Date: Thu, 4 Feb 1999 12:29:07 -0600 (CST) From: toasty@dragondata.com To: FreeBSD-gnats-submit@FreeBSD.ORG Subject: kern/9910: Heavy traffic renders FreeBSD acting as firewall unusable Message-ID: <199902041829.MAA03181@dreams.dragondata.com>
next in thread | raw e-mail | index | archive | help
>Number: 9910
>Category: kern
>Synopsis: Heavy traffic renders FreeBSD acting as firewall unusable
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Feb 4 10:30:00 PST 1999
>Closed-Date:
>Last-Modified:
>Originator: Kevin Day
>Release: FreeBSD 3.0-RELEASE i386
>Organization:
DragonData Internet Services
>Environment:
FreeBSD 3.0-RELEASE system positioned between my router and my switch,
acting as a firewall, using ipfw.
FreeBSD 3.0-RELEASE #3: Thu Nov 26 01:53:51 CST 1998
toasty@dreams.dragondata.com:/usr/src/sys/compile/DREAMS
Timecounter "i8254" frequency 1193182 Hz cost 3912 ns
Timecounter "TSC" frequency 200455820 Hz cost 124 ns
CPU: Pentium/P54C (200.46-MHz 586-class CPU)
Origin = "GenuineIntel" Id = 0x52c Stepping=12
Features=0x1bf<FPU,VME,DE,PSE,TSC,MSR,MCE,CX8>
real memory = 67108864 (65536K bytes)
avail memory = 62947328 (61472K bytes)
Probing for devices on PCI bus 0:
chip0: <VIA 82C597 (Apollo VP3) system controller> rev 0x04 on pci0.0.0
chip1: <PCI to PCI bridge (vendor=1106 device=8598)> rev 0x00 on pci0.1.0
chip2: <VIA 82C586 PCI-ISA bridge> rev 0x41 on pci0.7.0
ide_pci0: <VIA 82C586x (Apollo) Bus-master IDE controller> rev 0x06 on
pci0.7.1
chip3: <VIA 82C586B USB host controller> rev 0x02 int d irq 11 on pci0.7.2
chip4: <VIA 82C586B ACPI interface> rev 0x10 on pci0.7.3
xl0: <3Com 3c905B Fast Etherlink XL 10/100BaseTX> rev 0x24 int a irq 10 on
pci0.8.0
xl0: Ethernet address: 00:10:4b:74:fc:cb
xl0: autoneg not complete, no carrier (forcing half-duplex, 10Mbps)
fxp0: <Intel EtherExpress Pro 10/100B Ethernet> rev 0x05 int a irq 12 on
pci0.9.0
fxp0: Ethernet address 00:a0:c9:e5:5c:ad
de0: <Digital 21140A Fast Ethernet> rev 0x22 int a irq 5 on pci0.10.0
de0: 21140A [10-100Mb/s] pass 2.2
de0: address 00:40:05:41:d3:32
vga0: <S3 968 graphics accelerator> rev 0x00 int a irq 9 on pci0.11.0
bash-2.02$ ifconfig -a
xl0: flags=8842<BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
ether 00:10:4b:74:fc:cb
media: 10baseT/UTP <half-duplex> (autoselect)
supported media: autoselect 100baseTX <full-duplex> 100baseTX
<half-duplex> 100baseTX 10baseT/UTP <full-duplex> 10baseT/UTP <half-duplex>
10baseT/UTP
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet 204.137.237.240 netmask 0xffffff00 broadcast 204.137.237.255
inet 205.253.12.240 netmask 0xffffff00 broadcast 205.253.12.255
inet 204.137.237.151 netmask 0xffffffff broadcast 204.137.237.151
ether 00:a0:c9:e5:5c:ad
media: autoselect
supported media: autoselect 100baseTX <full-duplex> 100baseTX
10baseT/UTP <full-duplex> 10baseT/UTP
de0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet 204.137.237.253 netmask 0xfffffffc broadcast 204.137.237.255
inet 205.253.12.253 netmask 0xfffffffc broadcast 205.253.12.255
ether 00:40:05:41:d3:32
media: autoselect (10baseT/UTP) status: active
supported media: autoselect 100baseTX <full-duplex> 100baseTX
10baseT/UTP <full-duplex> 10baseT/UTP
>Description:
We had a user run the program 'bmb' (available from rootshell, i believe)
directed at a dialup user on another ISP. This program sends packets as
quickly as possible to an address given.
While the server sending the packets was fine (had a load average of .80,
but otherwise no problems), the router was fine (showed about 2MB/sec coming
into its ethernet address) but the firewall wasn't.
Internet <-- Router <-- de0 <- (firewall) -> fxp0 --> switch --> lan
Pinging/telnetting to the address on the fxp0 interface got no response, from
either side of the network.
I got ping responses on the de0 interface address from both the internet
and the lan, a telnet would connect, but i'd never get a login response.
After figuring out what was going on, I killed the program, and everything
returned to normal. The load average on the firewall was still 0.00, 0.00,
0.00 (I know that a lot of what would have been going on was in the kernel
though)
No errors were generated, and I got no clues as to what was happening. The
system was also unresponsive to the console during this. A case of too many
interrupts, perhaps?
>How-To-Repeat:
Try 'bmb' through a firewall system
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199902041829.MAA03181>