Date: Wed, 19 Jan 2005 19:25:40 +1100
From: <freebsd@newmillennium.net.au>
To: <current@freebsd.org>
Subject: IPFW problems
Message-ID: <004501c4fe00$76180fc0$0201000a@riker>

I have recently (the last week or so, but possibly longer as I had updated
the system prior to going on a 3 week holiday) been having some problems
with IPFW under -CURRENT.

I am running:

    bash-2.05b$ uname -a
    FreeBSD picard.newmillennium.net.au 6.0-CURRENT FreeBSD 6.0-CURRENT #38: Sun Jan 16 18:27:30 EST 2005 root@picard.newmillennium.net.au:/usr/obj/usr/src/sys/PICARD i386

What happens is that I occasionally (every 5 minutes or so) get the
following:

    Jan 19 16:54:41 picard kernel: ipfw: ouch!, skip past end of rules, denying packet

And then a (random) TCP connection is dropped.

What is interesting is that every possible path through the firewall
matches a rule. I can provide a copy of the firewall rules on request.

My firewall uses the following features, in addition to the standard
allow/deny rules:

    Dummynet
    Stateful rules (check-state, keep-state)
    Skipto's
    Forwarding (fwd)

Some more stuff from the system, in case it helps:

    bash-2.05b$ sysctl -a | grep ip\.fw
    net.inet.ip.fw.enable: 1
    net.inet.ip.fw.autoinc_step: 100
    net.inet.ip.fw.one_pass: 0
    net.inet.ip.fw.debug: 1
    net.inet.ip.fw.verbose: 1
    net.inet.ip.fw.verbose_limit: 0
    net.inet.ip.fw.dyn_buckets: 256
    net.inet.ip.fw.curr_dyn_buckets: 256
    net.inet.ip.fw.dyn_count: 343
    net.inet.ip.fw.dyn_max: 4096
    net.inet.ip.fw.static_count: 184
    net.inet.ip.fw.dyn_ack_lifetime: 1800
    net.inet.ip.fw.dyn_syn_lifetime: 20
    net.inet.ip.fw.dyn_fin_lifetime: 1
    net.inet.ip.fw.dyn_rst_lifetime: 1
    net.inet.ip.fw.dyn_udp_lifetime: 10
    net.inet.ip.fw.dyn_short_lifetime: 5
    net.inet.ip.fw.dyn_keepalive: 1

My kernel options regarding the firewall are:

    options IPFIREWALL
    options IPDIVERT
    options IPFIREWALL_FORWARD
    options DUMMYNET
    options HZ=1000

-- 
Alastair D'Silva           mob: 0413 485 733
Networking Consultant      fax: 0413 181 661
New Millennium Networking  web: http://www.newmillennium.net.au