Date: Thu, 24 Jul 2008 04:12:44 -0700
From: Jeremy Chadwick <koitsu@FreeBSD.org>
To: Robert Jameson <rj@dawnshosting.com>
Cc: freebsd-stable <freebsd-stable@freebsd.org>, cperciva@freebsd.org
Subject: Re: network problems 7.0-p3: sendto: Operation not permitted
Message-ID: <20080724111244.GA44703@eos.sc1.parodius.com>
In-Reply-To: <9072a4470807240321y59f827fdn287011c0336ae866@mail.gmail.com>
References: <9072a4470807232259x603f46k49474f5eb309d0fa@mail.gmail.com> <20080724074919.GA36163@eos.sc1.parodius.com> <9072a4470807240255v4d3f8e72gf8bfb39999b2dcbd@mail.gmail.com> <9072a4470807240321y59f827fdn287011c0336ae866@mail.gmail.com>
On Thu, Jul 24, 2008 at 06:21:53AM -0400, Robert Jameson wrote:
> Still don't know what's going on, I'm currently sitting here with no firewall
> between me and the internet (very nervous) seeing if it fixes the problems,
> as of right this moment, still seeing permission denied errors.

Okay, then the problem isn't with pf, although f/w rules are the only
thing I've personally experienced which induces those messages.

How did you disable the firewall, by the way?

> > Can you provide uname -a output?  There was a "cable modem compatibility
> > fix" applied to FreeBSD a while ago (a user informed me of such),
> > although I do not know if it applies to you, as I do not know the
> > original symptoms.  I believe that fix was also just for TCP.
>
> FreeBSD cube.dawnshosting.com 7.0-RELEASE-p3 FreeBSD 7.0-RELEASE-p3 #5: Wed
> Jul 16 21:55:02 EDT 2008
> root@cube.dawnshosting.com:/usr/obj/usr/src/sys/CUBE  i386
>
> Was the patch applied upstream? If not and it's not too much trouble can you
> point me in the direction of it.

The patch was applied to RELENG_7 on March 13th and RELENG_7_0 on June
19th.  I don't know which tag you're tracking for src, so I can't tell
you if you've got the patch or not:

  1.141.2.4  +10 -2  src/sys/netinet/tcp_output.c
  1.157.2.2  +5 -2   src/sys/netinet/tcp_var.h

  http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet/tcp_output.c
  http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet/tcp_var.h

For a discussion of this (read between the lines):

  http://lists.freebsd.org/pipermail/freebsd-stable/2008-July/043595.html

> > > Jul 20 22:15:39 cube kernel: Limiting open port RST response from 318 to 200
> > > packets/sec
> >
> > This indicates a high number of ICMP packets being received.  Keep in
> > mind this can also be seen due to TCP connections which are being reset
> > and other such things -- ICMP is at a higher layer than TCP.
> >
> > I don't think there's necessarily anything "wrong" with that number (you
> > show up to 740), but it would be worthwhile investigating what's
> > soliciting that amount of ICMP traffic.  Are you seeing this 24x7x365?
>
> Yes, it's constant. Let it be known I also have 2 network cards in the
> machine, 1 into my cable modem and another into a Linksys 16-port VPN router.
> The defaultrouter is set to a WAN IP (not 10.192.240.1), not that any of
> that matters, I don't think?

No one will know without you describing your network (with IPs and
netmasks), and providing netstat -rn output.

> > > /etc/sysctl.conf
> > > net.inet.icmp.icmplim=2000
> > >
> > > I know it seems a bit high, but I kept adjusting until the error went
> > > away. (not really fixing the problem?)
> >
> > It's not that high; FreeBSD's 200 default is too low for any production
> > server, if you ask me.  Setting it to 2000 is probably fine.
>
> I read a bit about it from the handbook, I think it's a non-issue.
>
> Might be worth mentioning the only real service change to this machine was
> an ircd daemon w/ about 500 users.

I see.  God help you.

Your file descriptor problem with bind may be because of this.  IRC
servers commonly chew socket resources at a crazy rate, especially if
you're under some form of TCP-based attack (which might also explain the
ICMP errors, induced by TCP RST).  You may want to look at the
kern.maxfiles and kern.maxfilesperproc sysctls, and read this.

  http://www.freebsd.org/doc/en/books/handbook/configtuning-kernel-limits.html

I don't mean to be rude, but I'd highly recommend avoiding running a
public IRC server unless you have significant familiarity with your OS,
network topology, and have a very robust firewall (read: Cisco or
Juniper) *in front* of the machine acting as an IRC server -- and even
then, ask yourself if it's worth it.  IRC servers are harassment magnets,
and you will end up being the target of that harassment.

> > > Is this an attack?
> > >
> > > 01:55:41.231722 IP cube.dawnshosting.com > purple.haze.bluntroll.in: ICMP
> > > echo request, id 22055, seq 37084, length 64
> > > 01:55:42.232794 IP cube.dawnshosting.com > purple.haze.bluntroll.in: ICMP
> > > echo request, id 22055, seq 37085, length 64
> >
> > At this rate (1 ICMP packet a second), absolutely not.  You also don't
> > mention which FQDN/IP is yours; I assume "cube.dawnshosting.com", based
> > on your local hostname in the above.  Your machine is sending out an
> > ICMP ping packet to purple.haze.bluntroll.in every 1 second.  If you
> > don't know why, you need to investigate why.
>
> Correct, cube.dawnshosting.com is the actual FreeBSD machine.
> Sorry for the newbish question, off the top of your head how can I see
> who/what is using this process?

FreeBSD comes with sockstat, which should suffice for this.

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
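The thread above tunes net.inet.icmp.icmplim by raising it "until the error went away". The following POSIX sh script is an added example, not part of Jeremy's or Robert's messages: it parses the kernel's "Limiting ... response from N to M packets/sec" lines (the ones quoted above, plus constructed ones) out of a log excerpt, reports the peak observed rate per response kind, and derives a candidate icmplim value from that peak so the limit is set from data rather than guesswork. The log lines embedded in SAMPLE_LOG, the headroom heuristic in suggest_limit, and the current_limit helper (which simply reads the live sysctl on a FreeBSD host) are all this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread): summarize FreeBSD
# "Limiting ... response from N to M packets/sec" kernel messages so
# net.inet.icmp.icmplim can be sized from the observed peak.
# The log excerpt below is constructed for the example; the first line
# is the one quoted in the thread.

SAMPLE_LOG='Jul 20 22:15:39 cube kernel: Limiting open port RST response from 318 to 200 packets/sec
Jul 20 22:16:40 cube kernel: Limiting open port RST response from 740 to 200 packets/sec
Jul 20 22:17:41 cube kernel: Limiting icmp unreach response from 412 to 200 packets/sec
Jul 20 22:18:42 cube kernel: arp: 10.192.240.1 moved (unrelated noise line)'

# peak_rate LOG: highest "from N" rate seen across all Limiting lines.
peak_rate() {
    printf '%s\n' "$1" | awk '
        /Limiting .* response from [0-9]+ to [0-9]+ packets\/sec/ {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { r = $(i + 1) + 0; if (r > max) max = r }
        }
        END { print max + 0 }'
}

# count_by_kind LOG: one "kind count" line per response kind
# (e.g. "open port RST 2"), sorted for stable output.
count_by_kind() {
    printf '%s\n' "$1" | awk '
        match($0, /Limiting .* response from/) {
            # strip the 9-char "Limiting " prefix and 14-char " response from" suffix
            kind = substr($0, RSTART + 9, RLENGTH - 23)
            n[kind]++
        }
        END { for (k in n) print k, n[k] }' | sort
}

# suggest_limit LOG: constructed heuristic, twice the observed peak,
# rounded up to the next multiple of 100, as a starting point for icmplim.
suggest_limit() {
    peak=$(peak_rate "$1")
    echo $(( (peak * 2 + 99) / 100 * 100 ))
}

# current_limit: read the live value on a FreeBSD host; prints "unknown"
# elsewhere (the key does not exist on other systems).
current_limit() {
    sysctl -n net.inet.icmp.icmplim 2>/dev/null || echo unknown
}

# Usage: run as a script to report on the embedded sample, or feed a real
# excerpt with: grep Limiting /var/log/messages | while read -r l; do ...
echo "current icmplim: $(current_limit)"
echo "peak observed rate: $(peak_rate "$SAMPLE_LOG") packets/sec"
count_by_kind "$SAMPLE_LOG"
echo "suggested icmplim: $(suggest_limit "$SAMPLE_LOG")"
```

The suggestion is only a starting point; a sustained peak that keeps climbing (as the thread notes, an IRC server under TCP-based abuse will generate RSTs) is a reason to find the source with sockstat and netstat -rn rather than keep raising the ceiling.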