IPFW problems
Robert Watson
rwatson at freebsd.org
Wed Jan 19 02:34:12 PST 2005
On Wed, 19 Jan 2005 freebsd at newmillennium.net.au wrote:
> I have recently (the last week or so, but possible longer as I had
> updated the system prior to going on a 3 week holiday) been having some
> problems with IPFW under -CURRENT.
>
> I am running:
> bash-2.05b$ uname -a
> FreeBSD picard.newmillennium.net.au 6.0-CURRENT FreeBSD 6.0-CURRENT #38:
> Sun Jan 16 18:27:30 EST 2005
> root at picard.newmillennium.net.au:/usr/obj/usr/src/sys/PICARD i386
>
> What happens is that I occasionally (every 5 minutes or so) get the
> following:
>
> Jan 19 16:54:41 picard kernel: ipfw: ouch!, skip past end of rules, denying packet
This error message seems to occur when the end of the rule chain is
reached without hitting a packet. The one scenario I can think of where
this might happen is if the rule set somehow skips past the end of the
chain. Could you confirm two things:
- That your ipfw rule set contains no skiptos that push past the last
rule?
- That your user space ipfw(8) binary is in sync with your kernel?
If there's no obvious source of a potential issue of that sort, it may be
we're looking at an ipfw bug. The error message should be cleaned
up/clarified even if you're seeing the results of a bug, since it's
a bit unclear on what actually happened.
Robert N M Watson
>
> And then a (random) TCP connection is dropped. What is interesting is
> that every possible path through the firewall matches a rule. I can
> provide a copy of the firewall rules on request.
>
> My firewall uses the following features, in addition to the standard
> allow/deny rules:
>
> Dummynet
> Stateful rules (check-state, keep-state)
> Skipto's
> Forwarding (fwd)
>
> Some more stuff from the system, in case it helps:
> bash-2.05b$ sysctl -a | grep ip\.fw
> net.inet.ip.fw.enable: 1
> net.inet.ip.fw.autoinc_step: 100
> net.inet.ip.fw.one_pass: 0
> net.inet.ip.fw.debug: 1
> net.inet.ip.fw.verbose: 1
> net.inet.ip.fw.verbose_limit: 0
> net.inet.ip.fw.dyn_buckets: 256
> net.inet.ip.fw.curr_dyn_buckets: 256
> net.inet.ip.fw.dyn_count: 343
> net.inet.ip.fw.dyn_max: 4096
> net.inet.ip.fw.static_count: 184
> net.inet.ip.fw.dyn_ack_lifetime: 1800
> net.inet.ip.fw.dyn_syn_lifetime: 20
> net.inet.ip.fw.dyn_fin_lifetime: 1
> net.inet.ip.fw.dyn_rst_lifetime: 1
> net.inet.ip.fw.dyn_udp_lifetime: 10
> net.inet.ip.fw.dyn_short_lifetime: 5
> net.inet.ip.fw.dyn_keepalive: 1
>
> My kernel options regarding the firewall are:
> options IPFIREWALL
> options IPDIVERT
> options IPFIREWALL_FORWARD
> options DUMMYNET
> options HZ=1000
>
> --
> Alastair D'Silva mob: 0413 485 733
> Networking Consultant fax: 0413 181 661
> New Millennium Networking web: http://www.newmillennium.net.au
>
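The first thing Robert asks the poster to confirm is that no skipto pushes past the last rule. The script below, an added example that is not part of this thread, reads a rule listing in `ipfw list` format and flags any skipto whose target has no rule at or above it (ipfw(8) defines skipto as "continue at the first rule numbered >= target"), plus any target that does not lie after the rule itself. The sample listing is constructed, not the poster's real rule set.

```python
import re
from typing import List, Tuple

# One line of `ipfw list` output: "<rulenum> [set N] <action> ...".
RULE_RE = re.compile(r"^\s*(\d+)\s+\S")
SKIPTO_RE = re.compile(r"^\s*(\d+)\s+(?:set\s+\d+\s+)?skipto\s+(\d+)\b")

# Constructed excerpt in `ipfw list` format; not the poster's real rule set.
SAMPLE_LISTING = """\
00100 allow ip from any to any via lo0
00200 check-state
00300 skipto 1000 tcp from any to any setup keep-state
00400 skipto 2000 udp from any to 10.0.0.0/8
00500 pipe 1 ip from 192.168.0.0/24 to any
00600 skipto 500 tcp from any to any established
00700 fwd 127.0.0.1,3128 tcp from 192.168.0.0/24 to any 80
01000 allow ip from any to any
"""

def parse_rule_numbers(listing: str) -> List[int]:
    """Rule numbers present in the listing, in listing order."""
    return [int(m.group(1)) for m in map(RULE_RE.match, listing.splitlines()) if m]

def find_bad_skiptos(listing: str) -> List[Tuple[int, int, str]]:
    """(rule, target, reason) for every skipto that cannot land on a later rule.

    ipfw(8) resolves 'skipto N' as 'continue at the first rule numbered >= N',
    so a target above the highest rule in the listing leaves nothing to
    continue at: the packet would run off the end of the chain.
    """
    last = max(parse_rule_numbers(listing), default=0)
    problems = []
    for line in listing.splitlines():
        m = SKIPTO_RE.match(line)
        if not m:
            continue
        rule, target = int(m.group(1)), int(m.group(2))
        if target > last:
            problems.append((rule, target, f"no rule numbered >= {target}; runs past end of chain"))
        elif target <= rule:
            problems.append((rule, target, "target is not after this rule; skipto only scans forward"))
    return problems

if __name__ == "__main__":
    for rule, target, why in find_bad_skiptos(SAMPLE_LISTING):
        print(f"rule {rule:05d}: skipto {target} -> {why}")
```

Run it against the saved output of `ipfw list`; if the listing includes the kernel's default rule 65535, only backward or out-of-range targets can be reported, so a clean result there points back at the kernel rather than the rule set.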