Date:      Sat, 12 Feb 2005 03:58:07 +1030
From:      Martin Minkus <diskiller@diskiller.net>
To:        <stable@freebsd.org>
Subject:   FW: 5.3-Stable network issue
Message-ID:  <BE332F4F.18B93%diskiller@diskiller.net>
In-Reply-To: <BE3174EB.18AC8%diskiller@diskiller.net>

Is there some coincidence that rl1 is at irq 11 and is the card that has
problems?

diablo:/usr/src# dmesg |grep 11
Timecounter "i8254" frequency 1193182 Hz quality 0
pci_cfgintr: 0:11 INTA BIOS irq 11
pci_cfgintr: 0:7 INTD routed to irq 11
rl1: <RealTek 8139 10/100BaseTX> port 0xe800-0xe8ff mem 0xd7001000-0xd70010ff irq 11 at device 11.0 on pci0
diablo:/usr/src#


------ Forwarded Message
From: Martin Minkus <diskiller@diskiller.net>
Date: Thu, 10 Feb 2005 20:30:35 +1030
To: <stable@freebsd.org>
Subject: 5.3-Stable network issue

I seem to have been having a rather strange networking issue in FreeBSD
5.3-Stable (it started happening immediately after 5.2.1 and has persisted
since.. I keep "hoping" that next time I cvsup it will be fixed, but no).

I downgraded back to 5.2.1-p13 and it is perfectly fine once again.


*** Some background information:

My FreeBSD box is my home NAT router, server, firewall, etc. It does DHCP,
MX for some of my domains, secondary DNS (I got primary elsewhere), apache
for some webhosting, blah blah blah. Nothing really special. It is a Dual
PIII-500, 512mb ram, and a couple ATA hdd's. Had 3 realtek network
interfaces, but down to 2 now.

*** The problem:

Networking simply "stops" or "locks up". Why, I don't know. I believe
initially it happened for all 3 network cards... I thought tcp/ip processing
or something in the kernel got locked. It happens every 30 minutes to an
hour, and lasts about 60 seconds to 120 seconds. Unfortunately, 60 seconds
to 120 seconds is long enough to kill messenger (my gf does not like),
online gaming, etc etc.

Lately, I had taken one of the realtek cards out (it was for a several km
long wireless link) and moved the server to my gf's place (where I am now
100% of the time). So now that I have the server locally and rely on it for
my internet connection, this has become a real PAIN.

I've noticed that I can remain ssh'd into diablo, do whatever I want while
this "lock" issue occurs. So the lan interface rl0 is fine. The internet
interface, rl1 (which goes to the cable modem) locks up. (btw, it's not the
cable modem as I am using my gf's now, and it did this at my place on my
cable modem too, which is a different brand. Nortel at my place, motorola at
my gfs).

*** Attempts:

I've attempted switching out network cards, and placed 3 other realtek cards
in. Different brands, all with different revisions (D instead of B, etc,
etc).

No matter what I try, nothing fixes it. The machine seems perfectly
responsive, and I am still ssh'd in and can do whatever I want on it... But
the network card going to the cable modem has stopped responding?!

This never happened during 5.0-Current all throughout 5.2.1-STABLE, but
anywhere beyond 5.2.1 it craps itself.


*** Dmesg output:

Copyright (c) 1992-2004 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
        The Regents of the University of California. All rights reserved.
FreeBSD 5.2.1-RELEASE-p13 #2: Thu Feb 10 18:39:33 CST 2005
    diskiller@diablo.diskiller.net:/junk/obj/junk/src/sys/DIABLO
Preloaded elf kernel "/boot/kernel/kernel" at 0xc076c000.
MPTable: <OEM00000 PROD00000000>
Timecounter "i8254" frequency 1193182 Hz quality 0
CPU: Pentium III/Pentium III Xeon/Celeron (504.72-MHz 686-class CPU)
  Origin = "GenuineIntel"  Id = 0x673  Stepping = 3
  Features=0x387fbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,PN,MMX,FXSR,SSE>
real memory  = 536870912 (512 MB)
avail memory = 516034560 (492 MB)
FreeBSD/SMP: Multiprocessor System Detected: 2 CPUs
 cpu0 (BSP): APIC ID:  0
 cpu1 (AP): APIC ID:  1
ioapic0: Assuming intbase of 0
ioapic0 <Version 1.1> irqs 0-23 on motherboard
Pentium Pro MTRR support enabled
npx0: [FAST]
npx0: <math processor> on motherboard
npx0: INT 16 interface
pcibios: BIOS version 2.10
Using $PIR table, 7 entries at 0xc00fdcf0
pcib0: <Intel 82443BX (440 BX) host to PCI bridge> at pcibus 0 on motherboard
pci0: <PCI bus> on pcib0
pci_cfgintr: 0:10 INTA BIOS irq 10
pci_cfgintr: 0:12 INTA BIOS irq 11
agp0: <Intel 82443BX (440 BX) host to PCI bridge> mem 0xd0000000-0xd3ffffff at device 0.0 on pci0
pcib1: <PCI-PCI bridge> at device 1.0 on pci0
pci1: <PCI bus> on pcib1
isab0: <PCI-ISA bridge> at device 7.0 on pci0
isa0: <ISA bus> on isab0
atapci0: <Intel PIIX4 UDMA33 controller> port 0xf000-0xf00f at device 7.1 on pci0
ata0: at 0x1f0 irq 14 on atapci0
ata0: [MPSAFE]
ata1: at 0x170 irq 15 on atapci0
ata1: [MPSAFE]
uhci0: <Intel 82371AB/EB (PIIX4) USB controller> port 0xe000-0xe01f at device 7.2 on pci0
pci_cfgintr: 0:7 INTD routed to irq 11
usb0: <Intel 82371AB/EB (PIIX4) USB controller> on uhci0
usb0: USB revision 1.0
uhub0: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
piix0: <PIIX Timecounter> port 0x5000-0x500f at device 7.3 on pci0
Timecounter "PIIX" frequency 3579545 Hz quality 0
pci0: <display, VGA> at device 8.0 (no driver attached)
rl0: <RealTek 8139 10/100BaseTX> port 0xe400-0xe4ff mem 0xd7000000-0xd70000ff irq 10 at device 10.0 on pci0
rl0: Ethernet address: 00:00:21:f2:a5:47
miibus0: <MII bus> on rl0
rlphy0: <RealTek internal media interface> on miibus0
rlphy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
rl1: <RealTek 8139 10/100BaseTX> port 0xe800-0xe8ff mem 0xd7001000-0xd70010ff irq 11 at device 12.0 on pci0
rl1: Ethernet address: 00:40:f4:90:1c:4b
miibus1: <MII bus> on rl1
rlphy1: <RealTek internal media interface> on miibus1
rlphy1:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
orm0: <Option ROMs> at iomem 0xc8000-0xcbfff,0xc0000-0xc7fff on isa0
pmtimer0 on isa0
atkbdc0: <Keyboard controller (i8042)> at port 0x64,0x60 on isa0
atkbd0: <AT Keyboard> irq 1 on atkbdc0
kbd0 at atkbd0
fdc0: ready for input in output
fdc0: cmd 3 failed at out byte 1 of 3
sc0: <System console> at flags 0x100 on isa0
sc0: VGA <16 virtual consoles, flags=0x300>
sio0: configured irq 4 not in bitmap of probed irqs 0
sio0: port may not be enabled
sio0 at port 0x3f8-0x3ff irq 4 flags 0x10 on isa0
sio0: type 8250 or not responding
sio1: configured irq 3 not in bitmap of probed irqs 0
sio1: port may not be enabled
vga0: <Generic ISA VGA> at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0
unknown: <PNP0303> can't assign resources (port)
unknown: <PNP0c02> can't assign resources (memory)
unknown: <PNP0a03> can't assign resources (port)
Timecounters tick every 10.000 msec
ipfw2 initialized, divert enabled, rule-based forwarding enabled, default to deny, logging unlimited
GEOM: create disk ad0 dp=0xc4445260
ad0: 19569MB <WDC WD205AA-00BAA0> [39761/16/63] at ata0-master UDMA33
GEOM: create disk ad2 dp=0xc4445c60
ad2: 76319MB <ST380021A> [155061/16/63] at ata1-master UDMA33
acd0: CDRW <SONY CD-RW CRX140E> at ata1-slave PIO4
SMP: AP CPU #1 Launched!
Mounting root from ufs:/dev/ad0s1a
pid 524 (my_print_defaults), uid 88: exited on signal 11
pid 529 (my_print_defaults), uid 88: exited on signal 11
pid 544 (mysqld), uid 88: exited on signal 11
pid 700 (my_print_defaults), uid 1000: exited on signal 11 (core dumped)
diablo:~>

Dmesg output didn't look particularly different in 5.3-stable. The coredumps
are due to the downgrade and being linked against newer libs from 5.3.


*** Kernel configuration:

diablo:/usr/src/sys/i386/conf> cat DIABLO
#
# GENERIC -- Generic kernel configuration file for FreeBSD/i386
#
# For more information on this file, please read the handbook section on
# Kernel Configuration Files:
#
#    http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig-config.html
#
# The handbook is also available locally in /usr/share/doc/handbook
# if you've installed the doc distribution, otherwise always see the
# FreeBSD World Wide Web server (http://www.FreeBSD.org/) for the
# latest information.
#
# An exhaustive list of options and more detailed explanations of the
# device lines is also present in the ../../conf/NOTES and NOTES files.
# If you are in doubt as to the purpose or necessity of a line, check first
# in NOTES.
#
# $FreeBSD: src/sys/i386/conf/GENERIC,v 1.413.2.8 2004/10/24 17:42:08 scottl Exp $

machine         i386
#cpu            I486_CPU
cpu             I586_CPU
cpu             I686_CPU
ident           DIABLO

# To statically compile in device wiring instead of /boot/device.hints
#hints          "GENERIC.hints"         # Default places to look for devices.

options         SCHED_4BSD              # 4BSD scheduler
options         INET                    # InterNETworking
#options        INET6                   # IPv6 communications protocols
options         FFS                     # Berkeley Fast Filesystem
options         SOFTUPDATES             # Enable FFS soft updates support
options         UFS_ACL                 # Support for access control lists
options         UFS_DIRHASH             # Improve performance on big directories
#options        MD_ROOT                 # MD is a potential root device
options         NFSCLIENT               # Network Filesystem Client
options         NFSSERVER               # Network Filesystem Server
#options        NFS_ROOT                # NFS usable as /, requires NFSCLIENT
options         MSDOSFS                 # MSDOS Filesystem
options         CD9660                  # ISO 9660 Filesystem
options         PROCFS                  # Process filesystem (requires PSEUDOFS)
options         PSEUDOFS                # Pseudo-filesystem framework
options         GEOM_GPT                # GUID Partition Tables.
options         COMPAT_43               # Compatible with BSD 4.3 [KEEP THIS!]
options         COMPAT_FREEBSD4         # Compatible with FreeBSD4
options         SCSI_DELAY=5000         # Delay (in ms) before probing SCSI
options         KTRACE                  # ktrace(1) support
options         SYSVSHM                 # SYSV-style shared memory
options         SYSVMSG                 # SYSV-style message queues
options         SYSVSEM                 # SYSV-style semaphores
options         _KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions
options         KBD_INSTALL_CDEV        # install a CDEV entry in /dev
options         AHC_REG_PRETTY_PRINT    # Print register bitfields in debug
                                        # output.  Adds ~128k to driver.
options         AHD_REG_PRETTY_PRINT    # Print register bitfields in debug
                                        # output.  Adds ~215k to driver.
#options        ADAPTIVE_GIANT          # Giant mutex is adaptive.


# Firewall
options         IPFIREWALL              # Firewall (ipfw)
options         IPFIREWALL_VERBOSE      # Verbose errors
#options        IPFIREWALL_FORWARD      # Transparent forwarding
options         IPDIVERT                # For NATD
#options        DUMMYNET                # Traffic Shaping!

# IPsec
#options        IPSEC
#options        IPSEC_ESP

# To make an SMP kernel, the next two are needed
options         SMP             # Symmetric MultiProcessor Kernel
device          apic            # I/O APIC

# Bus support.  Do not remove isa, even if you have no isa slots
device          isa
device          eisa
device          pci

# Floppy drives
device          fdc

# ATA and ATAPI devices
device          ata
device          atadisk         # ATA disk drives
#device         ataraid         # ATA RAID drives
device          atapicd         # ATAPI CDROM drives
#device         atapifd         # ATAPI floppy drives
#device         atapist         # ATAPI tape drives
options         ATA_STATIC_ID   # Static device numbering

# SCSI Controllers
#device         ahb             # EISA AHA1742 family
#device         ahc             # AHA2940 and onboard AIC7xxx devices
#device         ahd             # AHA39320/29320 and onboard AIC79xx devices
#device         amd             # AMD 53C974 (Tekram DC-390(T))
#device         isp             # Qlogic family
#device         mpt             # LSI-Logic MPT-Fusion
#device         ncr             # NCR/Symbios Logic
device          sym             # NCR/Symbios Logic (newer chipsets + those of `ncr')
device          trm             # Tekram DC395U/UW/F DC315U adapters

#device         adv             # Advansys SCSI adapters
#device         adw             # Advansys wide SCSI adapters
#device         aha             # Adaptec 154x SCSI adapters
#device         aic             # Adaptec 15[012]x SCSI adapters, AIC-6[23]60.
#device         bt              # Buslogic/Mylex MultiMaster SCSI adapters

#device         ncv             # NCR 53C500
#device         nsp             # Workbit Ninja SCSI-3
#device         stg             # TMC 18C30/18C50

# SCSI peripherals
device          scbus           # SCSI bus (required for SCSI)
#device         ch              # SCSI media changers
device          da              # Direct Access (disks)
#device         sa              # Sequential Access (tape etc)
#device         cd              # CD
#device         pass            # Passthrough device (direct SCSI access)
#device         ses             # SCSI Environmental Services (and SAF-TE)

# RAID controllers interfaced to the SCSI subsystem
#device         amr             # AMI MegaRAID
#device         asr             # DPT SmartRAID V, VI and Adaptec SCSI RAID
#device         ciss            # Compaq Smart RAID 5*
#device         dpt             # DPT Smartcache III, IV - See NOTES for options
#device         hptmv           # Highpoint RocketRAID 182x
#device         iir             # Intel Integrated RAID
#device         ips             # IBM (Adaptec) ServeRAID
#device         mly             # Mylex AcceleRAID/eXtremeRAID
#device         twa             # 3ware 9000 series PATA/SATA RAID

# RAID controllers
#device         aac             # Adaptec FSA RAID
#device         aacp            # SCSI passthrough for aac (requires CAM)
#device         ida             # Compaq Smart RAID
#device         mlx             # Mylex DAC960 family
#device         pst             # Promise Supertrak SX6000
#device         twe             # 3ware ATA RAID

# atkbdc0 controls both the keyboard and the PS/2 mouse
device          atkbdc          # AT keyboard controller
device          atkbd           # AT keyboard
device          psm             # PS/2 mouse

device          vga             # VGA video card driver

device          splash          # Splash screen and screen saver support

# syscons is the default console driver, resembling an SCO console
device          sc

# Enable this for the pcvt (VT220 compatible) console driver
#device         vt
#options        XSERVER         # support for X server on a vt console
#options        FAT_CURSOR      # start with block cursor

device          agp             # support several AGP chipsets

# Floating point support - do not disable.
device          npx

# Power management support (see NOTES for more options)
#device         apm
# Add suspend/resume support for the i8254.
device          pmtimer

# PCCARD (PCMCIA) support
# PCMCIA and cardbus bridge support
#device         cbb             # cardbus (yenta) bridge
#device         pccard          # PC Card (16-bit) bus
#device         cardbus         # CardBus (32-bit) bus

# Serial (COM) ports
device          sio             # 8250, 16[45]50 based serial ports

# Parallel port
#device         ppc
#device         ppbus           # Parallel port bus (required)
#device         lpt             # Printer
#device         plip            # TCP/IP over parallel
#device         ppi             # Parallel port interface device
#device         vpo             # Requires scbus and da

# If you've got a "dumb" serial or parallel PCI card that is
# supported by the puc(4) glue driver, uncomment the following
# line to enable it (connects to the sio and/or ppc drivers):
#device         puc

# PCI Ethernet NICs.
#device         de              # DEC/Intel DC21x4x (``Tulip'')
#device         em              # Intel PRO/1000 adapter Gigabit Ethernet Card
#device         ixgb            # Intel PRO/10GbE Ethernet Card
#device         txp             # 3Com 3cR990 (``Typhoon'')
#device         vx              # 3Com 3c590, 3c595 (``Vortex'')

# PCI Ethernet NICs that use the common MII bus controller code.
# NOTE: Be sure to keep the 'device miibus' line in order to use these NICs!
device          miibus          # MII bus support
#device         bfe             # Broadcom BCM440x 10/100 Ethernet
#device         bge             # Broadcom BCM570xx Gigabit Ethernet
#device         dc              # DEC/Intel 21143 and various workalikes
#device         fxp             # Intel EtherExpress PRO/100B (82557, 82558)
#device         lge             # Level 1 LXT1001 gigabit ethernet
#device         nge             # NatSemi DP83820 gigabit ethernet
#device         pcn             # AMD Am79C97x PCI 10/100 (precedence over 'lnc')
#device         re              # RealTek 8139C+/8169/8169S/8110S
device          rl              # RealTek 8129/8139
#device         sf              # Adaptec AIC-6915 (``Starfire'')
#device         sis             # Silicon Integrated Systems SiS 900/SiS 7016
#device         sk              # SysKonnect SK-984x & SK-982x gigabit Ethernet
#device         ste             # Sundance ST201 (D-Link DFE-550TX)
#device         ti              # Alteon Networks Tigon I/II gigabit Ethernet
#device         tl              # Texas Instruments ThunderLAN
#device         tx              # SMC EtherPower II (83c170 ``EPIC'')
#device         vge             # VIA VT612x gigabit ethernet
#device         vr              # VIA Rhine, Rhine II
#device         wb              # Winbond W89C840F
#device         xl              # 3Com 3c90x (``Boomerang'', ``Cyclone'')

# ISA Ethernet NICs.  pccard NICs included.
#device         cs              # Crystal Semiconductor CS89x0 NIC
# 'device ed' requires 'device miibus'
#device         ed              # NE[12]000, SMC Ultra, 3c503, DS8390 cards
#device         ex              # Intel EtherExpress Pro/10 and Pro/10+
#device         ep              # Etherlink III based cards
#device         fe              # Fujitsu MB8696x based cards
#device         ie              # EtherExpress 8/16, 3C507, StarLAN 10 etc.
#device         lnc             # NE2100, NE32-VL Lance Ethernet cards
#device         sn              # SMC's 9000 series of Ethernet chips
#device         xe              # Xircom pccard Ethernet

# ISA devices that use the old ISA shims
#device         le

# Wireless NIC cards
#device         wlan            # 802.11 support
#device         an              # Aironet 4500/4800 802.11 wireless NICs.
#device         awi             # BayStack 660 and others
#device         wi              # WaveLAN/Intersil/Symbol 802.11 wireless NICs.
#device         wl              # Older non 802.11 Wavelan wireless NIC.

# Pseudo devices.
device          loop            # Network loopback
#device         mem             # Memory and kernel memory devices
#device         io              # I/O device
device          random          # Entropy device
device          ether           # Ethernet support
#device         sl              # Kernel SLIP
#device         ppp             # Kernel PPP
device          tun             # Packet tunnel.
device          pty             # Pseudo-ttys (telnet etc)
device          md              # Memory "disks"
device          gif             # IPv6 and IPv4 tunneling
#device         faith           # IPv6-to-IPv4 relaying (translation)

# The `bpf' device enables the Berkeley Packet Filter.
# Be aware of the administrative consequences of enabling this!
device          bpf             # Berkeley packet filter

# USB support
device          uhci            # UHCI PCI->USB interface
device          ohci            # OHCI PCI->USB interface
device          usb             # USB Bus (required)
#device         udbp            # USB Double Bulk Pipe devices
device          ugen            # Generic
device          uhid            # "Human Interface Devices"
device          ukbd            # Keyboard
device          ulpt            # Printer
device          umass           # Disks/Mass storage - Requires scbus and da
device          ums             # Mouse
#device         urio            # Diamond Rio 500 MP3 player
#device         uscanner        # Scanners
# USB Ethernet, requires mii
#device         aue             # ADMtek USB Ethernet
#device         axe             # ASIX Electronics USB Ethernet
#device         cue             # CATC USB Ethernet
#device         kue             # Kawasaki LSI USB Ethernet
#device         rue             # RealTek RTL8150 USB Ethernet

# FireWire support
#device         firewire        # FireWire bus code
#device         sbp             # SCSI over FireWire (Requires scbus and da)
#device         fwe             # Ethernet over FireWire (non-standard!)
diablo:/usr/src/sys/i386/conf>


I simply commented out the lines that failed in 5.2 since they were for 5.3
(ie, device io, device mem, and options ADAPTIVE_GIANT)


*** Interfaces:

rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=8<VLAN_MTU>
        inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
        ether 00:00:21:f2:a5:47
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
rl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=8<VLAN_MTU>
        inet 144.136.223.204 netmask 0xfffffc00 broadcast 255.255.255.255
        ether 00:40:f4:90:1c:4b
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000


*** Firewall:

diablo:/home/diskiller# more /etc/firewall.diablo
########################################################################
### FIREWALL ###########################################################
########################################################################

# external if = rl1
# internal if = rl0
# internal net = 10.0.0.0/24

# EVIL SHIT
add deny log tcp from any to any 137,138,139 via rl1
add deny log udp from any to any 137,138,139 via rl1

# Allow your loop back to work
add allow all from any to any via lo0

# DHCP
add allow udp from any to any 67,68

# Prevent spoofing of your loopback
add deny log all from any to 127.0.0.0/8
add deny log all from 127.0.0.0/8 to any

# Stop spoofing of your internal network range
add deny log ip from 10.0.0.0/24 to any in via rl1

# Stop spoofing from inside your private ip range
add deny log ip from not 10.0.0.0/24 to any in via rl0

# Something from the bigpond network, and NEEDS to be here before below
# rules block it. Its a heartbeat, among other things? *confusing*
add allow ip from 10.64.28.1 to any in via rl1

# Stop private networks (RFC1918) from entering the outside interface.
add deny log ip from 192.168.0.0/16 to any in via rl1
add deny log ip from 172.16.0.0/12 to any in via rl1
add deny log ip from 10.0.0.0/8 to any in via rl1
add deny log ip from any to 192.168.0.0/16 in via rl1
add deny log ip from any to 172.16.0.0/12 in via rl1
add deny log ip from any to 10.0.0.0/8 in via rl1

# NATD
add divert natd all from any to any via rl1

# UDP
add allow udp from any to any

# Allow IPsec connections flow freely
#add allow esp from any to any

# Allow VPN data to flow free via rl2 (where my VPN to matt is over wireless)
#add allow ipencap from any to any via rl2

# Allow existing tcp connections open from inside my lan to keep working
add allow tcp from any to any established

# Allow internal lan machines to open connections to the gw/Internet
add allow tcp from 10.0.0.0/24 to any setup # my lan
#add allow tcp from 10.0.2.0/24 to any setup # wireless lan (+ homer)
#add allow tcp from 10.0.4.0/24 to any setup # matt's lan

# Allow gw to open connections to the Internet (tcp/udp/etc)
add allow ip from 144.136.0.0/16 to any setup out via rl1

# Allow some ICMP's
add allow icmp from any to any icmptypes 3,4,11,12,8,0

# Diablo services - Incoming connections allowed
add allow tcp from any to any 21 in via rl1 setup
add allow tcp from any to any 22 in via rl1 setup
add allow tcp from any to any 25 in via rl1 setup
add allow tcp from any to any 53 in via rl1 setup
add allow tcp from any to any 80 in via rl1 setup
#add allow tcp from any to any 110 in via rl1 setup
#add allow tcp from any to any 143 in via rl1 setup
add allow tcp from any to any 993 in via rl1 setup
add allow tcp from any to any 995 in via rl1 setup
#add allow tcp from any to any 3389 in via rl1 setup # RD
#add allow tcp from any to any 6667 in via rl1 setup # IRC server
#add allow tcp from 144.136.0.0/16 to any 5901 in via rl1 setup # VNC on diablo
#add allow tcp from 203.194.94.0/24 to any 5901 in via rl1 setup # VNC on diablo
#add allow tcp from any to any 6881 # Bit Torrent
#add allow tcp from any to any 6882 # Bit Torrent
#add allow tcp from any to any 6883 # Bit Torrent
#add allow tcp from any to any 6884 # Bit Torrent
#add allow tcp from any to any 6112 # SC/BW

# UT2003/UT2004
add allow tcp from any to any 7777 in via rl1 setup
add allow tcp from any to any 7778 in via rl1 setup
add allow tcp from any to any 7787 in via rl1 setup
add allow tcp from any to any 7788 in via rl1 setup

# Politely and quickly rejects AUTH requests (IRC!! #*()@$@#$)
add reset tcp from any to any 113 in via rl1

# Make the default 'deny' rule log too.
add 65500 deny log ip from any to any
diablo:/home/diskiller#



I really hope someone can figure this one out...

Thanks,
Martin.

--
diskiller@diskiller.net | www.diskiller.net | irc.diskiller.net
(No trees were destroyed in the sending of this message. However, a
large number of electrons were significantly inconvenienced.)



------ End of Forwarded Message
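The question at the top of the thread (is rl1 alone on irq 11?) can be answered mechanically from dmesg. The script below is an added example, not part of the original mail: it groups devices by IRQ from the 5.2.1 dmesg lines posted above, and credits a PCI device whose attach line carries no `irq` field (uhci0 here) with the IRQ printed on the `pci_cfgintr` line immediately following it. The regular expressions encode this script's own assumptions about the 5.x dmesg format.

```python
import re
from collections import defaultdict

# Constructed excerpt of the 5.2.1 dmesg posted in the thread (original lines, original order).
DMESG = """\
pci_cfgintr: 0:10 INTA BIOS irq 10
pci_cfgintr: 0:12 INTA BIOS irq 11
atapci0: <Intel PIIX4 UDMA33 controller> port 0xf000-0xf00f at device 7.1 on pci0
ata0: at 0x1f0 irq 14 on atapci0
ata1: at 0x170 irq 15 on atapci0
uhci0: <Intel 82371AB/EB (PIIX4) USB controller> port 0xe000-0xe01f at device 7.2 on pci0
pci_cfgintr: 0:7 INTD routed to irq 11
rl0: <RealTek 8139 10/100BaseTX> port 0xe400-0xe4ff mem 0xd7000000-0xd70000ff irq 10 at device 10.0 on pci0
rl1: <RealTek 8139 10/100BaseTX> port 0xe800-0xe8ff mem 0xd7001000-0xd70010ff irq 11 at device 12.0 on pci0
atkbd0: <AT Keyboard> irq 1 on atkbdc0
sio0 at port 0x3f8-0x3ff irq 4 flags 0x10 on isa0
"""

# "pci_cfgintr: <bus>:<slot> INTx (BIOS|routed to) irq <n>"
CFG_RE = re.compile(r"^pci_cfgintr: (\d+):(\d+) INT[A-D] (?:BIOS|routed to) irq (\d+)")
# Attach line that states its IRQ directly, e.g. "rl1: <...> irq 11 at device 12.0 on pci0"
IRQ_RE = re.compile(r"^(\w+)[: ].*\birq (\d+)\b")
# PCI attach line without an IRQ; the interrupt shows up on the pci_cfgintr line that follows
DEV_RE = re.compile(r"^(\w+): .* at device (\d+)\.\d+ on pci(\d+)")


def irq_map(dmesg):
    """Group device names by IRQ. A PCI device whose attach line lacks 'irq N' gets
    the IRQ from an immediately following pci_cfgintr line for the same bus:slot,
    which is when the driver allocated its interrupt (assumption about 5.x output)."""
    by_irq = defaultdict(list)
    pending = None                      # (name, bus, slot) from the previous line only
    for line in dmesg.splitlines():
        cfg = CFG_RE.match(line)
        if cfg:
            bus, slot, irq = map(int, cfg.groups())
            if pending and pending[1:] == (bus, slot):
                by_irq[irq].append(pending[0])
            pending = None
            continue
        pending = None
        direct = IRQ_RE.match(line)
        if direct:
            by_irq[int(direct.group(2))].append(direct.group(1))
            continue
        dev = DEV_RE.match(line)
        if dev:
            pending = (dev.group(1), int(dev.group(3)), int(dev.group(2)))
    return {irq: sorted(names) for irq, names in sorted(by_irq.items())}


def shared_irqs(dmesg):
    """Only the IRQs that more than one device is attached to."""
    return {irq: names for irq, names in irq_map(dmesg).items() if len(names) > 1}


if __name__ == "__main__":
    for irq, names in irq_map(DMESG).items():
        flag = "  <-- shared" if len(names) > 1 else ""
        print(f"irq {irq:2}: {', '.join(names)}{flag}")
```

On a running FreeBSD host, `vmstat -i` is the live counterpart: it lists interrupt counts per IRQ line, so a second device actually firing on the NIC's IRQ shows up in the counts.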


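Because ipfw applies the first matching rule, what the ruleset above lets through depends entirely on order: `add allow udp from any to any` precedes the per-service rules and so admits inbound UDP on rl1 to any port, while the `10.64.28.1` allow deliberately sits ahead of the `10.0.0.0/8` deny, as its comment says. The evaluator below is an added example (not the author's file or FreeBSD's ipfw code) that replays a constructed excerpt of the ruleset against sample packets; it supports only the syntax used in that excerpt, ignores source ports and the `not` prefix, and treats `divert natd` as non-terminal.

```python
import ipaddress

# Constructed excerpt of /etc/firewall.diablo from the thread, kept in the original order.
RULESET = """\
add deny log udp from any to any 137,138,139 via rl1
add deny log ip from 10.0.0.0/24 to any in via rl1
add allow ip from 10.64.28.1 to any in via rl1
add deny log ip from 10.0.0.0/8 to any in via rl1
add divert natd all from any to any via rl1
add allow udp from any to any
add allow tcp from any to any established
add allow tcp from 10.0.0.0/24 to any setup
add allow tcp from any to any 22 in via rl1 setup
add reset tcp from any to any 113 in via rl1
add 65500 deny log ip from any to any
"""
OPTIONS = {"in", "out", "via", "setup", "established"}

def parse_addr(tokens):
    """'any' or a host/CIDR (the 'not' prefix is not supported in this subset)."""
    addr = tokens.pop(0)
    return None if addr == "any" else ipaddress.ip_network(addr, strict=False)

def parse_rule(line):
    """Parse one 'add ...' line; only the syntax used in RULESET is supported."""
    t = line.split()
    t.pop(0)                                       # 'add'
    rule = {"num": int(t.pop(0)) if t[0].isdigit() else None}
    rule["action"] = t.pop(0)
    if rule["action"] == "divert":
        rule["socket"] = t.pop(0)                  # divert port name, e.g. natd
    if t[0] == "log":
        t.pop(0)
    rule["proto"] = t.pop(0)
    t.pop(0)                                       # 'from'
    rule["src"] = parse_addr(t)
    t.pop(0)                                       # 'to' (no source ports in this excerpt)
    rule["dst"] = parse_addr(t)
    rule["dports"] = {int(p) for p in t.pop(0).split(",")} if t and t[0] not in OPTIONS else None
    rule["opts"] = {}
    while t:                                       # in / out / via IF / setup / established
        opt = t.pop(0)
        rule["opts"][opt] = t.pop(0) if opt == "via" else True
    return rule

def matches(rule, pkt):
    """Match predicate. 'setup' = SYN without ACK; 'established' approximated as ACK set."""
    if rule["proto"] not in ("ip", "all", pkt["proto"]):
        return False
    for key in ("src", "dst"):
        net = rule[key]
        if net is not None and ipaddress.ip_address(pkt[key]) not in net:
            return False
    if rule["dports"] and pkt["dport"] not in rule["dports"]:
        return False
    o = rule["opts"]
    if ("in" in o and pkt["dir"] != "in") or ("out" in o and pkt["dir"] != "out"):
        return False
    if "via" in o and pkt["ifc"] != o["via"]:
        return False
    if "setup" in o and not (pkt["syn"] and not pkt["ack"]):
        return False
    return not ("established" in o and not pkt["ack"])

def evaluate(pkt):
    """First match wins. 'divert natd' is non-terminal: natd re-injects the packet at the
    next rule, so the walk continues (address rewriting itself is not simulated here)."""
    for text, rule in RULES:
        if matches(rule, pkt) and rule["action"] != "divert":
            return rule["action"], text
    return "deny", "<kernel default: deny>"

def packet(proto, src, dst, dport, ifc, direction="in", syn=False, ack=False):
    """Describe one packet; the source port is fixed at an ephemeral value."""
    return dict(proto=proto, src=src, dst=dst, sport=40000, dport=dport, ifc=ifc, dir=direction, syn=syn, ack=ack)

RULES = [(line, parse_rule(line)) for line in RULESET.splitlines()]
```

Replaying an inbound UDP datagram to an arbitrary port on rl1 ends at `add allow udp from any to any`, while an inbound TCP SYN to a port without a service rule falls through to the logged rule 65500 deny.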

