On Wed, 19 Jan 2005 freebsd_at_newmillennium.net.au wrote:

> I have recently (the last week or so, but possibly longer as I had
> updated the system prior to going on a 3 week holiday) been having some
> problems with IPFW under -CURRENT.
>
> I am running:
> bash-2.05b$ uname -a
> FreeBSD picard.newmillennium.net.au 6.0-CURRENT FreeBSD 6.0-CURRENT #38:
> Sun Jan 16 18:27:30 EST 2005
> root_at_picard.newmillennium.net.au:/usr/obj/usr/src/sys/PICARD i386
>
> What happens is that I occasionally (every 5 minutes or so) get the
> following:
>
> Jan 19 16:54:41 picard kernel: ipfw: ouch!, skip past end of rules, denying packet

This error message seems to occur when the end of the rule chain is reached without hitting a packet. The one scenario I can think of where this might happen is if the rule set somehow skips past the end of the chain. Could you confirm two things:

- That your ipfw rule set contains no skiptos that push past the last rule?
- That your user space ipfw(8) binary is in sync with your kernel?

If there's no obvious source of a potential issue of that sort, it may be we're looking at an ipfw bug. The error message should be cleaned up/clarified even if you're seeing the results of a bug, since it's a bit unclear on what actually happened.

Robert N M Watson

> And then a (random) TCP connection is dropped. What is interesting is
> that every possible path through the firewall matches a rule. I can
> provide a copy of the firewall rules on request.
>
> My firewall uses the following features, in addition to the standard
> allow/deny rules:
>
> Dummynet
> Stateful rules (check-state, keep-state)
> Skipto's
> Forwarding (fwd)
>
> Some more stuff from the system, in case it helps:
> bash-2.05b$ sysctl -a | grep ip\.fw
> net.inet.ip.fw.enable: 1
> net.inet.ip.fw.autoinc_step: 100
> net.inet.ip.fw.one_pass: 0
> net.inet.ip.fw.debug: 1
> net.inet.ip.fw.verbose: 1
> net.inet.ip.fw.verbose_limit: 0
> net.inet.ip.fw.dyn_buckets: 256
> net.inet.ip.fw.curr_dyn_buckets: 256
> net.inet.ip.fw.dyn_count: 343
> net.inet.ip.fw.dyn_max: 4096
> net.inet.ip.fw.static_count: 184
> net.inet.ip.fw.dyn_ack_lifetime: 1800
> net.inet.ip.fw.dyn_syn_lifetime: 20
> net.inet.ip.fw.dyn_fin_lifetime: 1
> net.inet.ip.fw.dyn_rst_lifetime: 1
> net.inet.ip.fw.dyn_udp_lifetime: 10
> net.inet.ip.fw.dyn_short_lifetime: 5
> net.inet.ip.fw.dyn_keepalive: 1
>
> My kernel options regarding the firewall are:
> options IPFIREWALL
> options IPDIVERT
> options IPFIREWALL_FORWARD
> options DUMMYNET
> options HZ=1000
>
> --
> Alastair D'Silva mob: 0413 485 733
> Networking Consultant fax: 0413 181 661
> New Millennium Networking web: http://www.newmillennium.net.au
>
> _______________________________________________
> freebsd-current_at_freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-current
> To unsubscribe, send any mail to "freebsd-current-unsubscribe_at_freebsd.org"

Received on Wed Jan 19 2005 - 09:34:12 UTC
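The first check Robert asks for, that no skipto target points past the last rule in the set, can be automated against the output of `ipfw list`. The script below is an added example, not code from the thread or from FreeBSD; it parses constructed sample output in the plain `ipfw list` format (rule number, action, optional numeric argument, then the match body) and reports every skipto whose target is higher than the last non-default rule, since such a jump lands on nothing but the implicit default rule 65535. The sample rule set, the interface names and the `find_bad_skiptos` / `parse_rules` names are assumptions for illustration; feed it `ipfw list` output from a real system to run the same check there.

```python
import re

# Constructed sample of `ipfw list` output (not taken from the original thread).
# Rule 400 jumps to 5000, but the last user rule is 2000, so that skipto
# falls off the end of the chain.
SAMPLE_RULES = """\
00100 allow ip from any to any via lo0
00200 check-state
00300 skipto 1000 tcp from any to any in via em0
00400 skipto 5000 udp from any to any in via em0
00500 pipe 1 ip from 192.0.2.0/24 to any out via em0
01000 allow tcp from any to me 22 keep-state
01010 deny tcp from any to any
02000 allow udp from any to any
65535 deny ip from any to any
"""

DEFAULT_RULE = 65535

# Number, action word, and an optional numeric argument (skipto target,
# pipe number, etc.). Assumes plain `ipfw list`, i.e. no set or counter prefixes.
RULE_RE = re.compile(r"^(\d{1,5})\s+(\S+)(?:\s+(\d+))?")


def parse_rules(text):
    """Return a list of (rule_number, action, skipto_target_or_None)."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # blank or unrecognised line; ignore it
        number = int(m.group(1))
        action = m.group(2)
        # Only a skipto carries a rule-number argument that matters here.
        target = int(m.group(3)) if action == "skipto" and m.group(3) else None
        rules.append((number, action, target))
    return rules


def find_bad_skiptos(rules, default_rule=DEFAULT_RULE):
    """Return [(rule_number, target)] for skiptos aimed past the last user rule.

    skipto continues at the first rule numbered >= target, so a target above
    the highest non-default rule has nothing left to match except the default.
    """
    user_numbers = [n for n, _, _ in rules if n != default_rule]
    last_user = max(user_numbers) if user_numbers else 0
    bad = []
    for number, action, target in rules:
        if action != "skipto":
            continue
        if target is None or target > last_user:
            bad.append((number, target))
    return bad


def report(text):
    """Human-readable summary for one rule listing."""
    rules = parse_rules(text)
    bad = find_bad_skiptos(rules)
    if not bad:
        return "no skipto targets past the last rule"
    return "; ".join(f"rule {n} skipto {t} has no rule at or after {t}" for n, t in bad)


if __name__ == "__main__":
    print(report(SAMPLE_RULES))
```

Run it as `ipfw list | python3 check_skipto.py` style input on a live box by replacing `SAMPLE_RULES` with `sys.stdin.read()`; an empty result is the confirmation Robert asked for, and a non-empty one names the rule to fix. The check is deliberately conservative: it does not try to model dynamic rules or `one_pass` behaviour, only the static jump targets.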