Problems with IPFW causing failed DNS and FTP sessions

Don O'Neil lists at lizardhill.com
Mon Apr 1 03:36:55 UTC 2013


Hi everyone. Recently my server started having issues with DNS and FTP
sessions either not resolving or timing out. I've tracked the issue down to
IPFW. If I issue a 'sysctl net.inet.ip.fw.enable=0' then my issues go away.

I have the basic rules like this for DNS:

01160 allow udp from any to any dst-port 53 in keep-state
01161 allow tcp from any to any dst-port 53 in keep-state
01162 allow udp from any to any dst-port 53 out keep-state
01163 allow tcp from any to any dst-port 53 out keep-state

When I try an nslookup, sometimes they fail, sometimes they get through, even
if I change my DNS server to Google, my ISP, or even OpenDNS. The firewall
seems to be causing the issue.

I have about 65 rules in all.


Any ideas what could be causing this? My server load is low, usually
hovering around 0.2.

How can I look at the actual amount of traffic that the IPFW module is
processing and track down potential performance issues? My server isn't
pushing much data, only around 4-5 Mbps sustained.


Thanks!
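As an added example (not from the original post), a small sh script for the question above about seeing how much traffic the ipfw module is handling: it ranks rules by their packet counters and reports how full the dynamic keep-state table is. It assumes FreeBSD ipfw(8) output formats ("ipfw -a list" and "ipfw -d list") and the sysctl net.inet.ip.fw.dyn_max; the sample output in the comments is constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Helpers for answering "how much traffic
# is ipfw handling, and is the dynamic (keep-state) table filling up?".
# Assumes FreeBSD ipfw(8) output formats and the sysctl net.inet.ip.fw.dyn_max.
# Constructed sample of "ipfw -a list" output (rule# packets bytes body):
#   01160 8234 612345 allow udp from any to any dst-port 53 in keep-state
# Constructed sample of a dynamic entry from "ipfw -d list":
#   01160 1 60 (10s) STATE udp 192.0.2.10 40001 <-> 192.0.2.1 53

# rank_rules N : read "ipfw -a list" output on stdin and print the N busiest
# static rules as "<packets> <rule#> <rule body>", highest packet count first.
rank_rules() {
    awk '/^[0-9]+ +[0-9]+ +[0-9]+ / && !/STATE/ {
             body = ""
             for (i = 4; i <= NF; i++) body = body (i > 4 ? " " : "") $i
             print $2, $1, body
         }' | sort -rn | head -n "${1:-10}"
}

# count_state : read "ipfw -d list" output on stdin and print the number of
# dynamic (keep-state) entries currently tracked.
count_state() {
    grep -c ' STATE ' || true
}

# state_usage COUNT MAX : integer percentage of the dynamic table in use.
state_usage() {
    echo $(( $1 * 100 / $2 ))
}

# live_report : run as root on the FreeBSD box against the real firewall.
live_report() {
    echo "== busiest rules (packets rule# body) =="
    ipfw -a list | rank_rules 10
    cnt=$(ipfw -d list | count_state)
    max=$(sysctl -n net.inet.ip.fw.dyn_max)
    echo "== dynamic state: $cnt of $max entries ($(state_usage "$cnt" "$max")%) =="
}
```

If the dynamic count sits near dyn_max, new keep-state sessions cannot be tracked and fail intermittently, which is worth ruling out first; net.inet.ip.fw.dyn_max and net.inet.ip.fw.dyn_udp_lifetime are the knobs that control table size and how long UDP entries such as DNS lookups linger.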



More information about the freebsd-questions mailing list