Date: Wed, 27 Nov 2002 18:16:05 +0200 (EET) From: "BigBrother (BigB3)" <bigbrother@bonbon.net> To: freebsd-questions@freebsd.org Subject: Statefull IPFW + YP/NIS => Server hang. Message-ID: <20021127175133.C79291-100000@bigb3server.bbcluster.gr>
SHORT: Stateful IPFW rules combined in a router that is a ypclient may make the box lose connectivity, and an irrelevant error "too many dynamic rules" appears in the log even though only <20 dynamic rules may exist.

LONG: I am reporting a strange observation that happened on my network. My P166 router/firewall box runs 4.7-p2. For many years this box was running a STATELESS ipfw firewall and was using another NIS server to have account information (shared passwd file). Some days ago I changed the STATELESS ipfw firewall to stateful IPFW with NATD support also. For the first couple of hours all things were normal. After some time (t>2h) my logs started flooding with messages

NIS SERVER [XXX] for domain "XXXX" not responding...

and after this a message

/kernel: Too many dynamic rules, sorry

The box at the first occurrence of this message lost all connectivity with the net (internal+external), although INTERNAL rules were stateless rules (e.g. they have no KEEP-STATE). I was barely able to login to the box from the console, and when I did ipfw -d show, only 10 dynamic rules existed... but the messages kept complaining 'too many dynamic rules'. My sysctl variable that defines the #dynamic rules was not changed and it was 1000. ipfw -f flush had no effect on the system. I was forced to reboot the machine as the only solution. This was repeated many times. Finally I removed ypbind (the yp client) from my freebsd box, thus only root could login (why should normal users login to the firewall after all?). After this all things were normal again. And my measuring of the number of dynamic rules at different times gives < 20. So my network is not overloaded.

Conclusion: For some reason when dynamic rules are used the firewall box queries the yp server for information, but at a very big rate. My NIS server is a slackware linux 166 box running a 2.2 series kernel for 2 years and nobody is touching it, because all things work there nicely.
Although this box can handle queries at a small rate, when it is overwhelmed by queries it may delay answering them.

Solution: Don't run a STATEFUL IPFW firewall on a box that acts as a client to a NIS/YP network (especially if the NIS server cannot keep up with too many queries simultaneously).

p.s. And for people that will ask: I still run linux on that box behind the firewall because it has a lot of ext2fs hard discs (180GB) with a lot of data and I cannot convert them to FFS to change the OS to linux.

---
We are being monitored.. but there is a solution... Use PGP for signing and encrypting emails!!!! Download my public key at http://www.us.pgp.net
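An added diagnostic, not part of the original mail: the report above turns on the kernel complaining "Too many dynamic rules" while ipfw -d show lists only a handful. The script below counts the dynamic rules in ipfw -d show output and compares that count with the configured limit, so the mismatch the author saw can be confirmed from the numbers rather than from the log message alone. It assumes net.inet.ip.fw.dyn_max is the sysctl the author refers to, and the sample ipfw output is constructed, not captured from a real box.

```shell
#!/bin/sh
# Added example (not from the original mail): check a "Too many dynamic rules"
# complaint against the real number of dynamic rules and the kernel limit.
# Assumption: net.inet.ip.fw.dyn_max is the sysctl that holds the limit.

# Count dynamic-rule lines: every non-empty line after the "## Dynamic rules"
# header that "ipfw -d show" prints after the static rules.
dyn_rule_count() {
    awk '/^## Dynamic rules/ { in_dyn = 1; next }
         in_dyn && NF > 0   { n++ }
         END                { print n + 0 }'
}

# Report on COUNT dynamic rules against a limit MAX. COMPLAINED is 1 when the
# kernel logged "Too many dynamic rules"; a complaint with a count far below
# the limit is the contradictory situation described in the mail.
classify() {  # usage: classify COUNT MAX COMPLAINED(0|1)
    count=$1; max=$2; complained=$3
    if [ "$complained" -eq 1 ] && [ "$count" -lt $((max / 2)) ]; then
        echo "MISMATCH: kernel reports too many dynamic rules but only $count of $max exist"
    elif [ "$count" -ge $((max * 9 / 10)) ]; then
        echo "WARN: $count of $max dynamic rules in use"
    else
        echo "OK: $count of $max dynamic rules in use"
    fi
}

# Constructed sample of "ipfw -d show" output (not from a real system).
SAMPLE='00100 12 1440 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 91 7292 check-state
00400 15 1200 allow tcp from 192.168.1.0/24 to any keep-state
65535 3 240 deny ip from any to any
## Dynamic rules:
00400 8 640 (T 295, # 12) ty 0 tcp, 192.168.1.10 1034 <-> 10.0.0.1 22
00400 2 160 (T 20, # 13) ty 0 udp, 192.168.1.10 1035 <-> 10.0.0.2 111
00400 5 400 (T 294, # 14) ty 0 tcp, 192.168.1.11 2000 <-> 10.0.0.3 80'

count=$(printf '%s\n' "$SAMPLE" | dyn_rule_count)
# On a live box: count=$(ipfw -d show | dyn_rule_count)
#                max=$(sysctl -n net.inet.ip.fw.dyn_max)
classify "$count" 1000 1
```

With the sample input and the author's limit of 1000, the script prints the MISMATCH line; a WARN near the limit would instead point at genuine state-table exhaustion.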