5.3-Stable network issue
Emanuel Strobl
emanuel.strobl at gmx.net
Thu Feb 10 03:53:51 PST 2005
On Thursday, 10 February 2005 11:00, Martin Minkus wrote:
> I seem to have been having a rather strange networking issue in FreeBSD
> 5.3-Stable (it started happening immediately after 5.2.1 and has persisted
> since.. I keep "hoping" that next time I cvsup it will be fixed, but no).
>
> I downgraded back to 5.2.1-p13 and it is perfectly fine once again.
>
>
> *** Some background information:
>
> My FreeBSD box is my home NAT router, server, firewall, etc. It does DHCP,
> MX for some of my domains, secondary DNS (I got primary elsewhere), apache
> for some webhosting, blah blah blah. Nothing really special. It is a Dual
> PIII-500, 512mb ram, and a couple ATA hdd's. Had 3 realtek network
> interfaces, but down to 2 now.
>
> *** The problem:
>
> Networking simply "stops" or "locks up". Why, I don't know. I believe
> initially it happened for all 3 network cards... I thought tcp/ip
> processing or something in the kernel got locked. It happens every 30
> minutes to an hour, and lasts about 60 seconds to 120 seconds.
> Unfortunately, 60 seconds to 120 seconds is long enough to kill messenger
> (my gf does not like), online gaming, etc etc.
Just a wild guess: Try setting 'debug.mpsafenet=0' in /boot/loader.conf
I had similar problems with pf and RELENG_5
No solution though :(
-Harry
>
> Lately, I had taken one of the realtek cards out (it was for a several km
> long wireless link) and moved the server to my gf's place (where I am now
> 100% of the time). So now that I have the server locally and rely on it for
> my internet connection, this has become a real PAIN.
>
> I've noticed that I can remain ssh'd into diablo, do whatever I want while
> this "lock" issue occurs. So the lan interface rl0 is fine. The internet
> interface, rl1 (which goes to the cable modem) locks up. (btw, it's not the
> cable modem as I am using my gf's now, and it did this at my place on my
> cable modem too, which is a different brand. Nortel at my place, motorola
> at my gfs).
>
> *** Attempts:
>
> I've attempted switching out network cards, and placed 3 other realtek
> cards in. Different brands, all with different revisions (D instead of B,
> etc, etc).
>
> No matter what I try, nothing fixes it. The machine seems perfectly
> responsive, and I am still ssh'd in and can do whatever I want on it... But
> the network card going to the cable modem has stopped responding?!
>
> This never happened during 5.0-Current all throughout 5.2.1-STABLE, but
> anywhere beyond 5.2.1 it craps itself.
>
>
> *** Dmesg output:
>
> Copyright (c) 1992-2004 The FreeBSD Project.
> Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
> The Regents of the University of California. All rights reserved.
> FreeBSD 5.2.1-RELEASE-p13 #2: Thu Feb 10 18:39:33 CST 2005
> diskiller at diablo.diskiller.net:/junk/obj/junk/src/sys/DIABLO
> Preloaded elf kernel "/boot/kernel/kernel" at 0xc076c000.
> MPTable: <OEM00000 PROD00000000>
> Timecounter "i8254" frequency 1193182 Hz quality 0
> CPU: Pentium III/Pentium III Xeon/Celeron (504.72-MHz 686-class CPU)
> Origin = "GenuineIntel" Id = 0x673 Stepping = 3
>
> Features=0x387fbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,PN,MMX,FXSR,SSE>
> real memory = 536870912 (512 MB)
> avail memory = 516034560 (492 MB)
> FreeBSD/SMP: Multiprocessor System Detected: 2 CPUs
> cpu0 (BSP): APIC ID: 0
> cpu1 (AP): APIC ID: 1
> ioapic0: Assuming intbase of 0
> ioapic0 <Version 1.1> irqs 0-23 on motherboard
> Pentium Pro MTRR support enabled
> npx0: [FAST]
> npx0: <math processor> on motherboard
> npx0: INT 16 interface
> pcibios: BIOS version 2.10
> Using $PIR table, 7 entries at 0xc00fdcf0
> pcib0: <Intel 82443BX (440 BX) host to PCI bridge> at pcibus 0 on
> motherboard
> pci0: <PCI bus> on pcib0
> pci_cfgintr: 0:10 INTA BIOS irq 10
> pci_cfgintr: 0:12 INTA BIOS irq 11
> agp0: <Intel 82443BX (440 BX) host to PCI bridge> mem 0xd0000000-0xd3ffffff
> at device 0.0 on pci0
> pcib1: <PCI-PCI bridge> at device 1.0 on pci0
> pci1: <PCI bus> on pcib1
> isab0: <PCI-ISA bridge> at device 7.0 on pci0
> isa0: <ISA bus> on isab0
> atapci0: <Intel PIIX4 UDMA33 controller> port 0xf000-0xf00f at device 7.1
> on pci0
> ata0: at 0x1f0 irq 14 on atapci0
> ata0: [MPSAFE]
> ata1: at 0x170 irq 15 on atapci0
> ata1: [MPSAFE]
> uhci0: <Intel 82371AB/EB (PIIX4) USB controller> port 0xe000-0xe01f at
> device 7.2 on pci0
> pci_cfgintr: 0:7 INTD routed to irq 11
> usb0: <Intel 82371AB/EB (PIIX4) USB controller> on uhci0
> usb0: USB revision 1.0
> uhub0: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
> uhub0: 2 ports with 2 removable, self powered
> piix0: <PIIX Timecounter> port 0x5000-0x500f at device 7.3 on pci0
> Timecounter "PIIX" frequency 3579545 Hz quality 0
> pci0: <display, VGA> at device 8.0 (no driver attached)
> rl0: <RealTek 8139 10/100BaseTX> port 0xe400-0xe4ff mem
> 0xd7000000-0xd70000ff irq 10 at device 10.0 on pci0
> rl0: Ethernet address: 00:00:21:f2:a5:47
> miibus0: <MII bus> on rl0
> rlphy0: <RealTek internal media interface> on miibus0
> rlphy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
> rl1: <RealTek 8139 10/100BaseTX> port 0xe800-0xe8ff mem
> 0xd7001000-0xd70010ff irq 11 at device 12.0 on pci0
> rl1: Ethernet address: 00:40:f4:90:1c:4b
> miibus1: <MII bus> on rl1
> rlphy1: <RealTek internal media interface> on miibus1
> rlphy1: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
> orm0: <Option ROMs> at iomem 0xc8000-0xcbfff,0xc0000-0xc7fff on isa0
> pmtimer0 on isa0
> atkbdc0: <Keyboard controller (i8042)> at port 0x64,0x60 on isa0
> atkbd0: <AT Keyboard> irq 1 on atkbdc0
> kbd0 at atkbd0
> fdc0: ready for input in output
> fdc0: cmd 3 failed at out byte 1 of 3
> sc0: <System console> at flags 0x100 on isa0
> sc0: VGA <16 virtual consoles, flags=0x300>
> sio0: configured irq 4 not in bitmap of probed irqs 0
> sio0: port may not be enabled
> sio0 at port 0x3f8-0x3ff irq 4 flags 0x10 on isa0
> sio0: type 8250 or not responding
> sio1: configured irq 3 not in bitmap of probed irqs 0
> sio1: port may not be enabled
> vga0: <Generic ISA VGA> at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0
> unknown: <PNP0303> can't assign resources (port)
> unknown: <PNP0c02> can't assign resources (memory)
> unknown: <PNP0a03> can't assign resources (port)
> Timecounters tick every 10.000 msec
> ipfw2 initialized, divert enabled, rule-based forwarding enabled, default
> to deny, logging unlimited
> GEOM: create disk ad0 dp=0xc4445260
> ad0: 19569MB <WDC WD205AA-00BAA0> [39761/16/63] at ata0-master UDMA33
> GEOM: create disk ad2 dp=0xc4445c60
> ad2: 76319MB <ST380021A> [155061/16/63] at ata1-master UDMA33
> acd0: CDRW <SONY CD-RW CRX140E> at ata1-slave PIO4
> SMP: AP CPU #1 Launched!
> Mounting root from ufs:/dev/ad0s1a
> pid 524 (my_print_defaults), uid 88: exited on signal 11
> pid 529 (my_print_defaults), uid 88: exited on signal 11
> pid 544 (mysqld), uid 88: exited on signal 11
> pid 700 (my_print_defaults), uid 1000: exited on signal 11 (core dumped)
> diablo:~>
>
> Dmesg output didn't look particularly different in 5.3-stable. The
> coredumps are due to the downgrade and being linked against newer libs from
> 5.3.
>
>
> *** Kernel configuration:
>
> diablo:/usr/src/sys/i386/conf> cat DIABLO
> #
> # GENERIC -- Generic kernel configuration file for FreeBSD/i386
> #
> # For more information on this file, please read the handbook section on
> # Kernel Configuration Files:
> #
> # http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig-config.html
> #
> # The handbook is also available locally in /usr/share/doc/handbook
> # if you've installed the doc distribution, otherwise always see the
> # FreeBSD World Wide Web server (http://www.FreeBSD.org/) for the
> # latest information.
> #
> # An exhaustive list of options and more detailed explanations of the
> # device lines is also present in the ../../conf/NOTES and NOTES files.
> # If you are in doubt as to the purpose or necessity of a line, check first
> # in NOTES.
> #
> # $FreeBSD: src/sys/i386/conf/GENERIC,v 1.413.2.8 2004/10/24 17:42:08
> scottl Exp $
>
> machine i386
> #cpu I486_CPU
> cpu I586_CPU
> cpu I686_CPU
> ident DIABLO
>
> # To statically compile in device wiring instead of /boot/device.hints
> #hints "GENERIC.hints" # Default places to look for
> devices.
>
> options SCHED_4BSD # 4BSD scheduler
> options INET # InterNETworking
> #options INET6 # IPv6 communications protocols
> options FFS # Berkeley Fast Filesystem
> options SOFTUPDATES # Enable FFS soft updates support
> options UFS_ACL # Support for access control lists
> options UFS_DIRHASH # Improve performance on big
> directories
> #options MD_ROOT # MD is a potential root device
> options NFSCLIENT # Network Filesystem Client
> options NFSSERVER # Network Filesystem Server
> #options NFS_ROOT # NFS usable as /, requires
> NFSCLIENT
> options MSDOSFS # MSDOS Filesystem
> options CD9660 # ISO 9660 Filesystem
> options PROCFS # Process filesystem (requires
> PSEUDOFS)
> options PSEUDOFS # Pseudo-filesystem framework
> options GEOM_GPT # GUID Partition Tables.
> options COMPAT_43 # Compatible with BSD 4.3 [KEEP
> THIS!]
> options COMPAT_FREEBSD4 # Compatible with FreeBSD4
> options SCSI_DELAY=5000 # Delay (in ms) before probing SCSI
> options KTRACE # ktrace(1) support
> options SYSVSHM # SYSV-style shared memory
> options SYSVMSG # SYSV-style message queues
> options SYSVSEM # SYSV-style semaphores
> options _KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time
> extensions
> options KBD_INSTALL_CDEV # install a CDEV entry in /dev
> options AHC_REG_PRETTY_PRINT # Print register bitfields in debug
> # output. Adds ~128k to driver.
> options AHD_REG_PRETTY_PRINT # Print register bitfields in debug
> # output. Adds ~215k to driver.
> #options ADAPTIVE_GIANT # Giant mutex is adaptive.
>
>
> # Firewall
> options IPFIREWALL # Firewall (ipfw)
> options IPFIREWALL_VERBOSE # Verbose errors
> #options IPFIREWALL_FORWARD # Transparent forwarding
> options IPDIVERT # For NATD
> #options DUMMYNET # Traffic Shaping!
>
> # IPsec
> #options IPSEC
> #options IPSEC_ESP
>
> # To make an SMP kernel, the next two are needed
> options SMP # Symmetric MultiProcessor Kernel
> device apic # I/O APIC
>
> # Bus support. Do not remove isa, even if you have no isa slots
> device isa
> device eisa
> device pci
>
> # Floppy drives
> device fdc
>
> # ATA and ATAPI devices
> device ata
> device atadisk # ATA disk drives
> #device ataraid # ATA RAID drives
> device atapicd # ATAPI CDROM drives
> #device atapifd # ATAPI floppy drives
> #device atapist # ATAPI tape drives
> options ATA_STATIC_ID # Static device numbering
>
> # SCSI Controllers
> #device ahb # EISA AHA1742 family
> #device ahc # AHA2940 and onboard AIC7xxx devices
> #device ahd # AHA39320/29320 and onboard AIC79xx devices
> #device amd # AMD 53C974 (Tekram DC-390(T))
> #device isp # Qlogic family
> #device mpt # LSI-Logic MPT-Fusion
> #device ncr # NCR/Symbios Logic
> device sym # NCR/Symbios Logic (newer chipsets + those
> of `ncr')
> device trm # Tekram DC395U/UW/F DC315U adapters
>
> #device adv # Advansys SCSI adapters
> #device adw # Advansys wide SCSI adapters
> #device aha # Adaptec 154x SCSI adapters
> #device aic # Adaptec 15[012]x SCSI adapters,
> AIC-6[23]60.
> #device bt # Buslogic/Mylex MultiMaster SCSI adapters
>
> #device ncv # NCR 53C500
> #device nsp # Workbit Ninja SCSI-3
> #device stg # TMC 18C30/18C50
>
> # SCSI peripherals
> device scbus # SCSI bus (required for SCSI)
> #device ch # SCSI media changers
> device da # Direct Access (disks)
> #device sa # Sequential Access (tape etc)
> #device cd # CD
> #device pass # Passthrough device (direct SCSI access)
> #device ses # SCSI Environmental Services (and SAF-TE)
>
> # RAID controllers interfaced to the SCSI subsystem
> #device amr # AMI MegaRAID
> #device asr # DPT SmartRAID V, VI and Adaptec SCSI RAID
> #device ciss # Compaq Smart RAID 5*
> #device dpt # DPT Smartcache III, IV - See NOTES for
> options
> #device hptmv # Highpoint RocketRAID 182x
> #device iir # Intel Integrated RAID
> #device ips # IBM (Adaptec) ServeRAID
> #device mly # Mylex AcceleRAID/eXtremeRAID
> #device twa # 3ware 9000 series PATA/SATA RAID
>
> # RAID controllers
> #device aac # Adaptec FSA RAID
> #device aacp # SCSI passthrough for aac (requires CAM)
> #device ida # Compaq Smart RAID
> #device mlx # Mylex DAC960 family
> #device pst # Promise Supertrak SX6000
> #device twe # 3ware ATA RAID
>
> # atkbdc0 controls both the keyboard and the PS/2 mouse
> device atkbdc # AT keyboard controller
> device atkbd # AT keyboard
> device psm # PS/2 mouse
>
> device vga # VGA video card driver
>
> device splash # Splash screen and screen saver support
>
> # syscons is the default console driver, resembling an SCO console
> device sc
>
> # Enable this for the pcvt (VT220 compatible) console driver
> #device vt
> #options XSERVER # support for X server on a vt console
> #options FAT_CURSOR # start with block cursor
>
> device agp # support several AGP chipsets
>
> # Floating point support - do not disable.
> device npx
>
> # Power management support (see NOTES for more options)
> #device apm
> # Add suspend/resume support for the i8254.
> device pmtimer
>
> # PCCARD (PCMCIA) support
> # PCMCIA and cardbus bridge support
> #device cbb # cardbus (yenta) bridge
> #device pccard # PC Card (16-bit) bus
> #device cardbus # CardBus (32-bit) bus
>
> # Serial (COM) ports
> device sio # 8250, 16[45]50 based serial ports
>
> # Parallel port
> #device ppc
> #device ppbus # Parallel port bus (required)
> #device lpt # Printer
> #device plip # TCP/IP over parallel
> #device ppi # Parallel port interface device
> #device vpo # Requires scbus and da
>
> # If you've got a "dumb" serial or parallel PCI card that is
> # supported by the puc(4) glue driver, uncomment the following
> # line to enable it (connects to the sio and/or ppc drivers):
> #device puc
>
> # PCI Ethernet NICs.
> #device de # DEC/Intel DC21x4x (``Tulip'')
> #device em # Intel PRO/1000 adapter Gigabit Ethernet
> Card
> #device ixgb # Intel PRO/10GbE Ethernet Card
> #device txp # 3Com 3cR990 (``Typhoon'')
> #device vx # 3Com 3c590, 3c595 (``Vortex'')
>
> # PCI Ethernet NICs that use the common MII bus controller code.
> # NOTE: Be sure to keep the 'device miibus' line in order to use these NICs!
> device miibus # MII bus support
> #device bfe # Broadcom BCM440x 10/100 Ethernet
> #device bge # Broadcom BCM570xx Gigabit Ethernet
> #device dc # DEC/Intel 21143 and various workalikes
> #device fxp # Intel EtherExpress PRO/100B (82557, 82558)
> #device lge # Level 1 LXT1001 gigabit ethernet
> #device nge # NatSemi DP83820 gigabit ethernet
> #device pcn # AMD Am79C97x PCI 10/100 (precedence over 'lnc')
> #device re # RealTek 8139C+/8169/8169S/8110S
> device rl # RealTek 8129/8139
> #device sf # Adaptec AIC-6915 (``Starfire'')
> #device sis # Silicon Integrated Systems SiS 900/SiS
> 7016
> #device sk # SysKonnect SK-984x & SK-982x gigabit
> Ethernet
> #device ste # Sundance ST201 (D-Link DFE-550TX)
> #device ti # Alteon Networks Tigon I/II gigabit
> Ethernet
> #device tl # Texas Instruments ThunderLAN
> #device tx # SMC EtherPower II (83c170 ``EPIC'')
> #device vge # VIA VT612x gigabit ethernet
> #device vr # VIA Rhine, Rhine II
> #device wb # Winbond W89C840F
> #device xl # 3Com 3c90x (``Boomerang'', ``Cyclone'')
>
> # ISA Ethernet NICs. pccard NICs included.
> #device cs # Crystal Semiconductor CS89x0 NIC
> # 'device ed' requires 'device miibus'
> #device ed # NE[12]000, SMC Ultra, 3c503, DS8390 cards
> #device ex # Intel EtherExpress Pro/10 and Pro/10+
> #device ep # Etherlink III based cards
> #device fe # Fujitsu MB8696x based cards
> #device ie # EtherExpress 8/16, 3C507, StarLAN 10 etc.
> #device lnc # NE2100, NE32-VL Lance Ethernet cards
> #device sn # SMC's 9000 series of Ethernet chips
> #device xe # Xircom pccard Ethernet
>
> # ISA devices that use the old ISA shims
> #device le
>
> # Wireless NIC cards
> #device wlan # 802.11 support
> #device an # Aironet 4500/4800 802.11 wireless NICs.
> #device awi # BayStack 660 and others
> #device wi # WaveLAN/Intersil/Symbol 802.11 wireless
> NICs.
> #device wl # Older non 802.11 Wavelan wireless NIC.
>
> # Pseudo devices.
> device loop # Network loopback
> #device mem # Memory and kernel memory devices
> #device io # I/O device
> device random # Entropy device
> device ether # Ethernet support
> #device sl # Kernel SLIP
> #device ppp # Kernel PPP
> device tun # Packet tunnel.
> device pty # Pseudo-ttys (telnet etc)
> device md # Memory "disks"
> device gif # IPv6 and IPv4 tunneling
> #device faith # IPv6-to-IPv4 relaying (translation)
>
> # The `bpf' device enables the Berkeley Packet Filter.
> # Be aware of the administrative consequences of enabling this!
> device bpf # Berkeley packet filter
>
> # USB support
> device uhci # UHCI PCI->USB interface
> device ohci # OHCI PCI->USB interface
> device usb # USB Bus (required)
> #device udbp # USB Double Bulk Pipe devices
> device ugen # Generic
> device uhid # "Human Interface Devices"
> device ukbd # Keyboard
> device ulpt # Printer
> device umass # Disks/Mass storage - Requires scbus and da
> device ums # Mouse
> #device urio # Diamond Rio 500 MP3 player
> #device uscanner # Scanners
> # USB Ethernet, requires mii
> #device aue # ADMtek USB Ethernet
> #device axe # ASIX Electronics USB Ethernet
> #device cue # CATC USB Ethernet
> #device kue # Kawasaki LSI USB Ethernet
> #device rue # RealTek RTL8150 USB Ethernet
>
> # FireWire support
> #device firewire # FireWire bus code
> #device sbp # SCSI over FireWire (Requires scbus and da)
> #device fwe # Ethernet over FireWire (non-standard!)
> diablo:/usr/src/sys/i386/conf>
>
>
> I simply commented out the lines that failed in 5.2 since they were for 5.3
> (ie, device io, device mem, and options ADAPTIVE_GIANT)
>
>
> *** Interfaces:
>
> rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> options=8<VLAN_MTU>
> inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
> ether 00:00:21:f2:a5:47
> media: Ethernet autoselect (100baseTX <full-duplex>)
> status: active
> rl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> options=8<VLAN_MTU>
> inet 144.136.223.204 netmask 0xfffffc00 broadcast 255.255.255.255
> ether 00:40:f4:90:1c:4b
> media: Ethernet autoselect (100baseTX <full-duplex>)
> status: active
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
> inet 127.0.0.1 netmask 0xff000000
>
>
> *** Firewall:
>
> diablo:/home/diskiller# more /etc/firewall.diablo
> ########################################################################
> ### FIREWALL ###########################################################
> ########################################################################
>
> # external if = rl1
> # internal if = rl0
> # internal net = 10.0.0.0/24
>
> # EVIL SHIT
> add deny log tcp from any to any 137,138,139 via rl1
> add deny log udp from any to any 137,138,139 via rl1
>
> # Allow your loop back to work
> add allow all from any to any via lo0
>
> # DHCP
> add allow udp from any to any 67,68
>
> # Prevent spoofing of your loopback
> add deny log all from any to 127.0.0.0/8
> add deny log all from 127.0.0.0/8 to any
>
> # Stop spoofing of your internal network range
> add deny log ip from 10.0.0.0/24 to any in via rl1
>
> # Stop spoofing from inside your private ip range
> add deny log ip from not 10.0.0.0/24 to any in via rl0
>
> # Something from the bigpond network, and NEEDS to be here before below
> # rules block it. Its a heartbeat, among other things? *confusing*
> add allow ip from 10.64.28.1 to any in via rl1
>
> # Stop private networks (RFC1918) from entering the outside interface.
> add deny log ip from 192.168.0.0/16 to any in via rl1
> add deny log ip from 172.16.0.0/12 to any in via rl1
> add deny log ip from 10.0.0.0/8 to any in via rl1
> add deny log ip from any to 192.168.0.0/16 in via rl1
> add deny log ip from any to 172.16.0.0/12 in via rl1
> add deny log ip from any to 10.0.0.0/8 in via rl1
>
> # NATD
> add divert natd all from any to any via rl1
>
> # UDP
> add allow udp from any to any
>
> # Allow IPsec connections flow freely
> #add allow esp from any to any
>
> # Allow VPN data to flow free via rl2 (where my VPN to matt is over
> wireless)
> #add allow ipencap from any to any via rl2
>
> # Allow existing tcp connections open from inside my lan to keep working
> add allow tcp from any to any established
>
> # Allow internal lan machines to open connections to the gw/Internet
> add allow tcp from 10.0.0.0/24 to any setup # my lan
> #add allow tcp from 10.0.2.0/24 to any setup # wireless lan (+ homer)
> #add allow tcp from 10.0.4.0/24 to any setup # matt's lan
>
> # Allow gw to open connections to the Internet (tcp/udp/etc)
> add allow ip from 144.136.0.0/16 to any setup out via rl1
>
> # Allow some ICMP's
> add allow icmp from any to any icmptypes 3,4,11,12,8,0
>
> # Diablo services - Incoming connections allowed
> add allow tcp from any to any 21 in via rl1 setup
> add allow tcp from any to any 22 in via rl1 setup
> add allow tcp from any to any 25 in via rl1 setup
> add allow tcp from any to any 53 in via rl1 setup
> add allow tcp from any to any 80 in via rl1 setup
> #add allow tcp from any to any 110 in via rl1 setup
> #add allow tcp from any to any 143 in via rl1 setup
> add allow tcp from any to any 993 in via rl1 setup
> add allow tcp from any to any 995 in via rl1 setup
> #add allow tcp from any to any 3389 in via rl1 setup # RD
> #add allow tcp from any to any 6667 in via rl1 setup # IRC server
> #add allow tcp from 144.136.0.0/16 to any 5901 in via rl1 setup # VNC on
> diablo
> #add allow tcp from 203.194.94.0/24 to any 5901 in via rl1 setup # VNC on
> diablo
> #add allow tcp from any to any 6881 # Bit Torrent
> #add allow tcp from any to any 6882 # Bit Torrent
> #add allow tcp from any to any 6883 # Bit Torrent
> #add allow tcp from any to any 6884 # Bit Torrent
> #add allow tcp from any to any 6112 # SC/BW
>
> # UT2003/UT2004
> add allow tcp from any to any 7777 in via rl1 setup
> add allow tcp from any to any 7778 in via rl1 setup
> add allow tcp from any to any 7787 in via rl1 setup
> add allow tcp from any to any 7788 in via rl1 setup
>
> # Politely and quickly rejects AUTH requests (IRC!! #*()@$@#$)
> add reset tcp from any to any 113 in via rl1
>
> # Make the default 'deny' rule log too.
> add 65500 deny log ip from any to any
> diablo:/home/diskiller#
>
>
>
> I really hope someone can figure this one out...
>
> Thanks,
> Martin.
>
> --
> diskiller at diskiller.net | www.diskiller.net | irc.diskiller.net
>
> (No trees were destroyed in the sending of this message. However, a
> large number of electrons were significantly inconvenienced.)
>
>
>
> _______________________________________________
> freebsd-stable at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-stable
> To unsubscribe, send any mail to "freebsd-stable-unsubscribe at freebsd.org"
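The firewall quoted above is an ipfw ruleset, and ipfw evaluates it first-match. The small evaluator below is an added example for reading such a ruleset; it is not ipfw and not code from the thread. It parses only the syntax the quoted rules use (optional rule number, allow/deny/reset/divert, `log`, ip/all/tcp/udp/icmp, `from [not] addr to [not] addr [ports]`, and the options in/out, via, setup, established; source ports and icmptypes are not supported and raise an error). Assumptions: natd address translation is not modelled, so a `divert` rule is treated as pass-through, which is what happens to packets natd has no mapping for; TCP state is reduced to a single `syn_only` flag (what `setup` matches and `established` excludes); the RULESET string is a constructed subset of Martin's rules, 144.136.223.204 is the rl1 address from his ifconfig output, and the remote host 203.0.113.7 and port 1434 are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Packet:
    proto: str              # 'tcp', 'udp' or 'icmp'
    src: str
    dst: str
    iface: str              # interface the packet is seen on
    direction: str          # 'in' or 'out' relative to that interface
    dport: int = 0
    syn_only: bool = False  # TCP SYN without ACK: what 'setup' matches and 'established' excludes

def _parse_addr(toks, i):
    negate = toks[i] == "not"
    i += negate                          # bool counts as 1
    net = None if toks[i] == "any" else ipaddress.ip_network(toks[i], strict=False)
    return net, negate, i + 1            # net None means 'any'

def _parse_ports(toks, i):
    if i < len(toks) and toks[i].replace(",", "").isdigit():
        return frozenset(int(p) for p in toks[i].split(",")), i + 1
    return frozenset(), i                # empty set means 'any port'

def parse_rule(line, prev_number):
    """Parse one 'add ...' line into a dict; unnumbered rules get previous + 100 like ipfw."""
    toks = line.split("#", 1)[0].split()
    r, i = {"number": prev_number + 100}, 1
    if toks[i].isdigit():
        r["number"], i = int(toks[i]), i + 1
    r["action"], i = toks[i], i + 1
    i += r["action"] == "divert"         # skip the divert port/name (natd)
    i += toks[i] == "log"
    r["proto"], i = ("ip" if toks[i] == "all" else toks[i]), i + 1
    r["src"], r["src_not"], i = _parse_addr(toks, i + 1)   # i + 1 skips 'from'
    r["dst"], r["dst_not"], i = _parse_addr(toks, i + 1)   # i + 1 skips 'to' (no source ports)
    r["dports"], i = _parse_ports(toks, i)
    opts = toks[i:]                      # in/out, via IFACE, setup, established
    r["iface"] = opts[opts.index("via") + 1] if "via" in opts else None
    unknown = set(opts) - {"in", "out", "via", "setup", "established", r["iface"]}
    if unknown:
        raise ValueError(f"unsupported option(s) {unknown} in: {line}")
    r["direction"] = next((t for t in opts if t in ("in", "out")), None)
    r["setup"], r["established"] = "setup" in opts, "established" in opts
    return r

def parse_ruleset(text):
    rules = []
    for line in text.splitlines():
        if line.lstrip().startswith("add"):
            rules.append(parse_rule(line, rules[-1]["number"] if rules else 0))
    return rules

def matches(r, p):
    return (r["proto"] in ("ip", p.proto)
            and ((r["src"] is None or ipaddress.ip_address(p.src) in r["src"]) != r["src_not"])
            and ((r["dst"] is None or ipaddress.ip_address(p.dst) in r["dst"]) != r["dst_not"])
            and (not r["dports"] or p.dport in r["dports"])
            and r["direction"] in (None, p.direction)
            and r["iface"] in (None, p.iface)
            and (not r["setup"] or (p.proto == "tcp" and p.syn_only))
            and (not r["established"] or (p.proto == "tcp" and not p.syn_only)))

def evaluate(rules, pkt):
    """Return (number, action) of the first terminal rule that matches, first-match like ipfw."""
    for r in rules:                      # 'divert' is skipped: natd translation is not modelled
        if r["action"] != "divert" and matches(r, pkt):
            return r["number"], r["action"]
    return 65535, "deny"                 # ipfw's built-in default rule (no default-to-accept)

# Constructed subset of the ruleset quoted in the thread (external interface rl1, LAN rl0).
RULESET = """\
add deny log udp from any to any 137,138,139 via rl1
add deny log ip from 10.0.0.0/24 to any in via rl1
add deny log ip from 192.168.0.0/16 to any in via rl1
add divert natd all from any to any via rl1
add allow udp from any to any
add allow tcp from any to any established
add allow tcp from 10.0.0.0/24 to any setup
add allow tcp from any to any 22 in via rl1 setup
add reset tcp from any to any 113 in via rl1
add 65500 deny log ip from any to any
"""
RULES = parse_ruleset(RULESET)
EXT = "144.136.223.204"   # rl1 address from the thread; 203.0.113.7 is a constructed remote host

def probe_results():
    probes = {   # inbound probes on the external interface
        "udp/1434 in rl1": Packet("udp", "203.0.113.7", EXT, "rl1", "in", 1434),
        "tcp/22 SYN in rl1": Packet("tcp", "203.0.113.7", EXT, "rl1", "in", 22, True),
        "tcp/3389 SYN in rl1": Packet("tcp", "203.0.113.7", EXT, "rl1", "in", 3389, True),
        "tcp/113 SYN in rl1": Packet("tcp", "203.0.113.7", EXT, "rl1", "in", 113, True),
        "RFC1918 src in rl1": Packet("tcp", "192.168.1.1", EXT, "rl1", "in", 80, True),
    }
    return {name: evaluate(RULES, p) for name, p in probes.items()}

if __name__ == "__main__":
    for name, (num, action) in probe_results().items():
        print(f"{name:20s} -> rule {num:5d} {action}")
```

Run as a script it prints one line per probe. The result worth noticing is the UDP case: an inbound datagram to an arbitrary port on rl1 is accepted by `add allow udp from any to any`, because that rule has no interface or direction qualifier and sits after the divert rule, so it covers the router itself and anything natd has a mapping for. Inbound TCP SYNs, by contrast, are confined to the listed service ports and fall through to rule 65500, and a packet with an RFC1918 source on rl1 is dropped by the anti-spoofing rule before anything else is consulted. A reviewer of the ruleset would normally scope the UDP rule the same way the TCP rules are scoped (for example `in via rl0` for LAN clients plus explicit ports for the services the host offers).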