Date:      Thu, 03 Mar 2005 12:37:55 -0600
From:      Paul Schmehl <pauls@utdallas.edu>
To:        FreeBSD questions <freebsd-questions@freebsd.org>
Subject:   ipfw lost its mind?
Message-ID:  <302EDA302808644CF37C11E5@utd49554.utdallas.edu>

I maintain a small hobby website running on FreeBSD 4.9 SECURITY.  I'm 
paranoid about security and religious about updates (kernel and ports). 
Recently, the server began to exhibit odd behavior that looked for all the 
world like name resolution issues.

I had recently updated bind to 9.0.3_1, so I assumed that was the likely 
culprit and I began to troubleshoot.  Bind was acting flaky, so I 
deinstalled it and installed 8.4 instead.  It still complained about the 
socket file (which is what 9.0.3_1 did), so I decided to dump bind and 
installed djbdns instead.  (Best thing I ever did.  Response is much 
better.)

However, the sluggishness problem continued.  Last night I drove back over 
to the server and, after checking some things, I discovered some very 
strange behavior from ipfw.

Even though my script has been working fine for over three years, I found 
that when I added a rule to allow all (ipfw add 00001 allow ip from any to 
any) the server immediately began to process traffic normally.

Keep in mind, before I made this change, you could still access the 
website.  It was just slower than molasses.  Ssh and mail sessions timed 
out and were unusable.

So, I removed rule 00001 and created a new one like this:
ipfw add 00050 allow ip from (my workstation at work) to any

I then ssh'd to my workstation and attempted to ssh back to the server.  No 
go.  Yet ipfw show shows an increased packet count on the counter for that 
rule.  So, it's seeing the packets, but they're being delayed somehow.

Why the allow ip from any to any works, but allow ip from my workstation to 
any doesn't is a complete mystery to me.

To make a long story short, I disabled the firewall and everything is 
running normally.

My question is, has anyone else seen recent strange behavior from ipfw?  Or 
has anyone seen this *kind* of behavior from ipfw and knows what the cause 
is?

Paul Schmehl (pauls@utdallas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
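A diagnostic that follows from the observation above (the counter on the workstation rule climbs while the ssh session still stalls): take an `ipfw show` snapshot before and after one connection attempt and diff the counters, so every rule the packets touched is listed, including ipfw's fixed final rule 65535, which counts packets that matched nothing earlier. Because each ipfw rule is tested against a packet's own header, a rule for packets *from* a host says nothing about the replies going *back* to it, which is why seeing the whole set of moved counters matters. This is an added example, not code from the original post or from FreeBSD; the two snapshots are constructed, and 10.0.0.7 stands in for the workstation address.

```python
import re
from typing import Dict, List, Tuple

# Constructed snapshots in the shape of `ipfw show` output
# (rule number, packet count, byte count, rule body).
# Made-up values, not output from the poster's server.
BEFORE = """\
00050        3        180 allow ip from 10.0.0.7 to any
00100      120      96000 allow ip from any to any via lo0
00200        0          0 deny ip from any to 127.0.0.0/8
65535       88      12000 deny ip from any to any
"""

AFTER = """\
00050       19       1140 allow ip from 10.0.0.7 to any
00100      120      96000 allow ip from any to any via lo0
00200        0          0 deny ip from any to 127.0.0.0/8
65535      104      13900 deny ip from any to any
"""

DEFAULT_RULE = 65535  # ipfw's fixed final rule; cannot be deleted

LINE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(.*\S)\s*$")


def parse_ipfw_show(text: str) -> Dict[int, Tuple[int, int, str]]:
    """Map rule number -> (packets, bytes, rule body) from `ipfw show` text."""
    rules: Dict[int, Tuple[int, int, str]] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # blank line or something that is not a rule
        num, pkts, byts, body = m.groups()
        rules[int(num)] = (int(pkts), int(byts), body)
    return rules


def counter_deltas(before: str, after: str) -> List[Tuple[int, int, int, str]]:
    """Rules whose packet counter moved between the snapshots, in rule order,
    as (rule number, packet delta, byte delta, rule body)."""
    b = parse_ipfw_show(before)
    a = parse_ipfw_show(after)
    moved = []
    for num in sorted(a):
        if num not in b:
            continue  # rule added between snapshots; no baseline to diff
        dp = a[num][0] - b[num][0]
        db = a[num][1] - b[num][1]
        if dp:
            moved.append((num, dp, db, a[num][2]))
    return moved


def unmatched_packets(before: str, after: str) -> int:
    """Packets that fell through to rule 65535 during the window, i.e.
    traffic no explicit rule accounted for."""
    for num, dp, _db, _body in counter_deltas(before, after):
        if num == DEFAULT_RULE:
            return dp
    return 0


if __name__ == "__main__":
    for num, dp, db, body in counter_deltas(BEFORE, AFTER):
        print(f"{num:05d} +{dp} pkts +{db} bytes  {body}")
    print("fell through to default rule:", unmatched_packets(BEFORE, AFTER))
```

On a live host the two snapshots would be captured with `ipfw show` around a single `ssh` attempt; a nonzero default-rule delta in that window is the quickest sign that some leg of the exchange is not covered by the explicit allow rules.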


