Trouble with ipfw :( help!

Dmitry Zadvornykh foot at binbank.ru
Wed Aug 25 05:27:45 PDT 2004


  Sorry for my lame question!
  I have configured ipfw on my mail server... But I have trouble
  understanding what is working wrong... Why does FreeBSD stop all traffic?
  OK? Let's go!

#uname -a
FreeBSD ns2.jamaika.ru 5.2.1-RELEASE FreeBSD 5.2.1-RELEASE #2: Mon Jul 26 17:23:28 MSD 2004     root at ns2.jamaika.ru:/usr/src/sys/i386/compile/NS2  i386

(ex0 - unplugged from network)
#ifconfig ex1
ex1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet xxx.xxx.xx.xxx netmask 0xffffff00 broadcast xxx.xxx.xx.xxx
        inet6 fe80::2aa:ff:fe5d:fd06%ex1 prefixlen 64 scopeid 0x2
        ether 00:aa:00:5d:fd:06
        media: Ethernet 10baseT/UTP
        status: active
  
#ipfw list
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 allow icmp from any to any
00500 allow tcp from any to any established
00600 allow ip from any to any frag
00700 allow ip from me to any setup
00800 allow tcp from any to me dst-port 25,110,995,143,993 setup
00900 allow tcp from any to me dst-port 500,600 setup
01000 allow tcp from any to me dst-port 22,32222 setup
01100 allow udp from me to any dst-port 53 keep-state
09999 allow log ip from any to any
65500 deny log ip from any to any
65535 deny ip from any to any

  (look at 9999 - it's a temporary line, just for test)

  1st: all works perfectly!
/var/log/security:
Aug 25 14:42:26 ns2 kernel: ipfw: 9999 Accept MAC in via ex1
Aug 25 14:42:54 ns2 last message repeated 16 times
Aug 25 14:44:54 ns2 last message repeated 70 times
Aug 25 14:54:55 ns2 last message repeated 351 times
Aug 25 15:04:55 ns2 last message repeated 345 times
Aug 25 15:14:55 ns2 last message repeated 351 times
Aug 25 15:21:39 ns2 last message repeated 234 times


  2nd: now I delete the 9999 rule!! Still working very well!

#ipfw delete 9999

/var/log/security:
Aug 25 15:21:41 ns2 kernel: ipfw: 65500 Deny MAC in via ex1
Aug 25 15:22:13 ns2 last message repeated 18 times
Aug 25 15:24:15 ns2 last message repeated 76 times
Aug 25 15:34:17 ns2 last message repeated 346 times
Aug 25 15:41:25 ns2 last message repeated 253 times
Aug 25 15:41:27 ns2 kernel: ipfw: 65500 Deny MAC out via ex1
Aug 25 15:41:27 ns2 kernel: ipfw: 65500 Deny MAC in via ex1
Aug 25 15:41:27 ns2 kernel: ipfw: 65500 Deny MAC out via ex1
Aug 25 15:41:28 ns2 kernel: ipfw: 65500 Deny MAC out via ex1
Aug 25 15:41:29 ns2 kernel: ipfw: 65500 Deny MAC in via ex1

  And NOW all network traffic froze (no ping, no ssh, nothing).
  20 min passed from when I denied this incoming MAC packet till BSD started to
  send MAC packets... and all traffic froze...
  
Aug 25 15:41:29 ns2 kernel: ipfw: 65500 Deny MAC out via ex1
Aug 25 15:41:30 ns2 kernel: ipfw: 65500 Deny MAC out via ex1
Aug 25 15:41:30 ns2 kernel: ipfw: 65500 Deny MAC in via ex1
Aug 25 15:41:31 ns2 kernel: ipfw: 65500 Deny MAC out via ex1
Aug 25 15:41:31 ns2 kernel: ipfw: 65500 Deny MAC in via ex1
Aug 25 15:41:32 ns2 kernel: ipfw: 65500 Deny MAC out via ex1
Aug 25 15:41:33 ns2 kernel: ipfw: 65500 Deny MAC out via ex1
Aug 25 15:41:33 ns2 kernel: ipfw: 65500 Deny MAC in via ex1

tcpdump log:
15:41:23.728169 802.1d config 8000.00:04:dd:05:af:44.8026 root 8000.00:01:96:cb:ae:44 pathcost 8 age 2 max 20 hello 2 fdelay 15
15:41:25.728788 802.1d config 8000.00:04:dd:05:af:44.8026 root 8000.00:01:96:cb:ae:44 pathcost 8 age 2 max 20 hello 2 fdelay 15
15:41:27.730761 802.1d config 8000.00:04:dd:05:af:44.8026 root 8000.00:01:96:cb:ae:44 pathcost 8 age 2 max 20 hello 2 fdelay 15
15:41:29.729825 802.1d config 8000.00:04:dd:05:af:44.8026 root 8000.00:01:96:cb:ae:44 pathcost 8 age 2 max 20 hello 2 fdelay 15


  3rd: I put the 9999 rule back! And all starts working fine...
Aug 25 15:45:39 ns2 kernel: ipfw: 9999 Accept MAC in via ex1
Aug 25 15:46:11 ns2 last message repeated 18 times

  What to do?



-- 
Dmitry Zadvornykh
BIN-Bank
http://www.binbank.ru
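
As an added check (not part of Dmitry's post or of FreeBSD), a small Python parser over the kind of /var/log/security lines quoted above, with the sample lines constructed from the post's excerpt: it expands syslog's "last message repeated N times" and reports every layer-2 frame that a deny rule dropped. Entries logged with the protocol field "MAC" are Ethernet frames that ipfw only sees when net.link.ether.ipfw is enabled; the tcpdump output shows 802.1d STP frames, and ARP is handled the same way, so a catch-all deny with no permissive layer-2 rule ahead of it silently drops ARP too.

```python
import re
from collections import Counter

# Constructed sample, copied from the /var/log/security excerpt in the post above.
SAMPLE_LOG = """\
Aug 25 14:42:26 ns2 kernel: ipfw: 9999 Accept MAC in via ex1
Aug 25 14:42:54 ns2 last message repeated 16 times
Aug 25 15:21:41 ns2 kernel: ipfw: 65500 Deny MAC in via ex1
Aug 25 15:22:13 ns2 last message repeated 18 times
Aug 25 15:41:27 ns2 kernel: ipfw: 65500 Deny MAC out via ex1
Aug 25 15:41:27 ns2 kernel: ipfw: 65500 Deny MAC in via ex1
"""

# ipfw log line: "<rule> <Accept|Deny> <proto> [<src> <dst>] <in|out> via <ifname>".
# Layer-2 frames are logged with the protocol field "MAC" and no addresses.
IPFW_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>Accept|Deny) (?P<proto>\S+)"
    r"(?: \S+)*? (?P<dir>in|out) via (?P<ifn>\S+)"
)
REPEAT_RE = re.compile(r"last message repeated (?P<n>\d+) times")

def count_events(log_text):
    """Count ipfw events keyed by (rule, action, proto, direction, interface)."""
    counts = Counter()
    last = None
    for line in log_text.splitlines():
        m = IPFW_RE.search(line)
        if m:
            last = (int(m["rule"]), m["action"], m["proto"], m["dir"], m["ifn"])
            counts[last] += 1
            continue
        # syslog collapses identical consecutive lines; credit the N repeats
        # to the ipfw event that preceded the "repeated" marker.
        r = REPEAT_RE.search(line)
        if r and last is not None:
            counts[last] += int(r["n"])
    return counts

def layer2_denies(counts):
    """Return {(rule, direction, interface): hits} for dropped layer-2 (MAC) frames."""
    # Non-empty means non-IP frames (ARP, STP BPDUs) reach a deny rule; the host
    # goes silent once its ARP cache entries expire and cannot be refreshed.
    return {(rule, d, ifn): n
            for (rule, action, proto, d, ifn), n in counts.items()
            if action == "Deny" and proto == "MAC"}

if __name__ == "__main__":
    for (rule, d, ifn), hits in sorted(layer2_denies(count_events(SAMPLE_LOG)).items()):
        print("rule %d dropped %d layer-2 frame(s) %s via %s" % (rule, hits, d, ifn))
```

The 20-minute gap in the post between the first "Deny MAC" and the freeze matches FreeBSD's default ARP entry lifetime of 1200 seconds, which is consistent with ARP traffic being dropped once the cached entry for the gateway expired. Either an explicit early `allow ... layer2` rule for the frames the host needs, or leaving net.link.ether.ipfw at 0, keeps the catch-all deny from eating them.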



More information about the freebsd-questions mailing list