From: "Don O'Neil" <don@lizardhill.com>
To: freebsd-questions@freebsd.org
Subject: Problems with IPFW causing failed DNS and FTP sessions
Date: Sun, 31 Mar 2013 20:34:07 -0700
Message-ID: <049d01ce2e89$c428ab80$4c7a0280$@com>

Hi everyone. Recently my server started having issues with DNS and FTP sessions either not resolving or timing out. I've tracked the issue down to IPFW: if I issue a 'sysctl net.inet.ip.fw.enable=0' then my issues go away.
I have the basic rules like this for DNS:

    01160 allow udp from any to any dst-port 53 in keep-state
    01161 allow tcp from any to any dst-port 53 in keep-state
    01162 allow udp from any to any dst-port 53 out keep-state
    01163 allow tcp from any to any dst-port 53 out keep-state

When I try an nslookup, sometimes they fail, sometimes they get through, even if I change my DNS server to Google, my ISP, or even OpenDNS. The firewall seems to be causing the issue. I have about 65 rules in all.

Any ideas what could be causing this? My server load is low, usually hovering around .2.

How can I look at the actual amount of traffic that the IPFW module is processing and track down potential performance issues? My server isn't pushing much data, only around 4-5 Mbps sustained.

Thanks!
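An added diagnostic helper for the "how can I look at the actual traffic" question, not code from the original post or from the FreeBSD project: a POSIX sh script that ranks the per-rule counters printed by `ipfw -a list` by byte count, flags rules that have never matched a packet (a keep-state rule with a zero counter is not creating any dynamic state), and compares the dynamic-state table size with its limit. The counter values in the embedded sample are constructed; `net.inet.ip.fw.dyn_count` and `net.inet.ip.fw.dyn_max` are real FreeBSD sysctls, and the 90% warning threshold is an arbitrary choice.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes the `ipfw -a list`
# line format on FreeBSD: "<rule> <packets> <bytes> <rule text>".

# Constructed sample of `ipfw -a list` output, modelled on the DNS rules in
# the post. The packet/byte counters are made up for illustration.
SAMPLE='01160    8420   812344 allow udp from any to any dst-port 53 in keep-state
01161      12     1488 allow tcp from any to any dst-port 53 in keep-state
01162       0        0 allow udp from any to any dst-port 53 out keep-state
01163       0        0 allow tcp from any to any dst-port 53 out keep-state
65535 1023411 98234477 deny ip from any to any'

# rank_rules: read `ipfw -a list` text on stdin and print the rules sorted
# by byte count, busiest first. Live use: ipfw -a list | rank_rules
rank_rules() {
    sort -k3,3nr
}

# idle_rules: print the numbers of rules that have never matched a packet
# (the default rule 65535 is skipped). A keep-state rule that stays at zero
# is not seeing the traffic the author expects it to handle.
idle_rules() {
    awk '$2 == 0 && $1 != "65535" { print $1 }'
}

# check_dyn: compare the dynamic-state count with its limit. Once the table
# is full, new keep-state sessions (each DNS query creates one) fail.
# Live use: check_dyn "$(sysctl -n net.inet.ip.fw.dyn_count)" \
#                     "$(sysctl -n net.inet.ip.fw.dyn_max)"
# Prints "ok" or "near-limit" and returns 1 when more than 90% full.
check_dyn() {
    count=$1; max=$2
    if [ $((count * 10)) -ge $((max * 9)) ]; then
        echo "near-limit ($count/$max dynamic rules)"
        return 1
    fi
    echo "ok ($count/$max dynamic rules)"
}

printf '%s\n' "$SAMPLE" | rank_rules
echo "rules with zero packets: $(printf '%s\n' "$SAMPLE" | idle_rules | tr '\n' ' ')"
check_dyn 950 1024 || :
```

Run the live variants as root on the firewall host; comparing the counters before and after a failing nslookup shows which rule the query actually hit.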