Date:      Wed, 26 Sep 2001 16:14:52 +0200
From:      Eric Masson <e-masson@kisoft-services.com>
To:        Mailing List IPFilter <ipfilter@coombs.anu.edu.au>
Cc:        Mailing List FreeBSD Hackers <freebsd-hackers@FreeBSD.org>
Subject:   FreeBSD 4.4-RELEASE & ipf 3.4.20 freeze
Message-ID:  <86g09aqbs3.fsf@notbsdems.nantes.kisoft-services.com>

Hello,

Since I installed my DSL gateway with FreeBSD 4.4-RELEASE, the DSL link
freezes every 24 hours, more or less; no more traffic is possible at that
point.

Setup is the following:
ed0: link to internal lan
ed1: link to Alcatel SpeedTouch Home, no ip configuration
tun0: link brought up by ppp(8) to the Internet.

I've tried with both ppp integrated nat and ipnat, and the problem
lasts.

Output results given here were made with ppp(8) nat.

netstat -i takes a long time (1 minute) to give a result after the line
with tun0.

Ipfilter and Netgraph are loaded from /boot/loader.conf

Here are the relevant files and outputs:

## kernel config

#
# $FreeBSD: src/sys/i386/conf/GENERIC,v 1.246.2.20 2000/10/31 23:16:07 n_hibma Exp $

machine		i386
cpu		I486_CPU
ident		IBMPS1
maxusers	64

makeoptions	DEBUG=-g		#Build kernel with gdb(1) debug symbols

options 	INET			# InterNETworking
options 	FFS			# Berkeley Fast Filesystem
options 	FFS_ROOT		# FFS usable as root device [keep this!]
options 	NFS			# Network Filesystem
options 	NFS_NOSERVER		# Network Filesystem server disabled
options 	PROCFS			# Process filesystem
options 	COMPAT_43		# Compatible with BSD 4.3 [KEEP THIS!]
options 	USERCONFIG		# boot -c editor
options		ICMP_BANDLIM		# Rate limit bad replies
options 	KBD_INSTALL_CDEV	# install a CDEV entry in /dev

# Isa bus
device		isa

# Floppy drives
device		fdc0	at isa? port IO_FD1 irq 6 drq 2
device		fd0	at fdc0 drive 0

# ATA and ATAPI devices
device		ata0	at isa? port IO_WD1 irq 14
device		atadisk			# ATA disk drives
device		atapicd			# ATAPI CDROM drives

# Console control
device		atkbdc0	at isa? port IO_KBD
device		atkbd0	at atkbdc? irq 1 flags 0x1
device		psm0	at atkbdc? irq 12
device		vga0	at isa?
device		sc0	at isa? flags 0x100

# Floating point support - do not disable.
device		npx0	at nexus? port IO_NPX irq 13

# Serial (COM) ports
device		sio0	at isa? port IO_COM1 flags 0x10 irq 4
device		sio1	at isa? port IO_COM2 irq 3

# ISA Ethernet NICs
device		miibus
device		ed0	at isa? port 0x280 irq 5
device		ed1	at isa? port 0x300 irq 10

# Pseudo devices - the number indicates how many units to allocated.
pseudo-device	loop		# Network loopback
pseudo-device	ether		# Ethernet support
pseudo-device	tun		# Packet tunnel.
pseudo-device	pty		# Pseudo-ttys (telnet etc)
pseudo-device	bpf		# Berkeley packet filter
pseudo-device	vn		# Vnode driver

## ppp.conf

default:
 set log Phase tun command
 set ifaddr 10.0.0.1/0 10.0.0.2/0
    
teaser:
 set device PPPoE:ed1
 set authname xxxxxxx
 set authkey yyyyyy
 set dial
 set login
 add default HISADDR

## ppp.linkup

# Refresh Ipfilter
MYADDR:
 !bg /sbin/ipf -y

## ipf.rules

# Malformed/suspect packets on all interfaces are blocked

block	in  log quick all with opt lsrr
block	in  log quick all with opt ssrr
block	in  log quick all with ipopts
block	in  log quick proto tcp all with short
block	in  log quick proto icmp all with frag

# No restrictions on local interface

pass	in      quick on lo0 all
pass	out     quick on lo0 all

# External interface

block	in            on tun0 all
pass	in      quick on tun0 proto tcp  from any to 193.56.60.242 port = 22 flags S keep state

block	out           on tun0 all
pass	out     quick on tun0 proto tcp  from 192.168.1.0/24   to any flags S keep state keep frags
pass	out     quick on tun0 proto udp  from 192.168.1.0/24   to any         keep state
pass	out     quick on tun0 proto icmp from 192.168.1.0/24   to any         keep state
pass	out     quick on tun0 proto tcp  from 193.56.60.242/32 to any flags S keep state keep frags
pass	out     quick on tun0 proto udp  from 193.56.60.242/32 to any         keep state
pass	out     quick on tun0 proto icmp from 193.56.60.242/32 to any         keep state

# External support interface

pass	in            on ed1 all

block	in  log quick on ed1 proto tcp  all
block	in  log quick on ed1 proto udp  all
block	in  log quick on ed1 proto icmp all

pass	out           on ed1 all

block	out log quick on ed1 proto tcp  all
block	out log quick on ed1 proto udp  all
block	out log quick on ed1 proto icmp all

# Internal interface

pass	in            on ed0 all

block	in      quick on ed0 proto tcp/udp from any to any port = 137
block	in      quick on ed0 proto tcp/udp from any to any port = 138
block	in      quick on ed0 proto tcp/udp from any to any port = 139
block	in      quick on ed0 proto tcp/udp from any port = 137 to any
block	in      quick on ed0 proto tcp/udp from any port = 138 to any
block	in      quick on ed0 proto tcp/udp from any port = 139 to any

pass	out           on ed0 all

## uname -a

FreeBSD rtrbsdnantsr.nantes.kisoft-services.com 4.4-RELEASE FreeBSD 4.4-RELEASE #0: Fri Sep 21 23:03:29 CEST 2001     emss@rtrbsdnantsr.nantes.kisoft-services.com:/usr/src/sys/compile/IBMPS1  i386

## ifconfig -a

ed0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	inet 192.168.1.15 netmask 0xffffff00 broadcast 192.168.1.255
	ether 52:54:40:25:96:c8 
ed1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	ether 52:54:40:25:a4:72 
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
	inet 127.0.0.1 netmask 0xff000000 
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1492
	inet 193.56.60.242 --> 194.206.78.3 netmask 0xffffff00 
	Opened by PID 102

## netstat -rn

Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            194.206.78.3       UGSc        1   161638   tun0
127.0.0.1          127.0.0.1          UH          0        4    lo0
192.168.1          link#1             UC          2        0    ed0
192.168.1.1        0:60:8c:95:c5:e    UHLW        0       48    ed0    948
192.168.1.21       0:80:c8:8d:14:b3   UHLW        1      117    ed0   1120
194.206.78.3       193.56.60.242      UH          1        0   tun0

## netstat -i

Name  Mtu   Network       Address            Ipkts Ierrs    Opkts Oerrs  Coll
ed0   1500  <Link#1>    52:54:40:25:96:c8   164872     0   120153     0    13
ed0   1500  192.168.1     rtrbsdnantsr         271     -      908     -     -
ed1   1500  <Link#2>    52:54:40:25:a4:72   125802     0   167462     0     5
lo0   16384 <Link#3>                             4     0        4     0     0
lo0   16384 127           localhost              4     -        4     -     -
tun0  1492  <Link#4>                        119257     0   160918     0     0
tun0  1492  193.56.60     193.56.60.242          4     -        2     -     -

## netstat -s -p ip

ip:
	284481 total packets received
	0 bad header checksums
	0 with size smaller than minimum
	0 with data size < data length
	0 with ip length > max ip packet size
	0 with header length < data size
	0 with data length < header length
	0 with bad options
	0 with incorrect version number
	0 fragments received
	0 fragments dropped (dup or out of space)
	0 fragments dropped after timeout
	0 packets reassembled ok
	476 packets for this host
	2 packets for unknown/unsupported protocol
	280464 packets forwarded (0 packets fast forwarded)
	731 packets not forwardable
	0 packets received for unknown multicast group
	0 redirects sent
	1075 packets sent from this host
	0 packets sent with fabricated ip header
	0 output packets dropped due to no bufs, etc.
	0 output packets discarded due to no route
	0 output datagrams fragmented
	0 fragments created
	0 datagrams that can't be fragmented
	0 tunneling packets that can't find gif
	0 datagrams with bad address in header

## ipf -V

ipf: IP Filter: v3.4.20 (264)
Kernel: IP Filter: v3.4.20              
Running: yes
Log Flags: 0 = none set
Default: pass all, Logging: available
Active list: 0

## ipfstat

 input packets:		blocked 2822 passed 281883 nomatch 0 counted 0 short 0
output packets:		blocked 728 passed 281719 nomatch 0 counted 0 short 0
 input packets logged:	blocked 0 passed 0
output packets logged:	blocked 0 passed 0
 packets logged:	input 0 output 0
 log failures:		input 0 output 0
fragment state(in):	kept 0	lost 0
fragment state(out):	kept 0	lost 0
packet state(in):	kept 2	lost 0
packet state(out):	kept 968	lost 0
ICMP replies:	0	TCP RSTs sent:	0
Invalid source(in):	0
Result cache hits(in):	2533	(out):	949
IN Pullups succeeded:	0	failed:	0
OUT Pullups succeeded:	0	failed:	0
Fastroute successes:	0	failures:	0
TCP cksum fails(in):	0	(out):	0
Packet log flags set: (0)
	none

## ipfstat -io

pass out quick on lo0 from any to any
block out on tun0 from any to any
pass out quick on tun0 proto tcp from 192.168.1.0/24 to any flags S/FSRPAU keep state keep frags
pass out quick on tun0 proto udp from 192.168.1.0/24 to any keep state
pass out quick on tun0 proto icmp from 192.168.1.0/24 to any keep state
pass out quick on tun0 proto tcp from 193.56.60.242/32 to any flags S/FSRPAU keep state keep frags
pass out quick on tun0 proto udp from 193.56.60.242/32 to any keep state
pass out quick on tun0 proto icmp from 193.56.60.242/32 to any keep state
pass out on ed1 from any to any
block out log quick on ed1 proto tcp from any to any
block out log quick on ed1 proto udp from any to any
block out log quick on ed1 proto icmp from any to any
pass out on ed0 from any to any
block in log quick from any to any with opt lsrr
block in log quick from any to any with opt ssrr
block in log quick from any to any with ipopt
block in log quick proto tcp from any to any with short
block in log quick proto icmp from any to any with frag
pass in quick on lo0 from any to any
block in on tun0 from any to any
pass in quick on tun0 proto tcp from any to 193.56.60.242/32 port = 22 flags S/FSRPAU keep state
pass in on ed1 from any to any
block in log quick on ed1 proto tcp from any to any
block in log quick on ed1 proto udp from any to any
block in log quick on ed1 proto icmp from any to any
pass in on ed0 from any to any
block in quick on ed0 proto tcp/udp from any to any port = netbios-ns
block in quick on ed0 proto tcp/udp from any to any port = netbios-dgm
block in quick on ed0 proto tcp/udp from any to any port = netbios-ssn
block in quick on ed0 proto tcp/udp from any port = netbios-ns to any
block in quick on ed0 proto tcp/udp from any port = netbios-dgm to any
block in quick on ed0 proto tcp/udp from any port = netbios-ssn to any

## ipnat -slv

mapped	in	0	out	0
added	0	expired	0
no memory	0	bad nat	0
inuse	0
rules	0
wilds	0
table 0xbfbffafc list 0x0
List of active MAP/Redirect filters:

List of active sessions:

List of active host mappings:


Regards

Eric Masson

-- 
Warning: file "/home/emss/misc/fortune/En_sig.dat" unreadable
Warning: file "/home/emss/misc/fortune/Fr_sig.dat" unreadable
I really need to sort out this signature problem :)

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
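The following is an added example, not part of Eric's message or of the IPFilter project: a small Python model of how IPFilter walks a ruleset (every matching rule overrides the current verdict, the first matching `quick` rule ends the walk, and a packet that matches nothing gets the default verdict, which `ipf -V` above reports as "pass all"), run against the ipf.rules posted above. It is a static first-packet model: `flags`, `keep state`, `keep frags` and `log` are parsed but ignored, and `with ...` options are matched against a set of attribute names carried by the packet. The external addresses in the samples (198.51.100.x) are constructed documentation values. Reviewing a ruleset this way shows, for instance, that the `pass in on ed1 all` rule followed by three protocol-specific quick blocks leaves IP protocols other than TCP, UDP and ICMP passed on ed1.

```python
import ipaddress

# Ruleset copied verbatim from the ipf.rules section of the post (whitespace normalized).
RULES_TEXT = """
block in log quick all with opt lsrr
block in log quick all with opt ssrr
block in log quick all with ipopts
block in log quick proto tcp all with short
block in log quick proto icmp all with frag
pass in quick on lo0 all
pass out quick on lo0 all
block in on tun0 all
pass in quick on tun0 proto tcp from any to 193.56.60.242 port = 22 flags S keep state
block out on tun0 all
pass out quick on tun0 proto tcp from 192.168.1.0/24 to any flags S keep state keep frags
pass out quick on tun0 proto udp from 192.168.1.0/24 to any keep state
pass out quick on tun0 proto icmp from 192.168.1.0/24 to any keep state
pass out quick on tun0 proto tcp from 193.56.60.242/32 to any flags S keep state keep frags
pass out quick on tun0 proto udp from 193.56.60.242/32 to any keep state
pass out quick on tun0 proto icmp from 193.56.60.242/32 to any keep state
pass in on ed1 all
block in log quick on ed1 proto tcp all
block in log quick on ed1 proto udp all
block in log quick on ed1 proto icmp all
pass out on ed1 all
block out log quick on ed1 proto tcp all
block out log quick on ed1 proto udp all
block out log quick on ed1 proto icmp all
pass in on ed0 all
block in quick on ed0 proto tcp/udp from any to any port = 137
block in quick on ed0 proto tcp/udp from any to any port = 138
block in quick on ed0 proto tcp/udp from any to any port = 139
block in quick on ed0 proto tcp/udp from any port = 137 to any
block in quick on ed0 proto tcp/udp from any port = 138 to any
block in quick on ed0 proto tcp/udp from any port = 139 to any
pass out on ed0 all
"""

# Words carrying no match data in this static model (value = tokens to skip); flags/state/frags ignored.
SKIP = {"log": 1, "all": 1, "quick": 1, "flags": 2, "keep": 2}

def parse_rule(text):
    """Parse one rule line (only the subset of ipf(5) syntax the post uses)."""
    toks = text.split()
    r = {"text": text, "action": toks[0], "dir": toks[1], "quick": False, "iface": None,
         "proto": None, "src": "any", "sport": None, "dst": "any", "dport": None, "with": set()}
    i = 2
    while i < len(toks):
        t = toks[i]
        if t in SKIP:
            r["quick"] |= t == "quick"
            i += SKIP[t]
        elif t in ("on", "proto"):
            r["iface" if t == "on" else "proto"] = toks[i + 1]
            i += 2
        elif t in ("from", "to"):                   # "from X [port = N]", "to X [port = N]"
            side = "src" if t == "from" else "dst"
            r[side] = toks[i + 1]
            i += 2
            if i < len(toks) and toks[i] == "port":
                r["sport" if side == "src" else "dport"] = int(toks[i + 2])
                i += 3
        elif t == "with":                           # "with opt lsrr" or "with ipopts"
            opt = toks[i + 1] == "opt"
            r["with"].add(toks[i + 2] if opt else toks[i + 1])
            i += 3 if opt else 2
        else:
            raise ValueError(f"unsupported token {t!r} in rule: {text}")
    return r

def in_net(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def matches(r, p):
    """True when every constraint the rule states holds for the packet."""
    return (r["dir"] == p["dir"] and r["iface"] in (None, p["iface"])
            and (r["proto"] is None or p["proto"] in r["proto"].split("/"))
            and in_net(r["src"], p["src"]) and in_net(r["dst"], p["dst"])
            and r["sport"] in (None, p["sport"]) and r["dport"] in (None, p["dport"])
            and r["with"] <= p["with"])

def evaluate(rules, p, default="pass"):          # default "pass", as `ipf -V` reports above
    """Walk the ruleset: last match wins, a matching `quick` rule ends the walk.
    Returns (verdict, index of the deciding rule); the index is None when nothing matched."""
    verdict, deciding = default, None
    for idx, r in enumerate(rules):
        if matches(r, p):
            verdict, deciding = r["action"], idx
            if r["quick"]:
                break
    return verdict, deciding

RULES = [parse_rule(line) for line in RULES_TEXT.strip().splitlines()]

def packet(direction, iface, proto, src, dst, sport=None, dport=None, with_=()):
    """Constructed packet description; the 198.51.100.x addresses used with it are samples."""
    return {"dir": direction, "iface": iface, "proto": proto, "src": src, "dst": dst,
            "sport": sport, "dport": dport, "with": set(with_)}

if __name__ == "__main__":
    for p in (packet("in", "tun0", "tcp", "198.51.100.7", "193.56.60.242", 40000, 22),
              packet("in", "ed1", "gre", "198.51.100.9", "192.168.1.15")):
        verdict, idx = evaluate(RULES, p)
        print(verdict, RULES[idx]["text"] if idx is not None else "(default, no rule matched)")
```

The returned index identifies the rule that decided the verdict, which is the piece of information a ruleset review needs: an inbound SYN to port 22 on tun0 is first caught by `block in on tun0 all` and then overridden by the quick pass rule that follows it, while an inbound packet to any other port on tun0 ends with the block verdict because nothing later overrides it.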