network problems 7.0-p3: sendto: Operation not permitted

[Jeremy Chadwick]

Let's see if I can figure out the multitude of things you've posted
about, since a bunch are unrelated and you appear to be flailing around
with your arms in the air.  :-)

On Thu, Jul 24, 2008 at 01:59:23AM -0400, Robert Jameson wrote:
> (12:46 AM):(root at cube)/$ ping google.com
> PING google.com (72.14.207.99): 56 data bytes
> ping: sendto: Operation not permitted

This usually indicates firewall rules on the local machine, although I
believe there are some other operations where EPERM can be returned.

> This appears to be an issue with the network.

Can you provide uname -a output?  There was a "cable modem compatibility
fix" applied to FreeBSD a while ago (a user informed me of such),
although I do not know if it applies to you, as I do not know the
original symptoms.  I believe that fix was also just for TCP.

> I have attached my rc.conf and sysctl.conf and pf.conf please let me know if
> any other information is required.

> Errors from /var/log/console.log:
> 
> Jul 18 21:10:02 cube kernel: Jul 18 21:10:02 cube named[908]: socket: too
> many open file descriptors
> Jul 19 00:30:13 cube kernel: Jul 19 00:30:13 cube named[9748]: socket: too
> many open file descriptors
> Jul 19 00:30:54 cube kernel: Jul 19 00:30:14 cube last message repeated 28
> times

This indicates a completely different/unrelated problem.

> Jul 20 22:15:39 cube kernel: Limiting open port RST response from 318 to 200
> packets/sec

This indicates a high number of ICMP packets being received.  Keep in
mind this can also be seen due to TCP connections which are being reset
and other such things -- ICMP is at a higher layer than TCP.

I don't think there's necessarily anything "wrong" with that number (you
show up to 740), but it would be worthwhile investigating what's
soliciting that amount of ICMP traffic.  Are you seeing this 24x7x365?

> /etc/sysctl.conf
> net.inet.icmp.icmplim=2000
> 
> I know it seems abit high, but i kept adjusting until the error went away.
> (not really fixing the problem?)

It's not a big high; FreeBSD's 200 default is too low for any production
server, if you ask me.  Setting it to 2000 is probably fine.

> If your mail client or the mailing list prevents you from seeing the
> attached
> You can view them here:
>  http://rj.dawnshosting.com/fbsd_ml/

You should discuss your firewalling rules on freebsd-pf, and not here.
I believe you may have some mistakes which are inducing said problem.

> PS: While running tcpdump I see this
> 
> tcpdump -i fxp0
> 
> Neither one of these ip's exist on my system is my cable company doing
> something wrong?
> 
> 
> 01:47:12.135929 arp who-has 64.253.3.161.dyn-cm-pool73.pool.hargray.net tell
> 64.253.3.1.dyn-cm-pool73.pool.hargray.net
> 01:47:12.155931 arp who-has 216.16.218.141.dyn-cm-pool46.pool.hargray.nettell
> 216.16.218.1.dyn-cm-pool46.pool.hargray.net
> 01:47:12.196000 arp who-has 181.131.216.67.181.static.hargray.net tell
> 1.131.216.67.1.static.hargray.net

Nope.  This is normal behaviour for a cable modem network; they
constantly spam layer 2 ARP for *everyone* on the entire cable network
segment.  Yes, you read that right.

> Is this an attack?
> 
> 01:55:41.231722 IP cube.dawnshosting.com > purple.haze.bluntroll.in: ICMP
> echo request, id 22055, seq 37084, length 64
> 01:55:42.232794 IP cube.dawnshosting.com > purple.haze.bluntroll.in: ICMP
> echo request, id 22055, seq 37085, length 64

At this rate (1 ICMP packet a second), absolutely not.  You also don't
mention which FQDN/IP is yours; I assume "cube.dawnshosting.com", based
on your local hostname in the above.  Your machine is sending out an
ICMP ping packet to purple.haze.bluntroll.in every 1 second.  If you
don't know why, you need to investigate why.

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |