Re: Network slowdowns...

2002-03-24 Thread Crist J. Clark

On Sun, Mar 24, 2002 at 10:39:17AM +, Jonathan Belson wrote:
> Jonathan Belson wrote:
> > Hiya
> > 
> > 
> > I've recently been experiencing slowdowns on my server's outgoing
> > network port, which occur after half a day to a day after the last
> > reboot.
> 
> After trying a few things that were suggested to me, I realised
> what the problem was.  Without the DEFAULT_TO_ACCEPT option my
> DHCP client couldn't re-lease the IP from my ISP's DHCP servers
> and presumably ended up using an invalid IP..
> 
> I've added the following firewall rules:
> 
>  # DHCP
>  ${fwcmd} add pass tcp from any to ${oip} 67 setup
>  ${fwcmd} add pass udp from any to ${oip} 67
>  ${fwcmd} add pass udp from ${oip} 67 to any
>  ${fwcmd} add pass tcp from any to ${oip} 68 setup
>  ${fwcmd} add pass udp from any to ${oip} 68
>  ${fwcmd} add pass udp from ${oip} 68 to any
> 
> and removed the line
> 
>  ${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}

You can be a little more specific about it if you want. First, DHCP
never uses TCP even though those ports are reserved. Second, ports 67
and 68 are always the source and destination and vice-versa. Also, you
may know the range of IPs in which your DHCP server lives. I used to
use the following rules in my rc.firewall. The "external" rules really
mean this machine is a DHCP client, and the "internal" rules were for
the machine acting as a DHCP server for the internal NAT'ed
network (it is assumed that UDP from $iip to valid internal addresses
is freely passed elsewhere in the rules). To use these, for any
interface that is being configured via DHCP, you must also set,

  dhcps_if0="192.0.2.0/24"
  dhcpc_if0="192.0.2.0/24"

Where the first is the IP range for the server for interface if0, and
the second is the valid range of client IPs that may be addressed to
if0. If you don't have any idea what a value might be, use "any".
Obviously, any valid IP address or network format can be used for
either.


# Let external DHCP work
for dhclient_interface in ${network_interfaces}; do
  eval ifconfig_args=\$ifconfig_${dhclient_interface}
  case ${ifconfig_args} in
  [Dd][Hh][Cc][Pp])
    eval dhcpc_range=\$dhcpc_${dhclient_interface}
    eval dhcps_range=\$dhcps_${dhclient_interface}
    # Unicast renewals once the client already holds a lease
    $fwcmd add pass udp from ${dhcpc_range} 68 to ${dhcps_range} 67 out via ${dhclient_interface}
    $fwcmd add pass udp from ${dhcps_range} 67 to ${dhcpc_range} 68 in  via ${dhclient_interface}
    # Broadcast DISCOVER/REQUEST from an unconfigured client (source 0.0.0.0)
    # and the server's broadcast OFFER/ACK back to it
    $fwcmd add pass udp from 0.0.0.0 68 to 255.255.255.255 67 out via ${dhclient_interface}
    $fwcmd add pass udp from ${dhcps_range} 67 to 255.255.255.255 68 in  via ${dhclient_interface}
    ;;
  esac
done


# Let internal DHCP work
if [ "$dhcpd_interface" ]; then
  $fwcmd add pass udp from 0.0.0.0 68 to 255.255.255.255 67 in  via ${dhcpd_interface}
  $fwcmd add pass udp from ${iip}  67 to 255.255.255.255 68 out via ${dhcpd_interface}
fi

-- 
Crist J. Clark
http://people.freebsd.org/~cjc/


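An added example, not code from either message in this thread: a small Python model of ipfw's first-match evaluation over the four DHCP-client pass rules above, together with the "deny all from 0.0.0.0/8" anti-spoof rule Jonathan removed, run against constructed packets for the DHCP flows. The interface name xl0, the 192.0.2.0/24 server and client ranges, and every packet address are assumptions made for the demo. It shows that the tightened rules pass DISCOVER, OFFER, a unicast renewal and its ACK, drop an offer from a server outside the configured range and anything to port 67/68 over TCP, and that the anti-spoof deny can stay in the rule set as long as it comes after the DHCP pass rules, since ipfw stops at the first matching rule.

```python
# Added example, not code from the thread. It models ipfw's first-match
# evaluation over the DHCP-client rules Crist posted, so the rules can be
# checked against constructed packets without a FreeBSD box. The interface
# name, address ranges and packet addresses below are assumptions for the demo.
import ipaddress
from dataclasses import dataclass
from typing import Optional

IFACE = "xl0"                  # assumed: the external interface from the thread
DHCPS_RANGE = "192.0.2.0/24"   # assumed: where the ISP's DHCP servers live
DHCPC_RANGE = "192.0.2.0/24"   # assumed: client addresses the ISP hands out


@dataclass(frozen=True)
class Rule:
    action: str             # "pass" or "deny"
    proto: str              # "udp", "tcp" or "all"
    src: str                # address, CIDR network or "any"
    sport: Optional[int]    # None matches any port
    dst: str
    dport: Optional[int]
    direction: str          # "in", "out" or "any"
    iface: str


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    direction: str
    iface: str


def dhcp_client_rules(iface, dhcps_range, dhcpc_range):
    """The four pass rules from the posted rc.firewall loop, as data."""
    return [
        Rule("pass", "udp", dhcpc_range, 68, dhcps_range, 67, "out", iface),       # unicast renew
        Rule("pass", "udp", dhcps_range, 67, dhcpc_range, 68, "in", iface),        # unicast ACK
        Rule("pass", "udp", "0.0.0.0", 68, "255.255.255.255", 67, "out", iface),   # broadcast DISCOVER/REQUEST
        Rule("pass", "udp", dhcps_range, 67, "255.255.255.255", 68, "in", iface),  # broadcast OFFER/ACK
    ]


# The anti-spoof rule Jonathan removed; it can stay if it follows the pass rules.
ANTISPOOF = Rule("deny", "all", "0.0.0.0/8", None, "any", None, "any", IFACE)


def ipfw_text(rule):
    """Render a Rule the way it would appear in rc.firewall (without ${fwcmd})."""
    def port(p): return "" if p is None else f" {p}"
    dirn = "" if rule.direction == "any" else f" {rule.direction}"
    return (f"add {rule.action} {rule.proto} from {rule.src}{port(rule.sport)} "
            f"to {rule.dst}{port(rule.dport)}{dirn} via {rule.iface}")


def _addr_matches(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def _matches(rule, pkt):
    return (rule.proto in ("all", pkt.proto)
            and rule.direction in ("any", pkt.direction)
            and rule.iface == pkt.iface
            and rule.sport in (None, pkt.sport)
            and rule.dport in (None, pkt.dport)
            and _addr_matches(rule.src, pkt.src)
            and _addr_matches(rule.dst, pkt.dst))


def decide(rules, pkt):
    """First-match evaluation; no match falls through to the kernel's default deny."""
    for rule in rules:
        if _matches(rule, pkt):
            return rule.action
    return "deny"


# Constructed packets: the four DHCP flows plus two that must not get through.
DISCOVER = Packet("udp", "0.0.0.0", 68, "255.255.255.255", 67, "out", IFACE)
OFFER    = Packet("udp", "192.0.2.1", 67, "255.255.255.255", 68, "in", IFACE)
RENEW    = Packet("udp", "192.0.2.121", 68, "192.0.2.1", 67, "out", IFACE)
ACK      = Packet("udp", "192.0.2.1", 67, "192.0.2.121", 68, "in", IFACE)
ROGUE    = Packet("udp", "198.51.100.5", 67, "255.255.255.255", 68, "in", IFACE)  # server outside dhcps range
TCP67    = Packet("tcp", "192.0.2.1", 67, "192.0.2.121", 68, "in", IFACE)         # DHCP never uses TCP

GOOD_ORDER = dhcp_client_rules(IFACE, DHCPS_RANGE, DHCPC_RANGE) + [ANTISPOOF]
BAD_ORDER  = [ANTISPOOF] + dhcp_client_rules(IFACE, DHCPS_RANGE, DHCPC_RANGE)

if __name__ == "__main__":
    for r in GOOD_ORDER:
        print(ipfw_text(r))
    for name, p in [("DISCOVER", DISCOVER), ("OFFER", OFFER), ("RENEW", RENEW),
                    ("ACK", ACK), ("ROGUE", ROGUE), ("TCP67", TCP67)]:
        print(f"{name:9} pass rules first: {decide(GOOD_ORDER, p):5} deny first: {decide(BAD_ORDER, p)}")
```

Only the broadcast DISCOVER (source 0.0.0.0) is affected by where the 0.0.0.0/8 deny sits; the other three flows carry real addresses and pass either way. The model ignores ipfw details such as rule numbers, `setup`/`keep-state` and the `me` keyword, and is only meant to check the address, port, protocol and direction logic of the rules.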


Network slowdowns...

2002-03-23 Thread Jonathan Belson

Hiya


I've recently been experiencing slowdowns on my server's outgoing
network port, which occur after half a day to a day after the last
reboot.

To briefly summarise:

I have an old K6-2 300 acting as a gateway and firewall between
my internal network and my DSL connection.  It was working fine
until a few days ago when I upgraded the harddrive to a 60GB
120GXP, upgraded to the latest -stable, and switched off the
DEFAULT_TO_ACCEPT firewall option.

Everything is fine until the system starts to play up, at which
point traffic through the server->DSL box starts to become
really slow - when ssh-ing in from a remote machine, characters
can take several seconds to appear - all other services are
affected in the same way.  There don't seem to be any clues in
the log files, either.

Internal networking (fxp0) always works fine, and rebooting always
fixes the problem.


Here is the dmesg:

Copyright (c) 1992-2002 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
The Regents of the University of California. All rights reserved.
FreeBSD 4.5-STABLE #1: Thu Mar 21 12:13:11 GMT 2002
 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/DOOKIE
Timecounter "i8254"  frequency 1193182 Hz
Timecounter "TSC"  frequency 298816447 Hz
CPU: AMD-K6(tm) 3D processor (298.82-MHz 586-class CPU)
   Origin = "AuthenticAMD"  Id = 0x580  Stepping = 0
   Features=0x8001bf
   AMD Features=0x8800
real memory  = 67108864 (65536K bytes)
avail memory = 62230528 (60772K bytes)
Preloaded elf kernel "kernel" at 0xc0315000.
md0: Malloc disk
Using $PIR table, 5 entries at 0xc00fdae0
npx0:  on motherboard
npx0: INT 16 interface
pcib0:  on motherboard
pci0:  on pcib0
pcib1:  at device 1.0 
on pci0
pci1:  on pcib1
pci1: <3Dfx Voodoo 3 graphics accelerator> at 0.0 irq 11
isab0:  at device 7.0 on pci0
isa0:  on isab0
atapci0:  port 0xc000-0xc00f at device 7.1 
on pci0
ata0: at 0x1f0 irq 14 on atapci0
ata1: at 0x170 irq 15 on atapci0
chip1:  at device 7.3 on pci0
fxp0:  port 0xc400-0xc41f mem 
0xed00-0xed0f,0xed12-0xed120fff irq 10 at device 9.0 on pci0
fxp0: Ethernet address 00:a0:c9:4b:f8:33
inphy0:  on miibus0
inphy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
xl0: <3Com 3c905-TX Fast Etherlink XL> port 0xc800-0xc83f irq 9 at 
device 10.0 on pci0
xl0: Ethernet address: 00:60:08:4f:f6:f8
miibus1:  on xl0
nsphy0:  on miibus1
nsphy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
atapci1:  port 
0xdc00-0xdc3f,0xd800-0xd803,0xd400-0xd407,0xd000-0xd003,0xcc00-0xcc07 
mem 0xed10-0xed11 irq 12 at device 11.0 on pci0
ata2: at 0xcc00 on atapci1
ata3: at 0xd400 on atapci1
orm0:  at iomem 0xc-0xc7fff,0xc8000-0xc97ff on isa0
fdc0:  at port 0x3f0-0x3f5,0x3f7 irq 6 drq 2 on isa0
fdc0: FIFO enabled, 8 bytes threshold
atkbdc0:  at port 0x60,0x64 on isa0
atkbd0:  flags 0x1 irq 1 on atkbdc0
vga0:  at port 0x3c0-0x3df iomem 0xa-0xb on isa0
sc0:  at flags 0x100 on isa0
sc0: VGA <16 virtual consoles, flags=0x300>
IP packet filtering initialized, divert enabled, rule-based forwarding 
enabled, default to deny, logging limited to 10 packets/entry by default
IP Filter: v3.4.20 initialized.  Default = pass all, Logging = disabled
ad4: 58644MB  [119150/16/63] at ata2-master UDMA66
acd0: MODE_SENSE_BIG command timeout - resetting
ata1: resetting devices .. done
acd0: MODE_SENSE_BIG DONEDRQ
acd0: MODE_SENSE_BIG - ABORTED COMMAND asc=0x4e ascq=0x00 error=0x00
acd0: MODE_SENSE_BIG command timeout - resetting
ata1: resetting devices .. done
acd0: MODE_SENSE_BIG DONEDRQ
acd0: MODE_SENSE_BIG - ABORTED COMMAND asc=0x4e ascq=0x00 error=0x00
acd0: MODE_SENSE_BIG command timeout - resetting
ata1: resetting devices .. done
acd0: MODE_SENSE_BIG DONEDRQ
acd0: MODE_SENSE_BIG - ABORTED COMMAND asc=0x4e ascq=0x00 error=0x00
acd0: MODE_SENSE_BIG command timeout - resetting
ata1: resetting devices .. done
acd0: MODE_SENSE_BIG DONEDRQ
acd0: MODE_SENSE_BIG - ABORTED COMMAND asc=0x4e ascq=0x00 error=0x00
acd0: MODE_SENSE_BIG command timeout - resetting
ata1: resetting devices .. done
acd0: MODE_SENSE_BIG DONEDRQ
acd0: MODE_SENSE_BIG - ABORTED COMMAND asc=0x4e ascq=0x00 error=0x00
acd0: CDROM  at ata1-master PIO3
Mounting root from ufs:/dev/ad4s1a


I've always had the "MODE_SENSE_BIG - ABORTED COMMAND" bits; the
harddrive is on a PCI ATA66 card.

Here are the relevant bits of my firewall script (IPs changed to
protect the guilty 8^)


[Ss][Ii][Mm][Pp][Ll][Ee])

# This is a prototype setup for a simple firewall.  Configure this
# machine as a named server and ntp server, and point all the machines
# on the inside at this machine for those services.


# set these to your outside interface network and netmask and ip
oif="xl0"
onet="213.105.71.0"
#onet="192.0.2.0"
omask="255.255.255.0"
oip="213.105.71.121"
#oip="192.0.2.1"

# set these to your inside interface network and net