Date: Thu, 7 May 1998 15:49:03 +0000 (GMT)
From: Chris Fanning <cfanning@jingoro.prevmed.sunysb.edu>
To: freebsd-net@FreeBSD.ORG
Subject: MBUFs and IPFW revisited
Message-ID: <199805071549.PAA05805@jingoro.prevmed.sunysb.edu>

Two questions, but first some history.

A few days ago I wrote about running out of mbuf clusters. I think because of some attack. In any case, I configured my kernel for ipfw and set it up to deny fragmented packets and pings (fragmented pings pass through the "frag" rule??). This blocked the garbage from getting as far as my valuable mbuf clusters and I'm back to pause-free operation...

However, I now have very few mbuf clusters! I have:

    options "NMBCLUSTERS=1024"

in my config file and have tried:

    options NMBCLUSTERS=1024

as well, which comes from LINT. Before I configured ipfw, I had 1024 clusters and after, only 100something. I'm not about to compile another kernel w/o ipfw to see if this is the cause because at present I really need it. :)

1. So, the question becomes, does configuring ipfw into the kernel change the behavior of NMBCLUSTERS or reset it somewhere?

As an aside, from tcpdump I'm getting LOTS of entries like:

    15:42:14.989641 150.66.64.10 > 129.49.123.10: (frag 31221:1480@1480+)
    15:42:14.990925 202.25.238.1 > 129.49.123.10: (frag 26973:1480@22200+)
    15:42:15.010306 202.236.112.2 > 129.49.123.10: (frag 54785:1480@7400+)
    15:42:15.083450 150.66.64.10 > 129.49.123.10: (frag 31221:1480@2960+)
    15:42:15.084686 202.25.238.1 > 129.49.123.10: (frag 26973:1480@39960+)
    15:42:15.090866 202.25.238.1 > 129.49.123.10: (frag 26973:1480@41440+)
    15:42:15.110137 202.25.238.1 > 129.49.123.10: (frag 26973:1480@45880+)
    15:42:15.118523 202.25.238.1 > 129.49.123.10: (frag 26973:1480@47360+)
    15:42:15.129750 202.25.238.1 > 129.49.123.10: (frag 26973:1480@48840+)
    15:43:14.373910 148.161.33.10 > 129.49.123.10: icmp: echo request (frag 51997:1480@0+)
    15:43:14.427491 150.66.64.10 > 129.49.123.10: icmp: echo request (frag 31339:1480@0+)

with:

    tcpdump -n -c 20 -p host not 129.49.123.9

2. This is an attack, yes?

The only problem I have with this is that I can't see this traffic with a sniffer on another machine (not plugged into the same hub). So unless someone slipped a switch under my nose I'm starting to believe Jingoro's becoming schizophrenic.

Chris

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
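
An added example, not part of the original message: a small Python parser for the `(frag id:size@offset+)` notation in the tcpdump output above, grouping fragments into per-datagram trains and listing those that could not be reassembled from what was captured. The function names and the grouping key are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Fragment lines copied from the tcpdump output quoted in the message above.
SAMPLE = """\
15:42:14.989641 150.66.64.10 > 129.49.123.10: (frag 31221:1480@1480+)
15:42:14.990925 202.25.238.1 > 129.49.123.10: (frag 26973:1480@22200+)
15:42:15.010306 202.236.112.2 > 129.49.123.10: (frag 54785:1480@7400+)
15:42:15.083450 150.66.64.10 > 129.49.123.10: (frag 31221:1480@2960+)
15:42:15.084686 202.25.238.1 > 129.49.123.10: (frag 26973:1480@39960+)
15:42:15.090866 202.25.238.1 > 129.49.123.10: (frag 26973:1480@41440+)
15:42:15.110137 202.25.238.1 > 129.49.123.10: (frag 26973:1480@45880+)
15:42:15.118523 202.25.238.1 > 129.49.123.10: (frag 26973:1480@47360+)
15:42:15.129750 202.25.238.1 > 129.49.123.10: (frag 26973:1480@48840+)
15:43:14.373910 148.161.33.10 > 129.49.123.10: icmp: echo request (frag 51997:1480@0+)
15:43:14.427491 150.66.64.10 > 129.49.123.10: icmp: echo request (frag 31339:1480@0+)
"""

# tcpdump prints (frag id:size@offset), with a trailing "+" when the
# More Fragments bit is set, i.e. this is not the last fragment.
FRAG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) > (?P<dst>[\d.]+):.*"
    r"\(frag (?P<id>\d+):(?P<size>\d+)@(?P<off>\d+)(?P<mf>\+?)\)")

def summarize(text):
    """Group fragments by (src, dst, IP id). The protocol is not printed for
    non-first fragments, so it is left out of the key (an assumption)."""
    trains = defaultdict(lambda: {"frags": 0, "bytes": 0, "first": False,
                                  "last": False, "max_end": 0})
    for line in text.splitlines():
        m = FRAG_RE.match(line.strip())
        if not m:
            continue  # not a fragment line
        t = trains[(m["src"], m["dst"], int(m["id"]))]
        off, size = int(m["off"]), int(m["size"])
        t["frags"] += 1
        t["bytes"] += size
        t["first"] |= off == 0        # offset 0 carries the transport header
        t["last"] |= m["mf"] == ""    # no "+" means final fragment
        t["max_end"] = max(t["max_end"], off + size)
    return dict(trains)

def incomplete(trains):
    """Keys of trains missing the first or last fragment, or with byte gaps."""
    return sorted(k for k, t in trains.items()
                  if not t["first"] or not t["last"] or t["bytes"] < t["max_end"])
```

Every train in this 20-packet sample comes out incomplete, which a capture that short cannot distinguish from ordinary truncation; run over a longer capture, trains that never receive a final fragment are the ones that hold reassembly buffers until they time out.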