[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Strange ipfilter behavior on 2.8-current

To: tech_(_at_)_openbsd_(_dot_)_org
Subject: Strange ipfilter behavior on 2.8-current
From: Martin <martin_(_at_)_mediax_(_dot_)_com>
Date: Mon, 22 Jan 2001 14:36:31 -0800
Organization: MediaX Inc.
Reply-to: martin_(_at_)_mediax_(_dot_)_com

I've been doing websearches and whatnot, and haven't been able to come up with a solution to my ipfilter problems, so here I am on the tech list.

I'm a big openbsd fan, so when we had to give back our borrowed PIX and my boss informed me that we wouldn't be buying another one, I installed OpenBSD on a P2 system and slapped three 3com NICs in it. I converted the PIX rules to ipfilter rules, and voila, there was a firewall.

Unfortunately, several times a day the "firewall" will stop allowing new connections. Existing connections continue to work. However, the system does not allow any new traffic to pass in either direction. I am doing stateful packet filtering.

I preemptively added option NMBCLUSTERS=8192 to my kernel config, and stripped out unused devices. This all happened before these changes, however. I am running 2.8-current.

I'm currently using three (known good) 3Com 100mbps NICs. I get a small handful of errors at boot (sample errors here:)

Jan 20 23:51:26 agrippa /bsd: xl0: transmission error: 90 Jan 20 23:51:27 agrippa /bsd: xl0: tx underrun, increasing tx start threshold to 120 Jan 20 23:51:27 agrippa /bsd: xl1: transmission error: 90 Jan 20 23:51:27 agrippa /bsd: xl1: tx underrun, increasing tx start threshold to 120 Jan 20 23:51:27 agrippa /bsd: xl0: transmission error: 90 Jan 20 23:51:27 agrippa /bsd: xl0: tx underrun, increasing tx start threshold to 120 Jan 20 23:51:27 agrippa /bsd: xl1: transmission error: 90 Jan 20 23:51:27 agrippa /bsd: xl1: tx underrun, increasing tx start threshold to 120

Though it doesn't sound like that's related to my current issue.

I'll include my rules if necessary, but it seems like this isn't a rules problem; It works for quite a while (this last time it lasted all weekend, from about 3pm on Friday until roughly 11am today) and then it stops.

It is worth noting that if I ipf -s to an empty ruleset, packets WILL flow, which enhances my belief that the problem is in the ipfilter region.

Prev by Date: 82802 / 82850 / intel hardware random number generator
Next by Date: 80GB IDE HD - trouble
Previous by thread: 82802 / 82850 / intel hardware random number generator
Next by thread: 80GB IDE HD - trouble
Index(es):
- Date
- Thread

Visit your host, monkey.org