Date:      Fri, 11 Aug 2000 20:05:25 +0200
From:      Gerhard Sittig <Gerhard.Sittig@gmx.net>
To:        freebsd-security@freebsd.org
Subject:   Re: Strange ipnat behaviour
Message-ID:  <20000811200525.D261@speedy.gsinet>
In-Reply-To: <20000809153924.C18771@carroll.net>; from damien@carroll.com on Wed, Aug 09, 2000 at 03:39:24PM -0400
References:  <20000809153924.C18771@carroll.net>

On Wed, Aug 09, 2000 at 15:39 -0400, Damien Tougas wrote:
> 
> [ ... ipnat on FreeBSD 3.4-Stable ... ]
> 
> The problem that we are seeing is that for some reason unknown
> to us, nat just stops working. The only way to get it to work
> again is to clear the ipnat tables and rules and re-initialize
> them using the following sequence:
> 
> /usr/sbin/ipnat -CF
> /usr/sbin/ipnat -f /etc/rc.nat
> 
> After that, everything works just fine.
> The config file we use (rc.nat) is very simple:
> 
> map de0 10.0.0.0/8 -> 0/32 portmap tcp/udp 1025:65000
> map de0 10.0.0.0/8 -> 0/32

Do you get different ip addresses and then it fails?  Your
mapping to 0/32 means "use the interface's address" and won't
work when it's not any longer the address assigned at "ipnat -f"
time.  Read "man ipf" and especially watch out for the -y switch.
I had to put something this way into ppp.linkup and ppp.linkdown
to make things work.

> Our first thought was that we might have run out of ports, but
> we discovered that there were no more than about 3000 sessions
> active at the time.

So the number of ports is not a problem, but is memory?  These
3000 sessions have their state to be kept somewhere.  Could you
decrease the timeout to handle more connections with the same
amount of RAM?


virtually yours   82D1 9B9C 01DC 4FB4 D7B4  61BE 3F49 4F77 72DE DA76
Gerhard Sittig   true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
-- 
     If you don't understand or are scared by any of the above
             ask your parents or an adult to help you.
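The reply above says the fix was to re-apply the NAT rules from ppp.linkup and ppp.linkdown, because a "-> 0/32" mapping is bound to whatever address the interface had at "ipnat -f" time. The script below is an added example of such a reload hook; it is not code from the thread or from IP Filter itself. It assumes the rule file from the thread (/etc/rc.nat) and makes the ipf and ipnat paths overridable through the IPF and IPNAT environment variables so the logic can be exercised without IP Filter installed.

```shell
#!/bin/sh
# Added example, not code from the thread: re-apply the ipnat rules when a
# link comes (back) up, so that "-> 0/32" mappings bind to the address the
# interface has now rather than the one it had at the last "ipnat -f".
# Assumptions: /etc/rc.nat is the rule file from the thread; IPF and IPNAT
# can be overridden through the environment (useful for testing without
# IP Filter installed).

IPF="${IPF:-/sbin/ipf}"
IPNAT="${IPNAT:-/usr/sbin/ipnat}"

# Succeed (exit 0) if the rule file contains a "-> 0/32" mapping, i.e. a
# rule whose translation address is resolved from the interface at load
# time and therefore goes stale when that address changes.
has_dynamic_map() {
    grep -Eq -- '->[[:space:]]*0/32' "$1"
}

# Resync IP Filter's view of interface addresses (the "ipf -y" switch from
# the reply), flush all NAT rules and active sessions (-CF), then reload
# the rule file, exactly the sequence the original poster used by hand.
reload_ipnat() {
    rules="$1"
    if [ ! -r "$rules" ]; then
        echo "reload_ipnat: cannot read rule file: $rules" >&2
        return 1
    fi
    "$IPF" -y || return 1
    "$IPNAT" -CF || return 1
    "$IPNAT" -f "$rules" || return 1
    echo "reload_ipnat: reloaded $rules" >&2
}

# Usage from ppp.linkup/ppp.linkdown or the command line:
#     sh reload-nat.sh /etc/rc.nat
# Only rule files with a 0/32 mapping are reloaded: "-CF" drops every
# active NAT session, so a file with fixed addresses is left alone.
if [ $# -gt 0 ]; then
    if has_dynamic_map "$1"; then
        reload_ipnat "$1"
    else
        echo "$1 has no 0/32 mapping; nothing to reload" >&2
    fi
fi
```

The check in has_dynamic_map is what makes the hook safe to call on every link event: the flush in "ipnat -CF" is exactly the step that costs you the 3000 or so active sessions mentioned in the thread, so it is only worth paying when a rule really depends on the interface address.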

