Weird lockup of network traffic...
Jose Hidalgo Herrera
jose at hostarica.net
Mon Dec 6 11:58:07 PST 2004
It seems you need a "check-state" rule somewhere!
You also have very insecure sets.
Your rule #99 is a waste.
You use keep-state, but never match the
dynamic rules with check-state.
Give me your complete set and I'll try to
fix it.
On Mon, 06-12-2004 at 18:43 +0300, martes wigglesworth wrote:
> Hello list.
>
> I have experienced a very unusual glitch that I cannot explain. All of
> a sudden, my network router box became non-compliant with internet
> traffic requests. At first, I thought that it was because I had to
> restart bind 8 with ndc restart; however, after restarting the service, I
> still continued to receive failed server errors. After attempting to
> ping my provider, I came across this message:
>
> sendto: No buffer space available
> ping: sendto: No buffer space available
> ping: sendto: No buffer space available
> ping: sendto: No buffer space available
>
> What does this indicate? I am still learning, and do not have
> significant experience/knowledge with any type of frame buffers, or
> kernel programming. I can only suspect that maybe my firewalling rules
> clogged some sort of buffers for the kernel. I don't really know, that
> is the only thing that I can think of. I have the following firewalling
> rules setup:
>
> 00098   124     8614 allow ip from any to any via lo0
> 00099     0        0 allow ip from 127.0.0.1 to 127.0.0.1
> 00100   617    69897 allow tcp from any to any dst-port 22 setup keep-state
> 00102     0        0 allow udp from 0.0.0.0 to 255.255.255.255 dst-port 67,68 setup keep-state
> 00103     0        0 allow udp from any to any dst-port 53 via keep-state
> 00104   685    79362 deny udp from any to any dst-port 137,138,513
> 00106     0        0 allow udp from any to any dst-port 33435-33524 keep-state
> 00110     0        0 allow log ip from any to { 192.168.1.0/24 or dst-ip 192.168.2.0/24 } in recv sis0
> 00200 15704 10185681 divert 8668 ip from any to any via sis0
> 00300  6267  8810869 queue 1 log ip from any to 192.168.1.0/24 out { xmit xl0 or xmit rl0 }
> 00301  1715   777060 queue 2 log ip from any to 192.168.2.0/24 out { xmit xl0 or xmit rl0 }
> 65535 25856 10939503 allow ip from any to any
>
> My pipe configs are as follows:
> 00001: 256.000 Kbit/s    0 ms   50 sl. 0 queues (1 buckets) droptail
>     mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
> 00002: 128.000 Kbit/s    0 ms   50 sl. 0 queues (1 buckets) droptail
>     mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
> q00001: weight 1 pipe 1   50 sl. 4 queues (64 buckets) droptail
>     mask: 0x00 0x00000000/0x0000 -> 0xffffffff/0x0000
> BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
>  12 ip           0.0.0.0/0        192.168.1.28/0       56    4856    0    0   0
>  15 ip           0.0.0.0/0        192.168.1.31/0      136   20860    0    0   0
>  26 ip           0.0.0.0/0        192.168.1.10/0     6294 9165950    0    0   0
>  35 ip           0.0.0.0/0        192.168.1.51/0       46    5351    0    0   0
> q00002: weight 1 pipe 2   50 sl. 4 queues (64 buckets) droptail
>     mask: 0x00 0x00000000/0x0000 -> 0xffffffff/0x0000
> BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
>  11 ip           0.0.0.0/0        192.168.2.27/0       29    4396    0    0   0
>  13 ip           0.0.0.0/0        192.168.2.29/0      156   62105    0    0   0
>  44 ip           0.0.0.0/0        192.168.2.60/0     1659  812626    0    0   0
>  53 ip           0.0.0.0/0        192.168.2.37/0       26    1176    0    0   0
>
> Any help is much appreciated.
>
--
Jose Hidalgo Herrera <jose at hostarica.net>
Corp. Hostarica
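The ordering Jose is pointing at, as an added example that is not part of the thread or of the poster's ruleset: a keep-state rule only creates a dynamic entry; it is the check-state rule that looks packets up against those entries, so check-state has to sit ahead of every keep-state rule or the dynamic table is never consulted. The script below regenerates the stateful part of the quoted set in that order, drops rule 99 (already covered by "via lo0"), and leaves out the divert and queue rules, since packets re-enter the set at the rule after a divert and their placement relative to check-state is a separate question. The rule numbers, the closing deny (the quoted set ends in the kernel's default rule 65535 allow) and the IPFW dry-run variable are assumptions made for the example; by default it only prints the ipfw commands.

```shell
#!/bin/sh
# Added example (not from the thread): check-state placed ahead of the
# keep-state rules. IPFW defaults to a dry run that prints the commands;
# on a FreeBSD router, run with IPFW=ipfw to load them for real.
IPFW="${IPFW:-echo ipfw}"

# rule N ... : emit one "add N ..." line for ipfw.
rule() { echo "add $*"; }

# The ruleset as a generator. Rule numbers are assumptions for the example.
ruleset() {
    # Loopback. The quoted rule 99 (127.0.0.1 to 127.0.0.1) is already
    # matched here by "via lo0", so it is dropped.
    rule 98 allow ip from any to any via lo0

    # check-state must come BEFORE the keep-state rules: every packet is
    # looked up in the dynamic table here and accepted on a hit. Without
    # it the entries created below are never consulted, and reply packets
    # fall through to whatever the rest of the set does with them.
    rule 100 check-state

    # Stateful allows: a match creates a dynamic entry for the flow, and
    # the replies match that entry at rule 100.
    rule 110 allow tcp from any to any dst-port 22 setup keep-state
    rule 120 allow udp from any to any dst-port 53 keep-state
    rule 130 allow udp from any to any dst-port 33435-33524 keep-state
    # "setup" only matches TCP SYN packets, so the quoted UDP rule 102 can
    # never match; the DHCP rule is written without it.
    rule 140 allow udp from 0.0.0.0 to 255.255.255.255 dst-port 67,68 keep-state

    rule 150 deny udp from any to any dst-port 137,138,513

    # Explicit final deny (assumed). The quoted set ends in the kernel's
    # default rule 65535 allow ip from any to any, so anything that did
    # not match earlier was accepted.
    rule 60000 deny log ip from any to any
}

# Load (or, in the dry run, print) the generated rules one by one.
load_ruleset() {
    ruleset | while read -r line; do
        # shellcheck disable=SC2086  # word splitting is intended here
        $IPFW $line
    done
}

# Sanity check on the generated set: the check-state rule number must be
# lower than every keep-state rule number. Returns 0 when the order is right.
check_state_precedes_keep_state() {
    ruleset | awk '
        /check-state/ { cs = $2 + 0 }
        /keep-state/  { n = $2 + 0; if (!ks || n < ks) ks = n }
        END { exit !(cs && ks && cs < ks) }'
}

load_ruleset
```

Running the script as-is prints the ipfw commands; `ipfw show` after a real load should then show the check-state counters growing as the return packets of the SSH and DNS flows are matched at rule 100 instead of further down.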