From owner-freebsd-stable Fri Aug 25 20:31:22 2000
Message-Id: <200008260329.e7Q3TPq87381@cwsys.cwsent.com>
Reply-To: Cy Schubert - ITSD Open Systems Group
From: Cy Schubert - ITSD Open Systems Group
X-OS: FreeBSD 4.1-RELEASE
To: tucka
Cc: freebsd-stable@FreeBSD.ORG
Subject: Re: ipnat fails under load
In-reply-to: Your message of "Fri, 25 Aug 2000 20:55:40 MDT."
Date: Fri, 25 Aug 2000 20:28:37 -0700

In message , tucka writes:
> You can add me to the list of people who have problems with ipfilter
> under load. 3 boxes, 2 with 4.1-S ipf 3.4.8 and 1 with 4.0-S ipf 3.3.8.
> It doesn't seem to be so much a problem with how many clients are
> accessing the server, but rather just a matter of time. All 3 boxes
> consistently fail after 2 to 4 hours of use. Some can be "saved" via
> an ipf -Fa and reloading, but usually they need to be restarted. I've
> had to go back to SUSE *blech* on one box because it was just unusable.
> If there is any other info I can provide to help resolve this issue please
> don't hesitate to ask.

What's your configuration? Could you list your IPF and NAT rules?

Next time you have a "freeze", issue ipfstat -s and ipfstat -sl. If
you're using stateful filtering, could it be that your state table has
filled?

What type of traffic do you generally have going through your
firewalls? If you use a lot of FTP and use the FTP proxy, 3.4.8 is
broken for some FTP clients -- upgrade to 3.4.9. If you use RCMD proxy
with rcp or krcp, your state and NAT tables will fill up very quickly,
eventually hanging the box.

I have IPF running on my gateway at home (4.1R), 4 FreeBSD 4.1-R
systems at work (+ 12 Solaris systems), and on two systems at a
friend's ISP (one running 3.4S and the other running 4.0R). The
versions of IPF range from 3.3.7 - 3.4.9. All without problem.

One thing to note is that I've disabled IPv6 in all of my kernels
(primarily because I cannot get KRB5 to work through NAT with IPv6
enabled). This is just a hunch but if you do have IPv6 enabled try
disabling it.

You may want to send a question to the IP Filter mailing list
(ipfilter@coombs.anu.edu.au) or visit the IP Filter Web site at
http://coombs.anu.edu.au/~avalon/ip-filter.html which describes how to
subscribe to the IP Filter mailing list.

The short of it is that you need to do more homework before posting
questions.

Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Team Leader, Sun/DEC Team   Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC
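
The reply above asks for ipfstat -s and ipfstat -sl output at the time of a freeze. Because the reported hangs take 2 to 4 hours to appear, the following added example (not part of the original message, and not code from the IP Filter project) records those outputs on a timer so the data exists even if the box has to be restarted. The log path, interval, window size and the use of output line counts as a rough table-size proxy are assumptions.

```sh
#!/bin/sh
# Added example (not from the original post): periodic IP Filter snapshots.
# Assumptions: log path, interval and window are hypothetical; line counts of
# `ipfstat -sl` and `ipnat -l` are a rough size proxy, no output format is parsed.
LOG=${LOG:-/var/log/ipf-watch.log}
INTERVAL=${INTERVAL:-300}   # seconds between snapshots
WINDOW=${WINDOW:-6}         # samples inspected for steady growth

# Print the number of output lines of a command (0 if it fails or is missing).
count_lines() {
    "$@" 2>/dev/null | wc -l | tr -d ' '
}

# Append one timestamped snapshot to $LOG; print "<state_lines> <nat_lines>".
snapshot() {
    states=$(count_lines ipfstat -sl)
    nat=$(count_lines ipnat -l)
    {
        echo "=== $(date '+%Y-%m-%d %H:%M:%S') state_lines=$states nat_lines=$nat"
        ipfstat -s 2>&1
        ipnat -s 2>&1
    } >> "$LOG"
    echo "$states $nat"
}

# Succeed when the series never decreases and ends higher than it started.
growing() {
    first=$1
    prev=$1
    for n in "$@"; do
        [ "$n" -ge "$prev" ] || return 1
        prev=$n
    done
    [ "$prev" -gt "$first" ]
}

# Run as: sh ipf-watch.sh watch   (usually needs root to query IP Filter)
if [ "${1:-}" = "watch" ]; then
    series=""
    while :; do
        set -- $(snapshot)
        series=$(printf '%s\n' $series "$1" | tail -n "$WINDOW" | tr '\n' ' ')
        if [ $(echo $series | wc -w) -ge "$WINDOW" ] && growing $series; then
            echo "=== WARNING: state entries grew across last $WINDOW samples: $series" >> "$LOG"
        fi
        sleep "$INTERVAL"
    done
fi
```

A series that only ever grows until the hang points at the state or NAT table filling, which is the case the reply asks about; a flat series at the time of the hang points elsewhere.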