Here I have some more information about this crazy problem.
* If the LEAF box is in the "not working" state, ping didn't work (no output)
/var/log/messages
Tons of:
Aug 10 06:44:38 firewall kernel: Packet log: input DENY eth0 PROTO=17 10.195.80.1:67 255.255.255.255:68 L=416 S=0x00 I=28122 F=0x0000 T=255 (#8)
Aug 10 06:44:38 firewall kernel: Packet log: input DENY eth0 PROTO=17 10.195.80.1:67 255.255.255.255:68 L=416 S=0x00 I=28125 F=0x0000 T=255 (#8)
Sometimes
Aug 10 14:35:44 firewall kernel: Packet log: input DENY eth0 PROTO=6 217.162.34.242:1884 217.162.76.115:80 L=48 S=0x00 I=12303 F=0x4000 T=124 SYN (#40)
Last few lines:
Aug 10 14:38:03 firewall kernel: Packet log: input DENY eth0 PROTO=17 10.195.80.1:67 255.255.255.255:68 L=346 S=0x00 I=44574 F=0x0000 T=255 (#8)
Aug 10 14:38:08 firewall kernel: Packet log: input DENY eth0 PROTO=17 10.195.80.1:67 255.255.255.255:68 L=346 S=0x00 I=44577 F=0x0000 T=255 (#8)
Aug 10 14:38:17 firewall kernel: Packet log: input DENY eth0 PROTO=17 10.195.80.1:67 255.255.255.255:68 L=346 S=0x00 I=44582 F=0x0000 T=255 (#8)
Aug 10 14:38:33 firewall kernel: Packet log: input DENY eth0 PROTO=6 217.162.34.242:2867 217.162.76.115:80 L=48 S=0x00 I=47209 F=0x4000 T=124 SYN (#40)
Aug 10 14:38:33 firewall kernel: Packet log: input DENY eth0 PROTO=17 10.195.80.1:67 255.255.255.255:68 L=346 S=0x00 I=44592 F=0x0000 T=255 (#8)
Aug 10 14:38:35 firewall kernel: Packet log: input DENY eth0 PROTO=6 217.162.34.242:2867 217.162.76.115:80 L=48 S=0x00 I=47898 F=0x4000 T=124 SYN (#40)
ip addr show
1: lo: <LOOPBACK,UP> mtu 3924 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 brd 127.255.255.255 scope global lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:e0:4c:01:a2:86 brd ff:ff:ff:ff:ff:ff
inet 217.162.76.115/22 brd 255.255.255.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:e0:4c:01:95:fd brd ff:ff:ff:ff:ff:ff
inet 192.168.1.254/24 brd 192.168.1.255 scope global eth1
ip route show
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.254
217.162.76.0/22 dev eth0 proto kernel scope link src 217.162.76.115
default via 217.162.76.1 dev eth0
ipchains -nvL
Chain input (policy DENY: 5 packets, 846 bytes):
pkts bytes target prot opt tosa tosx ifname mark outsize source destination ports
0 0 DENY icmp ----l- 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 5 -> *
0 0 DENY icmp ----l- 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 13 -> *
0 0 DENY icmp ----l- 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 14 -> *
0 0 DENY all ----l- 0xFF 0x00 eth0 0.0.0.0 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 255.255.255.255 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 127.0.0.0/8 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 224.0.0.0/4 0.0.0.0/0 n/a
6593 2443K DENY all ----l- 0xFF 0x00 eth0 10.0.0.0/8 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 172.16.0.0/12 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 192.168.0.0/16 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 0.0.0.0/8 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 128.0.0.0/16 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 191.255.0.0/16 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 192.0.0.0/24 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 223.255.255.0/24 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 240.0.0.0/4 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 192.168.1.0/24 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 217.162.76.115 0.0.0.0/0 n/a
0 0 REJECT all ----l- 0xFF 0x00 eth0 0.0.0.0/0 127.0.0.0/8 n/a
0 0 REJECT all ----l- 0xFF 0x00 eth0 0.0.0.0/0 192.168.1.0/24 n/a
0 0 REJECT tcp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 137
0 0 REJECT tcp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 135
19 1482 REJECT udp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 137
0 0 REJECT udp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 135
11 528 REJECT tcp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 138:139
0 0 REJECT udp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 138
0 0 REJECT udp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 137:138 -> *
0 0 REJECT udp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 135 -> *
0 0 REJECT tcp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 137:139 -> *
0 0 REJECT tcp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 135 -> *
0 0 REJECT tcp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 113
1578K 413M ACCEPT tcp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 1024:65535
0 0 REJECT udp ----l- 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 161:162
2 136 ACCEPT udp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 53
141 48927 ACCEPT udp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 68
0 0 DENY udp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 67
9333 2400K ACCEPT udp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 1024:65535
1441 108K ACCEPT icmp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> *
0 0 ACCEPT ospf ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 n/a
539 25984 DENY all ----l- 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 n/a
0 0 REJECT udp ----l- 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 * -> 161:162
0 0 REJECT udp ----l- 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 161:162 -> *
2144K 2439M ACCEPT all ------ 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 n/a

Chain forward (policy DENY: 0 packets, 0 bytes):
pkts bytes target prot opt tosa tosx ifname mark outsize source destination ports
0 0 DENY icmp ----l- 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 5 -> *
2121K 2437M MASQ all ------ 0xFF 0x00 eth0 192.168.1.0/24 0.0.0.0/0 n/a
0 0 DENY all ------ 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 n/a

Chain output (policy DENY: 0 packets, 0 bytes):
pkts bytes target prot opt tosa tosx ifname mark outsize source destination ports
3716K 2852M fairq all ------ 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 0.0.0.0 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 255.255.255.255 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 127.0.0.0/8 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 224.0.0.0/4 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 10.0.0.0/8 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 172.16.0.0/12 0.0.0.0/0 n/a
3 168 DENY all ----l- 0xFF 0x00 eth0 192.168.0.0/16 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 0.0.0.0/8 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 128.0.0.0/16 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 191.255.0.0/16 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 192.0.0.0/24 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 223.255.255.0/24 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 240.0.0.0/4 0.0.0.0/0 n/a
0 0 DENY all ------ 0xFF 0x00 eth0 192.168.1.0/24 0.0.0.0/0 n/a
0 0 REJECT tcp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 137
0 0 REJECT tcp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 135
59 8542 REJECT udp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 137
0 0 REJECT udp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 135
0 0 REJECT tcp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 138:139
0 0 REJECT udp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 138
0 0 REJECT udp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 137:138 -> *
0 0 REJECT udp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 135 -> *
0 0 REJECT tcp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 137:139 -> *
0 0 REJECT tcp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 135 -> *
3716K 2852M ACCEPT all ------ 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 n/a

Chain fairq (1 references):
pkts bytes target prot opt tosa tosx ifname mark outsize source destination ports
0 0 RETURN ospf ------ 0xFF 0x00 * 0x1 0.0.0.0/0 0.0.0.0/0 n/a
0 0 RETURN ospf ------ 0xFF 0x00 * 0x1 0.0.0.0/0 0.0.0.0/0 n/a
0 0 RETURN udp ------ 0xFF 0x00 * 0x1 0.0.0.0/0 0.0.0.0/0 * -> 520
0 0 RETURN udp ------ 0xFF 0x00 * 0x1 0.0.0.0/0 0.0.0.0/0 520 -> *
0 0 RETURN tcp ------ 0xFF 0x00 * 0x1 0.0.0.0/0 0.0.0.0/0 * -> 179
0 0 RETURN tcp ------ 0xFF 0x00 * 0x1 0.0.0.0/0 0.0.0.0/0 179 -> *
0 0 RETURN tcp ------ 0xFF 0x00 * 0x1 0.0.0.0/0 0.0.0.0/0 * -> 53
0 0 RETURN tcp ------ 0xFF 0x00 * 0x1 0.0.0.0/0 0.0.0.0/0 53 -> *
9589 626K RETURN udp ------ 0xFF 0x00 * 0x1 0.0.0.0/0 0.0.0.0/0 * -> 53
2640 235K RETURN udp ------ 0xFF 0x00 * 0x1 0.0.0.0/0 0.0.0.0/0 53 -> *
0 0 RETURN tcp ------ 0xFF 0x00 * 0x2 0.0.0.0/0 0.0.0.0/0 * -> 23
0 0 RETURN tcp ------ 0xFF 0x00 * 0x2 0.0.0.0/0 0.0.0.0/0 23 -> *
0 0 RETURN tcp ------ 0xFF 0x00 * 0x2 0.0.0.0/0 0.0.0.0/0 * -> 22
0 0 RETURN tcp ------ 0xFF 0x00 * 0x2 0.0.0.0/0 0.0.0.0/0 22 -> *
ipchains -L -M
IP masquerading entries
prot expire source destination ports
TCP 02:25.91 192.168.1.3 202.8.231.104 3455 (63656) -> 1214
TCP 169:15.84 192.168.1.3 host217-39-49-206.in-addr.btopenworld.com 3995 (64264) -> 1214
TCP 181:33.55 192.168.1.3 p5086D6E4.dip.t-dialin.net 4017 (64289) -> 1214
TCP 127:16.61 192.168.1.3 CBL62-LNS-p240.cbl.netvision.net.il 3816 (64035) -> 1214
TCP 75:10.18 192.168.1.3 78.186-136-217.adsl.skynet.be 3685 (63897) -> 1214
TCP 03:29.52 192.168.1.3 202.8.231.104 3444 (63635) -> 1214
TCP 128:57.17 192.168.1.3 adsl-66-73-3-198.dsl.sfldmi.ameritech.net 3832 (64062) -> 1214
TCP 58:22.82 192.168.1.3 225-SEVI-X25.libre.retevision.es 3638 (63840) -> 1214
TCP 203:36.42 192.168.1.3 adsl-21-232-5.mco.bellsouth.net 4103 (64384) -> 1214
TCP 239:57.40 192.168.1.3 dsl-jklgw1oec.dial.inet.fi 4170 (64457) -> 1032
TCP 01:57.74 192.168.1.3 mailgate.quadrocket.com 4270 (64567) -> 1214
TCP 01:55.90 192.168.1.3 krause.ac 4269 (64566) -> pop-3
TCP 239:59.52 192.168.1.3 mailgate.quadrocket.com 4218 (64514) -> 1214
TCP 239:59.37 192.168.1.3 pD9538E5D.dip.t-dialin.net 4217 (64513) -> 1214
TCP 01:35.77 192.168.1.3 pD9538E5D.dip.t-dialin.net 4264 (64562) -> 1214
TCP 190:46.46 192.168.1.3 adsl-21-232-5.mco.bellsouth.net 4069 (64356) -> 1214
TCP 37:18.25 192.168.1.3 202.8.231.104 3557 (63766) -> 1214
TCP 00:40.94 192.168.1.3 57.116-136-217.adsl.skynet.be 4259 (64561) -> 1214
TCP 01:30.20 192.168.1.3 3E6B552C.aalb.stofanet.dk 4265 (64563) -> 1214
TCP 01:52.91 192.168.1.3 212.202.221.23 4267 (64565) -> 1214
TCP 01:35.09 192.168.1.3 pc-80-195-94-21-ba.blueyonder.co.uk 4266 (64564) -> 1214
autofw
Type Prot Low High Vis Hid Where Last CPto CPrt Timer Flags
(empty)
Anybody any guess?
Cheers
Harald
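Ray's guess in the quoted reply below, that the box may be running out of ports to NAT to, can be checked against the `ipchains -L -M` table above. What follows is an added diagnostic, not code from the thread or from LEAF/Dachstein: it re-joins the mail-wrapped lines, counts distinct masquerade ports per internal host, and compares the count with the pool size. It assumes a Linux 2.2 kernel (4096 masquerade ports starting at 61000) and runs on a constructed sample shaped like the posted table.

```python
import re
from collections import Counter

# Assumed for this Dachstein box: a Linux 2.2 kernel, whose ip_masq code hands
# out 4096 masquerade ports starting at 61000 (PORT_MASQ_BEGIN).
MASQ_PORT_BEGIN, MASQ_POOL_SIZE = 61000, 4096
PROTOS = ("TCP", "UDP", "ICMP")
# One entry: prot expire source destination sport (masqport) -> dport
ENTRY_RE = re.compile(r"^(TCP|UDP|ICMP)\s+(\d+):([\d.]+)\s+(\S+)\s+(\S+)\s+(\S+)\s+"
                      r"\((\d+)\)\s+->\s+(\S+)$")

def parse_masq_table(text):
    """Parse `ipchains -L -M` output; lines wrapped by the mailer are re-joined."""
    records = []
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if records and line.split()[0] not in PROTOS:  # continuation of previous entry
            records[-1] += " " + line
        else:
            records.append(line)
    entries = []
    for rec in records:
        m = ENTRY_RE.match(rec)  # the two header lines simply do not match
        if m:
            prot, mins, secs, src, dst, sport, mport, dport = m.groups()
            entries.append({"prot": prot, "expire_s": int(mins) * 60 + float(secs),
                            "src": src, "dst": dst, "sport": sport,
                            "mport": int(mport), "dport": dport})
    return entries

def pool_usage(entries):
    """Masq ports held, which LAN host holds them, and the longest remaining timeout."""
    used = {e["mport"] for e in entries}
    pool = range(MASQ_PORT_BEGIN, MASQ_PORT_BEGIN + MASQ_POOL_SIZE)
    return {"in_use": len(used),
            "fraction": len(used) / MASQ_POOL_SIZE,
            "per_source": Counter(e["src"] for e in entries),
            "longest_expire_s": max((e["expire_s"] for e in entries), default=0.0),
            # anything listed here means the kernel's pool is not the assumed one
            "outside_assumed_pool": sorted(p for p in used if p not in pool)}

# Constructed sample shaped like the posted table; two entries are mail-wrapped.
SAMPLE = """\
IP masquerading entries
prot expire source destination ports
TCP 02:25.91 192.168.1.3 202.8.231.104 3455 (63656) -> 1214
TCP 169:15.84 192.168.1.3
host217-39-49-206.in-addr.btopenworld.com 3995 (64264) -> 1214
TCP 01:55.90 192.168.1.3 krause.ac 4269 (64566) ->
pop-3
UDP 00:40.94 192.168.1.7 192.0.2.53 1027 (61002) -> 53
"""
```

Fed the real table from the box, `fraction` close to 1 with one host dominating `per_source` and a large `longest_expire_s` would support the exhaustion guess; a non-empty `outside_assumed_pool` means the kernel's range assumption is wrong and the pool size must be taken from that kernel instead.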
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On behalf of Ray Olszewski
Sent: Tuesday, 6 August 2002 20:29
To: Harald Krause; [EMAIL PROTECTED]
Subject: Re: [leaf-user] Insane Dachstein problem
At 08:01 PM 8/6/02 +0200, Harald Krause wrote:
>I posted this several times but never got an answer, so it comes here again :-)
I missed the prior ones, but had I seen them, I would have told you to post
again, this time providing the usual diagnostics ... actually two sets of
them -- one from when the router is routing, the other from when it is not.
If you don't know what "the usual diagnostics" are, consult the SR FAQ
listed at the end of the message. Also, can the LEAF router itself ping out
to the Internet when in "failing" state?
Oh, one wild guess, based on your description -- I don't really know how
Kazaa-lite operates, but if it initiates a LOT of NAT'd connections ...
might you simply be running out of ports to NAT to? (I've seen occasional
reports of this happening, but it takes a lot of activity plus long NAT
timeout settings. And I can't think of why the "fix" you describe would
work for this, anyway ... that's why it is a wild guess.)
>Configuration:
>Simple Dachstein: one router (P90 40MB Ram) running Dachstein: (floppy disk)
>
>Name Version Description
>root 4.0.6
>etc 4.0.1
>ramlog 1.1 Creates additinal ramdisks on boot
>local 4.0.6 Local package. This package does not contain a
>modules 4.0.6 Modules package. Contains kernel modules and u
>dhclient 2.0pl5 dhclient - Dynamically configure an interface
>dhcpd 2.0pl5 dhcpd - Autoconfigure client machines
>dnscache 1.05a dnscache from djbdns (V1.05a) package creates
>weblet 1.2.0 weblet - LRP status via a small web server
>
>Several PCs with various OS behind the LEAF box.
>Generally everything works fine.
>
>However:
>One PC is running kazaa-lite and generates some amounts of traffic.
>After a few hours the following happens: (No PC connects to the internet during
>this time, except for the kazaa lite PC)
>All the other PCs cannot connect to the internet anymore. (no http, no pop,
>no smtp)
>I cannot ping any host in the internet from them, but I can ping the leaf
>box from them.
>If I establish one single http connection from the PC running kazaa via
>starting a browser (IE or Mozilla), all other PCs have access to the internet again.
>I studied all the logfiles in the leaf box, but there is nowhere any sign of
>this problem.
--
-------------------------------------------"Never tell me the odds!"--------
Ray Olszewski -- Han Solo
Palo Alto, California, USA [EMAIL PROTECTED]
----------------------------------------------------------------------------
---
-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html