Date:      Mon, 03 Dec 2007 11:52:12 -0500
From:      Josh Endries <josh@endries.org>
To:        freebsd-ipfw@freebsd.org
Subject:   Possible problem with dyn_udp_lifetime
Message-ID:  <4754343C.7010009@endries.org>

Hello,

Recently on my mail scanning box I've been seeing lots of these messages in my log:

Dec  3 11:09:13 scan1 Connection attempt to UDP scan1:31895 from ns1:53
Dec  3 11:09:13 scan1 Connection attempt to UDP scan1:31895 from ns1:53

This is my IPFW rule:

00100 allow udp from me to ns1 dst-port 53 keep-state

I've been trying for days to fix it and haven't been able to. From what I can 
tell, my scanner is making a DNS lookup and the remote server isn't available, 
so my DNS server (which I run, also FreeBSD) times out after 30 seconds and 
sends a response back to my scanner. During this 30 second interval, IPFW is 
expiring the keep-state part too quickly, so it loses the state. I found the 
dyn_udp_lifetime sysctl, which is the closest thing I can find to fix this, but 
it doesn't seem to work. Here is some packet data from tcpdump:

09:36:02.906890 IP scan1.11400 > ns1.domain:  35914+ A? 
135.103.202.65.combined-HIB.dnsiplists.completewhois.com. (74)
         0x0000:  0060 0813 68be 0030 4871 bf14 0800 4500  .`..h..0Hq....E.
         0x0010:  0066 8f3e 0000 4011 f15e d8e6 a419 d8e6  .f.>..@..^......
         0x0020:  a403 2c88 0035 0052 fa4d 8c4a 0100 0001  ..,..5.R.M.J....
         0x0030:  0000 0000 0000 0331 3335 0331 3033 0332  .......135.103.2
         0x0040:  3032 0236 350c 636f 6d62 696e 6564 2d48  02.65.combined-H
         0x0050:  4942 0a64 6e73 6970 6c69 7374 730d 636f  IB.dnsiplists.co
         0x0060:  6d70 6c65 7465 7768 6f69 7303 636f 6d00  mpletewhois.com.
         0x0070:  0001 0001                                ....
09:36:32.963517 IP ns1.domain > scan1.11400:  35914 ServFail 0/0/0 (74)
         0x0000:  0030 4871 bf14 0060 0813 68be 0800 4500  .0Hq...`..h...E.
         0x0010:  0066 7785 0000 4011 0918 d8e6 a403 d8e6  .fw...@.........
         0x0020:  a419 0035 2c88 0052 cf0f 8c4a 8182 0001  ...5,..R...J....
         0x0030:  0000 0000 0000 0331 3335 0331 3033 0332  .......135.103.2
         0x0040:  3032 0236 350c 636f 6d62 696e 6564 2d48  02.65.combined-H
         0x0050:  4942 0a64 6e73 6970 6c69 7374 730d 636f  IB.dnsiplists.co
         0x0060:  6d70 6c65 7465 7768 6f69 7303 636f 6d00  mpletewhois.com.
         0x0070:  0001 0001                                ....

As you can see, it's exactly 30 seconds between query and response. The second 
packet is the one that causes the log message. The query ID is the same, thus 
leading me to my hypothesis about the expiration mentioned above. Every logged 
error is due to the same reason: this 30 second delay. Am I correct in thinking 
that dyn_udp_lifetime should prevent this, or is that for something else? If 
not, is there a setting I can use to achieve this?

I'm sure the application that's making these lookups has some sort of timeout, 
otherwise this would break it, I'm sure... I wonder if just removing keep-state 
and letting everything in would fix that...

Thanks,
Josh
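An added diagnostic for the timing question in the post (my code, not Josh's and not part of ipfw): it reads tcpdump summary lines like the ones quoted above, pairs each response with its query by client port and transaction ID, and reports replies that arrive later than a given dyn_udp_lifetime, i.e. after an unrefreshed keep-state entry would have expired. The sample capture is constructed from the two packets in the post, and the 10-second default lifetime is an assumption.

```python
import re
from datetime import datetime

# Constructed tcpdump summary lines modelled on the two packets quoted in the
# post; one hex-dump line is kept to show that the parser skips such lines.
SAMPLE_TCPDUMP = """\
09:36:02.906890 IP scan1.11400 > ns1.domain:  35914+ A? 135.103.202.65.combined-HIB.dnsiplists.completewhois.com. (74)
         0x0010:  0066 8f3e 0000 4011 f15e d8e6 a419 d8e6  .f.>..@..^......
09:36:32.963517 IP ns1.domain > scan1.11400:  35914 ServFail 0/0/0 (74)
"""

# Assumed FreeBSD default for net.inet.ip.fw.dyn_udp_lifetime (seconds).
DEFAULT_DYN_UDP_LIFETIME = 10

SUMMARY_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+):\s+"
    r"(?P<qid>\d+)[+*%$|-]*\s+(?P<rest>.*)$"
)

def parse_tcpdump(text):
    """Yield (timestamp, src, dst, query_id, is_query) per DNS summary line;
    indented hex-dump lines do not match the pattern and are skipped."""
    for line in text.splitlines():
        m = SUMMARY_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%H:%M:%S.%f")  # same-day capture assumed
        # Queries carry a record type followed by '?' (e.g. 'A?'); responses do not.
        yield ts, m["src"], m["dst"], int(m["qid"]), "?" in m["rest"]

def late_responses(text, dyn_udp_lifetime=DEFAULT_DYN_UDP_LIFETIME):
    """Return [(query_id, delay_seconds)] for responses that arrived more than
    dyn_udp_lifetime seconds after their query, i.e. after an ipfw dynamic
    rule that nothing else refreshed would already have been expired."""
    pending, late = {}, []
    for ts, src, dst, qid, is_query in parse_tcpdump(text):
        if is_query:
            pending[(src, qid)] = ts  # key on client endpoint + transaction id
            continue
        started = pending.pop((dst, qid), None)
        if started is None:
            continue  # response whose query was not in the capture
        delay = (ts - started).total_seconds()
        if delay > dyn_udp_lifetime:
            late.append((qid, round(delay, 3)))
    return late

if __name__ == "__main__":
    for lifetime in (DEFAULT_DYN_UDP_LIFETIME, 60):
        print(f"dyn_udp_lifetime={lifetime}s ->", late_responses(SAMPLE_TCPDUMP, lifetime))
```

With the assumed 10-second default the 30-second ServFail is reported as late; with a lifetime above 30 seconds it is not.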



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4754343C.7010009>