From: Kevin Oberman
To: "nyoman.bogi@gmail.com"
Cc: freebsd-net@freebsd.org
Date: Tue, 13 Mar 2012 22:12:02 -0800
Subject: Re: firewall stuck

On Tue, Mar 13, 2012 at 7:27 PM, nyoman.bogi@gmail.com wrote:
> dear guru,
>
> every time I open my firewall to allow SSH connection from Internet
> after few days my firewall always stuck. Stuck in here meaning
> that it deny all request (deny any from any).
> And after I "ipfw disable firewall" and then "ipfw enable firewall"
> everything works fine
>
> when I checked /var/log/messages I found lots of attempts
> people try to connect to my machine.
> why my machine get stuck when lots of people try to SSH to my machine?

We need a bit more information, especially your ipfw configuration. Is
it a stateful firewall? It sounds a lot like your state table might be
filling for some reason. Of course, if it is not a stateful firewall,
that idea is probably wrong, though it could be a misconfiguration of
some stateful rule that is inadvertently catching the SSH attempts.

Have you done an 'ipfw show' to see what rules are being matched? It
may or may not provide a clue.

--
R. Kevin Oberman, Network Engineer
E-mail: kob6558@gmail.com
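
One way to test the "state table might be filling" idea from the reply above, as an added example that is not part of the original message. The function names are hypothetical, the sample data is constructed, and the script assumes the ipfw dynamic-rule sysctls net.inet.ip.fw.dyn_count and net.inet.ip.fw.dyn_max and the "STATE proto src port <-> dst port" layout of `ipfw -d show` lines.

```shell
#!/bin/sh
# Added example: is ipfw's dynamic (stateful) rule table close to its limit,
# and which destination ports hold the states? On a live FreeBSD host:
#   sysctl net.inet.ip.fw.dyn_count net.inet.ip.fw.dyn_max | dyn_usage
#   ipfw -d show | states_by_dport

# Utilisation as an integer percentage, read from sysctl "name: value" lines.
dyn_usage() {
    awk -F': *' '
        $1 == "net.inet.ip.fw.dyn_count" { count = $2 }
        $1 == "net.inet.ip.fw.dyn_max"   { max = $2 }
        END {
            if (max + 0 == 0) { print "unknown"; exit }
            printf "%d\n", (count * 100) / max
        }'
}

# Succeeds (alert) when utilisation is at or above the threshold (default 90).
dyn_table_full() {
    pct=$(dyn_usage)
    [ "$pct" != "unknown" ] && [ "$pct" -ge "${1:-90}" ]
}

# Count dynamic states per destination port: "<count> <port>", busiest first.
states_by_dport() {
    awk '/ STATE / { for (i = 1; i + 2 <= NF; i++) if ($i == "<->") { n[$(i + 2)]++; break } }
         END { for (p in n) print n[p], p }' | sort -rn
}

# Constructed sample data (not taken from the poster's machine).
sample_sysctl() {
    printf '%s\n' 'net.inet.ip.fw.dyn_count: 4010' 'net.inet.ip.fw.dyn_max: 4096'
}
sample_ipfw() {
    cat <<'EOF'
00100 120 9000 allow tcp from any to me dst-port 22 setup keep-state
00100 3 180 (280s) STATE tcp 198.51.100.7 40112 <-> 192.0.2.10 22
00100 2 120 (12s) STATE tcp 203.0.113.9 51877 <-> 192.0.2.10 22
00100 2 120 (9s) STATE tcp 203.0.113.44 33010 <-> 192.0.2.10 22
00200 9 4100 (299s) STATE tcp 198.51.100.20 49822 <-> 192.0.2.10 80
EOF
}

echo "dynamic table usage: $(sample_sysctl | dyn_usage)%"
if sample_sysctl | dyn_table_full 90; then echo "WARNING: state table nearly full"; fi
sample_ipfw | states_by_dport
```

A count that stays near dyn_max with most states on port 22 would fit the picture described in the reply; a low count points away from the state table.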