Date:      Sun, 31 Mar 2013 20:58:08 -0700
From:      Michael Sierchio <kudzu@tenebras.com>
To:        "Don O'Neil" <lists@lizardhill.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Problems with IPFW causing failed DNS and FTP sessions
Message-ID:  <CAHu1Y70GrfKs9QQZDpm2rHXorEwWDebnd2=k5=LbVZLCdfzEJA@mail.gmail.com>
In-Reply-To: <049d01ce2e89$c428ab80$4c7a0280$@com>
References:  <049d01ce2e89$c428ab80$4c7a0280$@com>

It would be really helpful if you'd post the ruleset.

At first glance, your stateful rules seem rather wrong, unless there's
a check-state above.  Also, in and out aren't discriminating enough -
every packet is seen by the ruleset more than once.  You should think
in terms of interfaces, direction, etc.

Are you doing NAT?  Stateful rules with NAT are indeed possible, but subtle.

Your problem has nothing to do with server load, and probably
everything to do with a not-terribly-well-conceived ruleset.  Please
post yours here.

- M

On Sun, Mar 31, 2013 at 8:34 PM, Don O'Neil <lists@lizardhill.com> wrote:
> Hi everyone. Recently my server started having issues with DNS and FTP
> sessions either not resolving or timing out. I've tracked the issue down to
> IPFW. If I issue a 'sysctl net.inet.ip.fw.enable=0' then my issues go away.
>
> I have the basic rules like this for DNS:
>
> 01160 allow udp from any to any dst-port 53 in keep-state
> 01161 allow tcp from any to any dst-port 53 in keep-state
> 01162 allow udp from any to any dst-port 53 out keep-state
> 01163 allow tcp from any to any dst-port 53 out keep-state
>
> When I try an nslookup sometimes they fail, sometimes they get through, even
> if I change my DNS server to Google, my ISP, or even OpenDNS. The firewall
> seems to be causing the issue.
>
> I have about 65 rules in all.
>
> Any ideas what could be causing this? My server load is low, usually
> hovering around .2
>
> How can I look at the actual amount of traffic that the IPFW module is
> processing and track down potential performance issues? My server isn't
> pushing much data, only around 4-5 Mbps sustained.
>
> Thanks!
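Michael's two points (an explicit check-state ahead of the keep-state rules, and rules tied to an interface and direction so each packet is matched once), plus Don's question about seeing what ipfw actually processes, written up as an added rc.firewall-style script that is not part of the thread. The interface em0 and the resolver address 192.0.2.53 are placeholders, and ${fwcmd} follows the FreeBSD /etc/rc.firewall convention.

```shell
#!/bin/sh
# Added example, not code from the thread. Stateful ipfw rules for DNS,
# written the way Michael's reply suggests: one explicit check-state, then
# rules that name the interface and direction so each packet is matched
# once. Set fwcmd="echo ipfw" to dry-run instead of installing rules.
# Assumptions (placeholders, not from the thread): external interface em0,
# upstream resolver 192.0.2.53.
fwcmd="${fwcmd:-ipfw}"
oif="${oif:-em0}"
dns="${dns:-192.0.2.53}"

# Print the DNS rules, one per line, numbered from $1 (default 1160).
dns_rules() {
    n="${1:-1160}"
    # Do the dynamic-table lookup at a known point rather than at whichever
    # keep-state rule happens to come first. Reply packets (src-port 53 to a
    # high port) match no "dst-port 53" body; they are accepted through the
    # dynamic entry that the keep-state rules below created.
    echo "add $n check-state"
    # Queries this host sends: matched only when leaving via $oif.
    n=$((n + 1)); echo "add $n allow udp from me to $dns dst-port 53 out xmit $oif keep-state"
    n=$((n + 1)); echo "add $n allow tcp from me to $dns dst-port 53 out xmit $oif setup keep-state"
    # Queries from others to a resolver on this host: matched only when
    # arriving on $oif. Drop these two if the host answers no DNS itself.
    n=$((n + 1)); echo "add $n allow udp from any to me dst-port 53 in recv $oif keep-state"
    n=$((n + 1)); echo "add $n allow tcp from any to me dst-port 53 in recv $oif setup keep-state"
}

# Install the rules (or print them when fwcmd is "echo ipfw").
apply_dns_rules() {
    dns_rules "$1" | while read -r rule; do
        # shellcheck disable=SC2086  # word-splitting the rule is intended
        $fwcmd $rule
    done
}

# Number of rules dns_rules emits; handy to sanity-check a dry run.
count_dns_rules() {
    dns_rules "$1" | wc -l | tr -d ' '
}

# What ipfw is actually processing: -a prints per-rule packet and byte
# counters, -d includes the dynamic (keep-state) entries.
show_ipfw_state() {
    $fwcmd -a -d list
}
```

Run it with fwcmd="echo ipfw" first to review the generated rules before installing them into a live ruleset.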


