From owner-freebsd-current@FreeBSD.ORG Wed Jan 19 08:25:43 2005
From:
Sender: "Alastair D'Silva"
To:
Date: Wed, 19 Jan 2005 19:25:40 +1100
Organization: New Millennium Networking
Message-ID: <004501c4fe00$76180fc0$0201000a@riker>
Subject: IPFW problems
List-Id: Discussions about the use of FreeBSD-current

I have recently (the last week or so, but possibly longer, as I had updated the system prior to going on a 3 week holiday) been having some problems with IPFW under -CURRENT. I am running:

bash-2.05b$ uname -a
FreeBSD picard.newmillennium.net.au 6.0-CURRENT FreeBSD 6.0-CURRENT #38: Sun Jan 16 18:27:30 EST 2005 root@picard.newmillennium.net.au:/usr/obj/usr/src/sys/PICARD i386

What happens is that I occasionally (every 5 minutes or so) get the following:

Jan 19 16:54:41 picard kernel: ipfw: ouch!, skip past end of rules, denying packet

And then a (random) TCP connection is dropped.
What is interesting is that every possible path through the firewall matches a rule. I can provide a copy of the firewall rules on request.

My firewall uses the following features, in addition to the standard allow/deny rules:

- Dummynet
- Stateful rules (check-state, keep-state)
- skipto rules
- Forwarding (fwd)

Some more stuff from the system, in case it helps:

bash-2.05b$ sysctl -a | grep ip\.fw
net.inet.ip.fw.enable: 1
net.inet.ip.fw.autoinc_step: 100
net.inet.ip.fw.one_pass: 0
net.inet.ip.fw.debug: 1
net.inet.ip.fw.verbose: 1
net.inet.ip.fw.verbose_limit: 0
net.inet.ip.fw.dyn_buckets: 256
net.inet.ip.fw.curr_dyn_buckets: 256
net.inet.ip.fw.dyn_count: 343
net.inet.ip.fw.dyn_max: 4096
net.inet.ip.fw.static_count: 184
net.inet.ip.fw.dyn_ack_lifetime: 1800
net.inet.ip.fw.dyn_syn_lifetime: 20
net.inet.ip.fw.dyn_fin_lifetime: 1
net.inet.ip.fw.dyn_rst_lifetime: 1
net.inet.ip.fw.dyn_udp_lifetime: 10
net.inet.ip.fw.dyn_short_lifetime: 5
net.inet.ip.fw.dyn_keepalive: 1

My kernel options regarding the firewall are:

options IPFIREWALL
options IPDIVERT
options IPFIREWALL_FORWARD
options DUMMYNET
options HZ=1000

--
Alastair D'Silva                    mob: 0413 485 733
Networking Consultant               fax: 0413 181 661
New Millennium Networking           web: http://www.newmillennium.net.au
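The message above mentions skipto rules but does not include the ruleset, so the following is an added sanity check, not code from the poster or from the FreeBSD project, and it does not claim to explain the "skip past end of rules" message. It reads `ipfw list` style output and, for every skipto, resolves where processing would continue using the rule documented in ipfw(8): the search continues at the first rule numbered at or above the target that follows the skipto. Targets that land on nothing, that land only on the default rule 65535, or that point backwards (and therefore just fall through to the next rule) are reported. The ruleset below is constructed for illustration; the `-a`/`set` variants of `ipfw list` output are not handled.

```python
import re

# Constructed sample in plain `ipfw list` format. It is NOT the ruleset from
# the message above, which was not posted.
SAMPLE_RULES = """\
00100 allow ip from any to any via lo0
00200 check-state
00300 skipto 1000 tcp from any to any 22 in
00400 skipto 5000 udp from any to any
00500 allow tcp from any to any established
01000 allow tcp from any to any 22 in keep-state
01100 skipto 600 ip from any to any
02000 deny ip from any to any
65535 deny ip from any to any
"""

DEFAULT_RULE = 65535
RULE_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
SKIPTO_RE = re.compile(r"\bskipto\s+(\d+)")


def parse_rules(text):
    """Return [(rulenum, body), ...] from `ipfw list` style output, in order."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append((int(m.group(1)), m.group(2).strip()))
    return rules


def resolve_skipto(rules, index, target):
    """Rule number processing continues at for a skipto located at rules[index].

    ipfw(8): the search continues with the first rule numbered `target` or
    higher. Only rules after the skipto itself are candidates. Returns None if
    no such rule exists in the listing."""
    for num, _ in rules[index + 1:]:
        if num >= target:
            return num
    return None


def check_skipto(rules):
    """Report skipto targets that do not land on a real, non-default rule.

    Returns [(rulenum, target, reason), ...]."""
    findings = []
    for i, (num, body) in enumerate(rules):
        m = SKIPTO_RE.search(body)
        if not m:
            continue
        target = int(m.group(1))
        landing = resolve_skipto(rules, i, target)
        if landing is None:
            findings.append((num, target, "no rule at or after target in listing"))
        elif landing == DEFAULT_RULE:
            findings.append((num, target, "only the default rule 65535 remains"))
        elif target <= num:
            findings.append((num, target,
                             f"backward target, falls through to rule {landing}"))
    return findings


if __name__ == "__main__":
    for num, target, reason in check_skipto(parse_rules(SAMPLE_RULES)):
        print(f"rule {num:05d}: skipto {target}: {reason}")
```

To run it against a live box, replace `SAMPLE_RULES` with the text of `ipfw list`. A hit on the "default rule 65535" case is worth a second look: such a skipto silently turns every matching packet into a default deny, which looks exactly like a dropped connection from the outside.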