From owner-freebsd-ipfw Sat Mar 23 8:41:14 2002
Delivered-To: freebsd-ipfw@freebsd.org
Received: from opensrs.saignon.net (216-120-17-67.dsl.cust.tfb.com [216.120.17.67])
    by hub.freebsd.org (Postfix) with ESMTP id 90F9237B419
    for ; Sat, 23 Mar 2002 08:41:10 -0800 (PST)
Received: from frankenmobl (216-120-17-17.dsl.cust.tfb.com [216.120.17.17])
    by opensrs.saignon.net (8.11.6/8.11.3) with ESMTP id g2NGfob00681
    for ; Sat, 23 Mar 2002 08:41:50 -0800 (PST)
    (envelope-from tony@saign.com)
From: "Tony Saign"
To:
Subject: Problems after cvsup to 4.5 -stable 3/21 with ipfw
Date: Sat, 23 Mar 2002 08:40:37 -0800
Message-ID: <000001c1d289$7641c9a0$1401a8c0@frankenmobl>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.3416
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4910.0300
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

After a recent cvsup to 4.5 -stable, I noticed my server to be EXTREMELY
sluggish with ipfw enabled.
Web pages hanging indefinitely, mail download HORRIBLY slow!

Turning ipfw off by add 0110 allow tcp from any to any via fxp0, things
return to normal.

I made no changes to my ruleset listed below. Can anyone offer any
insight/help? (PLEASE!)

Thanks,
-Tony

00100 50 2516 allow ip from any to any via lo0
00110 3235 1131435 allow tcp from any to any via fxp0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
00400 0 0 deny ip from 168.120.0.0/16 to any
00500 0 0 deny tcp from 168.120.0.0/16 to any
00600 0 0 deny udp from 168.120.0.0/16 to any
00700 0 0 allow tcp from any to 216.40.33.39 55000
00800 6413 4145842 allow tcp from any to any out established
00900 120 5801 allow tcp from any to any keep-state out setup
01000 4591 321384 allow tcp from any to any established
01100 0 0 allow tcp from 216.120.17.24 to any 21 setup
01200 0 0 allow tcp from 216.188.41.2 to any 21 setup
01300 7 336 allow tcp from any to any 22 setup
01400 4 240 allow tcp from any to any 25 setup
01500 4 192 allow tcp from any to any 110 setup
01600 21 1008 allow tcp from any to any 80 setup
01700 0 0 allow tcp from any to any 443 setup
01900 0 0 allow udp from any 53 to any 53 in recv fxp0
02000 0 0 allow udp from any 53 to any 53 out xmit fxp0
02100 163 10540 allow udp from any 1024-65534 to any 53
02200 163 35814 allow udp from any 53 to any 1024-65534
02300 0 0 allow tcp from any 1024-65534 to any 53
02400 0 0 allow tcp from any 53 to any 1024-65534
02500 0 0 allow icmp from any to any icmptype 3
02600 0 0 allow icmp from any to any icmptype 4
02700 12 1008 allow icmp from any to any out icmptype 8
02800 12 1008 allow icmp from any to any in icmptype 0
02900 0 0 allow icmp from any to any in icmptype 11
03000 61 4416 deny log logamount 1000 ip from any to any
65535 0 0 deny ip from any to any

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message

From owner-freebsd-ipfw Sat Mar 23 16:45:23 2002
Delivered-To: freebsd-ipfw@freebsd.org
Received: from rwcrmhc54.attbi.com (rwcrmhc54.attbi.com [216.148.227.87])
    by hub.freebsd.org (Postfix) with ESMTP id 1B9AF37B417
    for ; Sat, 23 Mar 2002 16:45:21 -0800 (PST)
Received: from blossom.cjclark.org ([12.234.91.48])
    by rwcrmhc54.attbi.com (InterMail vM.4.01.03.27 201-229-121-127-20010626)
    with ESMTP id <20020324004515.QNLL1214.rwcrmhc54.attbi.com@blossom.cjclark.org>;
    Sun, 24 Mar 2002 00:45:15 +0000
Received: (from cjc@localhost)
    by blossom.cjclark.org (8.11.6/8.11.6) id g2O0jFn49336;
    Sat, 23 Mar 2002 16:45:15 -0800 (PST)
    (envelope-from cjc)
Date: Sat, 23 Mar 2002 16:45:15 -0800
From: "Crist J. Clark"
To: Tony Saign
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: Problems after cvsup to 4.5 -stable 3/21 with ipfw
Message-ID: <20020323164515.B48968@blossom.cjclark.org>
References: <000001c1d289$7641c9a0$1401a8c0@frankenmobl>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <000001c1d289$7641c9a0$1401a8c0@frankenmobl>; from tony@saign.com on Sat, Mar 23, 2002 at 08:40:37AM -0800
X-URL: http://people.freebsd.org/~cjc/
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

On Sat, Mar 23, 2002 at 08:40:37AM -0800, Tony Saign wrote:
> After a recent cvsup to 4.5 -stable, I noticed my server to be EXTREMELY
> sluggish with ipfw enabled.
> Web pages hanging indefinitely, mail download HORRIBLY slow!
>
> Turning ipfw off by add 0110 allow tcp from any to any via fxp0, things
> return to normal.
>
> I made no changes to my ruleset listed below. Can anyone offer any
> insight/help? (PLEASE!)
>
> Thanks,
> -Tony
>
> 00100 50 2516 allow ip from any to any via lo0
> 00110 3235 1131435 allow tcp from any to any via fxp0
> 00200 0 0 deny ip from any to 127.0.0.0/8
> 00300 0 0 deny ip from 127.0.0.0/8 to any
> 00400 0 0 deny ip from 168.120.0.0/16 to any
> 00500 0 0 deny tcp from 168.120.0.0/16 to any
> 00600 0 0 deny udp from 168.120.0.0/16 to any
> 00700 0 0 allow tcp from any to 216.40.33.39 55000
> 00800 6413 4145842 allow tcp from any to any out established
> 00900 120 5801 allow tcp from any to any keep-state out setup
> 01000 4591 321384 allow tcp from any to any established

The 'keep-state' in 900 is totally pointless. Although off of the top
of my head, I can't see a reason why this would be slowing you down,
do you get better performance with that 'keep-state' gone?
--
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message

From owner-freebsd-ipfw Sat Mar 23 21:43:21 2002
Delivered-To: freebsd-ipfw@freebsd.org
Received: from opensrs.saignon.net (216-120-17-67.dsl.cust.tfb.com [216.120.17.67])
    by hub.freebsd.org (Postfix) with ESMTP id E88FD37B41A;
    Sat, 23 Mar 2002 21:43:18 -0800 (PST)
Received: from frankenmobl (216-120-17-17.dsl.cust.tfb.com [216.120.17.17])
    by opensrs.saignon.net (8.11.6/8.11.3) with ESMTP id g2O5hwb01911;
    Sat, 23 Mar 2002 21:43:58 -0800 (PST)
    (envelope-from tony@saign.com)
From: "Tony Saign"
To: "'Crist J. Clark'"
Cc:
Subject: RE: Problems after cvsup to 4.5 -stable 3/21 with ipfw
Date: Sat, 23 Mar 2002 21:42:46 -0800
Message-ID: <000101c1d2f6$b9af0f50$1401a8c0@frankenmobl>
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.3416
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4910.0300
Importance: Normal
In-Reply-To: <20020323164515.B48968@blossom.cjclark.org>
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

Doesn't appear to make a difference :(

Still hangs, if I kill the connection the machine picks up again, (or
disable IPFW!).
Even the console hangs!
It just makes no sense to me. I have another identical server, I think
I'll swap the HDD to see if it's a hardware issue!?

I'll post the results after the test if problem still exists with a
different motherboard.

-Tony

-----Original Message-----
From: owner-freebsd-ipfw@FreeBSD.ORG [mailto:owner-freebsd-ipfw@FreeBSD.ORG] On Behalf Of Crist J. Clark
Sent: Saturday, March 23, 2002 4:45 PM
To: Tony Saign
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: Problems after cvsup to 4.5 -stable 3/21 with ipfw

The 'keep-state' in 900 is totally pointless. Although off of the top
of my head, I can't see a reason why this would be slowing you down,
do you get better performance with that 'keep-state' gone?
--
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message

From owner-freebsd-ipfw Sat Mar 23 22:23:55 2002
Delivered-To: freebsd-ipfw@freebsd.org
Received: from rwcrmhc53.attbi.com (rwcrmhc53.attbi.com [204.127.198.39])
    by hub.freebsd.org (Postfix) with ESMTP id 88F2437B400
    for ; Sat, 23 Mar 2002 22:23:49 -0800 (PST)
Received: from blossom.cjclark.org ([12.234.91.48])
    by rwcrmhc53.attbi.com (InterMail vM.4.01.03.27 201-229-121-127-20010626)
    with ESMTP id <20020324062349.NIHM2951.rwcrmhc53.attbi.com@blossom.cjclark.org>;
    Sun, 24 Mar 2002 06:23:49 +0000
Received: (from cjc@localhost)
    by blossom.cjclark.org (8.11.6/8.11.6) id g2O6Nm780472;
    Sat, 23 Mar 2002 22:23:48 -0800 (PST)
    (envelope-from cjc)
Date: Sat, 23 Mar 2002 22:23:47 -0800
From: "Crist J. Clark"
To: Tony Saign
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: Problems after cvsup to 4.5 -stable 3/21 with ipfw
Message-ID: <20020323222347.G48968@blossom.cjclark.org>
Reply-To: cjclark@alum.mit.edu
References: <20020323164515.B48968@blossom.cjclark.org> <000101c1d2f6$b9af0f50$1401a8c0@frankenmobl>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <000101c1d2f6$b9af0f50$1401a8c0@frankenmobl>; from tony@saign.com on Sat, Mar 23, 2002 at 09:42:46PM -0800
X-URL: http://people.freebsd.org/~cjc/
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

On Sat, Mar 23, 2002 at 09:42:46PM -0800, Tony Saign wrote:
> Doesn't appear to make a difference :(
>
> Still hangs, if I kill the connection the machine picks up again, (or
> disable IPFW!).

"Kill the connection?" What connection? What is being logged by that
final 'deny log' rule during all of this?

> Even the console hangs!

Console hangs? What do you mean?
--
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
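
Added example, not part of the thread: one way to answer the question of what the final 'deny log' rule (03000 in the listing) is dropping, by tallying its syslog entries per protocol, direction and destination port. The syslog line layout and the sample lines are assumptions constructed for illustration; "last message repeated" lines are credited to the ipfw entry they follow.

```python
import re
from collections import Counter

# Assumed syslog layout for ipfw "log" rules on FreeBSD 4.x (not shown in the thread):
#   <date> <host> /kernel: ipfw: <rule> <Action> <PROTO>[:type.code] <src> <dst> <in|out> via <if>
ENTRY = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>[A-Z]+)(?::(?P<icmp>[\d.]+))? "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<dir>in|out) via (?P<iface>\S+)"
)
REPEAT = re.compile(r"last message repeated (\d+) times?")

# Constructed sample lines using documentation addresses; not taken from the thread.
SAMPLE_LOG = """\
Mar 23 21:40:01 www /kernel: ipfw: 3000 Deny TCP 192.0.2.10:3345 198.51.100.5:113 in via fxp0
Mar 23 21:40:04 www last message repeated 2 times
Mar 23 21:40:09 www /kernel: ipfw: 3000 Deny ICMP:8.0 203.0.113.7 198.51.100.5 in via fxp0
Mar 23 21:40:12 www ntpd[88]: time reset 0.12 s
Mar 23 21:40:13 www last message repeated 3 times
Mar 23 21:40:15 www /kernel: ipfw: 3000 Deny UDP 192.0.2.99:137 198.51.100.5:137 in via fxp0
Mar 23 21:40:20 www /kernel: ipfw: 3000 Deny TCP 192.0.2.11:4410 198.51.100.5:113 in via fxp0
"""


def summarize(log_text, rule=3000):
    """Count packets logged by `rule`, keyed by (proto, direction, dst port or ICMP type)."""
    counts = Counter()
    last_key = None  # key of the previous syslog line if it was an entry for `rule`
    for line in log_text.splitlines():
        m = ENTRY.search(line)
        repeat = REPEAT.search(line)
        if m:
            if int(m["rule"]) == rule:
                # ICMP entries carry type.code; TCP/UDP carry the port after the last ':'
                what = m["icmp"] or m["dst"].rpartition(":")[2]
                last_key = (m["proto"], m["dir"], what)
                counts[last_key] += 1
            else:
                last_key = None
        elif repeat:
            # syslog folds identical lines; credit them to the entry they repeat
            if last_key:
                counts[last_key] += int(repeat.group(1))
        else:
            last_key = None  # unrelated line: a later "repeated" is not about ipfw
    return counts.most_common()


if __name__ == "__main__":
    for (proto, direction, what), n in summarize(SAMPLE_LOG):
        print(f"{n:5d}  {proto:4s} {direction:3s} {what}")
```

Rule 03000 carries 'logamount 1000', so the kernel stops logging for that rule after 1000 entries and a tally taken from the log can be lower than the rule's packet counter.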