> About 2 minutes later, after applying this rule set, the system writes that bge1
> watchdog timeout --- resetting and then the system hangs, the keyboard doesn't
> respond. No logs can be observed.
>
> When I remove all skipto and checkstate rules, the system works properly
> without problems. I suspect the stateful inspection code.

Just to add a "me too" message to this thread, I also experienced system freezes (keyboard not working => hardware reset necessary) with in-kernel NAT and stateful rules. I had a repeatable case on a production server and hoped to replicate the bug on a different machine, as the production server needed to go into, well, production; however, thanks to the complex setup of the original machine (in-kernel NAT, vlans, openvpn...), lack of time and virtual environment, the test scenario failed to produce a sensible bug report and I gave up until I saw the OP reporting the same issue.

Here is the rule that after a short while (probably the first packet to match the rule) freezes the machine:

    ipfw 00003 nat 123 log ip from x.x.x.0/24 to a.b.c.0/24,a.b.d.0/24,a.b.e.0/24 out # keep-state here causes freeze
    ... further down the chain...
    ipfw

I know this is far from a good bug report, but the stateful inspection code/in-kernel NAT mix might be worth looking into.

_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "[email protected]"
