Problems with IPFW causing failed DNS and FTP sessions

Michael Powell nightrecon at
Mon Apr 1 04:39:47 UTC 2013

Don O'Neil wrote:

> Hi everyone. recently my server started having issues with DNS and FTP
> sessions either not resolving or timing out. I've tracked the issue down
> to IPFW. if I issue a 'sysctl net.inet.ip.fw.enable=0' then my issues go
> away.

I'm probably not smart enough to be able to help directly with your problem
but I'd like to add that there is a snowballing DNS amplification DDoS
attack against SpamHaus going on which is spilling over. I was looking at
some weird stuff my Suricata was reporting today when I noticed a large
majority of it was coming from CloudFlare CDN. They use anycast packet
traffic to deflect and diffuse such attacks for their customers.

I'm wondering if your box has just been sitting there doing its thing and
you've made zero changes to it, so it is essentially 'steady state' and this
problem just sort of came up seemingly out of nowhere. Consider the
possibility that the cause may be external and what you're seeing is just
IPFW's reaction to it.

A friend of mine is on a nearby Verizon subnet and he uses their DNS
servers. He noticed minimal hiccup, while I have my DNS pointed at OpenDNS
and it took them almost a day to get their situation under control. Once
they did, traffic seemed to return to normal; then I noticed Suricata alerting
on return traffic in my pf DNS firewall rule. All the traffic Suricata was
complaining about was coming from the CloudFlare CDN. I've never seen this
before, so I'm not completely certain what to make of it. My hypothesis is
OpenDNS subscribed to CloudFlare's "protection", and since it is legit
return traffic from my DNS server's lookups the firewall never touched it. I
would never have noticed if it wasn't for Suricata.

I just don't know enough about it all, just that I was having some flaky DNS
stalling and hanging, and when it seemed like it returned to normal I began
to see this weird stuff from CloudFlare CDN on my DNS traffic. I just would like
to point out it may be possible your problem is somehow just a reflection of
some noise going on outside your box. As for exactly what you might do about
it, that is for smarter people than me.


More information about the freebsd-questions mailing list