Date:      Wed, 9 Aug 2000 15:39:24 -0400
From:      Damien Tougas <damien@carroll.com>
To:        freebsd-questions@freebsd.org, freebsd-stable@freebsd.org
Subject:   Ipnat fails under load?
Message-ID:  <20000809153924.C18771@carroll.net>

Hello,

After some period of time (anywhere from days to weeks), ipnat stops
working properly. We ran a tcpdump on the interface while the problem
was occurring, just to see what was going on. What we found was that
any new connections attempted from 10.0.0.0/8 were going through with
only the ack bit set; it is as if the initial packet was somehow blocked.
As a result, the server we were trying to contact replied with a tcp
reset since it thought that we were trying to connect to a session that
did not exist. Our first thought was that we might have run out of
ports, but we have since found that there are typically no more
than about 3000 sessions active when this occurs.

The only way to get it to work again is to clear the ipnat tables
and rules and re-initialize them using the following sequence:

/usr/sbin/ipnat -CF
/usr/sbin/ipnat -f /etc/rc.nat

After that, everything works just fine.
The config file we use (rc.nat) is very simple:

map de0 10.0.0.0/8 -> 0/32 portmap tcp/udp 1025:65000

There are currently no other firewall rules being used.
All IP addresses on the machine are static. The reason we use the 0/32
designation is to maintain configuration file consistency across all
servers.

We are running ipnat on FreeBSD version 3.4-Stable. I am not
sure exactly what version of ipfilter it is; it is the one that comes
as part of the base OS.

Any ideas?

Thanks for your help.

-- 
Damien Tougas
Carroll-Net, Inc.
http://www.carroll.com