ipfw problems?

Ivan Voras ivoras at fer.hr
Tue Apr 25 12:30:00 UTC 2006


I've just had a weird transient problem on a (very loaded) 2 CPU web 
server. Suddenly it stopped wanting to connect to the database server 
with "access denied" error. Looking at security log (I have ipfw logging 
enabled), I found this:

Apr 25 14:17:17 duality kernel: ipfw: 65400 Deny TCP 
XXX.XXX.XXX.107:5432 161.53.72.111:49213 in via fxp0
Apr 25 14:17:17 duality kernel: ipfw: 65400 Deny TCP 
XXX.XXX.XXX.107:5432 161.53.72.111:49213 in via fxp0
Apr 25 14:17:17 duality kernel: ipfw: 65400 Deny TCP 
XXX.XXX.XXX.107:5432 161.53.72.111:53345 in via fxp0
Apr 25 14:17:17 duality kernel: ipfw: 65400 Deny TCP 
XXX.XXX.XXX.107:5432 161.53.72.111:61865 in via fxp0

And even this:

Apr 25 14:17:07 duality kernel: ipfw: 65400 Deny TCP XXX.XXX.XXX.119:80 
83.131.225.20:65125 out via fxp0
Apr 25 14:17:08 duality kernel: ipfw: 65400 Deny TCP XXX.XXX.XXX.119:80 
83.131.225.20:64431 out via fxp0
Apr 25 14:17:09 duality kernel: ipfw: 65400 Deny TCP XXX.XXX.XXX.111:80 
193.198.134.192:1221 out via fxp0
Apr 25 14:17:09 duality kernel: ipfw: 65400 Deny TCP XXX.XXX.XXX.119:80 
83.131.225.20:65121 out via fxp0
Apr 25 14:17:09 duality kernel: ipfw: 65400 Deny TCP XXX.XXX.XXX.111:80 
83.131.26.194:1171 out via fxp0

.107 is the DB server, .119 and .111 are virtual hosts on this web 
server. Looking at messages log, there are occasionaly garbled messages 
involving ipfw:

Apr  6 16:03:39 duality kernel: <11i>ipfw  65400 Deny TCP 153.198.12 
T6P:1567 161.51.7:.111:80 0n via f7p0
Apr  6 16:03:49 duality kernel: 1pfw: 65400 Dfny 
TCP1161.53.76.419:80n161.53.73.40:2042 out:3ia fxp0
Apr  6 16:03:49 duality kernel: <<111108>>iA
Apr  6 16:03:49 duality kernel: p<fw: 118>pr  6
Apr  6 16:03:49 duality kernel: <16:031:1409> d65
Apr  6 16:03:49 duality kernel: <400 De1n1y8 >Tu
Apr  6 16:03:49 duality kernel: a<lity k1e1r0n>C
Apr  6 16:03:49 duality kernel: <P 161.15183>.e
Apr  6 16:03:49 duality kernel: <l: 1pfw:1 16504>07
Apr  6 16:03:49 duality kernel: 3<.48:210138>70
Apr  6 16:03:49 duality kernel: < Dfny1 1T0>CP
Apr  6 16:03:49 duality kernel: 1<61.531.1872>1.
Apr  6 16:03:49 duality kernel: 1<61.531.1706.4>11
Apr  6 16:03:49 duality kernel: 1<9:80 1i1n8> 9v:
Apr  6 16:03:49 duality kernel: 8<0n161.5113.07>3ia
Apr  6 16:03:49 duality kernel: < fxp011
Apr  6 16:03:49 duality kernel: 8>.40:2042 out:3ia fxp0
Apr  6 16:03:54 duality kernel: 65400 Deny TCP 161.53.72.119:80 
161.53.74.54:2339 out via fxp0
Apr  6 16:03:54 duality kernel: .119:80 161.53.74.54:2345 out via fxp0
Apr  6 16:03:54 duality kernel: via fxp0

... but nothing recent.

Here's netstat -m:

652/863/1515 mbufs in use (current/cache/total)
523/629/1152/25600 mbuf clusters in use (current/cache/total/max)
1209K/1473K/2682K bytes allocated to network (current/cache/total)
23839671/5448434/5360698 requests for mbufs denied 
(mbufs/clusters/mbuf+clusters)
5/205/6656 sfbufs in use (current/peak/max)
0 requests for sfbufs denied
0 requests for sfbufs delayed
160408 requests for I/O initiated by sendfile
11064 calls to protocol drain routines

"requests for mbufs denied" is large, but I don't know why would it lead 
to "access denied" message, as opposed to "out of memory"?

I suspect this has happened before, but I don't really know how to 
prevent this "event" or what exactly causes it. It went away when I 
killed a (unrelated, but database using) process that was stuck for 
hours. During this, pagezero kthread was using almost 100% of a CPU.

This is 6.1-PRERELEASE from some time ago.

Any ideas or hints where to search next?


More information about the freebsd-stable mailing list