Date:      Sun, 24 Mar 2002 15:38:30 -0800
From:      "Crist J. Clark" <cjc@FreeBSD.ORG>
To:        Jonathan Belson <jon@witchspace.com>
Cc:        freebsd-stable@FreeBSD.ORG
Subject:   Re: Network slowdowns...
Message-ID:  <20020324153830.A82432@blossom.cjclark.org>
In-Reply-To: <3C9DACD5.8070403@witchspace.com>; from jon@witchspace.com on Sun, Mar 24, 2002 at 10:39:17AM +0000
References:  <3C9C7D92.1000706@witchspace.com> <3C9DACD5.8070403@witchspace.com>

On Sun, Mar 24, 2002 at 10:39:17AM +0000, Jonathan Belson wrote:
> Jonathan Belson wrote:
> > Hiya
> > 
> > 
> > I've recently been experiencing slowdowns on my server's outgoing
> > network port, which occur after half a day to a day after the last
> > reboot.
> 
> After trying a few things that were suggested to me, I realised
> what the problem was.  Without the DEFAULT_TO_ACCEPT option my
> DHCP client couldn't re-lease the IP from my ISP's DHCP servers
> and presumably ended up using an invalid IP.
> 
> I've added the following firewall rules:
> 
>          # DHCP
>          ${fwcmd} add pass tcp from any to ${oip} 67 setup
>          ${fwcmd} add pass udp from any to ${oip} 67
>          ${fwcmd} add pass udp from ${oip} 67 to any
>          ${fwcmd} add pass tcp from any to ${oip} 68 setup
>          ${fwcmd} add pass udp from any to ${oip} 68
>          ${fwcmd} add pass udp from ${oip} 68 to any
> 
> and removed the line
> 
>          ${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}

You can be a little more specific about it if you want. First, DHCP
never uses TCP even though those ports are reserved. Second, ports 67
and 68 are always the source and destination and vice-versa. Also, you
may know the range of IPs in which your DHCP server lives. I used to
use the following rules in my rc.firewall. The "external" rules really
mean this machine is a DHCP client, and the "internal" rules were for
the machine acting as a DHCP server for the internal NAT'ed
network (it is assumed that UDP from $iip to valid internal addresses
is freely passed elsewhere in the rules). To use these, for any
interface that is being configured via DHCP, you must also set,

  dhcps_if0="192.0.2.0/24"
  dhcpc_if0="192.0.2.0/24"

Where the first is the IP range for the server for interface if0, and
the second is the valid range of client IPs that may be addressed to
if0. If you don't have any idea what a value might be, use "any".
Obviously, any valid IP address or network format can be used for
either.

############
# Let external DHCP work (this host is a DHCP client on these interfaces)
for dhclient_interface in ${network_interfaces}; do
  # Pick up ifconfig_<if> from rc.conf; only interfaces set to "DHCP" get rules.
  eval ifconfig_args=\$ifconfig_${dhclient_interface}
  case ${ifconfig_args} in
    [Dd][Hh][Cc][Pp])
      # dhcpc_<if>: valid client range; dhcps_<if>: server range (or "any").
      eval dhcpc_range=\$dhcpc_$dhclient_interface
      eval dhcps_range=\$dhcps_$dhclient_interface
      # Unicast renewals: client:68 -> server:67, and the server's reply back.
      $fwcmd add pass udp from ${dhcpc_range} 68 to ${dhcps_range}  67 out via ${dhclient_interface}
      $fwcmd add pass udp from ${dhcps_range} 67 to ${dhcpc_range}  68 in  via ${dhclient_interface}
      # Initial DISCOVER/REQUEST from a client with no address yet, and the broadcast reply.
      $fwcmd add pass udp from 0.0.0.0        68 to 255.255.255.255 67 out via ${dhclient_interface}
      $fwcmd add pass udp from ${dhcps_range} 67 to 255.255.255.255 68 in  via ${dhclient_interface}
      ;;
  esac
done

############
# Let internal DHCP work (this host is the DHCP server on dhcpd_interface)
if [ "$dhcpd_interface" ]; then
  # Broadcast DISCOVER/REQUEST from unconfigured clients, and our broadcast replies from $iip.
  $fwcmd add pass udp from 0.0.0.0 68 to 255.255.255.255 67 in  via ${dhcpd_interface}
  $fwcmd add pass udp from ${iip}  67 to 255.255.255.255 68 out via ${dhcpd_interface}
fi

-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
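The four client-side rules in the message encode the protocol facts it states: UDP only, ports 67 and 68 always paired as source and destination, and 0.0.0.0 as the source while the client has no lease yet. What follows is an added example, not code from the original message or from FreeBSD: a small Python first-match rule matcher in the style of ipfw that runs those rules over a constructed DHCP exchange (discover, offer, request, ack, then a unicast renewal), checks that TCP, a server outside the configured range and a mismatched port pair fall through to the default deny, and shows why the "deny all from 0.0.0.0/8" rule that Jonathan removed must sit after the DHCP pass rules if it is kept, since ipfw stops at the first matching rule. The interface name fxp0, the server range 192.0.2.0/24, the client range 198.51.100.0/24 and every address in the packets are assumptions for illustration.

```python
"""Added example: ipfw-style first-match check of the DHCP client rules from the message."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Pkt:
    proto: str      # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "in" or "out", as ipfw sees it on the interface
    iface: str


@dataclass(frozen=True)
class Rule:
    action: str               # "pass" or "deny"
    proto: str                # "udp", "tcp" or "all"
    src: str                  # address, CIDR or "any"
    sport: Optional[int]      # None = any port
    dst: str
    dport: Optional[int]
    direction: Optional[str]  # "in", "out" or None for both
    iface: Optional[str]      # None = any interface ("via <if>" otherwise)


def addr_matches(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def rule_matches(rule: Rule, pkt: Pkt) -> bool:
    return (
        rule.proto in ("all", pkt.proto)
        and addr_matches(rule.src, pkt.src)
        and rule.sport in (None, pkt.sport)
        and addr_matches(rule.dst, pkt.dst)
        and rule.dport in (None, pkt.dport)
        and rule.direction in (None, pkt.direction)
        and rule.iface in (None, pkt.iface)
    )


def classify(rules, pkt):
    """First matching rule wins, as in ipfw; no match falls to the default deny."""
    for idx, rule in enumerate(rules):
        if rule_matches(rule, pkt):
            return rule.action, idx
    return "deny", None


# Assumed values standing in for $dhclient_interface, ${dhcps_range}, ${dhcpc_range}.
OIF = "fxp0"
DHCPS = "192.0.2.0/24"      # where the ISP's DHCP servers live
DHCPC = "198.51.100.0/24"   # the range a lease may be handed out from
BCAST = "255.255.255.255"


def dhcp_client_rules(oif=OIF, dhcps=DHCPS, dhcpc=DHCPC):
    """The four 'external DHCP' pass rules from the message, in the same order."""
    return [
        Rule("pass", "udp", dhcpc, 68, dhcps, 67, "out", oif),
        Rule("pass", "udp", dhcps, 67, dhcpc, 68, "in", oif),
        Rule("pass", "udp", "0.0.0.0", 68, BCAST, 67, "out", oif),
        Rule("pass", "udp", dhcps, 67, BCAST, 68, "in", oif),
    ]


# The rule Jonathan removed: deny all from 0.0.0.0/8 to any via ${oif}
DENY_ZERO_NET = Rule("deny", "all", "0.0.0.0/8", None, "any", None, None, OIF)

# Constructed exchange on fxp0: server 192.0.2.1, client ends up holding 198.51.100.20.
EXCHANGE = {
    "DISCOVER":  Pkt("udp", "0.0.0.0", 68, BCAST, 67, "out", OIF),
    "OFFER":     Pkt("udp", "192.0.2.1", 67, BCAST, 68, "in", OIF),
    "REQUEST":   Pkt("udp", "0.0.0.0", 68, BCAST, 67, "out", OIF),
    "ACK":       Pkt("udp", "192.0.2.1", 67, "198.51.100.20", 68, "in", OIF),   # unicast to yiaddr
    "RENEW":     Pkt("udp", "198.51.100.20", 68, "192.0.2.1", 67, "out", OIF),  # T1 renewal, unicast
    "RENEW-ACK": Pkt("udp", "192.0.2.1", 67, "198.51.100.20", 68, "in", OIF),
}

# Constructed traffic the rules must not pass.
REJECTED = {
    "tcp to 67":       Pkt("tcp", "203.0.113.9", 40000, "198.51.100.20", 67, "in", OIF),
    "rogue server":    Pkt("udp", "203.0.113.9", 67, BCAST, 68, "in", OIF),
    "wrong port pair": Pkt("udp", "192.0.2.1", 67, "198.51.100.20", 67, "in", OIF),
}


def verdicts(rules, pkts):
    return {name: classify(rules, p)[0] for name, p in pkts.items()}


def discover_with_deny(deny_first: bool) -> str:
    """Verdict on the initial DISCOVER when the 0.0.0.0/8 deny is kept before or after the pass rules."""
    rules = dhcp_client_rules()
    rules = [DENY_ZERO_NET] + rules if deny_first else rules + [DENY_ZERO_NET]
    return classify(rules, EXCHANGE["DISCOVER"])[0]


if __name__ == "__main__":
    for name, p in EXCHANGE.items():
        print(f"{name:10} -> {classify(dhcp_client_rules(), p)}")
    for name, p in REJECTED.items():
        print(f"{name:16} -> {classify(dhcp_client_rules(), p)}")
    print("DISCOVER with deny 0.0.0.0/8 first:", discover_with_deny(True))
    print("DISCOVER with deny 0.0.0.0/8 last: ", discover_with_deny(False))
```

Rules one and two (the ${dhcpc_range}/${dhcps_range} pair) are what carry the unicast renewal at T1; rules three and four only matter while the client still has no address, which is exactly the case the blanket 0.0.0.0/8 deny was breaking. Keeping that deny is fine as long as it is added after these pass rules.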

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020324153830.A82432>