From: Carroll Kong
To: freebsd-stable@freebsd.org
Date: Sat, 01 Jul 2000 00:01:03 -0500
Subject: IPFilter 3.4.6 on a FreeBSD 3.4-RELEASE box

Hi guys. I am running IPFilter on a fbsd 3.4-RELEASE box with ipnat. After about 5 days or so, the box refuses all TCP connections. I am more willing to bet on various "noise" effects rather than any known problem, but I am curious if it was a known issue at all? (Checked archives, nothing specific on this.)

I have seen very weird errors, such as

    sshd[532]: warning: can't get client address: Connection reset by peer
    sshd[532]: error: setsockopt IPTOS_LOWDELAY: Connection reset by peer
    sshd[532]: error: setsockopt TCP_NODELAY: Connection reset by peer
    sshd[532]: error: getpeername failed: Socket is not connected
    arplookup 128.11.86.107 failed: host is not on local network

We are not on the 128 network either, which is extremely odd. Does it seem like hardware issues? Bad NIC? Bad RAM? 64 megs of RAM, using two 3Com 905B Ethernet cards, Celeron 366 or so.
    incoming rules
    0 @1 block in log quick from any to any with short
    0 @2 block in log quick from any to any with opt lsrr
    0 @3 block in log quick from any to any with opt ssrr
    0 @4 pass in on lo0 from any to any
    64 @5 block in log on xl0 from any to any
    1 @6 pass in quick on xl0 proto tcp from any to 63.86.70.80/28 port = 22 flags S/0xff keep state
    0 @7 pass in quick on xl0 proto tcp from any to any port = 20 keep state
    0 @8 pass in quick on xl0 proto tcp from any port = 20 to any port > 1023 keep state
    4 @9 block return-rst in log on xl0 proto tcp from any to any flags S/SA
    0 @10 block return-icmp in log on xl0 proto udp from any to any
    outgoing rules
    0 @1 pass out on lo0 from any to any
    977 @2 block out log on xl0 from any to any
    977 @3 pass out on xl0 proto tcp/udp from any to any keep state
    0 @4 pass out on xl0 proto icmp from any to any keep state

Do you guys see anything weird? pstat -T, netstat -m, all show up A.O.K. (nmbclusters at 4096, not even close to max usage).

    maxusers = 128
    #pseudo-device  bpfilter        4       #Berkeley packet filter
    options         IPFILTER                #kernel ipfilter support
    options         IPFILTER_LOG            #ipfilter logging
    options         TCP_DROP_SYNFIN         #drop TCP packets with SYN+FIN
    options         TCP_RESTRICT_RST        #restrict emission of TCP RST
    options         "ICMP_BANDLIM"
    options         NMBCLUSTERS=4096

I did comment out the Berkeley packet filter. Almost everything else is the same; these are the only interesting kernel switches. It only runs sshd and ipnat. If everything "seems" OK, I am going to assume hardware problems. I have used natd before and never experienced problems. This is my first run with ipfilter in a production environment, and I am experiencing some issues. I am more likely to blame it on hardware over ipfilter in itself. So just curious if my configuration "looks" fishy or prone to some kind of "self-inflicted" DoS. :) The box just randomly starts denying all TCP connects or rejecting them as if it was in a DoS. My guess is bad hardware causing a bad memory address write.
I will try running natd on it later to see if there is a difference. Thanks in advance, guys!

-Carroll Kong
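An added example, not part of the post or of IPFilter: a small syslog checker that spots the two symptom patterns quoted above (an accepted sshd connection that immediately fails every socket call, and kernel arplookup failures for hosts outside the box's own prefix) so the degraded state can be alerted on before the box stops answering. The hostname, timestamps and the 63.86.70.83 line in the sample log are constructed; the local prefix 63.86.70.80/28 is taken from rule @6.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample lines (hostname "fw" and timestamps are made up) modelled
# on the sshd and arplookup messages quoted in the post.
SAMPLE_LOG = """\
Jun 30 03:12:01 fw sshd[532]: warning: can't get client address: Connection reset by peer
Jun 30 03:12:01 fw sshd[532]: error: setsockopt IPTOS_LOWDELAY: Connection reset by peer
Jun 30 03:12:01 fw sshd[532]: error: setsockopt TCP_NODELAY: Connection reset by peer
Jun 30 03:12:01 fw sshd[532]: error: getpeername failed: Socket is not connected
Jun 30 03:12:07 fw /kernel: arplookup 128.11.86.107 failed: host is not on local network
Jun 30 03:12:09 fw /kernel: arplookup 63.86.70.83 failed: host is not on local network
Jun 30 03:15:40 fw sshd[540]: Accepted publickey for ck from 24.3.219.36 port 1022
"""

SYSLOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                       r"(?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
SOCKET_ERR_RE = re.compile(r"Connection reset by peer|getpeername failed|Socket is not connected")
ARP_RE = re.compile(r"arplookup (?P<ip>\d+\.\d+\.\d+\.\d+) failed: host is not on local network")

def analyze(log_text, local_nets, sshd_err_threshold=3):
    """Return human-readable findings for the failure patterns described above."""
    nets = [ipaddress.ip_network(n) for n in local_nets]
    sshd_errs = defaultdict(int)          # sshd pid -> number of socket-level errors
    foreign_arp, local_arp = [], []
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        prog, pid, msg = m["prog"], m["pid"], m["msg"]
        if prog == "sshd" and SOCKET_ERR_RE.search(msg):
            sshd_errs[pid] += 1
        a = ARP_RE.search(msg)
        if a:
            ip = ipaddress.ip_address(a["ip"])
            # Kernel says the host is not local; check that against our own idea of "local".
            (local_arp if any(ip in n for n in nets) else foreign_arp).append(str(ip))
    findings = []
    for pid, n in sshd_errs.items():
        if n >= sshd_err_threshold:   # one connection failing every call, as in the post
            findings.append(f"sshd[{pid}]: {n} socket errors on one accepted connection")
    for ip in foreign_arp:            # ARP resolution attempted for an address we do not own
        findings.append(f"arplookup for {ip}, which is outside {local_nets}")
    for ip in local_arp:              # kernel disagrees with the configured prefix: route/iface/memory trouble
        findings.append(f"arplookup failed for {ip} although it is inside {local_nets}")
    return findings

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG, ["63.86.70.80/28"]):
        print(f)
```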