j372b4446pd21760984d253627@mail.gmail.com>
List-Id: IPFW Technical Discussions (freebsd-ipfw@freebsd.org)
Hi,

I am using FreeBSD 7.1-RELEASE as a gateway (about 2000 clients, 90 VLANs via if_vlan). My server is an HP DL380 G4. I am using the on-board gigabit NIC as the WAN interface, which uses the bge driver.

My rule set is below:

wan_intf="bge1"

ipfw nat 100 config ip X.X.X.1 reset same_ports
ipfw nat 101 config ip X.X.X.2 reset same_ports
ipfw nat 102 config ip X.X.X.3 reset same_ports
...
...
ipfw add 5 allow all from any to any layer2
ipfw add 50 check-state
...
...
Other port forwarding and static nat rules without keep-state
...
ipfw add 50000 nat 100 all from 10.1.0.0/16 to any via $wan_intf
ipfw add 50000 skipto 51000 all from X.X.X.1 to any setup keep-state via $wan_intf
ipfw add 50000 nat 101 all from 10.1.0.0/16 to any via $wan_intf
ipfw add 50000 skipto 51000 all from X.X.X.2 to any setup keep-state via $wan_intf
ipfw add 50000 nat 102 all from 10.1.0.0/16 to any via $wan_intf
ipfw add 50000 skipto 51000 all from X.X.X.3 to any setup keep-state via $wan_intf
...
...
ipfw add 51000 nat 100 all from any to X.X.X.1 via $wan_intf
ipfw add 51000 nat 101 all from any to X.X.X.2 via $wan_intf
ipfw add 51000 nat 102 all from any to X.X.X.3 via $wan_intf
...
...

About 2 minutes after applying this rule set, the system writes "bge1 watchdog timeout -- resetting" and then hangs; the keyboard doesn't respond. No logs can be observed. When I remove all skipto and check-state rules, the system works properly without problems. I suspect the stateful inspection code.

Some sysctl variables are below:

net.inet.ip.fw.dyn_max=32768
net.inet.ip.fw.dyn_ack_lifetime=100
net.inet.ip.fw.dyn_short_lifetime=10
net.inet.ip.fw.one_pass=0
net.inet.ip.dummynet.hash_size=256
kern.maxfiles=32000
kern.ipc.somaxconn=1024
net.inet.ip.process_options=0
net.inet.ip.fastforwarding=1
net.link.ether.ipfw=1

Thanks for your interest.
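As an added example (not part of the original post or of ipfw itself), a small POSIX sh/awk linter for rule sets of the kind shown above: it checks that every skipto target is a rule number that exists and lies after the rule that jumps to it (ipfw skipto only jumps forward), that every nat instance a rule references has a matching nat config, and that keep-state is not used without a check-state rule. The sample rule set is the one from the post with the elided "..." sections left out; it assumes nothing beyond standard awk.

```sh
#!/bin/sh
# Added example, not from the original post: lint an ipfw rule set with
# in-kernel nat instances and skipto/keep-state rules. Reads "ipfw ..."
# lines on stdin, prints one line per problem, exits with the problem count.
lint_ipfw_rules() {
  awk '
    { if ($1 == "ipfw") { $1 = ""; $0 = $0 } }      # drop the leading "ipfw" word
    $1 == "nat" && $3 == "config" { natdef[$2] = 1; next }
    $1 == "add" {
      rulenum[$2] = 1
      for (i = 3; i <= NF; i++) {
        if ($i == "nat")         natuse[$(i + 1)] = 1   # nat instance referenced
        if ($i == "skipto")      jump[$2] = $(i + 1)    # jump source -> target
        if ($i == "keep-state")  keep = 1
        if ($i == "check-state") check = 1
      }
    }
    END {
      n = 0
      for (r in jump) {
        t = jump[r]
        if (!(t in rulenum)) { print "rule " r ": skipto target " t " does not exist"; n++ }
        else if (t + 0 <= r + 0) { print "rule " r ": skipto target " t " is not after it"; n++ }
      }
      for (i in natuse)
        if (!(i in natdef)) { print "nat instance " i " used but never configured"; n++ }
      if (keep && !check) { print "keep-state used without any check-state rule"; n++ }
      exit n
    }'
}

# Constructed sample: the rule set from the post with the elided parts left
# out (X.X.X.n are the placeholder public addresses used in the post).
RULES='wan_intf="bge1"
ipfw nat 100 config ip X.X.X.1 reset same_ports
ipfw nat 101 config ip X.X.X.2 reset same_ports
ipfw add 5 allow all from any to any layer2
ipfw add 50 check-state
ipfw add 50000 nat 100 all from 10.1.0.0/16 to any via $wan_intf
ipfw add 50000 skipto 51000 all from X.X.X.1 to any setup keep-state via $wan_intf
ipfw add 50000 nat 101 all from 10.1.0.0/16 to any via $wan_intf
ipfw add 50000 skipto 51000 all from X.X.X.2 to any setup keep-state via $wan_intf
ipfw add 51000 nat 100 all from any to X.X.X.1 via $wan_intf
ipfw add 51000 nat 101 all from any to X.X.X.2 via $wan_intf'

printf '%s\n' "$RULES" | lint_ipfw_rules && echo "rule set is internally consistent"
```

The posted rule set passes these checks, so the hang is not explained by a dangling skipto target or a missing nat instance; the linter is a sanity check before loading a rule set, not a diagnosis.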