I seem to have been having a rather strange networking issue in FreeBSD
5.3-Stable (it started happening immediately after 5.2.1 and has persisted
since... I keep "hoping" that next time I cvsup it will be fixed, but no).
I downgraded back to 5.2.1-p13 and it is perfectly fine once again.
*** Some background information:
My FreeBSD box is my home NAT router, server, firewall, etc. It does DHCP,
MX for some of my domains, secondary DNS (I got primary elsewhere), apache
for some webhosting, blah blah blah. Nothing really special. It is a Dual
PIII-500, 512mb ram, and a couple ATA hdd's. Had 3 realtek network
interfaces, but down to 2 now.
*** The problem:
Networking simply "stops" or "locks up". Why, I don't know. I believe
initially it happened for all 3 network cards... I thought tcp/ip processing
or something in the kernel got locked. It happens every 30 minutes to an
hour, and lasts about 60 seconds to 120 seconds. Unfortunately, 60 seconds
to 120 seconds is long enough to kill messenger (my gf does not like),
online gaming, etc etc.
Lately, I had taken one of the realtek cards out (it was for a several km
long wireless link) and moved the server to my gf's place (where I am now
100% of the time). So now that I have the server locally and rely on it for
my internet connection, this has become a real PAIN.
I've noticed that I can remain ssh'd into diablo, do whatever I want while
this "lock" issue occurs. So the lan interface rl0 is fine. The internet
interface, rl1 (which goes to the cable modem) locks up. (btw, it's not the
cable modem as I am using my gf's now, and it did this at my place on my
cable modem too, which is a different brand. Nortel at my place, motorola at
my gfs).
*** Attempts:
I've attempted switching out network cards, and placed 3 other realtek cards
in. Different brands, all with different revisions (D instead of B, etc,
etc).
No matter what I try, nothing fixes it. The machine seems perfectly
responsive, and I am still ssh'd in and can do whatever I want on it... But
the network card going to the cable modem has stopped responding?!
This never happened during 5.0-Current all throughout 5.2.1-STABLE, but
anywhere beyond 5.2.1 it craps itself.
*** Dmesg output:
Copyright (c) 1992-2004 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
The Regents of the University of California. All rights reserved.
FreeBSD 5.2.1-RELEASE-p13 #2: Thu Feb 10 18:39:33 CST 2005
diskiller@diablo.diskiller.net:/junk/obj/junk/src/sys/DIABLO
Preloaded elf kernel "/boot/kernel/kernel" at 0xc076c000.
MPTable: <OEM00000 PROD00000000>
Timecounter "i8254" frequency 1193182 Hz quality 0
CPU: Pentium III/Pentium III Xeon/Celeron (504.72-MHz 686-class CPU)
Origin = "GenuineIntel" Id = 0x673 Stepping = 3
Features=0x387fbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,PN,MMX,FXSR,SSE>
real memory = 536870912 (512 MB)
avail memory = 516034560 (492 MB)
FreeBSD/SMP: Multiprocessor System Detected: 2 CPUs
cpu0 (BSP): APIC ID: 0
cpu1 (AP): APIC ID: 1
ioapic0: Assuming intbase of 0
ioapic0 <Version 1.1> irqs 0-23 on motherboard
Pentium Pro MTRR support enabled
npx0: [FAST]
npx0: <math processor> on motherboard
npx0: INT 16 interface
pcibios: BIOS version 2.10
Using $PIR table, 7 entries at 0xc00fdcf0
pcib0: <Intel 82443BX (440 BX) host to PCI bridge> at pcibus 0 on motherboard
pci0: <PCI bus> on pcib0
pci_cfgintr: 0:10 INTA BIOS irq 10
pci_cfgintr: 0:12 INTA BIOS irq 11
agp0: <Intel 82443BX (440 BX) host to PCI bridge> mem 0xd0000000-0xd3ffffff at device 0.0 on pci0
pcib1: <PCI-PCI bridge> at device 1.0 on pci0
pci1: <PCI bus> on pcib1
isab0: <PCI-ISA bridge> at device 7.0 on pci0
isa0: <ISA bus> on isab0
atapci0: <Intel PIIX4 UDMA33 controller> port 0xf000-0xf00f at device 7.1 on pci0
ata0: at 0x1f0 irq 14 on atapci0
ata0: [MPSAFE]
ata1: at 0x170 irq 15 on atapci0
ata1: [MPSAFE]
uhci0: <Intel 82371AB/EB (PIIX4) USB controller> port 0xe000-0xe01f at device 7.2 on pci0
pci_cfgintr: 0:7 INTD routed to irq 11
usb0: <Intel 82371AB/EB (PIIX4) USB controller> on uhci0
usb0: USB revision 1.0
uhub0: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
piix0: <PIIX Timecounter> port 0x5000-0x500f at device 7.3 on pci0
Timecounter "PIIX" frequency 3579545 Hz quality 0
pci0: <display, VGA> at device 8.0 (no driver attached)
rl0: <RealTek 8139 10/100BaseTX> port 0xe400-0xe4ff mem 0xd7000000-0xd70000ff irq 10 at device 10.0 on pci0
rl0: Ethernet address: 00:00:21:f2:a5:47
miibus0: <MII bus> on rl0
rlphy0: <RealTek internal media interface> on miibus0
rlphy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
rl1: <RealTek 8139 10/100BaseTX> port 0xe800-0xe8ff mem 0xd7001000-0xd70010ff irq 11 at device 12.0 on pci0
rl1: Ethernet address: 00:40:f4:90:1c:4b
miibus1: <MII bus> on rl1
rlphy1: <RealTek internal media interface> on miibus1
rlphy1: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
orm0: <Option ROMs> at iomem 0xc8000-0xcbfff,0xc0000-0xc7fff on isa0
pmtimer0 on isa0
atkbdc0: <Keyboard controller (i8042)> at port 0x64,0x60 on isa0
atkbd0: <AT Keyboard> irq 1 on atkbdc0
kbd0 at atkbd0
fdc0: ready for input in output
fdc0: cmd 3 failed at out byte 1 of 3
sc0: <System console> at flags 0x100 on isa0
sc0: VGA <16 virtual consoles, flags=0x300>
sio0: configured irq 4 not in bitmap of probed irqs 0
sio0: port may not be enabled
sio0 at port 0x3f8-0x3ff irq 4 flags 0x10 on isa0
sio0: type 8250 or not responding
sio1: configured irq 3 not in bitmap of probed irqs 0
sio1: port may not be enabled
vga0: <Generic ISA VGA> at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0
unknown: <PNP0303> can't assign resources (port)
unknown: <PNP0c02> can't assign resources (memory)
unknown: <PNP0a03> can't assign resources (port)
Timecounters tick every 10.000 msec
ipfw2 initialized, divert enabled, rule-based forwarding enabled, default to
deny, logging unlimited
GEOM: create disk ad0 dp=0xc4445260
ad0: 19569MB <WDC WD205AA-00BAA0> [39761/16/63] at ata0-master UDMA33
GEOM: create disk ad2 dp=0xc4445c60
ad2: 76319MB <ST380021A> [155061/16/63] at ata1-master UDMA33
acd0: CDRW <SONY CD-RW CRX140E> at ata1-slave PIO4
SMP: AP CPU #1 Launched!
Mounting root from ufs:/dev/ad0s1a
pid 524 (my_print_defaults), uid 88: exited on signal 11
pid 529 (my_print_defaults), uid 88: exited on signal 11
pid 544 (mysqld), uid 88: exited on signal 11
pid 700 (my_print_defaults), uid 1000: exited on signal 11 (core dumped)
diablo:~>
Dmesg output didn't look particularly different in 5.3-stable. The coredumps
are due to the downgrade and being linked against newer libs from 5.3.
*** Kernel configuration:
diablo:/usr/src/sys/i386/conf> cat DIABLO
#
# GENERIC -- Generic kernel configuration file for FreeBSD/i386
#
# For more information on this file, please read the handbook section on
# Kernel Configuration Files:
#
# http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig-config.html
#
# The handbook is also available locally in /usr/share/doc/handbook
# if you've installed the doc distribution, otherwise always see the
# FreeBSD World Wide Web server (http://www.FreeBSD.org/) for the
# latest information.
#
# An exhaustive list of options and more detailed explanations of the
# device lines is also present in the ../../conf/NOTES and NOTES files.
# If you are in doubt as to the purpose or necessity of a line, check first
# in NOTES.
#
# $FreeBSD: src/sys/i386/conf/GENERIC,v 1.413.2.8 2004/10/24 17:42:08 scottl Exp $
machine i386
#cpu I486_CPU
cpu I586_CPU
cpu I686_CPU
ident DIABLO
# To statically compile in device wiring instead of /boot/device.hints
#hints "GENERIC.hints" # Default places to look for devices.
options SCHED_4BSD # 4BSD scheduler
options INET # InterNETworking
#options INET6 # IPv6 communications protocols
options FFS # Berkeley Fast Filesystem
options SOFTUPDATES # Enable FFS soft updates support
options UFS_ACL # Support for access control lists
options UFS_DIRHASH # Improve performance on big directories
#options MD_ROOT # MD is a potential root device
options NFSCLIENT # Network Filesystem Client
options NFSSERVER # Network Filesystem Server
#options NFS_ROOT # NFS usable as /, requires NFSCLIENT
options MSDOSFS # MSDOS Filesystem
options CD9660 # ISO 9660 Filesystem
options PROCFS # Process filesystem (requires PSEUDOFS)
options PSEUDOFS # Pseudo-filesystem framework
options GEOM_GPT # GUID Partition Tables.
options COMPAT_43 # Compatible with BSD 4.3 [KEEP THIS!]
options COMPAT_FREEBSD4 # Compatible with FreeBSD4
options SCSI_DELAY=5000 # Delay (in ms) before probing SCSI
options KTRACE # ktrace(1) support
options SYSVSHM # SYSV-style shared memory
options SYSVMSG # SYSV-style message queues
options SYSVSEM # SYSV-style semaphores
options _KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions
options KBD_INSTALL_CDEV # install a CDEV entry in /dev
options AHC_REG_PRETTY_PRINT # Print register bitfields in debug
# output. Adds ~128k to driver.
options AHD_REG_PRETTY_PRINT # Print register bitfields in debug
# output. Adds ~215k to driver.
#options ADAPTIVE_GIANT # Giant mutex is adaptive.
# Firewall
options IPFIREWALL # Firewall (ipfw)
options IPFIREWALL_VERBOSE # Verbose errors
#options IPFIREWALL_FORWARD # Transparent forwarding
options IPDIVERT # For NATD
#options DUMMYNET # Traffic Shaping!
# IPsec
#options IPSEC
#options IPSEC_ESP
# To make an SMP kernel, the next two are needed
options SMP # Symmetric MultiProcessor Kernel
device apic # I/O APIC
# Bus support. Do not remove isa, even if you have no isa slots
device isa
device eisa
device pci
# Floppy drives
device fdc
# ATA and ATAPI devices
device ata
device atadisk # ATA disk drives
#device ataraid # ATA RAID drives
device atapicd # ATAPI CDROM drives
#device atapifd # ATAPI floppy drives
#device atapist # ATAPI tape drives
options ATA_STATIC_ID # Static device numbering
# SCSI Controllers
#device ahb # EISA AHA1742 family
#device ahc # AHA2940 and onboard AIC7xxx devices
#device ahd # AHA39320/29320 and onboard AIC79xx devices
#device amd # AMD 53C974 (Tekram DC-390(T))
#device isp # Qlogic family
#device mpt # LSI-Logic MPT-Fusion
#device ncr # NCR/Symbios Logic
device sym # NCR/Symbios Logic (newer chipsets + those of `ncr')
device trm # Tekram DC395U/UW/F DC315U adapters
#device adv # Advansys SCSI adapters
#device adw # Advansys wide SCSI adapters
#device aha # Adaptec 154x SCSI adapters
#device aic # Adaptec 15[012]x SCSI adapters, AIC-6[23]60.
#device bt # Buslogic/Mylex MultiMaster SCSI adapters
#device ncv # NCR 53C500
#device nsp # Workbit Ninja SCSI-3
#device stg # TMC 18C30/18C50
# SCSI peripherals
device scbus # SCSI bus (required for SCSI)
#device ch # SCSI media changers
device da # Direct Access (disks)
#device sa # Sequential Access (tape etc)
#device cd # CD
#device pass # Passthrough device (direct SCSI access)
#device ses # SCSI Environmental Services (and SAF-TE)
# RAID controllers interfaced to the SCSI subsystem
#device amr # AMI MegaRAID
#device asr # DPT SmartRAID V, VI and Adaptec SCSI RAID
#device ciss # Compaq Smart RAID 5*
#device dpt # DPT Smartcache III, IV - See NOTES for options
#device hptmv # Highpoint RocketRAID 182x
#device iir # Intel Integrated RAID
#device ips # IBM (Adaptec) ServeRAID
#device mly # Mylex AcceleRAID/eXtremeRAID
#device twa # 3ware 9000 series PATA/SATA RAID
# RAID controllers
#device aac # Adaptec FSA RAID
#device aacp # SCSI passthrough for aac (requires CAM)
#device ida # Compaq Smart RAID
#device mlx # Mylex DAC960 family
#device pst # Promise Supertrak SX6000
#device twe # 3ware ATA RAID
# atkbdc0 controls both the keyboard and the PS/2 mouse
device atkbdc # AT keyboard controller
device atkbd # AT keyboard
device psm # PS/2 mouse
device vga # VGA video card driver
device splash # Splash screen and screen saver support
# syscons is the default console driver, resembling an SCO console
device sc
# Enable this for the pcvt (VT220 compatible) console driver
#device vt
#options XSERVER # support for X server on a vt console
#options FAT_CURSOR # start with block cursor
device agp # support several AGP chipsets
# Floating point support - do not disable.
device npx
# Power management support (see NOTES for more options)
#device apm
# Add suspend/resume support for the i8254.
device pmtimer
# PCCARD (PCMCIA) support
# PCMCIA and cardbus bridge support
#device cbb # cardbus (yenta) bridge
#device pccard # PC Card (16-bit) bus
#device cardbus # CardBus (32-bit) bus
# Serial (COM) ports
device sio # 8250, 16[45]50 based serial ports
# Parallel port
#device ppc
#device ppbus # Parallel port bus (required)
#device lpt # Printer
#device plip # TCP/IP over parallel
#device ppi # Parallel port interface device
#device vpo # Requires scbus and da
# If you've got a "dumb" serial or parallel PCI card that is
# supported by the puc(4) glue driver, uncomment the following
# line to enable it (connects to the sio and/or ppc drivers):
#device puc
# PCI Ethernet NICs.
#device de # DEC/Intel DC21x4x (``Tulip'')
#device em # Intel PRO/1000 adapter Gigabit Ethernet Card
#device ixgb # Intel PRO/10GbE Ethernet Card
#device txp # 3Com 3cR990 (``Typhoon'')
#device vx # 3Com 3c590, 3c595 (``Vortex'')
# PCI Ethernet NICs that use the common MII bus controller code.
# NOTE: Be sure to keep the 'device miibus' line in order to use these NICs!
device miibus # MII bus support
#device bfe # Broadcom BCM440x 10/100 Ethernet
#device bge # Broadcom BCM570xx Gigabit Ethernet
#device dc # DEC/Intel 21143 and various workalikes
#device fxp # Intel EtherExpress PRO/100B (82557, 82558)
#device lge # Level 1 LXT1001 gigabit ethernet
#device nge # NatSemi DP83820 gigabit ethernet
#device pcn # AMD Am79C97x PCI 10/100 (precedence over 'lnc')
#device re # RealTek 8139C+/8169/8169S/8110S
device rl # RealTek 8129/8139
#device sf # Adaptec AIC-6915 (``Starfire'')
#device sis # Silicon Integrated Systems SiS 900/SiS 7016
#device sk # SysKonnect SK-984x & SK-982x gigabit Ethernet
#device ste # Sundance ST201 (D-Link DFE-550TX)
#device ti # Alteon Networks Tigon I/II gigabit Ethernet
#device tl # Texas Instruments ThunderLAN
#device tx # SMC EtherPower II (83c170 ``EPIC'')
#device vge # VIA VT612x gigabit ethernet
#device vr # VIA Rhine, Rhine II
#device wb # Winbond W89C840F
#device xl # 3Com 3c90x (``Boomerang'', ``Cyclone'')
# ISA Ethernet NICs. pccard NICs included.
#device cs # Crystal Semiconductor CS89x0 NIC
# 'device ed' requires 'device miibus'
#device ed # NE[12]000, SMC Ultra, 3c503, DS8390 cards
#device ex # Intel EtherExpress Pro/10 and Pro/10+
#device ep # Etherlink III based cards
#device fe # Fujitsu MB8696x based cards
#device ie # EtherExpress 8/16, 3C507, StarLAN 10 etc.
#device lnc # NE2100, NE32-VL Lance Ethernet cards
#device sn # SMC's 9000 series of Ethernet chips
#device xe # Xircom pccard Ethernet
# ISA devices that use the old ISA shims
#device le
# Wireless NIC cards
#device wlan # 802.11 support
#device an # Aironet 4500/4800 802.11 wireless NICs.
#device awi # BayStack 660 and others
#device wi # WaveLAN/Intersil/Symbol 802.11 wireless NICs.
#device wl # Older non 802.11 Wavelan wireless NIC.
# Pseudo devices.
device loop # Network loopback
#device mem # Memory and kernel memory devices
#device io # I/O device
device random # Entropy device
device ether # Ethernet support
#device sl # Kernel SLIP
#device ppp # Kernel PPP
device tun # Packet tunnel.
device pty # Pseudo-ttys (telnet etc)
device md # Memory "disks"
device gif # IPv6 and IPv4 tunneling
#device faith # IPv6-to-IPv4 relaying (translation)
# The `bpf' device enables the Berkeley Packet Filter.
# Be aware of the administrative consequences of enabling this!
device bpf # Berkeley packet filter
# USB support
device uhci # UHCI PCI->USB interface
device ohci # OHCI PCI->USB interface
device usb # USB Bus (required)
#device udbp # USB Double Bulk Pipe devices
device ugen # Generic
device uhid # "Human Interface Devices"
device ukbd # Keyboard
device ulpt # Printer
device umass # Disks/Mass storage - Requires scbus and da
device ums # Mouse
#device urio # Diamond Rio 500 MP3 player
#device uscanner # Scanners
# USB Ethernet, requires mii
#device aue # ADMtek USB Ethernet
#device axe # ASIX Electronics USB Ethernet
#device cue # CATC USB Ethernet
#device kue # Kawasaki LSI USB Ethernet
#device rue # RealTek RTL8150 USB Ethernet
# FireWire support
#device firewire # FireWire bus code
#device sbp # SCSI over FireWire (Requires scbus and da)
#device fwe # Ethernet over FireWire (non-standard!)
diablo:/usr/src/sys/i386/conf>
I simply commented out the lines that failed in 5.2 since they were for 5.3
(i.e., device io, device mem, and options ADAPTIVE_GIANT).
*** Interfaces:
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=8<VLAN_MTU>
inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
ether 00:00:21:f2:a5:47
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
rl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=8<VLAN_MTU>
inet 144.136.223.204 netmask 0xfffffc00 broadcast 255.255.255.255
ether 00:40:f4:90:1c:4b
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
inet 127.0.0.1 netmask 0xff000000
*** Firewall:
diablo:/home/diskiller# more /etc/firewall.diablo
########################################################################
### FIREWALL ###########################################################
########################################################################
# external if = rl1
# internal if = rl0
# internal net = 10.0.0.0/24
# EVIL SHIT
add deny log tcp from any to any 137,138,139 via rl1
add deny log udp from any to any 137,138,139 via rl1
# Allow your loop back to work
add allow all from any to any via lo0
# DHCP
add allow udp from any to any 67,68
# Prevent spoofing of your loopback
add deny log all from any to 127.0.0.0/8
add deny log all from 127.0.0.0/8 to any
# Stop spoofing of your internal network range
add deny log ip from 10.0.0.0/24 to any in via rl1
# Stop spoofing from inside your private ip range
add deny log ip from not 10.0.0.0/24 to any in via rl0
# Something from the bigpond network, and NEEDS to be here before below
# rules block it. Its a heartbeat, among other things? *confusing*
add allow ip from 10.64.28.1 to any in via rl1
# Stop private networks (RFC1918) from entering the outside interface.
add deny log ip from 192.168.0.0/16 to any in via rl1
add deny log ip from 172.16.0.0/12 to any in via rl1
add deny log ip from 10.0.0.0/8 to any in via rl1
add deny log ip from any to 192.168.0.0/16 in via rl1
add deny log ip from any to 172.16.0.0/12 in via rl1
add deny log ip from any to 10.0.0.0/8 in via rl1
# NATD
add divert natd all from any to any via rl1
# UDP
add allow udp from any to any
# Allow IPsec connections flow freely
#add allow esp from any to any
# Allow VPN data to flow free via rl2 (where my VPN to matt is over wireless)
#add allow ipencap from any to any via rl2
# Allow existing tcp connections open from inside my lan to keep working
add allow tcp from any to any established
# Allow internal lan machines to open connections to the gw/Internet
add allow tcp from 10.0.0.0/24 to any setup # my lan
#add allow tcp from 10.0.2.0/24 to any setup # wireless lan (+ homer)
#add allow tcp from 10.0.4.0/24 to any setup # matt's lan
# Allow gw to open connections to the Internet (tcp/udp/etc)
add allow ip from 144.136.0.0/16 to any setup out via rl1
# Allow some ICMP's
add allow icmp from any to any icmptypes 3,4,11,12,8,0
# Diablo services - Incoming connections allowed
add allow tcp from any to any 21 in via rl1 setup
add allow tcp from any to any 22 in via rl1 setup
add allow tcp from any to any 25 in via rl1 setup
add allow tcp from any to any 53 in via rl1 setup
add allow tcp from any to any 80 in via rl1 setup
#add allow tcp from any to any 110 in via rl1 setup
#add allow tcp from any to any 143 in via rl1 setup
add allow tcp from any to any 993 in via rl1 setup
add allow tcp from any to any 995 in via rl1 setup
#add allow tcp from any to any 3389 in via rl1 setup # RD
#add allow tcp from any to any 6667 in via rl1 setup # IRC server
#add allow tcp from 144.136.0.0/16 to any 5901 in via rl1 setup # VNC on diablo
#add allow tcp from 203.194.94.0/24 to any 5901 in via rl1 setup # VNC on diablo
#add allow tcp from any to any 6881 # Bit Torrent
#add allow tcp from any to any 6882 # Bit Torrent
#add allow tcp from any to any 6883 # Bit Torrent
#add allow tcp from any to any 6884 # Bit Torrent
#add allow tcp from any to any 6112 # SC/BW
# UT2003/UT2004
add allow tcp from any to any 7777 in via rl1 setup
add allow tcp from any to any 7778 in via rl1 setup
add allow tcp from any to any 7787 in via rl1 setup
add allow tcp from any to any 7788 in via rl1 setup
# Politely and quickly rejects AUTH requests (IRC!! #*()@$@#$)
add reset tcp from any to any 113 in via rl1
# Make the default 'deny' rule log too.
add 65500 deny log ip from any to any
diablo:/home/diskiller#
I really hope someone can figure this one out...
Thanks,
Martin.
--
diskiller@diskiller.net | www.diskiller.net | irc.diskiller.net
(No trees were destroyed in the sending of this message. However, a
large number of electrons were significantly inconvenienced.)
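An added example, not code from the post above or from FreeBSD: a small Python linter that parses the rule syntax used in the /etc/firewall.diablo ruleset and flags three patterns a reviewer would raise against it. First, "allow udp from any to any" carries no interface, direction or port restriction, so it passes inbound UDP on rl1 to every UDP listener on the gateway. Second, ipfw's "setup" and "established" are TCP-flag tests, so "allow ip ... setup out via rl1" matches only TCP SYNs and never UDP or ICMP. Third, "allow tcp from any to any established" is stateless and accepts any inbound segment with ACK or RST set, which is what lets ACK scans through. POSTED_RULES is a subset copied from the posted ruleset; HARDENED_RULES is a constructed replacement fragment using check-state/keep-state, and where those rules go relative to the natd divert rule is deliberately left to ipfw(8), because dynamic rules are keyed on the addresses the packet carries at the moment the keep-state rule matches (before or after translation). The parser handles only the subset of ipfw syntax the posted rules use.

```python
"""Lint an ipfw(8) ruleset for weak stateless 'allow' rules.  Added example, not
code from the post or from FreeBSD; parses only the syntax /etc/firewall.diablo uses."""
from dataclasses import dataclass, field
from typing import List, Optional, Set

OPTION_WORDS = {"in", "out", "via", "setup", "established", "icmptypes", "keep-state"}

@dataclass
class Rule:
    text: str
    action: str
    proto: str = "ip"
    src: str = "any"
    src_ports: Optional[str] = None
    dst: str = "any"
    dst_ports: Optional[str] = None
    direction: Optional[str] = None                 # "in", "out" or None (both)
    iface: Optional[str] = None                     # interface named by "via"
    flags: Set[str] = field(default_factory=set)    # setup, established, icmptypes, ...

def parse_rule(line: str) -> Optional[Rule]:
    """Parse one 'add ...' line; return None for blank or comment lines."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    tok = line.split()
    i = 2 if tok[1].isdigit() else 1                # optional rule number
    action, i = tok[i], i + 1
    if action == "divert":
        i += 1                                      # skip the divert port ("natd")
    rule = Rule(text=line, action=action)
    if action == "check-state":
        return rule                                 # check-state has no match body
    if tok[i] == "log":
        i += 1
    rule.proto, i = tok[i], i + 1
    assert tok[i] == "from", line
    i += 2 if tok[i + 1] == "not" else 1            # "not" does not affect the checks
    rule.src, i = tok[i], i + 1
    if tok[i] != "to":
        rule.src_ports, i = tok[i], i + 1
    assert tok[i] == "to", line
    rule.dst, i = tok[i + 1], i + 2
    if i < len(tok) and tok[i] not in OPTION_WORDS:
        rule.dst_ports, i = tok[i], i + 1
    while i < len(tok):
        word, i = tok[i], i + 1
        if word in ("in", "out"):
            rule.direction = word
        elif word == "via":
            rule.iface, i = tok[i], i + 1
        else:
            rule.flags.add(word)
            if word == "icmptypes":
                i += 1                              # skip the type list
    return rule

def lint(ruleset: str) -> List[str]:
    """Return one finding per weak 'allow' rule, in ruleset order."""
    findings = []
    for raw in ruleset.splitlines():
        r = parse_rule(raw)
        if r is None or r.action != "allow":
            continue
        tcp_tests = r.flags & {"setup", "established"}
        if (r.src == r.dst == "any" and r.src_ports is None and r.dst_ports is None
                and r.direction is None and r.iface is None and not r.flags):
            findings.append(f"unrestricted: '{r.text}' passes {r.proto} in both directions "
                            f"on every interface; every {r.proto} listener is exposed")
        if tcp_tests and r.proto != "tcp":
            findings.append(f"tcp-only: '{r.text}' tests TCP flags ({'/'.join(sorted(tcp_tests))}) "
                            f"on proto '{r.proto}', so it matches only TCP, never UDP or ICMP")
        if "established" in r.flags:
            findings.append(f"stateless: '{r.text}' accepts any TCP segment with ACK or RST "
                            f"set in either direction (ACK scans pass); use check-state/keep-state")
    return findings

# Subset of the posted /etc/firewall.diablo, copied from the message above.
POSTED_RULES = """\
add allow all from any to any via lo0
add allow udp from any to any 67,68
add divert natd all from any to any via rl1
add allow udp from any to any
add allow tcp from any to any established
add allow tcp from 10.0.0.0/24 to any setup
add allow ip from 144.136.0.0/16 to any setup out via rl1
add allow icmp from any to any icmptypes 3,4,11,12,8,0
"""

# Constructed replacements for the three flagged rules (not from the post).
HARDENED_RULES = """\
add check-state
add allow udp from any to any via rl0                  # LAN side unchanged
add allow udp from any to any out via rl1 keep-state   # outbound UDP and its replies
add allow udp from any to any 53 in via rl1            # only the DNS listener from outside
add allow tcp from 10.0.0.0/24 to any setup keep-state
add allow tcp from 144.136.223.204 to any setup out via rl1 keep-state
"""
```

Running lint(POSTED_RULES) yields exactly three findings, one per rule named above, and lint(HARDENED_RULES) yields none; feeding it the full ruleset (with wrapped comment lines rejoined) gives the same three, since every other allow in the file is pinned to a port, an interface or a source network.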
On Thursday, 10 February 2005 11:00, Martin Minkus wrote:
> I seem to have been having a rather strange networking issue in FreeBSD
> 5.3-Stable (it started happening immediately after 5.2.1 and has persisted
> since... I keep "hoping" that next time I cvsup it will be fixed, but no).
>
> I downgraded back to 5.2.1-p13 and it is perfectly fine once again.
>
> *** Some background information:
>
> My FreeBSD box is my home NAT router, server, firewall, etc. It does DHCP,
> MX for some of my domains, secondary DNS (I got primary elsewhere), apache
> for some webhosting, blah blah blah. Nothing really special. It is a Dual
> PIII-500, 512mb ram, and a couple ATA hdd's. Had 3 realtek network
> interfaces, but down to 2 now.
>
> *** The problem:
>
> Networking simply "stops" or "locks up". Why, I don't know. I believe
> initially it happened for all 3 network cards... I thought tcp/ip
> processing or something in the kernel got locked. It happens every 30
> minutes to an hour, and lasts about 60 seconds to 120 seconds.
> Unfortunately, 60 seconds to 120 seconds is long enough to kill messenger
> (my gf does not like), online gaming, etc etc.

Just a wild guess: Try setting 'debug.mpsafenet=0' in /boot/loader.conf

I had similar problems with pf and RELENG_5. No solution though :(

-Harry
device miibus # MII bus support > #device bfe # Broadcom BCM440x 10/100 Ethernet > #device bge # Broadcom BCM570xx Gigabit Ethernet > #device dc # DEC/Intel 21143 and various workalikes > #device fxp # Intel EtherExpress PRO/100B (82557, > 82558) #device lge # Level 1 LXT1001 gigabit ethernet > #device nge # NatSemi DP83820 gigabit ethernet #device > pcn # AMD Am79C97x PCI 10/100 (precedence over 'lnc') > #device re # RealTek 8139C+/8169/8169S/8110S > device rl # RealTek 8129/8139 > #device sf # Adaptec AIC-6915 (``Starfire'') > #device sis # Silicon Integrated Systems SiS 900/SiS > 7016 > #device sk # SysKonnect SK-984x & SK-982x gigabit > Ethernet > #device ste # Sundance ST201 (D-Link DFE-550TX) > #device ti # Alteon Networks Tigon I/II gigabit > Ethernet > #device tl # Texas Instruments ThunderLAN > #device tx # SMC EtherPower II (83c170 ``EPIC'') > #device vge # VIA VT612x gigabit ethernet > #device vr # VIA Rhine, Rhine II > #device wb # Winbond W89C840F > #device xl # 3Com 3c90x (``Boomerang'', ``Cyclone'') > > # ISA Ethernet NICs. pccard NICs included. > #device cs # Crystal Semiconductor CS89x0 NIC > # 'device ed' requires 'device miibus' > #device ed # NE[12]000, SMC Ultra, 3c503, DS8390 cards > #device ex # Intel EtherExpress Pro/10 and Pro/10+ > #device ep # Etherlink III based cards > #device fe # Fujitsu MB8696x based cards > #device ie # EtherExpress 8/16, 3C507, StarLAN 10 etc. > #device lnc # NE2100, NE32-VL Lance Ethernet cards > #device sn # SMC's 9000 series of Ethernet chips > #device xe # Xircom pccard Ethernet > > # ISA devices that use the old ISA shims > #device le > > # Wireless NIC cards > #device wlan # 802.11 support > #device an # Aironet 4500/4800 802.11 wireless NICs. > #device awi # BayStack 660 and others > #device wi # WaveLAN/Intersil/Symbol 802.11 wireless > NICs. > #device wl # Older non 802.11 Wavelan wireless NIC. > > # Pseudo devices. 
> device loop # Network loopback > #device mem # Memory and kernel memory devices > #device io # I/O device > device random # Entropy device > device ether # Ethernet support > #device sl # Kernel SLIP > #device ppp # Kernel PPP > device tun # Packet tunnel. > device pty # Pseudo-ttys (telnet etc) > device md # Memory "disks" > device gif # IPv6 and IPv4 tunneling > #device faith # IPv6-to-IPv4 relaying (translation) > > # The `bpf' device enables the Berkeley Packet Filter. > # Be aware of the administrative consequences of enabling this! > device bpf # Berkeley packet filter > > # USB support > device uhci # UHCI PCI->USB interface > device ohci # OHCI PCI->USB interface > device usb # USB Bus (required) > #device udbp # USB Double Bulk Pipe devices > device ugen # Generic > device uhid # "Human Interface Devices" > device ukbd # Keyboard > device ulpt # Printer > device umass # Disks/Mass storage - Requires scbus and > da device ums # Mouse > #device urio # Diamond Rio 500 MP3 player > #device uscanner # Scanners > # USB Ethernet, requires mii > #device aue # ADMtek USB Ethernet > #device axe # ASIX Electronics USB Ethernet > #device cue # CATC USB Ethernet > #device kue # Kawasaki LSI USB Ethernet > #device rue # RealTek RTL8150 USB Ethernet > > # FireWire support > #device firewire # FireWire bus code > #device sbp # SCSI over FireWire (Requires scbus and > da) #device fwe # Ethernet over FireWire > (non-standard!) 
diablo:/usr/src/sys/i386/conf> > > > I simply commented out the lines that failed in 5.2 since they were for 5.3 > (ie, device io, device mem, and options ADAPTIVE_GIANT) > > > *** Interfaces: > > rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500 > options=8<VLAN_MTU> > inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255 > ether 00:00:21:f2:a5:47 > media: Ethernet autoselect (100baseTX <full-duplex>) > status: active > rl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500 > options=8<VLAN_MTU> > inet 144.136.223.204 netmask 0xfffffc00 broadcast 255.255.255.255 > ether 00:40:f4:90:1c:4b > media: Ethernet autoselect (100baseTX <full-duplex>) > status: active > lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384 > inet 127.0.0.1 netmask 0xff000000 > > > *** Firewall: > > diablo:/home/diskiller# more /etc/firewall.diablo > ######################################################################## > ### FIREWALL ########################################################### > ######################################################################## > > # external if = rl1 > # internal if = rl0 > # internal net = 10.0.0.0/24 > > # EVIL SHIT > add deny log tcp from any to any 137,138,139 via rl1 > add deny log udp from any to any 137,138,139 via rl1 > > # Allow your loop back to work > add allow all from any to any via lo0 > > # DHCP > add allow udp from any to any 67,68 > > # Prevent spoofing of your loopback > add deny log all from any to 127.0.0.0/8 > add deny log all from 127.0.0.0/8 to any > > # Stop spoofing of your internal network range > add deny log ip from 10.0.0.0/24 to any in via rl1 > > # Stop spoofing from inside your private ip range > add deny log ip from not 10.0.0.0/24 to any in via rl0 > > # Something from the bigpond network, and NEEDS to be here before below > # rules block it. Its a heartbeat, among other things? 
*confusing* > add allow ip from 10.64.28.1 to any in via rl1 > > # Stop private networks (RFC1918) from entering the outside interface. > add deny log ip from 192.168.0.0/16 to any in via rl1 > add deny log ip from 172.16.0.0/12 to any in via rl1 > add deny log ip from 10.0.0.0/8 to any in via rl1 > add deny log ip from any to 192.168.0.0/16 in via rl1 > add deny log ip from any to 172.16.0.0/12 in via rl1 > add deny log ip from any to 10.0.0.0/8 in via rl1 > > # NATD > add divert natd all from any to any via rl1 > > # UDP > add allow udp from any to any > > # Allow IPsec connections flow freely > #add allow esp from any to any > > # Allow VPN data to flow free via rl2 (where my VPN to matt is over > wireless) > #add allow ipencap from any to any via rl2 > > # Allow existing tcp connections open from inside my lan to keep working > add allow tcp from any to any established > > # Allow internal lan machines to open connections to the gw/Internet > add allow tcp from 10.0.0.0/24 to any setup # my lan > #add allow tcp from 10.0.2.0/24 to any setup # wireless lan (+ homer) > #add allow tcp from 10.0.4.0/24 to any setup # matt's lan > > # Allow gw to open connections to the Internet (tcp/udp/etc) > add allow ip from 144.136.0.0/16 to any setup out via rl1 > > # Allow some ICMP's > add allow icmp from any to any icmptypes 3,4,11,12,8,0 > > # Diablo services - Incoming connections allowed > add allow tcp from any to any 21 in via rl1 setup > add allow tcp from any to any 22 in via rl1 setup > add allow tcp from any to any 25 in via rl1 setup > add allow tcp from any to any 53 in via rl1 setup > add allow tcp from any to any 80 in via rl1 setup > #add allow tcp from any to any 110 in via rl1 setup > #add allow tcp from any to any 143 in via rl1 setup > add allow tcp from any to any 993 in via rl1 setup > add allow tcp from any to any 995 in via rl1 setup > #add allow tcp from any to any 3389 in via rl1 setup # RD > #add allow tcp from any to any 6667 in via rl1 setup # IRC 
server > #add allow tcp from 144.136.0.0/16 to any 5901 in via rl1 setup # VNC on > diablo > #add allow tcp from 203.194.94.0/24 to any 5901 in via rl1 setup # VNC on > diablo > #add allow tcp from any to any 6881 # Bit Torrent > #add allow tcp from any to any 6882 # Bit Torrent > #add allow tcp from any to any 6883 # Bit Torrent > #add allow tcp from any to any 6884 # Bit Torrent > #add allow tcp from any to any 6112 # SC/BW > > # UT2003/UT2004 > add allow tcp from any to any 7777 in via rl1 setup > add allow tcp from any to any 7778 in via rl1 setup > add allow tcp from any to any 7787 in via rl1 setup > add allow tcp from any to any 7788 in via rl1 setup > > # Politely and quickly rejects AUTH requests (IRC!! #*()@$@#$) > add reset tcp from any to any 113 in via rl1 > > # Make the default 'deny' rule log too. > add 65500 deny log ip from any to any > diablo:/home/diskiller# > > > > I really hope someone can figure this one out... > > Thanks, > Martin. > > -- > diskiller@diskiller.net | www.diskiller.net | irc.diskiller.net > > (No trees were destroyed in the sending of this message. However, a > large number of electrons were significantly inconvenienced.) > > > > _______________________________________________ > freebsd-stable@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-stable > To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"-------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 187 bytes Desc: not available Url : http://lists.freebsd.org/pipermail/freebsd-stable/attachments/20050210/a2b6d15c/attachment-0001.bin
On 10/2/2005 22:23, "Emanuel Strobl" <emanuel.strobl@gmx.net> wrote:
> On Thursday, 10 February 2005 11:00, Martin Minkus wrote:
>
> Just a wild guess: Try setting 'debug.mpsafet=0' in /boot/loader.conf
> I had similar problems with pf and RELENG_5
>
> No solution though :(
>
> -Harry

Hey there,

Thanks for the reply. I tried that, and it had no effect. Actually my cousin
thinks it did at one stage, but I have tried it many times (while changing
other settings in the kernel, etc, etc) and it never did anything.

Thanks,
Martin.
> I seem to have been having a rather strange networking issue in
> FreeBSD 5.3-Stable (it started happening immediately after 5.2.1 and
> has persisted since.. I keep "hoping" that next time I cvsup it will
> be fixed, but no).
> I downgraded back to 5.2.1-p13 and it is perfectly fine once again.
> *** Some background information:
> My FreeBSD box is my home NAT router, server, firewall, etc. It does
> DHCP, MX for some of my domains, secondary DNS (I got primary
> elsewhere), apache for some webhosting, blah blah blah. Nothing
> really special. It is a Dual PIII-500, 512mb ram, and a couple ATA
> hdd's. Had 3 realtek network interfaces, but down to 2 now.

Any chance of using non-RealTek cards? They are notorious for performing
poorly at the best of times.

My laptop has one of these internally, and every now and then it'll drop
the connection. Usually with an error about an oversize frame being
discarded. An "ifconfig down" "ifconfig up" will fix the issue. Enabling
polling support (either via the kernel config option DEVICE_POLLING or
the sysctl) helps some. The best solution, though, is to get better NICs.

For fun, read the man page for rl(4) and the comments in the rl source.
Quite enlightening about the "issues" the RealTek chipsets have. :)

--
Freddie Cash, CCNT CCLP
Helpdesk / Network Support Tech.
School District 73
(250) 377-HELP [377-4357]
fcash-ml@sd73.bc.ca
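A small watchdog for the symptom in this thread (the external interface goes silent for 60 to 120 seconds while the box itself stays responsive), written here as an added example and not code posted by anyone in the thread: it samples the interface's input-packet counter from netstat -ibn and, when the counter stops moving, logs the event to syslog and performs the ifconfig down / ifconfig up reset that Freddie describes. It assumes FreeBSD's netstat -ibn column layout, the interface name rl1 from the thread, and a root shell for ifconfig; the netstat text embedded at the bottom is constructed for offline testing, not captured from diablo.

```shell
#!/bin/sh
# Added example, not code from the thread.
# Watchdog for an interface that silently stops passing traffic: if the
# Ipkts counter of $IFACE does not advance between two samples, assume the
# card has stalled, log it, and reset the interface with ifconfig down/up.
# Assumptions: FreeBSD netstat -ibn column layout (Name Mtu Network
# Address Ipkts ...), interface rl1 from the thread, root for ifconfig.

IFACE="${IFACE:-rl1}"
INTERVAL="${INTERVAL:-30}"   # seconds between samples; the thread reports
                              # outages of 60 to 120 seconds, so 30 catches them

# ipkts_from_netstat IFNAME
# Reads netstat -ibn output on stdin and prints the Ipkts value for IFNAME.
# netstat prints one line per configured address; only the "<Link#N>" line
# carries the hardware counters, so select that one and stop. On that line
# column 4 is the MAC address when the interface has one (rl0, rl1) and the
# packet count otherwise (lo0), so pick the column accordingly.
ipkts_from_netstat() {
    awk -v ifc="$1" '$1 == ifc && $3 ~ /^<Link#/ {
        v = ($4 ~ /:/) ? $5 : $4; print v; exit }'
}

# classify PREV CUR
# Prints "ok" when the counter moved (a wrap-around counts as movement),
# "stalled" when it did not, and "unknown" when either sample is missing
# or not numeric (interface gone, netstat failed) so we never reset blindly.
classify() {
    for v in "$1" "$2"; do
        case "$v" in
            ""|*[!0-9]*) echo unknown; return 0 ;;
        esac
    done
    if [ "$2" -eq "$1" ]; then
        echo stalled
    else
        echo ok
    fi
}

# bounce IFNAME
# Record the event in syslog, then cycle the interface: the manual fix
# from the thread, automated. The log line is the evidence worth keeping,
# since it shows how often the stall really happens.
bounce() {
    logger -t ifwatch "no input packets on $1 in ${INTERVAL}s, resetting it"
    ifconfig "$1" down && ifconfig "$1" up
}

# watch_loop: sample forever, comparing each reading with the previous one.
watch_loop() {
    prev=$(netstat -ibn | ipkts_from_netstat "$IFACE")
    while sleep "$INTERVAL"; do
        cur=$(netstat -ibn | ipkts_from_netstat "$IFACE")
        case "$(classify "$prev" "$cur")" in
            stalled) bounce "$IFACE" ;;
            unknown) logger -t ifwatch "cannot read counters for $IFACE" ;;
        esac
        prev=$cur
    done
}

# Constructed netstat -ibn sample for testing the parser offline (not real
# output from diablo; the MAC addresses are the ones shown in the thread).
SAMPLE_NETSTAT='Name  Mtu Network       Address              Ipkts Ierrs     Ibytes    Opkts Oerrs     Obytes  Coll
rl0   1500 <Link#1>      00:00:21:f2:a5:47   812345     0  401223344   790001     0  355667788     0
rl0   1500 10.0.0.0/24   10.0.0.1            812345     -  401223344   790001     -  355667788     -
rl1   1500 <Link#2>      00:40:f4:90:1c:4b   233100     2  187654321   201234     0  123456789     0
rl1   1500 144.136.220/22 144.136.223.204    233100     -  187654321   201234     -  123456789     -
lo0  16384 <Link#3>                              512     0      40960      512     0      40960     0'

# Only start the loop when asked to, so the functions can be sourced/tested:
#   sh ifwatch.sh --watch
if [ "${1:-}" = "--watch" ]; then
    watch_loop
fi
```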
Is there some coincidence that rl1 is at irq 11 and is the card that has
problems?
diablo:/usr/src# dmesg |grep 11
Timecounter "i8254" frequency 1193182 Hz quality 0
pci_cfgintr: 0:11 INTA BIOS irq 11
pci_cfgintr: 0:7 INTD routed to irq 11
rl1: <RealTek 8139 10/100BaseTX> port 0xe800-0xe8ff mem 0xd7001000-0xd70010ff irq 11 at device 11.0 on pci0
diablo:/usr/src#
------ Forwarded Message
From: Martin Minkus <diskiller@diskiller.net>
Date: Thu, 10 Feb 2005 20:30:35 +1030
To: <stable@freebsd.org>
Subject: 5.3-Stable network issue
I seem to have been having a rather strange networking issue in FreeBSD
5.3-Stable (it started happening immediately after 5.2.1 and has persisted
since.. I keep "hoping" that next time I cvsup it will be fixed, but no).
I downgraded back to 5.2.1-p13 and it is perfectly fine once again.
*** Some background information:
My FreeBSD box is my home NAT router, server, firewall, etc. It does DHCP,
MX for some of my domains, secondary DNS (I got primary elsewhere), apache
for some webhosting, blah blah blah. Nothing really special. It is a Dual
PIII-500, 512mb ram, and a couple ATA hdd's. Had 3 realtek network
interfaces, but down to 2 now.
*** The problem:
Networking simply "stops" or "locks up". Why, I don't know. I believe
initially it happened for all 3 network cards... I thought tcp/ip processing
or something in the kernel got locked. It happens every 30 minutes to an
hour, and lasts about 60 seconds to 120 seconds. Unfortunately, 60 seconds
to 120 seconds is long enough to kill messenger (my gf does not like),
online gaming, etc etc.
Lately, I had taken one of the realtek cards out (it was for a several km
long wireless link) and moved the server to my gf's place (where I am now
100% of the time). So now that I have the server locally and rely on it for
my internet connection, this has become a real PAIN.
I've noticed that I can remain ssh'd into diablo, do whatever I want while
this "lock" issue occurs. So the lan interface rl0 is fine. The internet
interface, rl1 (which goes to the cable modem) locks up. (btw, its not the
cable modem as I am using my gf's now, and it did this at my place on my
cable modem too, which is a different brand. Nortel at my place, motorola at
my gfs).
*** Attempts:
I've attempted switching out network cards, and placed 3 other realtek cards
in. Different brands, all with different revisions (D instead of B, etc,
etc).
No matter what I try, nothing fixes it. The machine seems perfectly
responsive, and I am still ssh'd in and can do whatever I want on it... But
the network card going to the cable modem has stopped responding?!
This never happened during 5.0-Current all throughout 5.2.1-STABLE, but
anywhere beyond 5.2.1 it craps itself.
*** Dmesg output:
Copyright (c) 1992-2004 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
The Regents of the University of California. All rights reserved.
FreeBSD 5.2.1-RELEASE-p13 #2: Thu Feb 10 18:39:33 CST 2005
diskiller@diablo.diskiller.net:/junk/obj/junk/src/sys/DIABLO
Preloaded elf kernel "/boot/kernel/kernel" at 0xc076c000.
MPTable: <OEM00000 PROD00000000>
Timecounter "i8254" frequency 1193182 Hz quality 0
CPU: Pentium III/Pentium III Xeon/Celeron (504.72-MHz 686-class CPU)
Origin = "GenuineIntel" Id = 0x673 Stepping = 3
Features=0x387fbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,PN,MMX,FXSR,SSE>
real memory = 536870912 (512 MB)
avail memory = 516034560 (492 MB)
FreeBSD/SMP: Multiprocessor System Detected: 2 CPUs
cpu0 (BSP): APIC ID: 0
cpu1 (AP): APIC ID: 1
ioapic0: Assuming intbase of 0
ioapic0 <Version 1.1> irqs 0-23 on motherboard
Pentium Pro MTRR support enabled
npx0: [FAST]
npx0: <math processor> on motherboard
npx0: INT 16 interface
pcibios: BIOS version 2.10
Using $PIR table, 7 entries at 0xc00fdcf0
pcib0: <Intel 82443BX (440 BX) host to PCI bridge> at pcibus 0 on motherboard
pci0: <PCI bus> on pcib0
pci_cfgintr: 0:10 INTA BIOS irq 10
pci_cfgintr: 0:12 INTA BIOS irq 11
agp0: <Intel 82443BX (440 BX) host to PCI bridge> mem 0xd0000000-0xd3ffffff at device 0.0 on pci0
pcib1: <PCI-PCI bridge> at device 1.0 on pci0
pci1: <PCI bus> on pcib1
isab0: <PCI-ISA bridge> at device 7.0 on pci0
isa0: <ISA bus> on isab0
atapci0: <Intel PIIX4 UDMA33 controller> port 0xf000-0xf00f at device 7.1 on pci0
ata0: at 0x1f0 irq 14 on atapci0
ata0: [MPSAFE]
ata1: at 0x170 irq 15 on atapci0
ata1: [MPSAFE]
uhci0: <Intel 82371AB/EB (PIIX4) USB controller> port 0xe000-0xe01f at device 7.2 on pci0
pci_cfgintr: 0:7 INTD routed to irq 11
usb0: <Intel 82371AB/EB (PIIX4) USB controller> on uhci0
usb0: USB revision 1.0
uhub0: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
piix0: <PIIX Timecounter> port 0x5000-0x500f at device 7.3 on pci0
Timecounter "PIIX" frequency 3579545 Hz quality 0
pci0: <display, VGA> at device 8.0 (no driver attached)
rl0: <RealTek 8139 10/100BaseTX> port 0xe400-0xe4ff mem 0xd7000000-0xd70000ff irq 10 at device 10.0 on pci0
rl0: Ethernet address: 00:00:21:f2:a5:47
miibus0: <MII bus> on rl0
rlphy0: <RealTek internal media interface> on miibus0
rlphy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
rl1: <RealTek 8139 10/100BaseTX> port 0xe800-0xe8ff mem 0xd7001000-0xd70010ff irq 11 at device 12.0 on pci0
rl1: Ethernet address: 00:40:f4:90:1c:4b
miibus1: <MII bus> on rl1
rlphy1: <RealTek internal media interface> on miibus1
rlphy1: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
orm0: <Option ROMs> at iomem 0xc8000-0xcbfff,0xc0000-0xc7fff on isa0
pmtimer0 on isa0
atkbdc0: <Keyboard controller (i8042)> at port 0x64,0x60 on isa0
atkbd0: <AT Keyboard> irq 1 on atkbdc0
kbd0 at atkbd0
fdc0: ready for input in output
fdc0: cmd 3 failed at out byte 1 of 3
sc0: <System console> at flags 0x100 on isa0
sc0: VGA <16 virtual consoles, flags=0x300>
sio0: configured irq 4 not in bitmap of probed irqs 0
sio0: port may not be enabled
sio0 at port 0x3f8-0x3ff irq 4 flags 0x10 on isa0
sio0: type 8250 or not responding
sio1: configured irq 3 not in bitmap of probed irqs 0
sio1: port may not be enabled
vga0: <Generic ISA VGA> at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0
unknown: <PNP0303> can't assign resources (port)
unknown: <PNP0c02> can't assign resources (memory)
unknown: <PNP0a03> can't assign resources (port)
Timecounters tick every 10.000 msec
ipfw2 initialized, divert enabled, rule-based forwarding enabled, default to deny, logging unlimited
GEOM: create disk ad0 dp=0xc4445260
ad0: 19569MB <WDC WD205AA-00BAA0> [39761/16/63] at ata0-master UDMA33
GEOM: create disk ad2 dp=0xc4445c60
ad2: 76319MB <ST380021A> [155061/16/63] at ata1-master UDMA33
acd0: CDRW <SONY CD-RW CRX140E> at ata1-slave PIO4
SMP: AP CPU #1 Launched!
Mounting root from ufs:/dev/ad0s1a
pid 524 (my_print_defaults), uid 88: exited on signal 11
pid 529 (my_print_defaults), uid 88: exited on signal 11
pid 544 (mysqld), uid 88: exited on signal 11
pid 700 (my_print_defaults), uid 1000: exited on signal 11 (core dumped)
diablo:~>
Dmesg output didn't look particularly different in 5.3-stable. The coredumps
are due to the downgrade and being linked against newer libs from 5.3.
*** Kernel configuration:
diablo:/usr/src/sys/i386/conf> cat DIABLO
#
# GENERIC -- Generic kernel configuration file for FreeBSD/i386
#
# For more information on this file, please read the handbook section on
# Kernel Configuration Files:
#
#
#    http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig-config.html
#
# The handbook is also available locally in /usr/share/doc/handbook
# if you've installed the doc distribution, otherwise always see the
# FreeBSD World Wide Web server (http://www.FreeBSD.org/) for the
# latest information.
#
# An exhaustive list of options and more detailed explanations of the
# device lines is also present in the ../../conf/NOTES and NOTES files.
# If you are in doubt as to the purpose or necessity of a line, check first
# in NOTES.
#
# $FreeBSD: src/sys/i386/conf/GENERIC,v 1.413.2.8 2004/10/24 17:42:08 scottl Exp $
machine i386
#cpu I486_CPU
cpu I586_CPU
cpu I686_CPU
ident DIABLO
# To statically compile in device wiring instead of /boot/device.hints
#hints "GENERIC.hints" # Default places to look for devices.
options SCHED_4BSD # 4BSD scheduler
options INET # InterNETworking
#options INET6 # IPv6 communications protocols
options FFS # Berkeley Fast Filesystem
options SOFTUPDATES # Enable FFS soft updates support
options UFS_ACL # Support for access control lists
options UFS_DIRHASH # Improve performance on big directories
#options MD_ROOT # MD is a potential root device
options NFSCLIENT # Network Filesystem Client
options NFSSERVER # Network Filesystem Server
#options NFS_ROOT # NFS usable as /, requires NFSCLIENT
options MSDOSFS # MSDOS Filesystem
options CD9660 # ISO 9660 Filesystem
options PROCFS # Process filesystem (requires PSEUDOFS)
options PSEUDOFS # Pseudo-filesystem framework
options GEOM_GPT # GUID Partition Tables.
options COMPAT_43 # Compatible with BSD 4.3 [KEEP THIS!]
options COMPAT_FREEBSD4 # Compatible with FreeBSD4
options SCSI_DELAY=5000 # Delay (in ms) before probing SCSI
options KTRACE # ktrace(1) support
options SYSVSHM # SYSV-style shared memory
options SYSVMSG # SYSV-style message queues
options SYSVSEM # SYSV-style semaphores
options _KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions
options KBD_INSTALL_CDEV # install a CDEV entry in /dev
options AHC_REG_PRETTY_PRINT # Print register bitfields in debug
# output. Adds ~128k to driver.
options AHD_REG_PRETTY_PRINT # Print register bitfields in debug
# output. Adds ~215k to driver.
#options ADAPTIVE_GIANT # Giant mutex is adaptive.
# Firewall
options IPFIREWALL # Firewall (ipfw)
options IPFIREWALL_VERBOSE # Verbose errors
#options IPFIREWALL_FORWARD # Transparent forwarding
options IPDIVERT # For NATD
#options DUMMYNET # Traffic Shaping!
# IPsec
#options IPSEC
#options IPSEC_ESP
# To make an SMP kernel, the next two are needed
options SMP # Symmetric MultiProcessor Kernel
device apic # I/O APIC
# Bus support. Do not remove isa, even if you have no isa slots
device isa
device eisa
device pci
# Floppy drives
device fdc
# ATA and ATAPI devices
device ata
device atadisk # ATA disk drives
#device ataraid # ATA RAID drives
device atapicd # ATAPI CDROM drives
#device atapifd # ATAPI floppy drives
#device atapist # ATAPI tape drives
options ATA_STATIC_ID # Static device numbering
# SCSI Controllers
#device ahb # EISA AHA1742 family
#device ahc # AHA2940 and onboard AIC7xxx devices
#device ahd # AHA39320/29320 and onboard AIC79xx devices
#device amd # AMD 53C974 (Tekram DC-390(T))
#device isp # Qlogic family
#device mpt # LSI-Logic MPT-Fusion
#device ncr # NCR/Symbios Logic
device sym # NCR/Symbios Logic (newer chipsets + those of `ncr')
device trm # Tekram DC395U/UW/F DC315U adapters
#device adv # Advansys SCSI adapters
#device adw # Advansys wide SCSI adapters
#device aha # Adaptec 154x SCSI adapters
#device aic # Adaptec 15[012]x SCSI adapters, AIC-6[23]60.
#device bt # Buslogic/Mylex MultiMaster SCSI adapters
#device ncv # NCR 53C500
#device nsp # Workbit Ninja SCSI-3
#device stg # TMC 18C30/18C50
# SCSI peripherals
device scbus # SCSI bus (required for SCSI)
#device ch # SCSI media changers
device da # Direct Access (disks)
#device sa # Sequential Access (tape etc)
#device cd # CD
#device pass # Passthrough device (direct SCSI access)
#device ses # SCSI Environmental Services (and SAF-TE)
# RAID controllers interfaced to the SCSI subsystem
#device amr # AMI MegaRAID
#device asr # DPT SmartRAID V, VI and Adaptec SCSI RAID
#device ciss # Compaq Smart RAID 5*
#device dpt # DPT Smartcache III, IV - See NOTES for options
#device hptmv # Highpoint RocketRAID 182x
#device iir # Intel Integrated RAID
#device ips # IBM (Adaptec) ServeRAID
#device mly # Mylex AcceleRAID/eXtremeRAID
#device twa # 3ware 9000 series PATA/SATA RAID
# RAID controllers
#device aac # Adaptec FSA RAID
#device aacp # SCSI passthrough for aac (requires CAM)
#device ida # Compaq Smart RAID
#device mlx # Mylex DAC960 family
#device pst # Promise Supertrak SX6000
#device twe # 3ware ATA RAID
# atkbdc0 controls both the keyboard and the PS/2 mouse
device atkbdc # AT keyboard controller
device atkbd # AT keyboard
device psm # PS/2 mouse
device vga # VGA video card driver
device splash # Splash screen and screen saver support
# syscons is the default console driver, resembling an SCO console
device sc
# Enable this for the pcvt (VT220 compatible) console driver
#device vt
#options XSERVER # support for X server on a vt console
#options FAT_CURSOR # start with block cursor
device agp # support several AGP chipsets
# Floating point support - do not disable.
device npx
# Power management support (see NOTES for more options)
#device apm
# Add suspend/resume support for the i8254.
device pmtimer
# PCCARD (PCMCIA) support
# PCMCIA and cardbus bridge support
#device cbb # cardbus (yenta) bridge
#device pccard # PC Card (16-bit) bus
#device cardbus # CardBus (32-bit) bus
# Serial (COM) ports
device sio # 8250, 16[45]50 based serial ports
# Parallel port
#device ppc
#device ppbus # Parallel port bus (required)
#device lpt # Printer
#device plip # TCP/IP over parallel
#device ppi # Parallel port interface device
#device vpo # Requires scbus and da
# If you've got a "dumb" serial or parallel PCI card that is
# supported by the puc(4) glue driver, uncomment the following
# line to enable it (connects to the sio and/or ppc drivers):
#device puc
# PCI Ethernet NICs.
#device de # DEC/Intel DC21x4x (``Tulip'')
#device em # Intel PRO/1000 adapter Gigabit Ethernet Card
#device ixgb # Intel PRO/10GbE Ethernet Card
#device txp # 3Com 3cR990 (``Typhoon'')
#device vx # 3Com 3c590, 3c595 (``Vortex'')
# PCI Ethernet NICs that use the common MII bus controller code.
# NOTE: Be sure to keep the 'device miibus' line in order to use these NICs!
device miibus # MII bus support
#device bfe # Broadcom BCM440x 10/100 Ethernet
#device bge # Broadcom BCM570xx Gigabit Ethernet
#device dc # DEC/Intel 21143 and various workalikes
#device fxp # Intel EtherExpress PRO/100B (82557, 82558)
#device lge # Level 1 LXT1001 gigabit ethernet
#device nge # NatSemi DP83820 gigabit ethernet
#device pcn # AMD Am79C97x PCI 10/100 (precedence over 'lnc')
#device re # RealTek 8139C+/8169/8169S/8110S
device rl # RealTek 8129/8139
#device sf # Adaptec AIC-6915 (``Starfire'')
#device sis # Silicon Integrated Systems SiS 900/SiS 7016
#device sk # SysKonnect SK-984x & SK-982x gigabit Ethernet
#device ste # Sundance ST201 (D-Link DFE-550TX)
#device ti # Alteon Networks Tigon I/II gigabit Ethernet
#device tl # Texas Instruments ThunderLAN
#device tx # SMC EtherPower II (83c170 ``EPIC'')
#device vge # VIA VT612x gigabit ethernet
#device vr # VIA Rhine, Rhine II
#device wb # Winbond W89C840F
#device xl # 3Com 3c90x (``Boomerang'', ``Cyclone'')
# ISA Ethernet NICs. pccard NICs included.
#device cs # Crystal Semiconductor CS89x0 NIC
# 'device ed' requires 'device miibus'
#device ed # NE[12]000, SMC Ultra, 3c503, DS8390 cards
#device ex # Intel EtherExpress Pro/10 and Pro/10+
#device ep # Etherlink III based cards
#device fe # Fujitsu MB8696x based cards
#device ie # EtherExpress 8/16, 3C507, StarLAN 10 etc.
#device lnc # NE2100, NE32-VL Lance Ethernet cards
#device sn # SMC's 9000 series of Ethernet chips
#device xe # Xircom pccard Ethernet
# ISA devices that use the old ISA shims
#device le
# Wireless NIC cards
#device wlan # 802.11 support
#device an # Aironet 4500/4800 802.11 wireless NICs.
#device awi # BayStack 660 and others
#device wi # WaveLAN/Intersil/Symbol 802.11 wireless NICs.
#device wl # Older non 802.11 Wavelan wireless NIC.
# Pseudo devices.
device loop # Network loopback
#device mem # Memory and kernel memory devices
#device io # I/O device
device random # Entropy device
device ether # Ethernet support
#device sl # Kernel SLIP
#device ppp # Kernel PPP
device tun # Packet tunnel.
device pty # Pseudo-ttys (telnet etc)
device md # Memory "disks"
device gif # IPv6 and IPv4 tunneling
#device faith # IPv6-to-IPv4 relaying (translation)
# The `bpf' device enables the Berkeley Packet Filter.
# Be aware of the administrative consequences of enabling this!
device bpf # Berkeley packet filter
# USB support
device uhci # UHCI PCI->USB interface
device ohci # OHCI PCI->USB interface
device usb # USB Bus (required)
#device udbp # USB Double Bulk Pipe devices
device ugen # Generic
device uhid # "Human Interface Devices"
device ukbd # Keyboard
device ulpt # Printer
device umass # Disks/Mass storage - Requires scbus and da
device ums # Mouse
#device urio # Diamond Rio 500 MP3 player
#device uscanner # Scanners
# USB Ethernet, requires mii
#device aue # ADMtek USB Ethernet
#device axe # ASIX Electronics USB Ethernet
#device cue # CATC USB Ethernet
#device kue # Kawasaki LSI USB Ethernet
#device rue # RealTek RTL8150 USB Ethernet
# FireWire support
#device firewire # FireWire bus code
#device sbp # SCSI over FireWire (Requires scbus and da)
#device fwe # Ethernet over FireWire (non-standard!)
diablo:/usr/src/sys/i386/conf>
I simply commented out the lines that failed in 5.2 since they were for 5.3
(ie, device io, device mem, and options ADAPTIVE_GIANT)
*** Interfaces:
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=8<VLAN_MTU>
inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
ether 00:00:21:f2:a5:47
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
rl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=8<VLAN_MTU>
inet 144.136.223.204 netmask 0xfffffc00 broadcast 255.255.255.255
ether 00:40:f4:90:1c:4b
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
inet 127.0.0.1 netmask 0xff000000
*** Firewall:
diablo:/home/diskiller# more /etc/firewall.diablo
########################################################################
### FIREWALL ###########################################################
########################################################################
# external if = rl1
# internal if = rl0
# internal net = 10.0.0.0/24
# EVIL SHIT
add deny log tcp from any to any 137,138,139 via rl1
add deny log udp from any to any 137,138,139 via rl1
# Allow your loop back to work
add allow all from any to any via lo0
# DHCP
add allow udp from any to any 67,68
# Prevent spoofing of your loopback
add deny log all from any to 127.0.0.0/8
add deny log all from 127.0.0.0/8 to any
# Stop spoofing of your internal network range
add deny log ip from 10.0.0.0/24 to any in via rl1
# Stop spoofing from inside your private ip range
add deny log ip from not 10.0.0.0/24 to any in via rl0
# Something from the bigpond network, and NEEDS to be here before below
# rules block it. It's a heartbeat, among other things? *confusing*
add allow ip from 10.64.28.1 to any in via rl1
# Stop private networks (RFC1918) from entering the outside interface.
add deny log ip from 192.168.0.0/16 to any in via rl1
add deny log ip from 172.16.0.0/12 to any in via rl1
add deny log ip from 10.0.0.0/8 to any in via rl1
add deny log ip from any to 192.168.0.0/16 in via rl1
add deny log ip from any to 172.16.0.0/12 in via rl1
add deny log ip from any to 10.0.0.0/8 in via rl1
# NATD
add divert natd all from any to any via rl1
# UDP
add allow udp from any to any
# Allow IPsec connections flow freely
#add allow esp from any to any
# Allow VPN data to flow free via rl2 (where my VPN to matt is over wireless)
#add allow ipencap from any to any via rl2
# Allow existing tcp connections open from inside my lan to keep working
add allow tcp from any to any established
# Allow internal lan machines to open connections to the gw/Internet
add allow tcp from 10.0.0.0/24 to any setup # my lan
#add allow tcp from 10.0.2.0/24 to any setup # wireless lan (+ homer)
#add allow tcp from 10.0.4.0/24 to any setup # matt's lan
# Allow gw to open connections to the Internet (tcp/udp/etc)
add allow ip from 144.136.0.0/16 to any setup out via rl1
# Allow some ICMP's
add allow icmp from any to any icmptypes 3,4,11,12,8,0
# Diablo services - Incoming connections allowed
add allow tcp from any to any 21 in via rl1 setup
add allow tcp from any to any 22 in via rl1 setup
add allow tcp from any to any 25 in via rl1 setup
add allow tcp from any to any 53 in via rl1 setup
add allow tcp from any to any 80 in via rl1 setup
#add allow tcp from any to any 110 in via rl1 setup
#add allow tcp from any to any 143 in via rl1 setup
add allow tcp from any to any 993 in via rl1 setup
add allow tcp from any to any 995 in via rl1 setup
#add allow tcp from any to any 3389 in via rl1 setup # RD
#add allow tcp from any to any 6667 in via rl1 setup # IRC server
#add allow tcp from 144.136.0.0/16 to any 5901 in via rl1 setup # VNC on diablo
#add allow tcp from 203.194.94.0/24 to any 5901 in via rl1 setup # VNC on diablo
#add allow tcp from any to any 6881 # Bit Torrent
#add allow tcp from any to any 6882 # Bit Torrent
#add allow tcp from any to any 6883 # Bit Torrent
#add allow tcp from any to any 6884 # Bit Torrent
#add allow tcp from any to any 6112 # SC/BW
# UT2003/UT2004
add allow tcp from any to any 7777 in via rl1 setup
add allow tcp from any to any 7778 in via rl1 setup
add allow tcp from any to any 7787 in via rl1 setup
add allow tcp from any to any 7788 in via rl1 setup
# Politely and quickly rejects AUTH requests (IRC!! #*()@$@#$)
add reset tcp from any to any 113 in via rl1
# Make the default 'deny' rule log too.
add 65500 deny log ip from any to any
diablo:/home/diskiller#
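Added example, not part of the original post: a tiny first-match simulator for the anti-spoofing subset of the ruleset above, showing why the 10.64.28.1 allow has to sit before the RFC1918 deny rules (the ruleset subset and the test packets are constructed from the post; only deny/allow, ip/all, from/to with CIDR or `any`/`not`, and `in|out via IF` are understood).

```python
import ipaddress
import re
# Constructed subset of the anti-spoofing rules from the post, in the posted order.
RULES = """
add deny log ip from 10.0.0.0/24 to any in via rl1
add deny log ip from not 10.0.0.0/24 to any in via rl0
add allow ip from 10.64.28.1 to any in via rl1
add deny log ip from 192.168.0.0/16 to any in via rl1
add deny log ip from 172.16.0.0/12 to any in via rl1
add deny log ip from 10.0.0.0/8 to any in via rl1
add 65500 deny log ip from any to any
""".strip().splitlines()

# Grammar understood: add [num] deny|allow [log] ip|all from [not] A to [not] B [in|out] [via IF]
RULE_RE = re.compile(
    r"add(?: \d+)? (deny|allow)(?: log)? (?:ip|all) from (not )?(\S+) to (not )?(\S+)"
    r"(?: (in|out))?(?: via (\S+))?$"
)

def parse(lines):
    """Rules as tuples (action, not_src, src, not_dst, dst, direction, iface); others skipped."""
    return [m.groups() for m in (RULE_RE.match(line.strip()) for line in lines) if m]

def _addr_matches(spec, negated, addr):
    hit = spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)
    return hit != bool(negated)

def classify(rules, src, dst, direction, iface):
    """First-match evaluation as ipfw does it: the first rule that fits decides."""
    for action, nsrc, sspec, ndst, dspec, dirn, via in rules:
        if not _addr_matches(sspec, nsrc, src) or not _addr_matches(dspec, ndst, dst):
            continue
        if (dirn and dirn != direction) or (via and via != iface):
            continue
        return action
    return "deny"  # unreachable here: rule 65500 catches everything

def demo():
    """Returns ('allow', 'deny', 'deny', 'deny') for the constructed packets below."""
    rules = parse(RULES)
    # Bigpond heartbeat host: allowed only because its rule precedes the 10/8 deny.
    bigpond = classify(rules, "10.64.28.1", "144.136.223.204", "in", "rl1")
    # Same packet with that allow moved below the RFC1918 denies: now dropped.
    moved = rules[:2] + rules[3:6] + [rules[2]] + rules[6:]
    bigpond_late = classify(moved, "10.64.28.1", "144.136.223.204", "in", "rl1")
    # A packet claiming a LAN source but arriving on the outside interface is spoofed.
    spoof = classify(rules, "10.0.0.5", "144.136.223.204", "in", "rl1")
    # A non-LAN source on the inside interface is caught by the "not 10.0.0.0/24" rule.
    inside_bad = classify(rules, "192.168.1.9", "1.2.3.4", "in", "rl0")
    return bigpond, bigpond_late, spoof, inside_bad
```

Call `demo()` to replay the four packets; swapping the order of the allow and the 10/8 deny is what turns the heartbeat host from allowed into logged-and-dropped.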
I really hope someone can figure this one out...
Thanks,
Martin.
--
diskiller@diskiller.net | www.diskiller.net | irc.diskiller.net
(No trees were destroyed in the sending of this message. However, a
large number of electrons were significantly inconvenienced.)
------ End of Forwarded Message
At 12:28 PM 11/02/2005, Martin Minkus wrote:
>Is there some coincidence that rl1 is at irq 11 and is the card that has
>problems?
>
>diablo:/usr/src# dmesg |grep 11
>Timecounter "i8254" frequency 1193182 Hz quality 0
>pci_cfgintr: 0:11 INTA BIOS irq 11
>pci_cfgintr: 0:7 INTD routed to irq 11
>rl1: <RealTek 8139 10/100BaseTX> port 0xe800-0xe8ff mem
>0xd7001000-0xd70010ff irq 11 at device 11.0 on pci0
>diablo:/usr/src#
Hi,
There were a couple of postings about the Realtek cards having "slowness" problems and such. Did you try the patch that was posted?
Index: if_rl.c ==================================================================RCS file: /usr/store/mlaier/fcvs/src/sys/pci/if_rl.c,v retrieving revision 1.145 diff -u -r1.145 if_rl.c --- if_rl.c 9 Aug 2004 20:22:17 -0000 1.145 +++ if_rl.c 30 Jan 2005 18:24:23 -0000 @@ -964,7 +964,7 @@ #endif ifp->if_capenable = ifp->if_capabilities; IFQ_SET_MAXLEN(&ifp->if_snd, IFQ_MAXLEN); - ifp->if_snd.ifq_drv_maxlen = IFQ_MAXLEN; + ifp->if_snd.ifq_drv_maxlen = 0; IFQ_SET_READY(&ifp->if_snd); callout_handle_init(&sc->rl_stat_ch);
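Review bot: the bare `0` assigned to `ifp->if_snd.ifq_drv_maxlen` in the single hunk needs a comment stating the intent, because a reader cannot tell whether driver-side queueing is being switched off deliberately as a workaround for the reported stalls or whether the value is a placeholder; suggest something like `ifp->if_snd.ifq_drv_maxlen = 0; /* no driver-side send queue on rl(4): see mailing-list thread */` so the next person touching attach code does not restore `IFQ_MAXLEN` as an obvious "fix". Two further points for the person applying it: the diff is against if_rl.c revision 1.145 (9 Aug 2004), so it should be applied to a tree at or near that revision rather than pasted into an arbitrary 5.3 checkout, and since the reply frames the earlier reports as "slowness" while this thread is about rl1 stopping for one to two minutes, the result should be reported back either way so the two symptoms can be tied together or kept apart.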