Date: Wed, 19 Jan 2005 02:42:03 -0800
From: Luigi Rizzo <rizzo@icir.org>
To: Robert Watson <rwatson@freebsd.org>
Cc: current@freebsd.org
Subject: Re: IPFW problems
Message-ID: <20050119024203.A1604@xorpc.icir.org>
In-Reply-To: <Pine.NEB.3.96L.1050119103032.61646D-100000@fledge.watson.org>; from rwatson@freebsd.org on Wed, Jan 19, 2005 at 10:34:02AM +0000
References: <004501c4fe00$76180fc0$0201000a@riker> <Pine.NEB.3.96L.1050119103032.61646D-100000@fledge.watson.org>
On Wed, Jan 19, 2005 at 10:34:02AM +0000, Robert Watson wrote:
...
> > What happens is that I occasionally (every 5 minutes or so) get the
> > following:
> >
> > Jan 19 16:54:41 picard kernel: ipfw: ouch!, skip past end of rules, denying packet

There was a bugfix posted for this bug a few months ago; I don't remember
who did it or whether it was committed. I think the ipfw mailing list
archives should have the msg.

cheers
luigi

> This error message seems to occur when the end of the rule chain is
> reached without hitting a packet. The one scenario I can think of where
> this might happen is if the rule set somehow skips past the end of the
> chain. Could you confirm two things:
>
> - That your ipfw rule set contains no skiptos that push past the last
>   rule?
>
> - That your user space ipfw(8) binary is in sync with your kernel?
>
> If there's no obvious source of a potential issue of that sort, it may be
> we're looking at an ipfw bug. The error message should be cleaned
> up/clarified even if you're seeing the results of a bug, since it's
> a bit unclear on what actually happened.
>
> Robert N M Watson
>
> > And then a (random) TCP connection is dropped. What is interesting is
> > that every possible path through the firewall matches a rule. I can
> > provide a copy of the firewall rules on request.
> >
> > My firewall uses the following features, in addition to the standard
> > allow/deny rules:
> >
> > Dummynet
> > Stateful rules (check-state, keep-state)
> > Skipto's
> > Forwarding (fwd)
> >
> > Some more stuff from the system, in case it helps:
> >
> > bash-2.05b$ sysctl -a | grep ip\.fw
> > net.inet.ip.fw.enable: 1
> > net.inet.ip.fw.autoinc_step: 100
> > net.inet.ip.fw.one_pass: 0
> > net.inet.ip.fw.debug: 1
> > net.inet.ip.fw.verbose: 1
> > net.inet.ip.fw.verbose_limit: 0
> > net.inet.ip.fw.dyn_buckets: 256
> > net.inet.ip.fw.curr_dyn_buckets: 256
> > net.inet.ip.fw.dyn_count: 343
> > net.inet.ip.fw.dyn_max: 4096
> > net.inet.ip.fw.static_count: 184
> > net.inet.ip.fw.dyn_ack_lifetime: 1800
> > net.inet.ip.fw.dyn_syn_lifetime: 20
> > net.inet.ip.fw.dyn_fin_lifetime: 1
> > net.inet.ip.fw.dyn_rst_lifetime: 1
> > net.inet.ip.fw.dyn_udp_lifetime: 10
> > net.inet.ip.fw.dyn_short_lifetime: 5
> > net.inet.ip.fw.dyn_keepalive: 1
> >
> > My kernel options regarding the firewall are:
> >
> > options IPFIREWALL
> > options IPDIVERT
> > options IPFIREWALL_FORWARD
> > options DUMMYNET
> > options HZ=1000
> >
> > --
> > Alastair D'Silva              mob: 0413 485 733
> > Networking Consultant         fax: 0413 181 661
> > New Millennium Networking     web: http://www.newmillennium.net.au
> >
> > _______________________________________________
> > freebsd-current@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-current
> > To unsubscribe, send any mail to "freebsd-current-unsubscribe@freebsd.org"
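Robert's first question (skiptos that push past the last rule) can be checked mechanically before suspecting the kernel. The script below is an added example, not code from this thread or from the ipfw project: it reads `ipfw list` style output (a constructed ruleset is embedded) and reports every `skipto` whose target number is beyond the last user rule, i.e. a jump that can only land on the default rule 65535 or fall off the chain.

```shell
#!/bin/sh
# check_skipto: read an `ipfw list` listing on stdin and flag skipto rules
# whose target lies past the last user (non-65535) rule. ipfw's skipto N
# continues at the first rule numbered >= N, so any target above the last
# user rule has nothing to land on except the default rule.
# Exit status: 0 if the ruleset is clean, 1 if at least one rule is flagged.
check_skipto() {
    awk '
    $1 !~ /^[0-9]+$/ { next }            # skip "Dynamic rules" and similar
    {
        n = $1 + 0
        if (n != 65535 && n > last) last = n   # highest user rule number
        if ($2 == "skipto") { num[NR] = n; tgt[NR] = $3 + 0 }
    }
    END {
        bad = 0
        for (i = 1; i <= NR; i++) {
            if (!(i in tgt)) continue
            if (tgt[i] > last) {
                printf("rule %05d: skipto %d has no user rule at or past that number (last is %d)\n",
                       num[i], tgt[i], last)
                bad = 1
            }
        }
        exit bad
    }'
}

# Constructed sample ruleset in the 5-digit format ipfw list prints.
# Rule 00400 jumps to 5000, but the last user rule is 01000.
SAMPLE_RULES='00100 allow ip from any to any via lo0
00200 skipto 1000 tcp from any to any established
00300 check-state
00400 skipto 5000 udp from any to any
01000 allow tcp from any to any keep-state
65535 deny ip from any to any'

if printf '%s\n' "$SAMPLE_RULES" | check_skipto; then
    echo "no skipto target is past the last user rule"
else
    echo "fix the ruleset before treating the kernel message as a bug"
fi
```

On a live system run `ipfw list | check_skipto`; with the `-d` flag the dynamic-rule section is ignored because those lines do not start with a rule number.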