ipfw lost its mind?
Paul Schmehl
pauls at utdallas.edu
Thu Mar 3 10:37:56 PST 2005
I maintain a small hobby website running on FreeBSD 4.9 SECURITY. I'm
paranoid about security and religious about updates (kernel and ports).
Recently, the server began to exhibit odd behavior that looked for all the
world like name resolution issues.
I had recently updated bind to 9.0.3_1, so I assumed that was the likely
culprit and I began to troubleshoot. Bind was acting flaky, so I
deinstalled it and installed 8.4 instead. It still complained about the
socket file (which is what 9.0.3_1 did) so I decided to dump bind and
installed djbdns instead. (Best thing I ever did. Response is much
better.)
However, the sluggishness problem continued. Last night I drove back over
to the server and, after checking some things, I discovered some very
strange behavior from ipfw.
Even though my script has been working fine for over three years, I found
that when I added a rule to allow all (ipfw add 00001 allow ip from any to
any) the server immediately began to process traffic normally.
Keep in mind, before I made this change, you could still access the
website. It was just slower than molasses. Ssh and mail sessions timed
out and were unusable.
So, I removed rule 00001 and created a new one like this:
ipfw add 00050 allow ip from (my workstation at work) to any.
I then ssh'd to my workstation and attempted to ssh back to the server. No
go. Yet ipfw show shows an increased packet count on the counter for that
rule. So, it's seeing the packets, but they're being delayed somehow.
Why the allow ip from any to any works, but allow ip from my workstation to
any doesn't is a complete mystery to me.
To make a long story short, I disabled the firewall and everything is
running normally.
My question is, has anyone else seen recent strange behavior from ipfw? Or
has anyone seen this *kind* of behavior from ipfw and knows what the cause
is?
Paul Schmehl (pauls at utdallas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu