Date: Wed, 19 Jan 2005 10:34:02 +0000 (GMT)
From: Robert Watson
To: freebsd@newmillennium.net.au
cc: current@freebsd.org
Subject: Re: IPFW problems
In-Reply-To: <004501c4fe00$76180fc0$0201000a@riker>

On Wed, 19 Jan 2005 freebsd@newmillennium.net.au wrote:

> I have recently (the last week or so, but possibly longer as I had
> updated the system prior to going on a 3 week holiday) been having some
> problems with IPFW under -CURRENT.
>
> I am running:
> bash-2.05b$ uname -a
> FreeBSD picard.newmillennium.net.au 6.0-CURRENT FreeBSD 6.0-CURRENT #38:
> Sun Jan 16 18:27:30 EST 2005
> root@picard.newmillennium.net.au:/usr/obj/usr/src/sys/PICARD i386
>
> What happens is that I occasionally (every 5 minutes or so) get the
> following:
>
> Jan 19 16:54:41 picard kernel: ipfw: ouch!, skip past end of rules, denying packet

This error message seems to occur when the end of the rule chain is reached
without hitting a packet.  The one scenario I can think of where this might
happen is if the rule set somehow skips past the end of the chain.  Could
you confirm two things:

- That your ipfw rule set contains no skiptos that push past the last rule?

- That your user space ipfw(8) binary is in sync with your kernel?

If there's no obvious source of a potential issue of that sort, it may be
we're looking at an ipfw bug.  The error message should be cleaned
up/clarified even if you're seeing the results of a bug, since it's a bit
unclear on what actually happened.

Robert N M Watson

> And then a (random) TCP connection is dropped.  What is interesting is
> that every possible path through the firewall matches a rule.  I can
> provide a copy of the firewall rules on request.
>
> My firewall uses the following features, in addition to the standard
> allow/deny rules:
>
> Dummynet
> Stateful rules (check-state, keep-state)
> Skiptos
> Forwarding (fwd)
>
> Some more stuff from the system, in case it helps:
> bash-2.05b$ sysctl -a | grep ip\.fw
> net.inet.ip.fw.enable: 1
> net.inet.ip.fw.autoinc_step: 100
> net.inet.ip.fw.one_pass: 0
> net.inet.ip.fw.debug: 1
> net.inet.ip.fw.verbose: 1
> net.inet.ip.fw.verbose_limit: 0
> net.inet.ip.fw.dyn_buckets: 256
> net.inet.ip.fw.curr_dyn_buckets: 256
> net.inet.ip.fw.dyn_count: 343
> net.inet.ip.fw.dyn_max: 4096
> net.inet.ip.fw.static_count: 184
> net.inet.ip.fw.dyn_ack_lifetime: 1800
> net.inet.ip.fw.dyn_syn_lifetime: 20
> net.inet.ip.fw.dyn_fin_lifetime: 1
> net.inet.ip.fw.dyn_rst_lifetime: 1
> net.inet.ip.fw.dyn_udp_lifetime: 10
> net.inet.ip.fw.dyn_short_lifetime: 5
> net.inet.ip.fw.dyn_keepalive: 1
>
> My kernel options regarding the firewall are:
> options IPFIREWALL
> options IPDIVERT
> options IPFIREWALL_FORWARD
> options DUMMYNET
> options HZ=1000
>
> --
> Alastair D'Silva            mob: 0413 485 733
> Networking Consultant       fax: 0413 181 661
> New Millennium Networking   web: http://www.newmillennium.net.au
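A way to answer the first question in the reply above (skiptos that push past the last rule) before suspecting the kernel: the check below is an added example for this thread, not code from the original message or from FreeBSD's ipfw tools. It parses `ipfw list`-style output and reports any skipto whose target no listed rule can satisfy; the sample listing, `parse_rules` and `check_skiptos` are constructed here.

```python
import re

# Constructed sample in `ipfw list` format (not taken from the thread).
# Rule 65535 is ipfw's built-in default rule and always closes the chain.
SAMPLE_RULES = """\
00100 allow ip from any to any via lo0
00200 skipto 1000 tcp from any to any 22 in via fxp0
00300 check-state
00400 skipto 70000 udp from any to any out via fxp0
01000 allow tcp from any to any 22 keep-state
01100 skipto 900 ip from any to any
65535 deny ip from any to any
"""

# "<number> <action> [<numeric argument>]"; the optional number is the skipto target.
RULE_RE = re.compile(r"^\s*(\d+)\s+(\S+)(?:\s+(\d+))?")


def parse_rules(listing):
    """Return [(rule_number, action, skipto_target_or_None)] per rule line.
    Assumes plain `ipfw list` output (no -S set prefixes); other lines are skipped."""
    rules = []
    for line in listing.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        number, action, arg = int(m.group(1)), m.group(2), m.group(3)
        target = int(arg) if action == "skipto" and arg is not None else None
        rules.append((number, action, target))
    return rules


def check_skiptos(listing):
    """Return [(rule_number, target, reason)] for every skipto that cannot land.
    skipto N resumes at the first rule numbered >= N, so N must lie after the
    jumping rule and some listed rule must be numbered >= N."""
    rules = parse_rules(listing)
    numbers = [n for n, _, _ in rules]
    problems = []
    for number, action, target in rules:
        if action != "skipto":
            continue
        if target is None:
            problems.append((number, None, "non-numeric skipto target"))
        elif target <= number:
            problems.append((number, target, "backward or self jump"))
        elif not any(n >= target for n in numbers):
            problems.append((number, target, "no rule at or after target"))
    return problems
```

To run it against a live ruleset, feed the text of `ipfw list` to `check_skiptos`; an empty result means every skipto resolves to a listed rule.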