5.3-Stable network issue

Dean Hamstead dean at bong.com.au
Thu Feb 10 20:25:15 PST 2005


I can't offer a proper patch, but I can suggest dropping in a
different network card - as in, other than Realtek -

which may solve your immediate problem. I certainly would
*never* use a Realtek card wherever humanly possible.

Intel and 3Com are usually the goers. The 3c905b is possibly
one of the most renowned as a workhorse. I have one in my
home fileserver and the performance difference versus its
onboard Realtek is quite astounding. (1-2000k/s to 5-6000k/s)

I've also had great success with D-Link and Netgear cards:
the D-Link DFE-530TX (rev A), which is VIA Rhine based,
and the Netgear FA310TX, which uses the tulip driver.


Dean

Martin Minkus wrote:
> I seem to have been having a rather strange networking issue in FreeBSD
> 5.3-Stable (it started happening immediately after 5.2.1 and has persisted
> since.. I keep "hoping" that next time I cvsup it will be fixed, but no).
> 
> I downgraded back to 5.2.1-p13 and it is perfectly fine once again.
> 
> 
> *** Some background information:
> 
> My FreeBSD box is my home NAT router, server, firewall, etc. It does DHCP,
> MX for some of my domains, secondary DNS (I got primary elsewhere), apache
> for some webhosting, blah blah blah. Nothing really special. It is a Dual
> PIII-500, 512mb ram, and a couple ATA hdd's. Had 3 realtek network
> interfaces, but down to 2 now.
> 
> *** The problem:
> 
> Networking simply "stops" or "locks up". Why, I don't know. I believe
> initially it happened for all 3 network cards... I thought tcp/ip processing
> or something in the kernel got locked. It happens every 30 minutes to an
> hour, and lasts about 60 seconds to 120 seconds. Unfortunately, 60 seconds
> to 120 seconds is long enough to kill messenger (my gf does not like),
> online gaming, etc etc.
> 
> Lately, I had taken one of the realtek cards out (it was for a several km
> long wireless link) and moved the server to my gf's place (where I am now
> 100% of the time). So now that I have the server locally and rely on it for
> my internet connection, this has become a real PAIN.
> 
> I've noticed that I can remain ssh'd into diablo, do whatever I want while
> this "lock" issue occurs. So the lan interface rl0 is fine. The internet
> interface, rl1 (which goes to the cable modem) locks up. (btw, its not the
> cable modem as I am using my gf's now, and it did this at my place on my
> cable modem too, which is a different brand. Nortel at my place, motorola at
> my gfs).
> 
> *** Attempts:
> 
> I've attempted switching out network cards, and placed 3 other realtek cards
> in. Different brands, all with different revisions (D instead of B, etc,
> etc).
> 
> No matter what I try, nothing fixes it. The machine seems perfectly
> responsive, and I am still ssh'd in and can do whatever I want on it... But
> the network card going to the cable modem has stopped responding?!
> 
> This never happened during 5.0-Current all throughout 5.2.1-STABLE, but
> anywhere beyond 5.2.1 it craps itself.
> 
> 
> *** Dmesg output:
> 
> Copyright (c) 1992-2004 The FreeBSD Project.
> Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
>         The Regents of the University of California. All rights reserved.
> FreeBSD 5.2.1-RELEASE-p13 #2: Thu Feb 10 18:39:33 CST 2005
>     diskiller at diablo.diskiller.net:/junk/obj/junk/src/sys/DIABLO
> Preloaded elf kernel "/boot/kernel/kernel" at 0xc076c000.
> MPTable: <OEM00000 PROD00000000>
> Timecounter "i8254" frequency 1193182 Hz quality 0
> CPU: Pentium III/Pentium III Xeon/Celeron (504.72-MHz 686-class CPU)
>   Origin = "GenuineIntel"  Id = 0x673  Stepping = 3
>   Features=0x387fbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,PN,MMX,FXSR,SSE>
> real memory  = 536870912 (512 MB)
> avail memory = 516034560 (492 MB)
> FreeBSD/SMP: Multiprocessor System Detected: 2 CPUs
>  cpu0 (BSP): APIC ID:  0
>  cpu1 (AP): APIC ID:  1
> ioapic0: Assuming intbase of 0
> ioapic0 <Version 1.1> irqs 0-23 on motherboard
> Pentium Pro MTRR support enabled
> npx0: [FAST]
> npx0: <math processor> on motherboard
> npx0: INT 16 interface
> pcibios: BIOS version 2.10
> Using $PIR table, 7 entries at 0xc00fdcf0
> pcib0: <Intel 82443BX (440 BX) host to PCI bridge> at pcibus 0 on motherboard
> pci0: <PCI bus> on pcib0
> pci_cfgintr: 0:10 INTA BIOS irq 10
> pci_cfgintr: 0:12 INTA BIOS irq 11
> agp0: <Intel 82443BX (440 BX) host to PCI bridge> mem 0xd0000000-0xd3ffffff at device 0.0 on pci0
> pcib1: <PCI-PCI bridge> at device 1.0 on pci0
> pci1: <PCI bus> on pcib1
> isab0: <PCI-ISA bridge> at device 7.0 on pci0
> isa0: <ISA bus> on isab0
> atapci0: <Intel PIIX4 UDMA33 controller> port 0xf000-0xf00f at device 7.1 on pci0
> ata0: at 0x1f0 irq 14 on atapci0
> ata0: [MPSAFE]
> ata1: at 0x170 irq 15 on atapci0
> ata1: [MPSAFE]
> uhci0: <Intel 82371AB/EB (PIIX4) USB controller> port 0xe000-0xe01f at device 7.2 on pci0
> pci_cfgintr: 0:7 INTD routed to irq 11
> usb0: <Intel 82371AB/EB (PIIX4) USB controller> on uhci0
> usb0: USB revision 1.0
> uhub0: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
> uhub0: 2 ports with 2 removable, self powered
> piix0: <PIIX Timecounter> port 0x5000-0x500f at device 7.3 on pci0
> Timecounter "PIIX" frequency 3579545 Hz quality 0
> pci0: <display, VGA> at device 8.0 (no driver attached)
> rl0: <RealTek 8139 10/100BaseTX> port 0xe400-0xe4ff mem 0xd7000000-0xd70000ff irq 10 at device 10.0 on pci0
> rl0: Ethernet address: 00:00:21:f2:a5:47
> miibus0: <MII bus> on rl0
> rlphy0: <RealTek internal media interface> on miibus0
> rlphy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
> rl1: <RealTek 8139 10/100BaseTX> port 0xe800-0xe8ff mem 0xd7001000-0xd70010ff irq 11 at device 12.0 on pci0
> rl1: Ethernet address: 00:40:f4:90:1c:4b
> miibus1: <MII bus> on rl1
> rlphy1: <RealTek internal media interface> on miibus1
> rlphy1:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
> orm0: <Option ROMs> at iomem 0xc8000-0xcbfff,0xc0000-0xc7fff on isa0
> pmtimer0 on isa0
> atkbdc0: <Keyboard controller (i8042)> at port 0x64,0x60 on isa0
> atkbd0: <AT Keyboard> irq 1 on atkbdc0
> kbd0 at atkbd0
> fdc0: ready for input in output
> fdc0: cmd 3 failed at out byte 1 of 3
> sc0: <System console> at flags 0x100 on isa0
> sc0: VGA <16 virtual consoles, flags=0x300>
> sio0: configured irq 4 not in bitmap of probed irqs 0
> sio0: port may not be enabled
> sio0 at port 0x3f8-0x3ff irq 4 flags 0x10 on isa0
> sio0: type 8250 or not responding
> sio1: configured irq 3 not in bitmap of probed irqs 0
> sio1: port may not be enabled
> vga0: <Generic ISA VGA> at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0
> unknown: <PNP0303> can't assign resources (port)
> unknown: <PNP0c02> can't assign resources (memory)
> unknown: <PNP0a03> can't assign resources (port)
> Timecounters tick every 10.000 msec
> ipfw2 initialized, divert enabled, rule-based forwarding enabled, default to deny, logging unlimited
> GEOM: create disk ad0 dp=0xc4445260
> ad0: 19569MB <WDC WD205AA-00BAA0> [39761/16/63] at ata0-master UDMA33
> GEOM: create disk ad2 dp=0xc4445c60
> ad2: 76319MB <ST380021A> [155061/16/63] at ata1-master UDMA33
> acd0: CDRW <SONY CD-RW CRX140E> at ata1-slave PIO4
> SMP: AP CPU #1 Launched!
> Mounting root from ufs:/dev/ad0s1a
> pid 524 (my_print_defaults), uid 88: exited on signal 11
> pid 529 (my_print_defaults), uid 88: exited on signal 11
> pid 544 (mysqld), uid 88: exited on signal 11
> pid 700 (my_print_defaults), uid 1000: exited on signal 11 (core dumped)
> diablo:~> 
> 
> Dmesg output didn't look particularly different in 5.3-stable. The coredumps
> are due to the downgrade and being linked against newer libs from 5.3.
> 
> 
> *** Kernel configuration:
> 
> diablo:/usr/src/sys/i386/conf> cat DIABLO
> #
> # GENERIC -- Generic kernel configuration file for FreeBSD/i386
> #
> # For more information on this file, please read the handbook section on
> # Kernel Configuration Files:
> #
> #    http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig-config.html
> #
> # The handbook is also available locally in /usr/share/doc/handbook
> # if you've installed the doc distribution, otherwise always see the
> # FreeBSD World Wide Web server (http://www.FreeBSD.org/) for the
> # latest information.
> #
> # An exhaustive list of options and more detailed explanations of the
> # device lines is also present in the ../../conf/NOTES and NOTES files.
> # If you are in doubt as to the purpose or necessity of a line, check first
> # in NOTES.
> #
> # $FreeBSD: src/sys/i386/conf/GENERIC,v 1.413.2.8 2004/10/24 17:42:08 scottl Exp $
> 
> machine         i386
> #cpu            I486_CPU
> cpu             I586_CPU
> cpu             I686_CPU
> ident           DIABLO
> 
> # To statically compile in device wiring instead of /boot/device.hints
> #hints          "GENERIC.hints"         # Default places to look for devices.
> 
> options         SCHED_4BSD              # 4BSD scheduler
> options         INET                    # InterNETworking
> #options        INET6                   # IPv6 communications protocols
> options         FFS                     # Berkeley Fast Filesystem
> options         SOFTUPDATES             # Enable FFS soft updates support
> options         UFS_ACL                 # Support for access control lists
> options         UFS_DIRHASH             # Improve performance on big directories
> #options        MD_ROOT                 # MD is a potential root device
> options         NFSCLIENT               # Network Filesystem Client
> options         NFSSERVER               # Network Filesystem Server
> #options        NFS_ROOT                # NFS usable as /, requires NFSCLIENT
> options         MSDOSFS                 # MSDOS Filesystem
> options         CD9660                  # ISO 9660 Filesystem
> options         PROCFS                  # Process filesystem (requires PSEUDOFS)
> options         PSEUDOFS                # Pseudo-filesystem framework
> options         GEOM_GPT                # GUID Partition Tables.
> options         COMPAT_43               # Compatible with BSD 4.3 [KEEP THIS!]
> options         COMPAT_FREEBSD4         # Compatible with FreeBSD4
> options         SCSI_DELAY=5000         # Delay (in ms) before probing SCSI
> options         KTRACE                  # ktrace(1) support
> options         SYSVSHM                 # SYSV-style shared memory
> options         SYSVMSG                 # SYSV-style message queues
> options         SYSVSEM                 # SYSV-style semaphores
> options         _KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions
> options         KBD_INSTALL_CDEV        # install a CDEV entry in /dev
> options         AHC_REG_PRETTY_PRINT    # Print register bitfields in debug
>                                         # output.  Adds ~128k to driver.
> options         AHD_REG_PRETTY_PRINT    # Print register bitfields in debug
>                                         # output.  Adds ~215k to driver.
> #options        ADAPTIVE_GIANT          # Giant mutex is adaptive.
> 
> 
> # Firewall
> options         IPFIREWALL              # Firewall (ipfw)
> options         IPFIREWALL_VERBOSE      # Verbose errors
> #options        IPFIREWALL_FORWARD      # Transparent forwarding
> options         IPDIVERT                # For NATD
> #options        DUMMYNET                # Traffic Shaping!
> 
> # IPsec
> #options        IPSEC
> #options        IPSEC_ESP
> 
> # To make an SMP kernel, the next two are needed
> options         SMP             # Symmetric MultiProcessor Kernel
> device          apic            # I/O APIC
> 
> # Bus support.  Do not remove isa, even if you have no isa slots
> device          isa
> device          eisa
> device          pci
> 
> # Floppy drives
> device          fdc
> 
> # ATA and ATAPI devices
> device          ata
> device          atadisk         # ATA disk drives
> #device         ataraid         # ATA RAID drives
> device          atapicd         # ATAPI CDROM drives
> #device         atapifd         # ATAPI floppy drives
> #device         atapist         # ATAPI tape drives
> options         ATA_STATIC_ID   # Static device numbering
> 
> # SCSI Controllers
> #device         ahb             # EISA AHA1742 family
> #device         ahc             # AHA2940 and onboard AIC7xxx devices
> #device         ahd             # AHA39320/29320 and onboard AIC79xx devices
> #device         amd             # AMD 53C974 (Tekram DC-390(T))
> #device         isp             # Qlogic family
> #device         mpt             # LSI-Logic MPT-Fusion
> #device         ncr             # NCR/Symbios Logic
> device          sym             # NCR/Symbios Logic (newer chipsets + those of `ncr')
> device          trm             # Tekram DC395U/UW/F DC315U adapters
> 
> #device         adv             # Advansys SCSI adapters
> #device         adw             # Advansys wide SCSI adapters
> #device         aha             # Adaptec 154x SCSI adapters
> #device         aic             # Adaptec 15[012]x SCSI adapters, AIC-6[23]60.
> #device         bt              # Buslogic/Mylex MultiMaster SCSI adapters
> 
> #device         ncv             # NCR 53C500
> #device         nsp             # Workbit Ninja SCSI-3
> #device         stg             # TMC 18C30/18C50
> 
> # SCSI peripherals
> device          scbus           # SCSI bus (required for SCSI)
> #device         ch              # SCSI media changers
> device          da              # Direct Access (disks)
> #device         sa              # Sequential Access (tape etc)
> #device         cd              # CD
> #device         pass            # Passthrough device (direct SCSI access)
> #device         ses             # SCSI Environmental Services (and SAF-TE)
> 
> # RAID controllers interfaced to the SCSI subsystem
> #device         amr             # AMI MegaRAID
> #device         asr             # DPT SmartRAID V, VI and Adaptec SCSI RAID
> #device         ciss            # Compaq Smart RAID 5*
> #device         dpt             # DPT Smartcache III, IV - See NOTES for options
> #device         hptmv           # Highpoint RocketRAID 182x
> #device         iir             # Intel Integrated RAID
> #device         ips             # IBM (Adaptec) ServeRAID
> #device         mly             # Mylex AcceleRAID/eXtremeRAID
> #device         twa             # 3ware 9000 series PATA/SATA RAID
> 
> # RAID controllers
> #device         aac             # Adaptec FSA RAID
> #device         aacp            # SCSI passthrough for aac (requires CAM)
> #device         ida             # Compaq Smart RAID
> #device         mlx             # Mylex DAC960 family
> #device         pst             # Promise Supertrak SX6000
> #device         twe             # 3ware ATA RAID
> 
> # atkbdc0 controls both the keyboard and the PS/2 mouse
> device          atkbdc          # AT keyboard controller
> device          atkbd           # AT keyboard
> device          psm             # PS/2 mouse
> 
> device          vga             # VGA video card driver
> 
> device          splash          # Splash screen and screen saver support
> 
> # syscons is the default console driver, resembling an SCO console
> device          sc
> 
> # Enable this for the pcvt (VT220 compatible) console driver
> #device         vt
> #options        XSERVER         # support for X server on a vt console
> #options        FAT_CURSOR      # start with block cursor
> 
> device          agp             # support several AGP chipsets
> 
> # Floating point support - do not disable.
> device          npx
> 
> # Power management support (see NOTES for more options)
> #device         apm
> # Add suspend/resume support for the i8254.
> device          pmtimer
> 
> # PCCARD (PCMCIA) support
> # PCMCIA and cardbus bridge support
> #device         cbb             # cardbus (yenta) bridge
> #device         pccard          # PC Card (16-bit) bus
> #device         cardbus         # CardBus (32-bit) bus
> 
> # Serial (COM) ports
> device          sio             # 8250, 16[45]50 based serial ports
> 
> # Parallel port
> #device         ppc
> #device         ppbus           # Parallel port bus (required)
> #device         lpt             # Printer
> #device         plip            # TCP/IP over parallel
> #device         ppi             # Parallel port interface device
> #device         vpo             # Requires scbus and da
> 
> # If you've got a "dumb" serial or parallel PCI card that is
> # supported by the puc(4) glue driver, uncomment the following
> # line to enable it (connects to the sio and/or ppc drivers):
> #device         puc
> 
> # PCI Ethernet NICs.
> #device         de              # DEC/Intel DC21x4x (``Tulip'')
> #device         em              # Intel PRO/1000 adapter Gigabit Ethernet Card
> #device         ixgb            # Intel PRO/10GbE Ethernet Card
> #device         txp             # 3Com 3cR990 (``Typhoon'')
> #device         vx              # 3Com 3c590, 3c595 (``Vortex'')
> 
> # PCI Ethernet NICs that use the common MII bus controller code.
> # NOTE: Be sure to keep the 'device miibus' line in order to use these NICs!
> device          miibus          # MII bus support
> #device         bfe             # Broadcom BCM440x 10/100 Ethernet
> #device         bge             # Broadcom BCM570xx Gigabit Ethernet
> #device         dc              # DEC/Intel 21143 and various workalikes
> #device         fxp             # Intel EtherExpress PRO/100B (82557, 82558)
> #device         lge             # Level 1 LXT1001 gigabit ethernet
> #device         nge             # NatSemi DP83820 gigabit ethernet
> #device         pcn             # AMD Am79C97x PCI 10/100 (precedence over 'lnc')
> #device         re              # RealTek 8139C+/8169/8169S/8110S
> device          rl              # RealTek 8129/8139
> #device         sf              # Adaptec AIC-6915 (``Starfire'')
> #device         sis             # Silicon Integrated Systems SiS 900/SiS 7016
> #device         sk              # SysKonnect SK-984x & SK-982x gigabit Ethernet
> #device         ste             # Sundance ST201 (D-Link DFE-550TX)
> #device         ti              # Alteon Networks Tigon I/II gigabit Ethernet
> #device         tl              # Texas Instruments ThunderLAN
> #device         tx              # SMC EtherPower II (83c170 ``EPIC'')
> #device         vge             # VIA VT612x gigabit ethernet
> #device         vr              # VIA Rhine, Rhine II
> #device         wb              # Winbond W89C840F
> #device         xl              # 3Com 3c90x (``Boomerang'', ``Cyclone'')
> 
> # ISA Ethernet NICs.  pccard NICs included.
> #device         cs              # Crystal Semiconductor CS89x0 NIC
> # 'device ed' requires 'device miibus'
> #device         ed              # NE[12]000, SMC Ultra, 3c503, DS8390 cards
> #device         ex              # Intel EtherExpress Pro/10 and Pro/10+
> #device         ep              # Etherlink III based cards
> #device         fe              # Fujitsu MB8696x based cards
> #device         ie              # EtherExpress 8/16, 3C507, StarLAN 10 etc.
> #device         lnc             # NE2100, NE32-VL Lance Ethernet cards
> #device         sn              # SMC's 9000 series of Ethernet chips
> #device         xe              # Xircom pccard Ethernet
> 
> # ISA devices that use the old ISA shims
> #device         le
> 
> # Wireless NIC cards
> #device         wlan            # 802.11 support
> #device         an              # Aironet 4500/4800 802.11 wireless NICs.
> #device         awi             # BayStack 660 and others
> #device         wi              # WaveLAN/Intersil/Symbol 802.11 wireless NICs.
> #device         wl              # Older non 802.11 Wavelan wireless NIC.
> 
> # Pseudo devices.
> device          loop            # Network loopback
> #device         mem             # Memory and kernel memory devices
> #device         io              # I/O device
> device          random          # Entropy device
> device          ether           # Ethernet support
> #device         sl              # Kernel SLIP
> #device         ppp             # Kernel PPP
> device          tun             # Packet tunnel.
> device          pty             # Pseudo-ttys (telnet etc)
> device          md              # Memory "disks"
> device          gif             # IPv6 and IPv4 tunneling
> #device         faith           # IPv6-to-IPv4 relaying (translation)
> 
> # The `bpf' device enables the Berkeley Packet Filter.
> # Be aware of the administrative consequences of enabling this!
> device          bpf             # Berkeley packet filter
> 
> # USB support
> device          uhci            # UHCI PCI->USB interface
> device          ohci            # OHCI PCI->USB interface
> device          usb             # USB Bus (required)
> #device         udbp            # USB Double Bulk Pipe devices
> device          ugen            # Generic
> device          uhid            # "Human Interface Devices"
> device          ukbd            # Keyboard
> device          ulpt            # Printer
> device          umass           # Disks/Mass storage - Requires scbus and da
> device          ums             # Mouse
> #device         urio            # Diamond Rio 500 MP3 player
> #device         uscanner        # Scanners
> # USB Ethernet, requires mii
> #device         aue             # ADMtek USB Ethernet
> #device         axe             # ASIX Electronics USB Ethernet
> #device         cue             # CATC USB Ethernet
> #device         kue             # Kawasaki LSI USB Ethernet
> #device         rue             # RealTek RTL8150 USB Ethernet
> 
> # FireWire support
> #device         firewire        # FireWire bus code
> #device         sbp             # SCSI over FireWire (Requires scbus and da)
> #device         fwe             # Ethernet over FireWire (non-standard!)
> diablo:/usr/src/sys/i386/conf>
> 
> 
> I simply commented out the lines that failed in 5.2 since they were for 5.3
> (i.e., device io, device mem, and options ADAPTIVE_GIANT).
> 
> 
> *** Interfaces:
> 
> rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         options=8<VLAN_MTU>
>         inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
>         ether 00:00:21:f2:a5:47
>         media: Ethernet autoselect (100baseTX <full-duplex>)
>         status: active
> rl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         options=8<VLAN_MTU>
>         inet 144.136.223.204 netmask 0xfffffc00 broadcast 255.255.255.255
>         ether 00:40:f4:90:1c:4b
>         media: Ethernet autoselect (100baseTX <full-duplex>)
>         status: active
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
>         inet 127.0.0.1 netmask 0xff000000
> 
> 
> *** Firewall:
> 
> diablo:/home/diskiller# more /etc/firewall.diablo
> ########################################################################
> ### FIREWALL ###########################################################
> ########################################################################
> 
> # external if = rl1
> # internal if = rl0
> # internal net = 10.0.0.0/24
> 
> # EVIL SHIT
> add deny log tcp from any to any 137,138,139 via rl1
> add deny log udp from any to any 137,138,139 via rl1
> 
> # Allow your loop back to work
> add allow all from any to any via lo0
> 
> # DHCP
> add allow udp from any to any 67,68
> 
> # Prevent spoofing of your loopback
> add deny log all from any to 127.0.0.0/8
> add deny log all from 127.0.0.0/8 to any
> 
> # Stop spoofing of your internal network range
> add deny log ip from 10.0.0.0/24 to any in via rl1
> 
> # Stop spoofing from inside your private ip range
> add deny log ip from not 10.0.0.0/24 to any in via rl0
> 
> # Something from the bigpond network, and NEEDS to be here before below
> # rules block it. Its a heartbeat, among other things? *confusing*
> add allow ip from 10.64.28.1 to any in via rl1
> 
> # Stop private networks (RFC1918) from entering the outside interface.
> add deny log ip from 192.168.0.0/16 to any in via rl1
> add deny log ip from 172.16.0.0/12 to any in via rl1
> add deny log ip from 10.0.0.0/8 to any in via rl1
> add deny log ip from any to 192.168.0.0/16 in via rl1
> add deny log ip from any to 172.16.0.0/12 in via rl1
> add deny log ip from any to 10.0.0.0/8 in via rl1
> 
> # NATD
> add divert natd all from any to any via rl1
> 
> # UDP
> add allow udp from any to any
> 
> # Allow IPsec connections flow freely
> #add allow esp from any to any
> 
> # Allow VPN data to flow free via rl2 (where my VPN to matt is over wireless)
> #add allow ipencap from any to any via rl2
> 
> # Allow existing tcp connections open from inside my lan to keep working
> add allow tcp from any to any established
> 
> # Allow internal lan machines to open connections to the gw/Internet
> add allow tcp from 10.0.0.0/24 to any setup # my lan
> #add allow tcp from 10.0.2.0/24 to any setup # wireless lan (+ homer)
> #add allow tcp from 10.0.4.0/24 to any setup # matt's lan
> 
> # Allow gw to open connections to the Internet (tcp/udp/etc)
> add allow ip from 144.136.0.0/16 to any setup out via rl1
> 
> # Allow some ICMP's
> add allow icmp from any to any icmptypes 3,4,11,12,8,0
> 
> # Diablo services - Incoming connections allowed
> add allow tcp from any to any 21 in via rl1 setup
> add allow tcp from any to any 22 in via rl1 setup
> add allow tcp from any to any 25 in via rl1 setup
> add allow tcp from any to any 53 in via rl1 setup
> add allow tcp from any to any 80 in via rl1 setup
> #add allow tcp from any to any 110 in via rl1 setup
> #add allow tcp from any to any 143 in via rl1 setup
> add allow tcp from any to any 993 in via rl1 setup
> add allow tcp from any to any 995 in via rl1 setup
> #add allow tcp from any to any 3389 in via rl1 setup # RD
> #add allow tcp from any to any 6667 in via rl1 setup # IRC server
> #add allow tcp from 144.136.0.0/16 to any 5901 in via rl1 setup # VNC on diablo
> #add allow tcp from 203.194.94.0/24 to any 5901 in via rl1 setup # VNC on diablo
> #add allow tcp from any to any 6881 # Bit Torrent
> #add allow tcp from any to any 6882 # Bit Torrent
> #add allow tcp from any to any 6883 # Bit Torrent
> #add allow tcp from any to any 6884 # Bit Torrent
> #add allow tcp from any to any 6112 # SC/BW
> 
> # UT2003/UT2004
> add allow tcp from any to any 7777 in via rl1 setup
> add allow tcp from any to any 7778 in via rl1 setup
> add allow tcp from any to any 7787 in via rl1 setup
> add allow tcp from any to any 7788 in via rl1 setup
> 
> # Politely and quickly rejects AUTH requests (IRC!! #*()@$@#$)
> add reset tcp from any to any 113 in via rl1
> 
> # Make the default 'deny' rule log too.
> add 65500 deny log ip from any to any
> diablo:/home/diskiller#
> 
> 
> 
> I really hope someone can figure this one out...
> 
> Thanks,
> Martin.
> 
> --
> diskiller at diskiller.net | www.diskiller.net | irc.diskiller.net
>  
> (No trees were destroyed in the sending of this message. However, a
> large number of electrons were significantly inconvenienced.)
> 
> 
> 
> 
> _______________________________________________
> freebsd-hardware at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-hardware
> To unsubscribe, send any mail to "freebsd-hardware-unsubscribe at freebsd.org"
> 
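The ruleset quoted above is evaluated first-match, so rule order decides what reaches the box; the following added example (my own code, not from the thread or from ipfw) parses the subset of those rules reproduced here with simplified ipfw semantics and reports which rule decides a given packet, which is how I would audit the ordering (for instance, that the 10.64.28.1 accept sits before the 10/8 anti-spoof deny, and that the bare "allow udp" rule answers every inbound UDP datagram that gets that far). It assumes 203.0.113.9 as a constructed outside host, 144.136.223.204 as the rl1 address from the ifconfig output, ignores the natd address rewrite, and omits the icmp and lo0 rules.

```python
import ipaddress
# Constructed subset of the /etc/firewall.diablo rules quoted above, in their
# original order; ipfw is first-match, so the first terminating rule decides.
RULESET = """
add deny log udp from any to any 137,138,139 via rl1
add deny log ip from 10.0.0.0/24 to any in via rl1
add deny log ip from not 10.0.0.0/24 to any in via rl0
add allow ip from 10.64.28.1 to any in via rl1
add deny log ip from 192.168.0.0/16 to any in via rl1
add deny log ip from 10.0.0.0/8 to any in via rl1
add divert natd all from any to any via rl1
add allow udp from any to any
add allow tcp from any to any established
add allow tcp from 10.0.0.0/24 to any setup
add allow tcp from any to any 22 in via rl1 setup
add reset tcp from any to any 113 in via rl1
add 65500 deny log ip from any to any
"""

def _endpoint(t, i):
    """Parse '[not] <any|addr|cidr> [port,...]' at t[i]; return (net, negated, ports, next i)."""
    neg = t[i] == "not"
    i += neg
    net = None if t[i] == "any" else ipaddress.ip_network(t[i], strict=False)
    i += 1
    ports = set()
    if i < len(t) and t[i][0].isdigit():        # optional comma-separated port list
        ports = {int(p) for p in t[i].split(",")}
        i += 1
    return net, neg, ports, i

def parse_rule(line):
    """Turn one 'add ...' line (the ipfw subset used above) into a dict."""
    t = line.split()
    i = 1 + t[1].isdigit()                       # optional explicit rule number
    r = {"text": line, "action": t[i], "dir": None, "via": None, "flag": None}
    i += 1 + (r["action"] == "divert")           # a divert rule names its natd port
    i += t[i] == "log"
    r["proto"] = t[i]
    i += 2                                       # protocol, then the word "from"
    r["src"], r["src_not"], r["sports"], i = _endpoint(t, i)
    i += 1                                       # the word "to"
    r["dst"], r["dst_not"], r["dports"], i = _endpoint(t, i)
    while i < len(t):                            # trailing options
        if t[i] in ("in", "out"):
            r["dir"] = t[i]
        elif t[i] == "via":
            i += 1
            r["via"] = t[i]
        elif t[i] in ("setup", "established"):
            r["flag"] = t[i]
        i += 1
    return r

def _addr_ok(net, negated, addr):
    return (net is None or ipaddress.ip_address(addr) in net) != negated

def matches(r, p):
    """p: packet dict with proto, src, dst, dir, via, dport, syn (SYN-only = new connection)."""
    return ((r["proto"] in ("ip", "all") or r["proto"] == p["proto"])
            and _addr_ok(r["src"], r["src_not"], p["src"])
            and _addr_ok(r["dst"], r["dst_not"], p["dst"])
            and (not r["dports"] or p["dport"] in r["dports"])
            and (r["dir"] is None or r["dir"] == p["dir"])
            and (r["via"] is None or r["via"] == p["via"])
            and (r["flag"] != "setup" or (p["proto"] == "tcp" and p["syn"]))
            and (r["flag"] != "established" or (p["proto"] == "tcp" and not p["syn"])))

RULES = [parse_rule(l) for l in RULESET.strip().splitlines()]

def decide(proto, src, dst, direction, via, dport=0, syn=False):
    """Walk RULES first-match and return (action, rule text, diverted). A matching divert
    hands the packet to natd, which reinjects it at the next rule; addresses are not rewritten here."""
    p = {"proto": proto, "src": src, "dst": dst, "dir": direction, "via": via,
         "dport": dport, "syn": syn}
    diverted = False
    for r in RULES:
        if not matches(r, p):
            continue
        if r["action"] == "divert":
            diverted = True
            continue
        return r["action"], r["text"], diverted
    return "deny", "<kernel default: options IPFIREWALL, default to deny>", diverted
```

Run `decide("udp", "203.0.113.9", "144.136.223.204", "in", "rl1", 5060)` to see the inbound UDP case land on the bare "allow udp" rule after the divert.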
