From: "Lars Wittebrood"
Date: Thu, 9 Nov 2006 20:21:10 +0100
Cc: ipfilter@coombs.anu.edu.au
Subject: System (Firewall - IP filter) freezes sometimes

Hello lists,

I have a 6.1-RELEASE-p10 system running IP Filter which comes with 6.1
acting as a firewall for my small home network. This system freezes when
handling a lot of data, i.e. with an upload of a 60Meg file to the
firewall through SFTP from OpenSSH or when accessing large webpages. By
freezes I mean it doesn't accept any new connections and doesn't respond
to the keyboard.
After 3 or 4 minutes the system 'lives' again. Nothing valuable is
logged in the meantime. The NICs used are Intel Gbit Desktop adapters and
the system is using the 'em' driver for this. I am running IP Filter as a
module. The freeze doesn't happen when the IP Filter kernel module is
unloaded!

me@firewall me $ uname -a
FreeBSD firewall.domain.nu 6.1-RELEASE-p10 FreeBSD 6.1-RELEASE-p10 #0: Thu Nov 2 16:00:30 CET 2006 root@firewall.domain.nu:/usr/obj/usr/src/sys/FIREWALL i386

me@firewall me $ ipf -V
ipf: IP Filter: v4.1.8 (416)

The sysctl.conf file of the system:

# $FreeBSD: src/etc/sysctl.conf,v 1.8 2003/03/13 18:43:50 mux Exp $
#
# This file is read when going to multi-user and its contents piped thru
# ``sysctl'' to adjust kernel values. ``man 5 sysctl.conf'' for details.
#

#------------------------------------------------------------------------
# Disable kernel coredumps
#------------------------------------------------------------------------
kern.coredump=0

#------------------------------------------------------------------------
# Some hardening options
#------------------------------------------------------------------------
security.bsd.see_other_uids=0
security.bsd.see_other_gids=0

#------------------------------------------------------------------------
# Some networking options
#------------------------------------------------------------------------
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
net.inet.ip.random_id=1

#------------------------------------------------------------------------
# TCP/IP stack hardening
#------------------------------------------------------------------------
# Decrease the ARP cache cleanup interval
net.link.ether.inet.max_age=1200
# Disable ICMP broadcast echo activity
net.inet.icmp.bmcastecho=0
# Disable ICMP routing redirects
net.inet.ip.redirect=0
# Disable ICMP broadcast probes
net.inet.icmp.maskrepl=0
# Disable IP source routing
net.inet.ip.sourceroute=0
net.inet.ip.accept_sourceroute=0
# Increase resilience under heavy TCP load
kern.ipc.somaxconn=1024
# Set TCP send and receive window sizes
net.inet.tcp.sendspace=32768
net.inet.tcp.recvspace=32768

Anyone any idea what this is about?

Regards,
Lars Wittebrood.