From owner-freebsd-hackers Wed Sep 26 7:20:18 2001
To: Mailing List IPFilter
Cc: Mailing List FreeBSD Hackers
Subject: FreeBSD 4.4-RELEASE & ipf 3.4.20 freeze
From: Eric Masson
X-Operating-System: FreeBSD 4.4-RC i386
Date: Wed, 26 Sep 2001 16:14:52 +0200
Message-ID: <86g09aqbs3.fsf@notbsdems.nantes.kisoft-services.com>

Hello,

Since I installed my DSL gateway with FreeBSD 4.4-RELEASE, the DSL link freezes every 24 hours, more or less; at that point no more traffic is possible.

Setup is the following:

ed0: link to internal lan
ed1: link to Alcatel SpeedTouch Home, no ip configuration
tun0: link brought up by ppp(8) to the Internet.

I've tried with both ppp integrated nat and ipnat, and the problem lasts. Output results given here were made with ppp(8) nat.

netstat -i takes a long time (1 minute) to give a result after the line with tun0.
Ipfilter and Netgraph are loaded from /boot/loader.conf.

Here are the relevant files and outputs:

## kernel config
#
# $FreeBSD: src/sys/i386/conf/GENERIC,v 1.246.2.20 2000/10/31 23:16:07 n_hibma Exp $

machine         i386
cpu             I486_CPU
ident           IBMPS1
maxusers        64

makeoptions     DEBUG=-g                # Build kernel with gdb(1) debug symbols

options         INET                    # InterNETworking
options         FFS                     # Berkeley Fast Filesystem
options         FFS_ROOT                # FFS usable as root device [keep this!]
options         NFS                     # Network Filesystem
options         NFS_NOSERVER            # Network Filesystem server disabled
options         PROCFS                  # Process filesystem
options         COMPAT_43               # Compatible with BSD 4.3 [KEEP THIS!]
options         USERCONFIG              # boot -c editor
options         ICMP_BANDLIM            # Rate limit bad replies
options         KBD_INSTALL_CDEV        # install a CDEV entry in /dev

# Isa bus
device          isa

# Floppy drives
device          fdc0    at isa? port IO_FD1 irq 6 drq 2
device          fd0     at fdc0 drive 0

# ATA and ATAPI devices
device          ata0    at isa? port IO_WD1 irq 14
device          atadisk                 # ATA disk drives
device          atapicd                 # ATAPI CDROM drives

# Console control
device          atkbdc0 at isa? port IO_KBD
device          atkbd0  at atkbdc? irq 1 flags 0x1
device          psm0    at atkbdc? irq 12
device          vga0    at isa?
device          sc0     at isa? flags 0x100

# Floating point support - do not disable.
device          npx0    at nexus? port IO_NPX irq 13

# Serial (COM) ports
device          sio0    at isa? port IO_COM1 flags 0x10 irq 4
device          sio1    at isa? port IO_COM2 irq 3

# ISA Ethernet NICs
device          miibus
device          ed0     at isa? port 0x280 irq 5
device          ed1     at isa? port 0x300 irq 10

# Pseudo devices - the number indicates how many units to allocated.
pseudo-device   loop            # Network loopback
pseudo-device   ether           # Ethernet support
pseudo-device   tun             # Packet tunnel.
pseudo-device   pty             # Pseudo-ttys (telnet etc)
pseudo-device   bpf             # Berkeley packet filter
pseudo-device   vn              # Vnode driver

## ppp.conf
default:
 set log Phase tun command
 set ifaddr 10.0.0.1/0 10.0.0.2/0

teaser:
 set device PPPoE:ed1
 set authname xxxxxxx
 set authkey yyyyyy
 set dial
 set login
 add default HISADDR

## ppp.linkup
# Refresh Ipfilter
MYADDR:
 !bg /sbin/ipf -y

## ipf.rules
# Malformed/suspect packets on all interfaces are blocked
block in log quick all with opt lsrr
block in log quick all with opt ssrr
block in log quick all with ipopts
block in log quick proto tcp all with short
block in log quick proto icmp all with frag

# No restrictions on local interface
pass in quick on lo0 all
pass out quick on lo0 all

# External interface
block in on tun0 all
pass in quick on tun0 proto tcp from any to 193.56.60.242 port = 22 flags S keep state
block out on tun0 all
pass out quick on tun0 proto tcp from 192.168.1.0/24 to any flags S keep state keep frags
pass out quick on tun0 proto udp from 192.168.1.0/24 to any keep state
pass out quick on tun0 proto icmp from 192.168.1.0/24 to any keep state
pass out quick on tun0 proto tcp from 193.56.60.242/32 to any flags S keep state keep frags
pass out quick on tun0 proto udp from 193.56.60.242/32 to any keep state
pass out quick on tun0 proto icmp from 193.56.60.242/32 to any keep state

# External support interface
pass in on ed1 all
block in log quick on ed1 proto tcp all
block in log quick on ed1 proto udp all
block in log quick on ed1 proto icmp all
pass out on ed1 all
block out log quick on ed1 proto tcp all
block out log quick on ed1 proto udp all
block out log quick on ed1 proto icmp all

# Internal interface
pass in on ed0 all
block in quick on ed0 proto tcp/udp from any to any port = 137
block in quick on ed0 proto tcp/udp from any to any port = 138
block in quick on ed0 proto tcp/udp from any to any port = 139
block in quick on ed0 proto tcp/udp from any port = 137 to any
block in quick on ed0 proto tcp/udp from any port = 138 to any
block in quick on ed0 proto tcp/udp from any port = 139 to any
pass out on ed0 all

## uname -a
FreeBSD rtrbsdnantsr.nantes.kisoft-services.com 4.4-RELEASE FreeBSD 4.4-RELEASE #0: Fri Sep 21 23:03:29 CEST 2001     emss@rtrbsdnantsr.nantes.kisoft-services.com:/usr/src/sys/compile/IBMPS1  i386

## ifconfig -a
ed0: flags=8843 mtu 1500
        inet 192.168.1.15 netmask 0xffffff00 broadcast 192.168.1.255
        ether 52:54:40:25:96:c8
ed1: flags=8843 mtu 1500
        ether 52:54:40:25:a4:72
lo0: flags=8049 mtu 16384
        inet 127.0.0.1 netmask 0xff000000
tun0: flags=8051 mtu 1492
        inet 193.56.60.242 --> 194.206.78.3 netmask 0xffffff00
        Opened by PID 102

## netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags     Refs     Use     Netif Expire
default            194.206.78.3       UGSc        1   161638      tun0
127.0.0.1          127.0.0.1          UH          0        4       lo0
192.168.1          link#1             UC          2        0       ed0
192.168.1.1        0:60:8c:95:c5:e    UHLW        0       48       ed0    948
192.168.1.21       0:80:c8:8d:14:b3   UHLW        1      117       ed0   1120
194.206.78.3       193.56.60.242      UH          1        0      tun0

## netstat -i
Name  Mtu   Network       Address              Ipkts Ierrs    Opkts Oerrs  Coll
ed0   1500                52:54:40:25:96:c8   164872     0   120153     0    13
ed0   1500  192.168.1     rtrbsdnantsr           271     -      908     -     -
ed1   1500                52:54:40:25:a4:72   125802     0   167462     0     5
lo0   16384                                        4     0        4     0     0
lo0   16384 127           localhost                4     -        4     -     -
tun0  1492                                    119257     0   160918     0     0
tun0  1492  193.56.60     193.56.60.242            4     -        2     -     -

## netstat -s -p ip
ip:
        284481 total packets received
        0 bad header checksums
        0 with size smaller than minimum
        0 with data size < data length
        0 with ip length > max ip packet size
        0 with header length < data size
        0 with data length < header length
        0 with bad options
        0 with incorrect version number
        0 fragments received
        0 fragments dropped (dup or out of space)
        0 fragments dropped after timeout
        0 packets reassembled ok
        476 packets for this host
        2 packets for unknown/unsupported protocol
        280464 packets forwarded (0 packets fast forwarded)
        731 packets not forwardable
        0 packets received for unknown multicast group
        0 redirects sent
        1075 packets sent from this host
        0 packets sent with fabricated ip header
        0 output packets dropped due to no bufs, etc.
        0 output packets discarded due to no route
        0 output datagrams fragmented
        0 fragments created
        0 datagrams that can't be fragmented
        0 tunneling packets that can't find gif
        0 datagrams with bad address in header

## ipf -V
ipf: IP Filter: v3.4.20 (264)
Kernel: IP Filter: v3.4.20
Running: yes
Log Flags: 0 = none set
Default: pass all, Logging: available
Active list: 0

## ipfstat
input packets:          blocked 2822 passed 281883 nomatch 0 counted 0 short 0
output packets:         blocked 728 passed 281719 nomatch 0 counted 0 short 0
 input packets logged:  blocked 0 passed 0
output packets logged:  blocked 0 passed 0
 packets logged:        input 0 output 0
 log failures:          input 0 output 0
fragment state(in):     kept 0  lost 0
fragment state(out):    kept 0  lost 0
packet state(in):       kept 2  lost 0
packet state(out):      kept 968        lost 0
ICMP replies:   0       TCP RSTs sent:  0
Invalid source(in):     0
Result cache hits(in):  2533    (out):  949
IN Pullups succeeded:   0       failed: 0
OUT Pullups succeeded:  0       failed: 0
Fastroute successes:    0       failures:       0
TCP cksum fails(in):    0       (out):  0
Packet log flags set: (0)
        none

## ipfstat -io
pass out quick on lo0 from any to any
block out on tun0 from any to any
pass out quick on tun0 proto tcp from 192.168.1.0/24 to any flags S/FSRPAU keep state keep frags
pass out quick on tun0 proto udp from 192.168.1.0/24 to any keep state
pass out quick on tun0 proto icmp from 192.168.1.0/24 to any keep state
pass out quick on tun0 proto tcp from 193.56.60.242/32 to any flags S/FSRPAU keep state keep frags
pass out quick on tun0 proto udp from 193.56.60.242/32 to any keep state
pass out quick on tun0 proto icmp from 193.56.60.242/32 to any keep state
pass out on ed1 from any to any
block out log quick on ed1 proto tcp from any to any
block out log quick on ed1 proto udp from any to any
block out log quick on ed1 proto icmp from any to any
pass out on ed0 from any to any
block in log quick from any to any with opt lsrr
block in log quick from any to any with opt ssrr
block in log quick from any to any with ipopt
block in log quick proto tcp from any to any with short
block in log quick proto icmp from any to any with frag
pass in quick on lo0 from any to any
block in on tun0 from any to any
pass in quick on tun0 proto tcp from any to 193.56.60.242/32 port = 22 flags S/FSRPAU keep state
pass in on ed1 from any to any
block in log quick on ed1 proto tcp from any to any
block in log quick on ed1 proto udp from any to any
block in log quick on ed1 proto icmp from any to any
pass in on ed0 from any to any
block in quick on ed0 proto tcp/udp from any to any port = netbios-ns
block in quick on ed0 proto tcp/udp from any to any port = netbios-dgm
block in quick on ed0 proto tcp/udp from any to any port = netbios-ssn
block in quick on ed0 proto tcp/udp from any port = netbios-ns to any
block in quick on ed0 proto tcp/udp from any port = netbios-dgm to any
block in quick on ed0 proto tcp/udp from any port = netbios-ssn to any

## ipnat -slv
mapped  in      0       out     0
added   0       expired 0
no memory       0       bad nat 0
inuse   0
rules   0
wilds   0
table 0xbfbffafc list 0x0
List of active MAP/Redirect filters:
List of active sessions:
List of active host mappings:

Regards

Eric Masson

--
Warning: file "/home/emss/misc/fortune/En_sig.dat" unreadable
Warning: file "/home/emss/misc/fortune/Fr_sig.dat" unreadable
I really need to take care of this signature problem :)
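The ruleset above depends on IPFilter's matching order: the last matching rule decides unless a matching rule is marked quick, which is why "pass in on ed1 all" can be followed by quick blocks and still yield a deny, and why the first "block in on tun0 all" is overridden only by the quick pass for port 22. The following Python evaluator is an added example, not part of Eric's message, and covers only the rule features the posted ruleset uses; the rule excerpt and the sample packets in the test are constructed for illustration.

```python
import ipaddress
import re

# Constructed excerpt of the ruleset in the post, in the form ipfstat -io prints it.
RULES_TEXT = """\
block in on tun0 from any to any
pass in quick on tun0 proto tcp from any to 193.56.60.242/32 port = 22 flags S keep state
pass in on ed1 from any to any
block in log quick on ed1 proto tcp from any to any
pass in on ed0 from any to any
block in quick on ed0 proto tcp/udp from any to any port = 139
block out on tun0 from any to any
pass out quick on tun0 proto tcp from 192.168.1.0/24 to any flags S keep state keep frags
"""

# Rule features used here: action, direction, log, quick, interface, proto, from/to, dest port.
RULE_RE = re.compile(
    r"^(?P<action>pass|block) (?P<dir>in|out)(?: log)?(?P<quick> quick)? on (?P<iface>\S+)"
    r"(?: proto (?P<proto>\S+))? from (?P<src>\S+) to (?P<dst>\S+)(?: port = (?P<dport>\d+))?")

def parse_rules(text):
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unsupported rule syntax: " + line)
        rules.append(m.groupdict())
    return rules

def _addr_match(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def _rule_matches(r, pkt):
    if r["dir"] != pkt["dir"] or r["iface"] != pkt["iface"]:
        return False
    if r["proto"] and pkt["proto"] not in r["proto"].split("/"):   # "tcp/udp" matches either
        return False
    if r["dport"] and int(r["dport"]) != pkt.get("dport"):
        return False
    return _addr_match(r["src"], pkt["src"]) and _addr_match(r["dst"], pkt["dst"])

def decide(rules, pkt, default="pass"):
    """Last matching rule wins unless a matching rule is quick; default is 'pass all' as in ipf -V."""
    decision = default
    for r in rules:
        if _rule_matches(r, pkt):
            decision = r["action"]
            if r["quick"]:
                break
    return decision
```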