From: Jose Hidalgo Herrera
Reply-To: jose@hostarica.com
Organization: Corp. Hostarica
To: martes.wigglesworth@us.army.mil
Cc: ipfw-mailings, newbies freebsd list, jose@hostarica.com, freebsd-questions
Date: Mon, 06 Dec 2004 10:35:03 -0600
Subject: Re: Weird lockup of network traffic...
List-Id: IPFW Technical Discussions

It seems you need a "check-state" rule somewhere!
You also have very insecure sets. Your rule #99 is a waste.
You use keep-state, but never match the
dynamic rules with check-state.

Give me your complete set and I'll try to
fix it.

On Mon, 06-12-2004 at 18:43 +0300, martes wigglesworth wrote:
> Hello list.
>
> I have experienced a very unusual glitch, that I cannot explain. All of
> a sudden, my network router box became non-compliant with internet
> traffic requests. At first, I thought that it was because I had to
> restart bind 8 with ndc restart, however, after restarting the service, I
> still continued to receive failed server errors. After attempting to
> ping my provider, I noticed that I came across this message:
>
> ping: sendto: No buffer space available
> ping: sendto: No buffer space available
> ping: sendto: No buffer space available
> ping: sendto: No buffer space available
>
> What does this indicate? I am still learning, and do not have
> significant experience/knowledge with any type of frame buffers, or
> kernel programming. I can only suspect that maybe my firewalling rules
> clogged some sort of buffers for the kernel. I don't really know, that
> is the only thing that I can think of.
> I have the following firewalling rules setup:
>
> 00098   124     8614 allow ip from any to any via lo0
> 00099     0        0 allow ip from 127.0.0.1 to 127.0.0.1
> 00100   617    69897 allow tcp from any to any dst-port 22 setup keep-state
> 00102     0        0 allow udp from 0.0.0.0 to 255.255.255.255 dst-port 67,68 setup keep-state
> 00103     0        0 allow udp from any to any dst-port 53 via keep-state
> 00104   685    79362 deny udp from any to any dst-port 137,138,513
> 00106     0        0 allow udp from any to any dst-port 33435-33524 keep-state
> 00110     0        0 allow log ip from any to { 192.168.1.0/24 or dst-ip 192.168.2.0/24 } in recv sis0
> 00200 15704 10185681 divert 8668 ip from any to any via sis0
> 00300  6267  8810869 queue 1 log ip from any to 192.168.1.0/24 out { xmit xl0 or xmit rl0 }
> 00301  1715   777060 queue 2 log ip from any to 192.168.2.0/24 out { xmit xl0 or xmit rl0 }
> 65535 25856 10939503 allow ip from any to any
>
> My pipe configs are as follows:
> 00001: 256.000 Kbit/s 0 ms 50 sl. 0 queues (1 buckets) droptail
>     mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
> 00002: 128.000 Kbit/s 0 ms 50 sl. 0 queues (1 buckets) droptail
>     mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
> q00001: weight 1 pipe 1 50 sl. 4 queues (64 buckets) droptail
>     mask: 0x00 0x00000000/0x0000 -> 0xffffffff/0x0000
> BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
>  12 ip     0.0.0.0/0             192.168.1.28/0          56    4856  0    0   0
>  15 ip     0.0.0.0/0             192.168.1.31/0         136   20860  0    0   0
>  26 ip     0.0.0.0/0             192.168.1.10/0        6294 9165950  0    0   0
>  35 ip     0.0.0.0/0             192.168.1.51/0          46    5351  0    0   0
> q00002: weight 1 pipe 2 50 sl. 4 queues (64 buckets) droptail
>     mask: 0x00 0x00000000/0x0000 -> 0xffffffff/0x0000
> BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
>  11 ip     0.0.0.0/0             192.168.2.27/0          29    4396  0    0   0
>  13 ip     0.0.0.0/0             192.168.2.29/0         156   62105  0    0   0
>  44 ip     0.0.0.0/0             192.168.2.60/0        1659  812626  0    0   0
>  53 ip     0.0.0.0/0             192.168.2.37/0          26    1176  0    0   0
>
> Any help is much appreciated.
>

--
Jose Hidalgo Herrera
Corp. Hostarica
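
A check for the point raised in the reply, added here as an example (it is not part of the original message or of ipfw): it parses `ipfw show` output and reports keep-state rules that have no check-state rule ahead of them, plus a final allow-all rule. The sample is constructed from rules quoted above; `parse_rules` and `audit` are hypothetical names.

```python
import re

# Constructed sample: a subset of the rules quoted in the message, in `ipfw show`
# layout (rule number, packets, bytes, body) with the mail line-wrapping undone.
SAMPLE = """\
00098   124     8614 allow ip from any to any via lo0
00100   617    69897 allow tcp from any to any dst-port 22 setup keep-state
00106     0        0 allow udp from any to any dst-port 33435-33524 keep-state
00200 15704 10185681 divert 8668 ip from any to any via sis0
65535 25856 10939503 allow ip from any to any
"""

RULE_RE = re.compile(r"^\s*(\d{5})\s+(\d+)\s+(\d+)\s+(\S.*)$")

def parse_rules(text):
    """Return (rule_number, body_tokens) for every rule line in `ipfw show` output."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append((int(m.group(1)), m.group(4).split()))
    return rules

def audit(text):
    """Hypothetical helper: list findings about stateful rules in a ruleset."""
    rules = parse_rules(text)
    # Rules that create dynamic state use the keep-state or limit option.
    stateful = [n for n, tok in rules if "keep-state" in tok or "limit" in tok]
    checks = [n for n, tok in rules if tok[0] == "check-state"]
    findings = []
    if stateful and not checks:
        # Per ipfw(8), without check-state the dynamic table is first
        # consulted at the first keep-state or limit rule.
        findings.append("no check-state: dynamic rules are first matched at "
                        f"rule {min(stateful):05d}")
    elif stateful and min(checks) > min(stateful):
        findings.append(f"check-state at {min(checks):05d} follows the first "
                        f"keep-state rule {min(stateful):05d}")
    # A final allow-all means unmatched packets pass regardless of state.
    if rules and rules[-1][1] == ["allow", "ip", "from", "any", "to", "any"]:
        findings.append(f"rule {rules[-1][0]:05d} allows all traffic, so the "
                        "keep-state rules do not restrict anything")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

On a live router the input would be the text printed by `ipfw show` rather than the embedded sample.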