network problems 7.0-p3: sendto: Operation not permitted

Jeremy Chadwick koitsu at FreeBSD.org
Thu Jul 24 11:12:45 UTC 2008


On Thu, Jul 24, 2008 at 06:21:53AM -0400, Robert Jameson wrote:
> Still don't know what's going on. I'm currently sitting here with no firewall
> between me and the internet (very nervous) seeing if it fixes the problems;
> as of right this moment, still seeing permission denied errors.

Okay, then the problem isn't with pf, although f/w rules are the only
thing I've personally experienced which induces those messages.

How did you disable the firewall, by the way?

> > Can you provide uname -a output?  There was a "cable modem compatibility
> > fix" applied to FreeBSD a while ago (a user informed me of such),
> > although I do not know if it applies to you, as I do not know the
> > original symptoms.  I believe that fix was also just for TCP.
> >
> 
> FreeBSD cube.dawnshosting.com 7.0-RELEASE-p3 FreeBSD 7.0-RELEASE-p3 #5: Wed
> Jul 16 21:55:02 EDT 2008
> root at cube.dawnshosting.com:/usr/obj/usr/src/sys/CUBE
> i386
> 
> Was the patch applied upstream? If not, and it's not too much trouble, can you
> point me in the direction of it.

The patch was applied to RELENG_7 on March 13th and RELENG_7_0 on June
19th.  I don't know which tag you're tracking for src, so I can't tell
you if you've got the patch or not:

1.141.2.4  +10 -2 src/sys/netinet/tcp_output.c
1.157.2.2  +5 -2 src/sys/netinet/tcp_var.h

http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet/tcp_output.c
http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet/tcp_var.h

For a discussion of this (read between the lines):

http://lists.freebsd.org/pipermail/freebsd-stable/2008-July/043595.html

> > > Jul 20 22:15:39 cube kernel: Limiting open port RST response from 318 to
> > > 200 packets/sec
> >
> > This indicates a high number of ICMP packets being received.  Keep in
> > mind this can also be seen due to TCP connections which are being reset
> > and other such things -- ICMP is at a higher layer than TCP.
> >
> > I don't think there's necessarily anything "wrong" with that number (you
> > show up to 740), but it would be worthwhile investigating what's
> > soliciting that amount of ICMP traffic.  Are you seeing this 24x7x365?
> 
> Yes, it's constant. Let it be known I also have 2 network cards in the
> machine, 1 into my cable modem and another into a Linksys 16-port VPN router.
> The defaultrouter is set to a WAN IP (not 10.192.240.1), not that any of
> that matters, I don't think?

No one will know without you describing your network (with IPs and
netmasks), and providing netstat -rn output.

> > > /etc/sysctl.conf
> > > net.inet.icmp.icmplim=2000
> > >
> > > I know it seems a bit high, but I kept adjusting until the error went
> > > away. (not really fixing the problem?)
> >
> > It's not that high; FreeBSD's 200 default is too low for any production
> > server, if you ask me.  Setting it to 2000 is probably fine.
> 
> 
> I read a bit about it in the handbook; I think it's a non-issue.
> 
> Might be worth mentioning the only real service change to this machine was
> an ircd daemon w/ about 500 users.

I see.  God help you.

Your file descriptor problem with bind may be because of this.  IRC
servers commonly chew socket resources at a crazy rate, especially if
you're under some form of TCP-based attack (which might also explain the
ICMP errors, induced by TCP RST).  You may want to look at the
kern.maxfiles and kern.maxfilesperproc sysctls, and read this.

http://www.freebsd.org/doc/en/books/handbook/configtuning-kernel-limits.html

I don't mean to be rude, but I'd highly recommend avoiding running a public
IRC server unless you have significant familiarity with your OS, network
topology, and have a very robust firewall (read: Cisco or Juniper) *in
front* of the machine acting as an IRC server -- and even then, ask
yourself if it's worth it.  IRC servers are harassment magnets, and you
will end up being the target of that harassment.

> > > Is this an attack?
> > >
> > > 01:55:41.231722 IP cube.dawnshosting.com > purple.haze.bluntroll.in: ICMP
> > > echo request, id 22055, seq 37084, length 64
> > > 01:55:42.232794 IP cube.dawnshosting.com > purple.haze.bluntroll.in: ICMP
> > > echo request, id 22055, seq 37085, length 64
> >
> > At this rate (1 ICMP packet a second), absolutely not.  You also don't
> > mention which FQDN/IP is yours; I assume "cube.dawnshosting.com", based
> > on your local hostname in the above.  Your machine is sending out an
> > ICMP ping packet to purple.haze.bluntroll.in every 1 second.  If you
> > don't know why, you need to investigate why.
> >
> 
> Correct, cube.dawnshosting.com is the actual FreeBSD machine.
> Sorry for the newbish question, but off the top of your head, how can I see
> who/what is using this process?

FreeBSD comes with sockstat, which should suffice for this.

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
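Two checks for the symptoms discussed in this message, as an added shell example that is not from the thread or from FreeBSD itself: parsing the kernel's rate-limit messages for the peak rate (these messages come from the limiter controlled by net.inet.icmp.icmplim, which covers TCP RST responses as well as ICMP), and parsing sockstat-style output for the process that owns an ICMP raw socket. The log lines and sockstat lines are constructed samples, and the "icmp4" protocol label is an assumption about sockstat's output format.

```shell
#!/bin/sh
# Added example, not from the thread. Real input would come from
# /var/log/messages (or dmesg) and from `sockstat -4`.

# Constructed kernel log lines; the format follows the line quoted in the thread.
KERN_LOG='Jul 20 22:15:39 cube kernel: Limiting open port RST response from 318 to 200 packets/sec
Jul 20 22:15:41 cube kernel: Limiting open port RST response from 740 to 200 packets/sec
Jul 20 22:15:43 cube kernel: Limiting closed port RST response from 250 to 200 packets/sec
Jul 20 22:15:45 cube sshd[123]: Accepted publickey for root'

# Print the highest "from N" rate seen in any RST rate-limit message (0 if none).
peak_rst_rate() {
    printf '%s\n' "$KERN_LOG" | awk '
        /Limiting .* RST response from/ {
            for (i = 1; i <= NF; i++)
                if ($i == "from" && $(i+1) + 0 > max) max = $(i+1) + 0
        }
        END { print max + 0 }'
}

# Does a proposed net.inet.icmp.icmplim value ($1) exceed the observed peak?
# Prints "yes" or "no"; only a sizing aid, the peak itself still needs explaining.
icmplim_sufficient() {
    if [ "$(peak_rst_rate)" -lt "$1" ]; then echo yes; else echo no; fi
}

# Constructed sockstat-style output (USER COMMAND PID FD PROTO LOCAL FOREIGN).
# The "icmp4" PROTO label for a raw ICMP socket is an assumption.
SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     ping       22055 3  icmp4  *:*                   *:*
root     ircd       1100  4  tcp4   *:6667                *:*
nobody   httpd      900   5  tcp4   *:80                  *:*'

# Print "COMMAND PID" for each process holding an ICMP raw socket; this is the
# sockstat-based answer to "who is sending the echo requests?".
icmp_socket_owners() {
    printf '%s\n' "$SOCKSTAT" | awk '$5 ~ /^icmp/ { print $2, $3 }'
}
```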
