From owner-freebsd-questions@FreeBSD.ORG Mon Apr 1 03:58:09 2013
Date: Sun, 31 Mar 2013 20:58:08 -0700
From: Michael Sierchio
To: "Don O'Neil"
Cc: freebsd-questions@freebsd.org
Subject: Re: Problems with IPFW causing failed DNS and FTP sessions
In-Reply-To: <049d01ce2e89$c428ab80$4c7a0280$@com>
List-Id: User questions
It would be really helpful if you'd post the ruleset.

At first glance, your stateful rules seem rather wrong, unless there's a check-state above. Also, in and out aren't discriminating enough - every packet is seen by the ruleset more than once. You should think in terms of interfaces, direction, etc.

Are you doing NAT? Stateful rules with NAT are indeed possible, but subtle.

Your problem has nothing to do with server load, and probably everything to do with a not-terribly-well-conceived ruleset. Please post yours here.

- M

On Sun, Mar 31, 2013 at 8:34 PM, Don O'Neil wrote:
> Hi everyone. Recently my server started having issues with DNS and FTP
> sessions either not resolving or timing out. I've tracked the issue down to
> IPFW. If I issue a 'sysctl net.inet.ip.fw.enable=0' then my issues go away.
>
> I have the basic rules like this for DNS:
>
> 01160 allow udp from any to any dst-port 53 in keep-state
> 01161 allow tcp from any to any dst-port 53 in keep-state
> 01162 allow udp from any to any dst-port 53 out keep-state
> 01163 allow tcp from any to any dst-port 53 out keep-state
>
> When I try an nslookup sometimes they fail, sometimes they get through, even
> if I change my DNS server to Google, my ISP, or even OpenDNS. The firewall
> seems to be causing the issue.
>
> I have about 65 rules in all.
>
> Any ideas what could be causing this? My server load is low, usually
> hovering around 0.2.
>
> How can I look at the actual amount of traffic that the IPFW module is
> processing and track down potential performance issues? My server isn't
> pushing much data, only around 4-5 Mbps sustained.
>
> Thanks!
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
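Michael's two points, put into a concrete ruleset. This is an added example, not code from either poster and not FreeBSD's own rc.firewall: the DNS section rewritten so that check-state comes before the keep-state rules and every stateful rule is tied to a direction and an interface, plus a small lint that reports both problems when fed the rules Don posted. The interface name em0, the OIF and FWCMD variables, and the function names are assumptions; the host is assumed to only originate DNS queries (a box that also serves DNS needs a separate allow rule for port 53 `in recv $OIF`). It does not explain Don's intermittent failures, which need the full ruleset to diagnose.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: the outside interface
# is em0 (override with OIF=...), ipfw lives at /sbin/ipfw (override with
# FWCMD=...), and this host is a DNS client, not a DNS server.

OIF="${OIF:-em0}"

# Emit the DNS part of a ruleset in the one-command-per-line form that
# ipfw(8) reads from a file. check-state comes first so packets belonging
# to an established flow match their dynamic rule before any static rule
# is consulted; the static rules only ever create state for queries we
# send out, and only on the outside interface.
dns_rules() {
    cat <<EOF
add 01000 check-state
add 01160 allow udp from me to any 53 out xmit $OIF keep-state
add 01161 allow tcp from me to any 53 out xmit $OIF setup keep-state
EOF
}

# Lint a ruleset read from stdin for the two things Michael points at:
#   1. a keep-state rule with no check-state before it, and
#   2. a stateful rule whose direction is not bound to an interface
#      (via / recv / xmit), so it is matched wherever the packet is seen.
# Prints one line per finding; exits 0 only when there are none.
check_ruleset() {
    seen_check_state=0
    findings=0
    while IFS= read -r rule; do
        case "$rule" in
            *check-state*) seen_check_state=1; continue ;;
            *keep-state*) ;;
            *) continue ;;
        esac
        if [ "$seen_check_state" -eq 0 ]; then
            echo "no check-state before: $rule"
            findings=$((findings + 1))
        fi
        case "$rule" in
            *" via "*|*" recv "*|*" xmit "*) ;;
            *)
                echo "not bound to an interface: $rule"
                findings=$((findings + 1))
                ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# Load the rules through ipfw's file interface. Not run automatically;
# call it explicitly, e.g. with FWCMD=echo for a dry run.
install_dns_rules() {
    tmp=$(mktemp) || return 1
    dns_rules > "$tmp"
    ${FWCMD:-/sbin/ipfw} -q "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

Run `dns_rules | check_ruleset` on the generated section, or feed it your whole ruleset (`ipfw list | check_ruleset` works too, since the lint only looks for the keywords). `ipfw -n <file>` checks syntax without touching the kernel, which is worth doing before `install_dns_rules` on a remote box.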