[Shorewall-users] Shorewall response time slowing

OK, here is all the information the website said I should include first:

[root@residents root]# shorewall version
1.4.8
[root@residents root]# ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:0c:41:e5:4a:78 brd ff:ff:ff:ff:ff:ff
    inet 10.10.10.1/16 brd 10.10.255.255 scope global eth0
    inet 10.10.10.2/16 brd 10.10.255.255 scope global secondary eth0:0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:0c:41:1c:95:10 brd ff:ff:ff:ff:ff:ff
    inet 208.62.144.195/27 brd 208.62.144.223 scope global eth1
    inet 208.62.144.196/27 brd 208.62.144.223 scope global secondary eth1:0
    inet 208.62.144.197/27 brd 208.62.144.223 scope global secondary eth1:1
    inet 208.62.144.198/27 brd 208.62.144.223 scope global secondary eth1:2
[root@residents root]# ip route show
208.62.144.192/27 dev eth1  scope link
10.10.0.0/16 dev eth0  scope link
127.0.0.0/8 dev lo  scope link
default via 208.62.144.193 dev eth1
[root@residents root]#

So here is the problem. I am managing a network with about 400 college
students on the system (an apartment complex). There are two interfaces on
it, one external and one internal. We switched from a PIX to the Linux box so
we could have more control of the network, which has worked out great until
now. I am using the server with Shorewall to masquerade the internet
connection, and I have a few statics set up also. We recently had a move-in,
and so the system is under full load. It was running stable for almost 6
months without a problem. Now, after about 8-12 hours of running, the internet
connection becomes very slow (DS3 connection). I try restarting the network
service and Shorewall and it still runs slow, but as soon as I restart the
computer, it starts working normally again. This seems to be a continuous
loop.
It has done it 3 times already, and I have a lot of pissed-off college
students who just started class with no internet connection. Could the
broadcasts from things such as viruses just be causing too many network
collisions? If so, why would it work fine after a restart? Are just the two
interfaces enough? The PIX seemed to work fine with the two interfaces; it
just had no control. Any ideas would be great. Anyone that has run into this
before, please let me know. I have to try and get this fixed ASAP. I can post
any other config files if needed. Thanks for all the help.

David Shepherd
David Shepherd wrote:
| Any ideas would be great. Anyone
| that has run into this before, please let me know. I have to try and
| get this fixed ASAP. I can post any other config files if needed.

This has virtually no chance of being a Shorewall problem -- you would
probably be better served to post on the Linux Net list or the Netfilter
list.

I suspect that you are running out of some resource -- memory,
connection tracking entries, ...

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Thanks for your fast response. I don't believe it is memory because
I've monitored the resources and we have a gig of memory. I will be
sure to try to post on a Net forum. Thanks.

Dave
David Shepherd wrote:
| Thanks for your fast response. I don't believe it is memory because
| I've monitored the resources and we have a gig of memory.

I was thinking more of resources in /proc/slabinfo....

-Tom
Sounds like you might be running out of file handles; try increasing the
default limit to a higher value.

On Mon, 2004-08-23 at 22:38, David Shepherd wrote:
> Thanks for your fast response. I don't believe it is memory because
> I've monitored the resources and we have a gig of memory.
File handles? Not sure what you mean. I'm pretty new to Linux, but Tom
did help me! I found that in /proc/slabinfo, ip_conntrack is my
problem. The viruses are just filling it VERY VERY fast, and there is no
way to clean all 400 computers that we don't own. So I increased the
limit in ip_conntrack_max. I have plenty of RAM; I just don't know
what a safe max is, but if I decrease it to 5000 or lower, I can't even
ping out but like every 10th ping, and the higher I increase it, the
better the server runs. Can I just turn the tracking off? Well, I'd better
post this on a different forum. Tom, thanks.

David

Nick Sklav wrote:
> Sounds like you might be running out of file handles; try increasing the
> default limit to a higher value.
David Shepherd wrote:
> So I increased the limit in ip_conntrack_max. I have plenty of RAM; I
> just don't know what a safe max is, but if I decrease it to 5000 or
> lower, I can't even ping out but like every 10th ping, and the higher I
> increase it, the better the server runs. Can I just turn the tracking
> off?

If you turn off conntrack, lots of important things will break. Not
recommended. If you have enough RAM, just keep upping the connection
limits.
--
Paul Gear, Manager IT Operations, Redlands College
38 Anson Road, Wellington Point 4160, Australia
Paul Gear wrote:
| David Shepherd wrote:
|> Can I just turn the tracking off?
|
| If you turn off conntrack, lots of important things will break. Not
| recommended. If you have enough RAM, just keep upping the connection
| limits.

One of the important things that will break is Shorewall -- you can't
run Shorewall without connection tracking.

-Tom
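The symptom in this thread (pings get through only now and then, and only a reboot clears it) is what a full connection-tracking table looks like: every new flow needs a free slot, so once the table is full, new packets are dropped until an old entry expires, and on a 2.4 kernel the log fills with "ip_conntrack: table full, dropping packet". The script below is an added example written for this page, not code from the thread or from Shorewall. It reads the conntrack slab cache out of /proc/slabinfo (active entries and bytes per entry), compares it with the configured maximum, and works out how many entries a given RAM budget can hold and how long the hash chains get. It is demonstrated on two constructed /proc/slabinfo excerpts, one in the 2.4 layout and one in the 2.6+ layout, so it covers both the ip_conntrack cache of the poster's kernel and the nf_conntrack cache of current kernels. The sample numbers, the 8192-bucket hash size (which, as I recall, is the 2.4 default for a 1 GB machine, giving a 65536-entry maximum) and the 70%/90% thresholds are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): measure ip_conntrack table
# pressure from /proc/slabinfo and size the table against a RAM budget.
# Columns 1-4 (name, active objects, total objects, object size in bytes)
# are the same in the 2.4 "version: 1.1" and the 2.6+ "version: 2.1" layouts,
# so one parser serves both; only the cache name changed (ip_conntrack ->
# nf_conntrack).

# Constructed sample in the 2.4 layout, with a table that is almost full.
SAMPLE_SLABINFO_24='slabinfo - version: 1.1
kmem_cache            60     68    244    4    4    1
ip_conntrack       64950  65040    352   60   60    4
tcp_tw_bucket        512   1020    128   34   34    1'

# Constructed sample in the 2.6+ layout, with a lightly loaded table.
SAMPLE_SLABINFO_26='slabinfo - version: 2.1
# name            <active_objs> <num_objs> <objsize> <objperslab> <pagesperslab> : tunables <limit> <batchcount> <sharedfactor> : slabdata <active_slabs> <num_slabs> <sharedavail>
nf_conntrack        3200   4080    320   12    1 : tunables    0    0    0 : slabdata    340    340      0'

# conntrack_slab_name SLABINFO -> which conntrack cache this kernel has
conntrack_slab_name() {
    printf '%s\n' "$1" | awk '$1 == "ip_conntrack" || $1 == "nf_conntrack" { print $1; exit }'
}

# slab_field SLABINFO NAME COLUMN -> numeric column COLUMN of cache NAME
slab_field() {
    printf '%s\n' "$1" | awk -v name="$2" -v col="$3" '$1 == name { print $col; exit }'
}

# conntrack_usage_pct ACTIVE MAX -> whole-number percent of the table in use
conntrack_usage_pct() {
    echo $(( $1 * 100 / $2 ))
}

# entries_for_budget BUDGET_BYTES OBJSIZE -> entries that fit in a RAM budget
entries_for_budget() {
    echo $(( $1 / $2 ))
}

# chain_length MAX HASHSIZE -> average entries per hash bucket. Raising
# ip_conntrack_max without raising hashsize (a module parameter on 2.4,
# fixed at module load) makes every lookup walk a longer chain, which is
# its own slowdown.
chain_length() {
    echo $(( $1 / $2 ))
}

# conntrack_report SLABINFO MAX HASHSIZE -> one-line verdict
conntrack_report() {
    name=$(conntrack_slab_name "$1")
    [ -n "$name" ] || { echo "NOCACHE conntrack slab not present"; return 1; }
    active=$(slab_field "$1" "$name" 2)
    objsize=$(slab_field "$1" "$name" 4)
    pct=$(conntrack_usage_pct "$active" "$2")
    table_bytes=$(( $2 * objsize ))
    chain=$(chain_length "$2" "$3")
    if [ "$pct" -ge 90 ]; then verdict=FULL
    elif [ "$pct" -ge 70 ]; then verdict=HIGH
    else verdict=OK
    fi
    echo "$verdict cache=$name active=$active max=$2 usage=${pct}% bytes_at_max=$table_bytes avg_chain=$chain"
}

# Live use on a 2.4 firewall (8192 is the hash size I recall the kernel
# picking for 1 GB of RAM; pass your own modprobe hashsize= value if set):
#   conntrack_report "$(cat /proc/slabinfo)" "$(cat /proc/sys/net/ipv4/ip_conntrack_max)" 8192
# On 2.6+ kernels the maximum is /proc/sys/net/netfilter/nf_conntrack_max and
# the hash size is /sys/module/nf_conntrack/parameters/hashsize.
```

Two points the report makes concrete. First, the "safe max" question is a RAM question: bytes_at_max is what the table costs if every slot fills, so with the 352-byte entries of the sample a 256 MB budget holds about 760,000 entries, far more than the default. Second, the chain length is why simply raising the maximum has diminishing returns: on 2.4 the hash size is set when the module loads, so a maximum of 500,000 over 8192 buckets means about 60 entries per bucket on every lookup. The other half of the fix is finding the hosts that fill the table; /proc/net/ip_conntrack lists one flow per line with two src= tuples (original and reply direction), so `grep -o 'src=[0-9.]*' /proc/net/ip_conntrack | awk 'NR % 2' | sort | uniq -c | sort -rn | head` ranks the originating addresses, which on this network will be the infected machines.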
[Shorewall-users] about bridge

Hi!

One question.

I have one firewall with 4 NICs.

2 NICs are connected to 2 different ISPs at layer 2, to interconnect remote
and local.

Is a bridge an option, or two different networks?

How to make a bridge in this case, or are two networks better?
Rodrigo Cortes Cano wrote:
| I have one firewall with 4 NICs.
|
| 2 NICs are connected to 2 different ISPs at layer 2, to interconnect
| remote and local.
|
| Is a bridge an option, or two different networks?
|
| How to make a bridge in this case, or are two networks better?

You must use two networks.

-Tom
Tom Eastep wrote:
| You must use two networks.

Although if I understand your question correctly, you can do something
like this:

                        ---eth3
eth0 - ISP1___________bridge/
eth1 - ISP2                 \
                        ---eth4

-Tom
Tom Eastep wrote:
| Although if I understand your question correctly, you can do something
| like this:
|
|                         ---eth3
| eth0 - ISP1___________bridge/
| eth1 - ISP2                 \
|                         ---eth4

In other words, bridge eth3 and eth4 and route the bridged network to
eth0/eth1.

-Tom
Hi :)

More simply:

                        ---eth3
eth0 - ISP1___________bridge/
eth1 - ISP2                 \
                        ---eth4

eth0 is WAN and eth1 is LAN.
eth3 and eth4 are an extended LAN, but with a different ISP.

Two networks is simpler, but is a bridge possible, and if so, how?

Tom Eastep wrote:
> In other words, bridge eth3 and eth4 and route the bridged network to
> eth0/eth1.
Rodrigo Cortes Cano wrote:
| eth0 is WAN and eth1 is LAN.
| eth3 and eth4 are an extended LAN, but with a different ISP.
|
| Two networks is simpler, but is a bridge possible, and if so, how?

You *cannot* bridge two different networks -- you must use routing.

-Tom
eth3 and eth4 are layer 2; the same network is possible.

Tom Eastep wrote:
> You *cannot* bridge two different networks -- you must use routing.
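The layout Tom sketches above, as an added example that is not part of the thread and not Shorewall's own code: eth3 and eth4 become one layer-2 segment (br0), which is the only thing that can be bridged here, and that segment is then routed, not bridged, to the two ISP uplinks on eth0 and eth1, with a routing table per ISP so that traffic carrying an ISP's address leaves through that ISP. Interface names follow the thread; every address, gateway and table number is an assumption for illustration, as is the brctl/bridge-utils tooling of the period (current kernels use "ip link add br0 type bridge" and "ip link set eth3 master br0"). Shorewall then treats br0 as an ordinary interface in /etc/shorewall/interfaces; sharing LAN traffic across both ISPs is a further step not shown here.

```shell
#!/bin/sh
# Added example, not from the original thread: make eth3 and eth4 one layer-2
# segment (br0) and route that segment out through the two ISP uplinks on
# eth0 and eth1 with policy routing. Interface names follow the thread; every
# address, gateway and routing-table number is an assumption for illustration.
# Needs root and bridge-utils (brctl) to apply.
#
#   sh bridge-two-isps.sh show   -> print the commands (dry run)
#   sh bridge-two-isps.sh apply  -> run them

DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# make_bridge BRIDGE ADDR/PREFIX PORT... : the ports carry no IP of their own;
# the firewall's single address for the segment sits on the bridge device.
make_bridge() {
    br=$1; addr=$2; shift 2
    run brctl addbr "$br"
    for port in "$@"; do
        run ip addr flush dev "$port"
        run brctl addif "$br" "$port"
        run ip link set "$port" up
    done
    run ip addr add "$addr" dev "$br"
    run ip link set "$br" up
}

# uplink TABLE IFACE LOCAL_ADDR GATEWAY : one routing table per ISP whose
# default route is that ISP's gateway, selected for packets that carry the
# address this ISP assigned us. Replies to traffic that arrived on ISP2 thus
# leave via ISP2 instead of the main-table default, which an ISP that filters
# on source address would otherwise drop.
uplink() {
    run ip route add default via "$4" dev "$2" table "$1"
    run ip rule add from "$3" table "$1"
}

main() {
    make_bridge br0 10.0.0.1/24 eth3 eth4                # assumed LAN block
    run ip addr add 203.0.113.10/24 dev eth0             # assumed ISP1 address
    run ip addr add 198.51.100.10/24 dev eth1            # assumed ISP2 address
    uplink 100 eth0 203.0.113.10 203.0.113.1
    uplink 200 eth1 198.51.100.10 198.51.100.1
    run ip route add default via 203.0.113.1 dev eth0    # main table: ISP1 is primary
    run ip route flush cache
}

case "${1:-}" in
    apply) DRY_RUN=0; main ;;
    show)  main ;;
esac
```

Why this is routing and not bridging across ISPs: br0 owns one IP network (10.0.0.0/24 in the example), and the uplinks own two others; the firewall forwards between them as a router, which is exactly what lets Shorewall put the LAN and the two ISPs in separate zones. Attempting to put eth0 or eth1 into the same bridge would merge the ISP's layer-2 domain with the LAN, which is the "cannot bridge two different networks" case Tom rules out.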