Date: Wed, 25 Aug 2004 16:27:36 +0400
From: Dmitry Zadvornykh <foot@binbank.ru>
To: freebsd-questions@freebsd.org
Subject: Trouble with ipfw :( help!
Message-ID: <1994096311.20040825162736@binbank.ru>
Sorry for my lame question! I have configured ipfw on my mail server, but I have trouble understanding what is working wrong. Why does FreeBSD stop all traffic? OK? Let's go!

# uname -a
FreeBSD ns2.jamaika.ru 5.2.1-RELEASE FreeBSD 5.2.1-RELEASE #2: Mon Jul 26 17:23:28 MSD 2004     root@ns2.jamaika.ru:/usr/src/sys/i386/compile/NS2  i386

(ex0 - unplugged from the network)

# ifconfig ex1
ex1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet xxx.xxx.xx.xxx netmask 0xffffff00 broadcast xxx.xxx.xx.xxx
        inet6 fe80::2aa:ff:fe5d:fd06%ex1 prefixlen 64 scopeid 0x2
        ether 00:aa:00:5d:fd:06
        media: Ethernet 10baseT/UTP
        status: active

# ipfw list
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 allow icmp from any to any
00500 allow tcp from any to any established
00600 allow ip from any to any frag
00700 allow ip from me to any setup
00800 allow tcp from any to me dst-port 25,110,995,143,993 setup
00900 allow tcp from any to me dst-port 500,600 setup
01000 allow tcp from any to me dst-port 22,32222 setup
01100 allow udp from me to any dst-port 53 keep-state
09999 allow log ip from any to any
65500 deny log ip from any to any
65535 deny ip from any to any

(look at 9999 - it's a temporary line, just for testing)

1st: all works perfectly!

/var/log/security:
Aug 25 14:42:26 ns2 kernel: ipfw: 9999 Accept MAC in via ex1
Aug 25 14:42:54 ns2 last message repeated 16 times
Aug 25 14:44:54 ns2 last message repeated 70 times
Aug 25 14:54:55 ns2 last message repeated 351 times
Aug 25 15:04:55 ns2 last message repeated 345 times
Aug 25 15:14:55 ns2 last message repeated 351 times
Aug 25 15:21:39 ns2 last message repeated 234 times

2nd: now I delete the 9999 rule!! Still working very well!

# ipfw delete 9999

/var/log/security:
Aug 25 15:21:41 ns2 kernel: ipfw: 65500 Deny MAC in via ex1
Aug 25 15:22:13 ns2 last message repeated 18 times
Aug 25 15:24:15 ns2 last message repeated 76 times
Aug 25 15:34:17 ns2 last message repeated 346 times
Aug 25 15:41:25 ns2 last message repeated 253 times
Aug 25 15:41:27 ns2 kernel: ipfw: 65500 Deny MAC out via ex1
Aug 25 15:41:27 ns2 kernel: ipfw: 65500 Deny MAC in via ex1
Aug 25 15:41:27 ns2 kernel: ipfw: 65500 Deny MAC out via ex1
Aug 25 15:41:28 ns2 kernel: ipfw: 65500 Deny MAC out via ex1
Aug 25 15:41:29 ns2 kernel: ipfw: 65500 Deny MAC in via ex1

And NOW all network traffic is frozen (no ping, no ssh, nothing). 20 min passed from when I denied this incoming MAC packet until BSD started to send MAC packets... and all traffic froze...

Aug 25 15:41:29 ns2 kernel: ipfw: 65500 Deny MAC out via ex1
Aug 25 15:41:30 ns2 kernel: ipfw: 65500 Deny MAC out via ex1
Aug 25 15:41:30 ns2 kernel: ipfw: 65500 Deny MAC in via ex1
Aug 25 15:41:31 ns2 kernel: ipfw: 65500 Deny MAC out via ex1
Aug 25 15:41:31 ns2 kernel: ipfw: 65500 Deny MAC in via ex1
Aug 25 15:41:32 ns2 kernel: ipfw: 65500 Deny MAC out via ex1
Aug 25 15:41:33 ns2 kernel: ipfw: 65500 Deny MAC out via ex1
Aug 25 15:41:33 ns2 kernel: ipfw: 65500 Deny MAC in via ex1

tcpdump log:
15:41:23.728169 802.1d config 8000.00:04:dd:05:af:44.8026 root 8000.00:01:96:cb:ae:44 pathcost 8 age 2 max 20 hello 2 fdelay 15
15:41:25.728788 802.1d config 8000.00:04:dd:05:af:44.8026 root 8000.00:01:96:cb:ae:44 pathcost 8 age 2 max 20 hello 2 fdelay 15
15:41:27.730761 802.1d config 8000.00:04:dd:05:af:44.8026 root 8000.00:01:96:cb:ae:44 pathcost 8 age 2 max 20 hello 2 fdelay 15
15:41:29.729825 802.1d config 8000.00:04:dd:05:af:44.8026 root 8000.00:01:96:cb:ae:44 pathcost 8 age 2 max 20 hello 2 fdelay 15

3rd: I put the 9999 rule back! And everything starts working fine...

Aug 25 15:45:39 ns2 kernel: ipfw: 9999 Accept MAC in via ex1
Aug 25 15:46:11 ns2 last message repeated 18 times

What to do?
-- Dmitry Zadvornykh BIN-Bank http://www.binbank.ru
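Editor's added example, not part of the original message or a reply to it. The "MAC in/out" log lines above are ipfw's way of reporting raw Ethernet frames, which reach the ruleset only when the sysctl net.link.ether.ipfw is 1. A rule with no IP-specific options, such as "deny log ip from any to any", matches those frames as well, so the switch's 802.1d STP BPDUs seen in the tcpdump output hit rule 65500. The freeze 20 minutes after the first deny matches the default ARP cache lifetime (net.link.ether.inet.max_age, 1200 seconds): once the gateway's entry expires, the host's own ARP requests are the "Deny MAC out" lines and nothing can be resolved any more. The usual fix is to let non-IP frames through before the IP rules run, with a rule carrying the "layer2" and "mac-type" options, or to set net.link.ether.ipfw=0 if layer-2 filtering is not wanted at all. The script below loads such a ruleset; it keeps the numbering and ports from the message, adds rule 00010, and assumes ipfw2 syntax as shipped with FreeBSD 5.x. The IPFW variable is a hypothetical override hook so the rules can be reviewed with IPFW=echo before being applied for real.

```sh
#!/bin/sh
# Added example (not from the original message): load an ipfw ruleset that
# exempts non-IP Ethernet frames (ARP, 802.1d STP) from the IP rules when
# net.link.ether.ipfw=1 is in effect. Assumes ipfw2 syntax (FreeBSD 5.x).
# Rule numbers and ports mirror the message; rule 00010 is the addition.

# Hypothetical override hook: IPFW=echo prints the commands instead of
# running them, which is how the ruleset should be reviewed first.
IPFW="${IPFW:-ipfw -q}"

# Print the ruleset, one rule per line, without touching the kernel.
# 00010 matches only layer-2 frames whose Ethertype is not IP (ARP, STP,
# ...) and accepts them; everything else falls through to the IP rules.
emit_rules() {
    cat <<'EOF'
00010 allow layer2 not mac-type ip
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 allow icmp from any to any
00500 allow tcp from any to any established
00600 allow ip from any to any frag
00700 allow ip from me to any setup
00800 allow tcp from any to me dst-port 25,110,995,143,993 setup
00900 allow tcp from any to me dst-port 500,600 setup
01000 allow tcp from any to me dst-port 22,32222 setup
01100 allow udp from me to any dst-port 53 keep-state
65500 deny log ip from any to any
EOF
}

# Exit 0 if the layer-2 exemption precedes every deny rule. ipfw stops at
# the first matching rule, so a later exemption would never be reached.
layer2_rule_first() {
    emit_rules | awk '
        $2 == "allow" && /layer2/ && !l2 { l2 = NR }
        $2 == "deny"  && !dn             { dn = NR }
        END { exit !(l2 && (!dn || l2 < dn)) }
    '
}

# Exit 0 when the kernel is passing Ethernet frames through ipfw at all;
# if this is 0 the layer-2 rule is harmless but unnecessary.
layer2_filtering_on() {
    [ "$(sysctl -n net.link.ether.ipfw 2>/dev/null)" = 1 ]
}

# Flush and reload. Refuses to load a ruleset whose exemption is misplaced.
apply_rules() {
    layer2_rule_first || { echo "layer2 exemption must precede deny rules" >&2; return 1; }
    $IPFW -f flush
    emit_rules | while IFS= read -r rule; do
        # word splitting of $rule into separate ipfw arguments is intended
        $IPFW add $rule
    done
}

# Only touch the firewall when explicitly asked: ./ipfw-l2.sh apply
if [ "${1:-}" = apply ]; then
    apply_rules
fi
```

Run it once as "IPFW=echo sh ipfw-l2.sh apply" to see the exact ipfw commands, then without the override to load them. Note that rule 00010 also lets in anything else that is not IP, which on a mail server is normally just ARP and whatever the switch sends; if that is too broad, replace "not mac-type ip" with the specific Ethertypes you need.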