Random "Network is unreachable" on 6.2-RELEASE

Peter Jeremy peterjeremy at optushome.com.au
Sat Feb 10 21:36:06 UTC 2007


I've recently upgraded my firewall from 5.4 to 6.2-RELEASE and am now
getting random "Network is unreachable" messages on connections to the
firewall from my internal network.  Some checking suggests it also
affects connections from and through my firewall as well.

I have had about 6 attempts at copying a 600MB data file to the
firewall and they generally drop out after 100-200MB - though not at
the same place.  It looks very much like pattern sensitivity.

The firewall rules have not changed and look as below.  fxp0 is
internet and fxp1 is internal.

Has anyone else seen anything like this?

fwall# ifconfig -a
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=8<VLAN_MTU>
        inet xxx.xxx.xxx.xxx netmask 0xffffff00 broadcast xxx.xxx.xxx.255
        ether 00:d0:b7:91:d7:e4
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
fxp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=8<VLAN_MTU>
        inet 10.11.12.1 netmask 0xffffff00 broadcast 10.11.12.255
        ether 00:d0:b7:b2:51:15
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000 
fwall# ipfw list
00010 allow ip from any to any
65535 deny ip from any to any
fwall# ipfstat -io
block out all
pass out quick on lo0 all
block out quick on fxp1 all head 20
pass out quick on fxp1 proto udp from 10.11.12.1/32 to 10.11.12.0/24 port = ntp group 20
pass out quick on fxp1 proto tcp from 10.11.12.1/32 to 10.11.12.0/24 port = ssh flags S/FSRPAU keep state group 20
pass out quick on fxp1 proto tcp from 10.11.12.1/32 to 10.11.12.0/24 port = smtp flags S/FSRPAU keep state group 20
block out log quick all group 20
block out quick on fxp0 all head 21
...
block out log quick all group 21
block out log all
block in all
pass in quick on lo0 all
block in quick on fxp1 all head 10
pass in quick on fxp1 proto tcp from any to any flags S/FSRPAU keep state keep frags group 10
pass in quick on fxp1 proto udp from any to any keep state keep frags group 10
pass in quick on fxp1 proto icmp from any to any keep state keep frags group 10
block in log quick all group 10
block in quick on fxp0 all head 11
...
block in log quick all group 11
block in log all
fwall# 

-- 
Peter Jeremy