From: Jeremy Chadwick <jdc@parodius.com>
To: Johan Ström
Cc: freebsd-net@freebsd.org, freebsd-stable@freebsd.org
Date: Sat, 17 May 2008 08:23:48 -0700
Subject: Re: connect(): Operation not permitted
Message-ID: <20080517152348.GA64850@eos.sc1.parodius.com>
In-Reply-To: <678A03F5-5E8A-4CF6-90DF-AA9A4F30FBE1@stromnet.se>
User-Agent: Mutt/1.5.17 (2007-11-01)

On Sat, May 17, 2008 at 04:33:20PM +0200, Johan Ström wrote:
> Hello
>
> I got a FreeBSD 7 machine running mail services (among other things). This
> machine recently replaced a FreeBSD 6.2 machine doing the same tasks.
> Now and then I need to send a lot of mail to customers (mailing list), and
> one thing I've noticed now after the change is that when I use a lot of
> connections subsequently (high connection rate, even if they are very
> short-lived) inside a jail (dunno if that has anything to do with it
> though), I start to get Operation not permitted in return to connect().
> I've seen this in the PHP app that sends mail, when it tried to connect to
> localhost, as well as from postfix when it has been trying to connect to
> amavisd on localhost, but also from postfix when it has tried to connect to
> remote SMTP servers.
>
> I do have PF for filtering, but there are no max-src-conn-rate limits
> enabled for any rules that are used for this. However, from one of the jails
> I do have a hfsc queue limiting the outgoing mail traffic from one jailed
> IP. But I'm not sure that this would be the problem, since I've also seen
> the problem when doing localhost connects in the jail, and also in other
> jails on an entirely different IP that is not affected.
>
> Does anyone have any clues about what I can look at and tune to fix this?

Operation not permitted is most commonly seen on machines using pf(4),
where there are rules blocking certain outbound traffic. I believe this
has nothing to do with max-src-conn-rate. Chances are some of your pf(4)
rules are wrong.

There is also the possibility that jails are causing your problem. I
have no experience with jails, so I cannot comment on that.

I'd consider re-posting your problem to freebsd-pf@freebsd.org, and
include your entire pf ruleset, so people could analyse it. Output from
"pfctl -s info" would also be beneficial.

-- 
| Jeremy Chadwick                                 jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
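An added example, not code from the thread: a POSIX sh helper that reads the output of "pfctl -s info" and "pfctl -s memory" (here a constructed sample) and reports how full the pf state table is and which drop counters are moving, since the EPERM described above is also what a locally originated connection gets when pf cannot create a state for it, not only when a block rule matches. The function names and sample values are assumptions of this example.

```sh
#!/bin/sh
# Added example, not code from the original thread. Parses the output of
# "pfctl -s info" and "pfctl -s memory" (supplied as text) to show how full
# the pf state table is and which drop counters are moving. When pf refuses
# to pass or to create a state for a locally generated packet, the socket
# call fails with EPERM, so these counters are the first thing to check.

# pf_state_usage INFO_TEXT MEMORY_TEXT -> "current hard_limit percent_used"
pf_state_usage() {
    cur=$(printf '%s\n' "$1" | awk '/^ +current entries/ { print $3 }')
    lim=$(printf '%s\n' "$2" | awk '$1 == "states" { print $NF }')
    [ -n "$cur" ] && [ -n "$lim" ] || return 1
    printf '%s %s %s\n' "$cur" "$lim" $(( cur * 100 / lim ))
}

# pf_drop_counters INFO_TEXT -> non-zero counters that mean "no state was
# created": memory (global "set limit states" reached or allocation failed),
# state-limit (a rule's "max" reached), src-limit (max-src-* options hit).
pf_drop_counters() {
    printf '%s\n' "$1" | awk '
        /^Counters/ { in_counters = 1; next }
        in_counters && ($1 == "memory" || $1 == "state-limit" ||
                        $1 == "src-limit") && $2 + 0 > 0 { print $1, $2 }'
}

# Constructed sample output in the format of pfctl(8); not from a real host.
SAMPLE_INFO='Status: Enabled for 3 days 04:12:55           Debug: Urgent

State Table                          Total             Rate
  current entries                     9987
  searches                       123456789         1234.5/s
  inserts                          5678901           12.3/s
  removals                         5668914           12.2/s
Counters
  match                            5680000           12.4/s
  memory                              1043            0.4/s
  state-mismatch                         0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s'

SAMPLE_MEMORY='states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000'

# On a FreeBSD host: pf_state_usage "$(pfctl -s info)" "$(pfctl -s memory)"
pf_state_usage "$SAMPLE_INFO" "$SAMPLE_MEMORY"    # prints: 9987 10000 99
pf_drop_counters "$SAMPLE_INFO"                    # prints: memory 1043
```

A state table sitting at 99% of its hard limit with a climbing memory counter is the pattern to look for when a high connection rate, rather than a specific rule, is what triggers the error.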