IPFW problems
freebsd at newmillennium.net.au
Wed Jan 19 00:25:43 PST 2005
I have recently (the last week or so, but possibly longer, as I had
updated the system prior to going on a 3 week holiday) been having some
problems with IPFW under -CURRENT.
I am running:
bash-2.05b$ uname -a
FreeBSD picard.newmillennium.net.au 6.0-CURRENT FreeBSD 6.0-CURRENT #38:
Sun Jan 16 18:27:30 EST 2005
root at picard.newmillennium.net.au:/usr/obj/usr/src/sys/PICARD i386
What happens is that I occasionally (every 5 minutes or so) get the
following:
Jan 19 16:54:41 picard kernel: ipfw: ouch!, skip past end of rules, denying packet
And then a (random) TCP connection is dropped. What is interesting is
that every possible path through the firewall matches a rule. I can
provide a copy of the firewall rules on request.
My firewall uses the following features, in addition to the standard
allow/deny rules:
Dummynet
Stateful rules (check-state, keep-state)
Skiptos
Forwarding (fwd)
Some more stuff from the system, in case it helps:
bash-2.05b$ sysctl -a | grep ip\.fw
net.inet.ip.fw.enable: 1
net.inet.ip.fw.autoinc_step: 100
net.inet.ip.fw.one_pass: 0
net.inet.ip.fw.debug: 1
net.inet.ip.fw.verbose: 1
net.inet.ip.fw.verbose_limit: 0
net.inet.ip.fw.dyn_buckets: 256
net.inet.ip.fw.curr_dyn_buckets: 256
net.inet.ip.fw.dyn_count: 343
net.inet.ip.fw.dyn_max: 4096
net.inet.ip.fw.static_count: 184
net.inet.ip.fw.dyn_ack_lifetime: 1800
net.inet.ip.fw.dyn_syn_lifetime: 20
net.inet.ip.fw.dyn_fin_lifetime: 1
net.inet.ip.fw.dyn_rst_lifetime: 1
net.inet.ip.fw.dyn_udp_lifetime: 10
net.inet.ip.fw.dyn_short_lifetime: 5
net.inet.ip.fw.dyn_keepalive: 1
My kernel options regarding the firewall are:
options IPFIREWALL
options IPDIVERT
options IPFIREWALL_FORWARD
options DUMMYNET
options HZ=1000
--
Alastair D'Silva mob: 0413 485 733
Networking Consultant fax: 0413 181 661
New Millennium Networking web: http://www.newmillennium.net.au