From: "Patrick O'Reilly" <patrick@mip.co.za>
To: "FreeBSD Question List" <freebsd-questions@freebsd.org>
Subject: ipfw and dummynet - packets getting into tight loops, or what?
Date: Tue, 29 Jan 2002 13:58:23 +0200

Hi all.

I have something which goes against everything I've ever seen ipfw and dummynet doing before. If you've seen this before, please help!

Here is part of my firewall ruleset, as shown by 'ipfw show':

----------------------------------
01000    30954    18484949 divert 8660 ip from any to any via xl0
01000   101831    17836728 divert 8661 ip from any to any via xl1
10010 50595268 38817317697 pipe 110 tcp from any to x.x.x.10 25 out xmit xl1
10011  1921940   103490898 pipe 110 tcp from any 25 to x.x.x.10 out xmit xl1
10012     2723      123257 pipe 111 tcp from x.x.x.10 25 to any in recv xl1
10013      383      305398 pipe 111 tcp from x.x.x.10 to any 25 in recv xl1
----------------------------------

The thing I'm worried about is that huge volume through rule 10010. 38Gb accumulated in about 15 minutes!!!

And that's through a pipe that is set as follows:

----------------------------------
${fwcmd} pipe 110 config bw 16Kbit/s
----------------------------------

The sum total of traffic through ALL other rules during the same period was only about 65Mb, but it reports 38Gb through that one rule.

To fill in the picture a bit:

* The server is our internet gateway and firewall.
* xl0 is the NIC attached to the exterior router.
* xl1 is the NIC attached to the DMZ, where the mail server resides.
* The Mail Server is Exchange on NT.
* I'm running natd on both interfaces because I have some "redirect_address" directives which need to work from the outside as well as from the DMZ.
* The host has a further 4 interfaces (1 NIC and 3 X.21 ports) attaching to our private networks. None of these interfaces showed this kind of behaviour.

It looks like that 38Gb of data appeared out of thin air!

I have changed the rule to a simple "ipfw add 10010 allow tcp ...." and now it behaves the way I would expect. But I need to make use of the DUMMYNET pipe for bandwidth restriction.

Help! :-/

Regards,
Patrick.
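The post's own sanity check (a counter far larger than the pipe's configured bandwidth could have passed in the sampling window) can be automated, which is handy when a dummynet ruleset has dozens of pipes. The script below is an added example, not code from the post or from FreeBSD; it parses the 'ipfw show' fragment and the 'pipe ... config bw' line quoted above (embedded here as constructed sample input, with the ${fwcmd} prefix dropped), converts the bandwidth to bytes per second, and flags every pipe rule whose byte counter exceeds what the pipe could carry in a given number of seconds. Assumptions: the counters were cleared about 15 minutes (900 s) before the snapshot, as the post states; dummynet scales K/M by 1000 and Byte units by 8, as ipfw's bandwidth parser does; pipe 111 is skipped because its configuration is not shown. The 5% slack and the helper names are the example's own choices.

```python
import re

# Constructed sample: the 'ipfw show' fragment quoted in the post.
IPFW_SHOW = """\
01000 30954 18484949 divert 8660 ip from any to any via xl0
01000 101831 17836728 divert 8661 ip from any to any via xl1
10010 50595268 38817317697 pipe 110 tcp from any to x.x.x.10 25 out xmit xl1
10011 1921940 103490898 pipe 110 tcp from any 25 to x.x.x.10 out xmit xl1
10012 2723 123257 pipe 111 tcp from x.x.x.10 25 to any in recv xl1
10013 383 305398 pipe 111 tcp from x.x.x.10 to any 25 in recv xl1
"""

# Constructed sample: the pipe configuration from the post, ${fwcmd} stripped.
# Only pipe 110 is shown there; pipe 111 has no known bandwidth and is not checked.
PIPE_CONFIG = """\
pipe 110 config bw 16Kbit/s
"""

# Assumption: K and M scale by 1000/1000000 and Byte units are 8x bit units,
# matching the way ipfw(8) reads the 'bw' argument.
_BW_RE = re.compile(r"bw\s+(\d+(?:\.\d+)?)\s*([KM]?)(bit|Byte)/s", re.I)
# rule number, packet count, byte count, action word, optional numeric argument
_RULE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\S+)(?:\s+(\d+))?")


def parse_bandwidth(text):
    """Return the configured bandwidth in bytes per second, or None if absent."""
    m = _BW_RE.search(text)
    if not m:
        return None
    value, scale, unit = m.groups()
    bits = float(value) * {"": 1, "K": 1000, "M": 1000000}[scale.upper()]
    if unit.lower() == "byte":
        bits *= 8
    return bits / 8


def parse_pipes(config_text):
    """Map pipe number -> bytes/s for every 'pipe N config bw ...' line."""
    pipes = {}
    for line in config_text.splitlines():
        m = re.match(r"^\s*pipe\s+(\d+)\s+config\b", line)
        if m:
            bw = parse_bandwidth(line)
            if bw is not None:
                pipes[int(m.group(1))] = bw
    return pipes


def parse_show(show_text):
    """Turn 'ipfw show' lines into dicts with rule, counters, action and argument."""
    rules = []
    for line in show_text.splitlines():
        m = _RULE_RE.match(line)
        if not m:
            continue
        rule, pkts, nbytes, action, arg = m.groups()
        rules.append({"rule": int(rule), "packets": int(pkts),
                      "bytes": int(nbytes), "action": action,
                      "arg": int(arg) if arg else None})
    return rules


def pipe_capacity(bw_bytes_per_s, seconds):
    """Most bytes a pipe could have passed in 'seconds' at its configured rate."""
    return int(bw_bytes_per_s * seconds)


def check_counters(show_text, pipe_text, seconds, slack=1.05):
    """Return pipe rules whose byte counter exceeds the pipe's capacity (plus slack)."""
    pipes = parse_pipes(pipe_text)
    suspicious = []
    for r in parse_show(show_text):
        if r["action"] != "pipe" or r["arg"] not in pipes:
            continue  # not a pipe rule, or the pipe's bandwidth is unknown
        cap = pipe_capacity(pipes[r["arg"]], seconds)
        if r["bytes"] > cap * slack:
            suspicious.append({"rule": r["rule"], "pipe": r["arg"],
                               "bytes": r["bytes"], "capacity": cap,
                               "ratio": r["bytes"] / cap})
    return suspicious


if __name__ == "__main__":
    for hit in check_counters(IPFW_SHOW, PIPE_CONFIG, seconds=15 * 60):
        print("rule %(rule)d via pipe %(pipe)d: %(bytes)d bytes, "
              "pipe could pass at most %(capacity)d (%(ratio).0fx over)" % hit)
```

Against the quoted snapshot the check flags rule 10010 (tens of thousands of times what a 16 Kbit/s pipe could pass in 15 minutes) and also rule 10011, whose 103 MB through the same pipe is well over the 1.8 MB ceiling; rules on pipe 111 are skipped for lack of a configured bandwidth. On a live box, feed it the output of 'ipfw show' and 'ipfw pipe show' taken a known interval after 'ipfw zero', so the window length is not a guess.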