From owner-freebsd-stable Mon Jan 21 23:08:02 2002
Date: Tue, 22 Jan 2002 09:13:28 +0200
From: Barry Irwin
To: "Robert D. Hughes"
Cc: freebsd-stable@freebsd.org
Subject: Re: NATD, or another one I haven't seen before
Message-ID: <20020122091328.L32746@itouchlabs.com>
In-Reply-To: message from rob@robhughes.com on Mon, Jan 21, 2002 at 11:48:54AM -0600

I don't think this is necessarily a new source code related bug. During the CodeRed / CodeRedII sagas of last year I had a number of NATDs lock up on a range of boxes from 4.3 right to 4.0; they exhibited a massive growth in memory usage (30MB+) and CPU time. Packets were getting handled, but were taking forever; I was getting ping times on the order of 400 seconds. This also occurred on network segments in 4 different continents. Again a pile of arp traffic was seen on the external side of the firewalls.

My initial response was that state tables were filling up because of all the incomplete connections, but tests with synfloods by myself were unable to duplicate the problem.

Barry

-- 
Barry Irwin bvi@itouchlabs.com +27214875150
Systems Administrator: Networks And Security
Itouch Labs http://www.itouchlabs.com
South Africa

On Mon 2002-01-21 (11:48), Robert D. Hughes wrote:
>
> CVSUP from 1/16, running natd with command /sbin/natd -config /etc/natd.conf -n dc0. Config file is:
>
> log_denied
> log_facility security
> use_sockets
> same_ports
> unregistered_only
> redirect_port tcp x.x.x.x:80 x.x.x.x:80
> redirect_port tcp x.x.x.x:443 x.x.x.x:443
> redirect_port tcp x.x.x.x:8880 x.x.x.x:8880
> redirect_port tcp x.x.x.x:2953 x.x.x.x:2953
> redirect_port tcp x.x.x.x:2954 x.x.x.x:2954
> dynamic
> punch_fw 10000:1000
>
> I'm going to try removing the log options and see if it improves, but since this is a new issue with the recent cvs build, I did want to send out a query.
>
> What I'm seeing is natd going to well over 90% cpu on this box, which has never happened before to the best of my knowledge. What tcpdump is showing me is very large amounts of arp traffic on the external interface from a large part of the 12.237/16 network (yeah, I know, lame provider). Has anyone else been running into similar issues?
>
> "Great spirits have always encountered violent opposition from mediocre minds." -- Albert Einstein
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-stable" in the body of the message
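As an added example, not part of this thread and not natd's or FreeBSD's own code, here is a small Python script that turns the kind of tcpdump ARP capture Robert describes into numbers an operator can act on: requests per second, how many distinct addresses are being asked for, how many of those never get a reply, and which senders account for the load. The capture embedded in it is constructed for illustration; the script assumes the line format that `tcpdump -n -i dc0 arp` prints (both the classic `arp who-has` form and the newer `ARP, Request who-has` form) and reads a real capture from standard input when one is piped in.

```python
import re
import sys
from collections import Counter

# Constructed tcpdump output (not from the thread) in both the classic
# "arp who-has" form and the newer "ARP, Request who-has ..., length N" form.
SAMPLE_CAPTURE = """\
09:13:28.000101 arp who-has 12.237.4.17 tell 12.237.0.1
09:13:28.000230 arp who-has 12.237.4.18 tell 12.237.0.1
09:13:28.000355 arp who-has 12.237.4.19 tell 12.237.0.1
09:13:28.000480 arp who-has 12.237.4.20 tell 12.237.0.1
09:13:28.000601 arp reply 12.237.4.17 is-at 00:00:5e:00:53:01
09:13:28.000722 arp who-has 12.237.9.3 tell 12.237.8.200
09:13:28.100000 ARP, Request who-has 12.237.4.21 tell 12.237.0.1, length 28
09:13:28.100120 ARP, Reply 12.237.4.21 is-at 00:00:5e:00:53:02, length 28
09:13:29.500000 arp who-has 12.237.4.22 tell 12.237.0.1
"""

# One pattern per ARP message type. The operands are captured without the
# trailing comma that newer tcpdump versions append before "length".
REQUEST_RE = re.compile(
    r"^(\d\d):(\d\d):(\d\d)(?:\.\d+)?\s.*?who-has\s+([\d.]+)\s+tell\s+([\d.]+)")
REPLY_RE = re.compile(
    r"^(\d\d):(\d\d):(\d\d)(?:\.\d+)?\s.*?[Rr]eply\s+([\d.]+)\s+is-at\s+([0-9a-fA-F:]+)")


def parse_arp(text):
    """Return (second_of_day, kind, target_ip, sender) tuples, one per ARP line."""
    events = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            h, mi, s, target, sender = m.groups()
            events.append((int(h) * 3600 + int(mi) * 60 + int(s), "request", target, sender))
            continue
        m = REPLY_RE.match(line)
        if m:
            h, mi, s, target, mac = m.groups()
            events.append((int(h) * 3600 + int(mi) * 60 + int(s), "reply", target, mac))
    return events


def arp_summary(text):
    """Aggregate the counts that separate an address sweep from normal resolution."""
    events = parse_arp(text)
    requests = [e for e in events if e[1] == "request"]
    replies = [e for e in events if e[1] == "reply"]
    per_sender = Counter(e[3] for e in requests)   # who is asking
    per_second = Counter(e[0] for e in requests)   # how fast they ask
    asked = {e[2] for e in requests}
    answered = {e[2] for e in replies}
    return {
        "requests": len(requests),
        "replies": len(replies),
        "distinct_targets": len(asked),
        "unanswered_targets": len(asked - answered),
        "peak_requests_per_second": max(per_second.values(), default=0),
        "top_senders": per_sender.most_common(3),
    }


def is_arp_sweep(summary, peak_threshold=50, unanswered_ratio=0.5):
    """Heuristic: a burst of requests per second whose targets mostly never answer.

    Thresholds are illustrative defaults, not values from the thread."""
    if summary["requests"] == 0:
        return False
    unanswered = summary["unanswered_targets"] / summary["distinct_targets"]
    return (summary["peak_requests_per_second"] >= peak_threshold
            and unanswered >= unanswered_ratio)


if __name__ == "__main__":
    # Use the constructed sample interactively; read a real capture when piped:
    #   tcpdump -l -n -i dc0 arp | python3 arp_rate.py
    capture = SAMPLE_CAPTURE if sys.stdin.isatty() else sys.stdin.read()
    summary = arp_summary(capture)
    for key, value in summary.items():
        print(f"{key}: {value}")
    print("arp sweep suspected:", is_arp_sweep(summary))
```

Worm-driven scanning of the kind described above shows up as a high request rate from a handful of senders with most targets unanswered, whereas ordinary resolution traffic has a request-to-reply ratio near one. The thresholds are starting points to tune per segment; on a busy /16 the peak-rate threshold will need to be higher than on a small DMZ.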