Date: Mon, 16 Feb 2009 11:08:27 +0200
From: Özkan KIRIK <ozkan@mersin.edu.tr>
To: ipfw@freebsd.org
Subject: in-kernel nat and stateful inspection hangs system 7.1 RELEASE
Message-ID: <1d3a1860902160108j372b4446pd21760984d253627@mail.gmail.com>
Hi,

I am using FreeBSD 7.1 RELEASE as a gateway (about 2000 clients, 90 VLANs via if_vlan). My server is an HP DL380 G4. I am using the on-board gigabit NIC as the WAN interface, which uses the bge driver. My rule set is below:

  wan_intf="bge1"

  ipfw nat 100 config ip X.X.X.1 reset same_ports
  ipfw nat 101 config ip X.X.X.2 reset same_ports
  ipfw nat 102 config ip X.X.X.3 reset same_ports
  ...
  ...
  ipfw add 5 allow all from any to any layer2
  ipfw add 50 check-state
  ...
  ...
  Other port forwarding and static nat rules without keep-state
  ...
  ipfw add 50000 nat 100 all from 10.1.0.0/16 to any via $wan_intf
  ipfw add 50000 skipto 51000 all from X.X.X.1 to any setup keep-state via $wan_intf
  ipfw add 50000 nat 101 all from 10.1.0.0/16 to any via $wan_intf
  ipfw add 50000 skipto 51000 all from X.X.X.2 to any setup keep-state via $wan_intf
  ipfw add 50000 nat 102 all from 10.1.0.0/16 to any via $wan_intf
  ipfw add 50000 skipto 51000 all from X.X.X.3 to any setup keep-state via $wan_intf
  ...
  ...
  ipfw add 51000 nat 100 all from any to X.X.X.1 via $wan_intf
  ipfw add 51000 nat 101 all from any to X.X.X.2 via $wan_intf
  ipfw add 51000 nat 102 all from any to X.X.X.3 via $wan_intf
  ...
  ...

About 2 minutes after applying this rule set, the system writes

  bge1 watchdog timeout --- resetting

and then the system hangs; the keyboard doesn't respond. No logs can be observed. When I remove all skipto and check-state rules, the system works properly without problems. I suspect the stateful inspection code.

Some sysctl variables are below:

  net.inet.ip.fw.dyn_max=32768
  net.inet.ip.fw.dyn_ack_lifetime=100
  net.inet.ip.fw.dyn_short_lifetime=10
  net.inet.ip.fw.one_pass=0
  net.inet.ip.dummynet.hash_size=256
  kern.maxfiles=32000
  kern.ipc.somaxconn=1024
  net.inet.ip.process_options=0
  net.inet.ip.fastforwarding=1
  net.link.ether.ipfw=1

Thanks for your interest.
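The rule layout from the report, as an added example that is not part of the original message: a small POSIX sh generator that prints the per-address nat/skipto/keep-state rules for a list of public IPs so the full set can be reviewed before it is loaded. The WAN interface name, the 10.1.0.0/16 client range and the 203.0.113.x addresses used in the demo are constructed placeholders.

```shell
#!/bin/sh
# Added example (not the reporter's script). Emits the reporter's ipfw
# in-kernel NAT + keep-state layout for N public addresses. Nothing is
# applied here; pipe the output to sh on the gateway only after review.

LAN_NET="10.1.0.0/16"   # constructed: internal client range from the report

# gen_rules WAN_IF PUBLIC_IP...  -> one ipfw command per line
gen_rules() {
    wan_intf="$1"; shift
    n=0
    # NAT instance 100+n translates to the n-th public address
    for pub in "$@"; do
        echo "ipfw nat $((100 + n)) config ip $pub reset same_ports"
        n=$((n + 1))
    done
    echo "ipfw add 5 allow all from any to any layer2"
    echo "ipfw add 50 check-state"
    n=0
    # Outbound. ipfw appends a new rule after existing rules with the same
    # number, so each nat rule is evaluated before its skipto/keep-state
    # sibling and the dynamic rule is keyed on the translated address.
    for pub in "$@"; do
        echo "ipfw add 50000 nat $((100 + n)) all from $LAN_NET to any via $wan_intf"
        echo "ipfw add 50000 skipto 51000 all from $pub to any setup keep-state via $wan_intf"
        n=$((n + 1))
    done
    n=0
    # Inbound: reverse translation for replies to each public address
    for pub in "$@"; do
        echo "ipfw add 51000 nat $((100 + n)) all from any to $pub via $wan_intf"
        n=$((n + 1))
    done
}

# count_rules WAN_IF PUBLIC_IP... -> number of commands that would be loaded
count_rules() { gen_rules "$@" | wc -l | tr -d ' '; }

# Demo with constructed addresses: ./gen.sh --demo
if [ "${1:-}" = "--demo" ]; then
    gen_rules bge1 203.0.113.1 203.0.113.2 203.0.113.3
fi
```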