System (Firewall - IP filter) freezes sometimes

Lars Wittebrood lars at socruel.nu
Thu Nov 9 19:37:05 UTC 2006


Hello lists,

I have a 6.1-RELEASE-p10 system running the IP Filter which comes with 6.1,
acting as a firewall for my small home network. This system freezes when
handling a lot of data, i.e. with an upload of a 60Meg file to the
firewall through SFTP from OpenSSH, or when accessing large webpages.
By freezes I mean it doesn't accept any new connections and doesn't
respond to the keyboard. After 3 or 4 minutes the system 'lives' again.
Nothing valuable is logged in the meantime. The NICs used are Intel Gbit
Desktop adapters and the system is using the 'em' driver for them. I am
running IP Filter as a module.

The freeze doesn't happen when the IP Filter kernel module is unloaded!

me at firewall me $ uname -a
FreeBSD firewall.domain.nu 6.1-RELEASE-p10 FreeBSD 6.1-RELEASE-p10 #0: Thu Nov  2 16:00:30 CET 2006     root at firewall.domain.nu:/usr/obj/usr/src/sys/FIREWALL  i386

me at firewall me $ ipf -V
ipf: IP Filter: v4.1.8 (416)

The sysctl.conf file of the system:
# $FreeBSD: src/etc/sysctl.conf,v 1.8 2003/03/13 18:43:50 mux Exp $
#
#  This file is read when going to multi-user and its contents piped thru
#  ``sysctl'' to adjust kernel values.  ``man 5 sysctl.conf'' for details.
#
#------------------------------------------------------------------------
#       Disable kernel coredumps
#------------------------------------------------------------------------
kern.coredump=0
#------------------------------------------------------------------------
#       Some hardening options
#------------------------------------------------------------------------
security.bsd.see_other_uids=0
security.bsd.see_other_gids=0
#------------------------------------------------------------------------
#       Some networking options
#------------------------------------------------------------------------
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
net.inet.ip.random_id=1
#------------------------------------------------------------------------
# TCP/IP stack hardening
#------------------------------------------------------------------------
# Decrease the ARP cache cleanup interval
net.link.ether.inet.max_age=1200
# Disable ICMP broadcast echo activity
net.inet.icmp.bmcastecho=0
# Disable ICMP routing redirects
net.inet.ip.redirect=0
# Disable ICMP broadcast probes
net.inet.icmp.maskrepl=0
# Disable IP source routing
net.inet.ip.sourceroute=0
net.inet.ip.accept_sourceroute=0
# Increase resilience under heavy TCP load
kern.ipc.somaxconn=1024
# Set TCP send and receive window sizes
net.inet.tcp.sendspace=32768
net.inet.tcp.recvspace=32768

Does anyone have any idea what this is about?


Regards,
Lars Wittebrood.

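The post quotes a hardening sysctl.conf but no check that the running kernel actually carries those values; when a box is diagnosed by loading and unloading a module, as here, it is worth knowing which OIDs are applied, which have drifted, and which are simply absent (for instance because the module that provides them is not loaded). The POSIX sh script below is an added example, not code from the post or from FreeBSD: it parses a sysctl.conf-style file, compares each key with a "sysctl -a"-style snapshot, and reports OK, DRIFT or MISSING per key. The two input files are constructed sample data and are not taken from the poster's system.

```sh
#!/bin/sh
# Added example (not from the original post): audit a sysctl.conf-style
# hardening file against a snapshot of the running kernel values in the
# "key: value" form that "sysctl -a" prints, and report OK / DRIFT /
# MISSING per key.  All input below is constructed sample data.

set -u

# Strip comments and whitespace from a sysctl.conf file and keep only
# "key=value" lines.
parse_conf() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' "$1" | grep '='
}

# Look up one key in a "sysctl -a" style snapshot; prints the value, or
# nothing if the key is absent.  Dots in the key are escaped so that
# "net.inet.ip.redirect" cannot match "net.inet.ip.redirect6".
lookup_running() {
    key_re=$(printf '%s' "$1" | sed 's/\./\\./g')
    sed -n "s/^${key_re}[:=][[:space:]]*//p" "$2" \
        | sed 's/[[:space:]]*$//' | head -n 1
}

# Compare every key in the conf file with the snapshot.
#   OK      key                 running value matches the file
#   DRIFT   key want= have=     running value differs from the file
#   MISSING key want=           key not present in the snapshot (unknown
#                               OID, or the module providing it not loaded)
audit_sysctl() {
    conf=$1; snap=$2
    parse_conf "$conf" | while IFS='=' read -r key want; do
        have=$(lookup_running "$key" "$snap")
        if [ -z "$have" ]; then
            echo "MISSING $key want=$want"
        elif [ "$have" != "$want" ]; then
            echo "DRIFT $key want=$want have=$have"
        else
            echo "OK $key"
        fi
    done
}

# Count result lines of one status (OK, DRIFT or MISSING).
count_status() {
    audit_sysctl "$2" "$3" | grep -c "^$1 "
}

# --- constructed sample input -------------------------------------------
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# constructed hardening file, modelled on the settings quoted in the post
cat > "$WORK/sysctl.conf" <<'EOF'
# Disable kernel coredumps
kern.coredump=0
# Some hardening options
security.bsd.see_other_uids=0
net.inet.tcp.blackhole=2
net.inet.ip.random_id=1
net.inet.ip.sourceroute=0
EOF

# constructed "sysctl -a" excerpt: two values have drifted, one key is absent
cat > "$WORK/running.txt" <<'EOF'
kern.coredump: 1
security.bsd.see_other_uids: 0
security.bsd.see_other_gids: 0
net.inet.tcp.blackhole: 0
net.inet.ip.random_id: 1
net.inet.ip.redirect: 1
EOF

audit_sysctl "$WORK/sysctl.conf" "$WORK/running.txt"
```

On a live system the snapshot would come from "sysctl -a > running.txt"; the script deliberately reads a file rather than calling sysctl so that it can be run anywhere, and so that a snapshot taken during the freeze window (from a serial console, say) can be compared afterwards with one taken when the box is healthy. A MISSING result for an OID that the conf file sets is the interesting case for a module-based setup: sysctl.conf is applied once at boot, so a value belonging to a module loaded later is never set from that file at all.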
