Date:      Mon, 06 Dec 2004 10:35:03 -0600
From:      Jose Hidalgo Herrera <jose@hostarica.net>
To:        martes.wigglesworth@us.army.mil
Cc:        freebsd-questions <freebsd-questions-request@freebsd.org>
Subject:   Re: Weird lockup of network traffic...
Message-ID:  <1102350903.43918.5.camel@jose.hostarica.net>
In-Reply-To: <1102347832.675.41.camel@Mobile1.276NET>
References:  <1102347832.675.41.camel@Mobile1.276NET>

It seems you need a "check-state" rule somewhere!
You also have very insecure sets.

Your rule #99 is a waste,
you use keep-state, but never match the
dynamic rules with check-state.

Give me your complete set and I'll try to
fix it.


On Mon, 06-12-2004 at 18:43 +0300, martes wigglesworth wrote:
> Hello list.
>
> I have experienced a very unusual glitch, that I cannot explain.  All of
> a sudden, my network router box became non-compliant with internet
> traffic requests. At first, I thought that it was because I had to
> restart bind 8 with ndc restart, however, after restarting the service, I
> still continued to receive failed server errors.  After attempting to
> ping my provider, I noticed that I came across this message:
>
> ping: sendto: No buffer space available
> ping: sendto: No buffer space available
> ping: sendto: No buffer space available
> ping: sendto: No buffer space available
>
> What does this indicate?  I am still learning, and do not have
> significant experience/knowledge with any type of frame buffers, or
> kernel programming.  I can only suspect that maybe my firewalling rules
> clogged some sort of buffers for the kernel.  I don't really know, that
> is the only thing that I can think of. I have the following firewalling
> rules setup:
>
> 00098   124     8614 allow ip from any to any via lo0
> 00099     0        0 allow ip from 127.0.0.1 to 127.0.0.1
> 00100   617    69897 allow tcp from any to any dst-port 22 setup keep-state
> 00102     0        0 allow udp from 0.0.0.0 to 255.255.255.255 dst-port 67,68 setup keep-state
> 00103     0        0 allow udp from any to any dst-port 53 via keep-state
> 00104   685    79362 deny udp from any to any dst-port 137,138,513
> 00106     0        0 allow udp from any to any dst-port 33435-33524 keep-state
> 00110     0        0 allow log ip from any to { 192.168.1.0/24 or dst-ip 192.168.2.0/24 } in recv sis0
> 00200 15704 10185681 divert 8668 ip from any to any via sis0
> 00300  6267  8810869 queue 1 log ip from any to 192.168.1.0/24 out { xmit xl0 or xmit rl0 }
> 00301  1715   777060 queue 2 log ip from any to 192.168.2.0/24 out { xmit xl0 or xmit rl0 }
> 65535 25856 10939503 allow ip from any to any
>
> My pipe configs are as follows:
> 00001: 256.000 Kbit/s    0 ms   50 sl. 0 queues (1 buckets) droptail
>     mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
> 00002: 128.000 Kbit/s    0 ms   50 sl. 0 queues (1 buckets) droptail
>     mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
> q00001: weight 1 pipe 1   50 sl. 4 queues (64 buckets) droptail
>     mask: 0x00 0x00000000/0x0000 -> 0xffffffff/0x0000
> BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
>  12 ip           0.0.0.0/0        192.168.1.28/0       56     4856  0    0   0
>  15 ip           0.0.0.0/0        192.168.1.31/0      136    20860  0    0   0
>  26 ip           0.0.0.0/0        192.168.1.10/0     6294  9165950  0    0   0
>  35 ip           0.0.0.0/0        192.168.1.51/0       46     5351  0    0   0
> q00002: weight 1 pipe 2   50 sl. 4 queues (64 buckets) droptail
>     mask: 0x00 0x00000000/0x0000 -> 0xffffffff/0x0000
> BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
>  11 ip           0.0.0.0/0        192.168.2.27/0       29     4396  0    0   0
>  13 ip           0.0.0.0/0        192.168.2.29/0      156    62105  0    0   0
>  44 ip           0.0.0.0/0        192.168.2.60/0     1659   812626  0    0   0
>  53 ip           0.0.0.0/0        192.168.2.37/0       26     1176  0    0   0
>
> Any help is much appreciated.
>

-- 
Jose Hidalgo Herrera <jose@hostarica.net>
Corp. Hostarica
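
The condition the reply points at, keep-state rules with no check-state rule, can be checked mechanically over `ipfw show` output. The following is an added example, not part of the original message; the function names and the wording of the findings are assumptions of the example, and the input is a subset of the quoted listing. Per ipfw(8), when no check-state rule exists the dynamic rules are checked at the first keep-state or limit rule.

```python
import re

# Constructed input: rules copied from the quoted `ipfw show` listing above,
# with the mail client's wrapped lines rejoined.
SAMPLE = """\
00098   124     8614 allow ip from any to any via lo0
00100   617    69897 allow tcp from any to any dst-port 22 setup keep-state
00102     0        0 allow udp from 0.0.0.0 to 255.255.255.255 dst-port 67,68 setup keep-state
00106     0        0 allow udp from any to any dst-port 33435-33524 keep-state
00200 15704 10185681 divert 8668 ip from any to any via sis0
65535 25856 10939503 allow ip from any to any
"""

RULE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\S.*)$")

def parse(listing):
    """Return [(rule_number, packet_count, tokens)] for each rule line."""
    return [(int(m[1]), int(m[2]), m[4].split())
            for m in map(RULE.match, listing.splitlines()) if m]

def audit(listing):
    """Return [(rule_number, finding)] sorted by rule number."""
    rules = parse(listing)
    findings = []
    stateful = [n for n, _, t in rules if "keep-state" in t or "limit" in t]
    explicit = [n for n, _, t in rules if t[0] == "check-state"]
    if stateful and not explicit:
        # ipfw(8): with no check-state rule, the dynamic ruleset is checked
        # at the first keep-state or limit rule.
        findings.append((stateful[0], "no check-state rule; dynamic rules are first checked here"))
    for n, _, t in rules:
        proto = t[t.index("from") - 1] if "from" in t else None
        if "setup" in t and proto != "tcp":
            findings.append((n, f"'setup' tests TCP flags and cannot match {proto}"))
        if t == ["allow", "ip", "from", "any", "to", "any"]:
            findings.append((n, "unconditional allow: everything not denied earlier is accepted"))
    return sorted(findings)

if __name__ == "__main__":
    for number, text in audit(SAMPLE):
        print(f"{number:05d}: {text}")
```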
