From owner-freebsd-bugs Thu Feb 4 10:30:04 1999
Message-Id: <199902041829.MAA03181@dreams.dragondata.com>
Date: Thu, 4 Feb 1999 12:29:07 -0600 (CST)
From: toasty@dragondata.com
Reply-To: toasty@dragondata.com
To: FreeBSD-gnats-submit@FreeBSD.ORG
X-Send-Pr-Version: 3.2
Subject: kern/9910: Heavy traffic renders FreeBSD acting as firewall unusable
Sender: owner-freebsd-bugs@FreeBSD.ORG

>Number:         9910
>Category:       kern
>Synopsis:       Heavy traffic renders FreeBSD acting as firewall unusable
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Feb 4 10:30:00 PST 1999
>Closed-Date:
>Last-Modified:
>Originator:     Kevin Day
>Release:        FreeBSD 3.0-RELEASE i386
>Organization:   DragonData Internet Services
>Environment:
FreeBSD 3.0-RELEASE system positioned between my router and my switch, acting as a firewall, using ipfw.
FreeBSD 3.0-RELEASE #3: Thu Nov 26 01:53:51 CST 1998
    toasty@dreams.dragondata.com:/usr/src/sys/compile/DREAMS
Timecounter "i8254"  frequency 1193182 Hz  cost 3912 ns
Timecounter "TSC"  frequency 200455820 Hz  cost 124 ns
CPU: Pentium/P54C (200.46-MHz 586-class CPU)
  Origin = "GenuineIntel"  Id = 0x52c  Stepping=12
  Features=0x1bf
real memory  = 67108864 (65536K bytes)
avail memory = 62947328 (61472K bytes)
Probing for devices on PCI bus 0:
chip0: rev 0x04 on pci0.0.0
chip1: rev 0x00 on pci0.1.0
chip2: rev 0x41 on pci0.7.0
ide_pci0: rev 0x06 on pci0.7.1
chip3: rev 0x02 int d irq 11 on pci0.7.2
chip4: rev 0x10 on pci0.7.3
xl0: <3Com 3c905B Fast Etherlink XL 10/100BaseTX> rev 0x24 int a irq 10 on pci0.8.0
xl0: Ethernet address: 00:10:4b:74:fc:cb
xl0: autoneg not complete, no carrier (forcing half-duplex, 10Mbps)
fxp0: rev 0x05 int a irq 12 on pci0.9.0
fxp0: Ethernet address 00:a0:c9:e5:5c:ad
de0: rev 0x22 int a irq 5 on pci0.10.0
de0: 21140A [10-100Mb/s] pass 2.2
de0: address 00:40:05:41:d3:32
vga0: rev 0x00 int a irq 9 on pci0.11.0

bash-2.02$ ifconfig -a
xl0: flags=8842 mtu 1500
        ether 00:10:4b:74:fc:cb
        media: 10baseT/UTP (autoselect)
        supported media: autoselect 100baseTX 100baseTX 100baseTX 10baseT/UTP 10baseT/UTP 10baseT/UTP
fxp0: flags=8843 mtu 1500
        inet 204.137.237.240 netmask 0xffffff00 broadcast 204.137.237.255
        inet 205.253.12.240 netmask 0xffffff00 broadcast 205.253.12.255
        inet 204.137.237.151 netmask 0xffffffff broadcast 204.137.237.151
        ether 00:a0:c9:e5:5c:ad
        media: autoselect
        supported media: autoselect 100baseTX 100baseTX 10baseT/UTP 10baseT/UTP
de0: flags=8843 mtu 1500
        inet 204.137.237.253 netmask 0xfffffffc broadcast 204.137.237.255
        inet 205.253.12.253 netmask 0xfffffffc broadcast 205.253.12.255
        ether 00:40:05:41:d3:32
        media: autoselect (10baseT/UTP) status: active
        supported media: autoselect 100baseTX 100baseTX 10baseT/UTP 10baseT/UTP

>Description:
We had a user run the program 'bmb' (available from rootshell, I believe) directed at a dialup user on another ISP.
This program sends packets as quickly as possible to an address given. While the server sending the packets was fine (had a load average of .80, but otherwise no problems) and the router was fine (showed about 2MB/sec coming into its ethernet address), the firewall wasn't.

Internet <-- Router <-- de0 <- (firewall) -> fxp0 --> switch --> lan

Pinging/telnetting to the address on the fxp0 interface got no response, from either side of the network. I got ping responses on the de0 interface address from both the internet and the lan; a telnet would connect, but I'd never get a login response. After figuring out what was going on, I killed the program, and everything returned to normal. The load average on the firewall was still 0.00, 0.00, 0.00 (I know that a lot of what would have been going on was in the kernel though). No errors were generated, and I got no clues as to what was happening. The system was also unresponsive to the console during this. A case of too many interrupts, perhaps?

>How-To-Repeat:
Try 'bmb' through a firewall system
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
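An added monitoring example, not part of the PR or of FreeBSD: the report shows the load average sitting at 0.00 while the firewall was unreachable, because receive processing runs in the kernel's interrupt path and is never charged to a process, so a defender watching this box has to sample interface counters rather than load. The script diffs two constructed netstat -ibn style samples a few seconds apart and flags the interface being flooded; the column layout and the 20000 pps threshold are assumptions.

```python
# Added example (not from the PR): detect a packet flood on a forwarding host
# from two interface-counter samples, since load average stays 0.00 while the
# kernel is saturated in interrupt context. Sample output is constructed and
# the column order (Name Mtu Network Address Ipkts Ierrs Ibytes Opkts Oerrs
# Obytes Coll) is an assumption about the netstat -ibn format.
SAMPLE_T0 = """\
Name  Mtu   Network   Address            Ipkts Ierrs    Ibytes  Opkts Oerrs    Obytes Coll
de0   1500  <Link#1>  00:40:05:41:d3:32 120000     0  90000000 115000     0  80000000    0
de0   1500  204.137.237.252 204.137.237.253 120000 - 90000000 115000 - 80000000 -
fxp0  1500  <Link#2>  00:a0:c9:e5:5c:ad 118000     0  85000000 119000     0  88000000    0
"""
SAMPLE_T1 = """\
Name  Mtu   Network   Address            Ipkts Ierrs    Ibytes  Opkts Oerrs    Obytes Coll
de0   1500  <Link#1>  00:40:05:41:d3:32 120500     0  90040000 413000     0 104000000    0
de0   1500  204.137.237.252 204.137.237.253 120500 - 90040000 413000 - 104000000 -
fxp0  1500  <Link#2>  00:a0:c9:e5:5c:ad 418000  1800 109000000 119300     0  88040000    0
"""

def parse_counters(text):
    """Return {ifname: (ipkts, ierrs, opkts)} using only the link-level rows."""
    counters = {}
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 11 or not fields[2].startswith("<Link"):
            continue
        counters[fields[0]] = (int(fields[4]), int(fields[5]), int(fields[7]))
    return counters

def packet_rates(before, after, seconds):
    """Per-interface (input pps, input errors/s, output pps) between two samples."""
    rates = {}
    for ifname, (ip1, ie1, op1) in after.items():
        ip0, ie0, op0 = before.get(ifname, (0, 0, 0))
        rates[ifname] = ((ip1 - ip0) / seconds, (ie1 - ie0) / seconds,
                         (op1 - op0) / seconds)
    return rates

def flood_suspects(rates, pps_threshold=20000):
    """Interfaces whose input rate exceeds the threshold or that are dropping input."""
    return sorted(name for name, (ipps, errps, _) in rates.items()
                  if ipps > pps_threshold or errps > 0)

if __name__ == "__main__":
    rates = packet_rates(parse_counters(SAMPLE_T0), parse_counters(SAMPLE_T1), 10)
    for name, (ipps, errps, opps) in rates.items():
        print(f"{name}: in {ipps:.0f} pps, input errors {errps:.0f}/s, out {opps:.0f} pps")
    print("flood suspects:", flood_suspects(rates))
```

On the PR's topology the LAN-side fxp0 shows the input surge and de0 only the matching output, which points the operator at the inside host before the console becomes unusable.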