Re: ipf firewall, dropping connections

2009-10-26 Thread phantomcircuit
I'm guessing you have kernel tuning issues that have nothing to do with 
the firewall. wrote:


I'm running 7.2 with IPFilter - main purpose is for a news server.

Many established connections are just dropped and closed, it seems to 
be random, all allow rules are being affected.  Any insight would be 
appreciated.  The machine is under heavy usage, averaging around 150 
to 200 connections per second.

[r...@news ~]# ipfstat
bad packets:            in 0    out 0
 IPv6 packets:          in 0    out 0
 input packets:         blocked 22570422 passed 488309778 nomatch 146719580 counted 0 short 0
output packets:         blocked 21885 passed 507034679 nomatch 160765161 counted 0 short 0

 input packets logged:  blocked 22570422 passed 0
output packets logged:  blocked 0 passed 0
 packets logged:        input 0 output 0
 log failures:          input 12571655 output 0
fragment state(in):     kept 0  lost 0  not fragmented 0
fragment state(out):    kept 0  lost 0  not fragmented 0
packet state(in):       kept 14100      lost 2770255
packet state(out):      kept 22966740   lost 8078847
ICMP replies:   0       TCP RSTs sent:  0
Invalid source(in):     0
Result cache hits(in):  17487490        (out):  21607481
IN Pullups succeeded:   9       failed: 0
OUT Pullups succeeded:  1092    failed: 0
Fastroute successes:    0       failures:       0
TCP cksum fails(in):    0       (out):  0
IPF Ticks:      325071
Packet log flags set: (0)

[r...@wa-cpt-news ~]# cat /etc/ipf.rules

### Globals

block in log quick all with frags     # TCP Fragments
block in log quick all with short     # Short Fragments
block in log quick all with ipopts    # Invalid IP Options


### Loopback Interface

pass in quick on lo0 from any to
pass out quick on lo0 from to any


## em0 - Public NIC

# em0 - Outbound Traffic
pass out quick on em0 from a.a.a.a to any keep state
pass out quick on em0 from a.a.a.21 to any keep state
pass out quick on em0 from a.a.a.22 to any keep state
pass out quick on em0 from x.x.x.23 to any keep state
pass out quick on em0 from x.x.x.24 to any keep state
pass out quick on em0 from x.x.x.59.30 to any keep state

pass in quick on em0 from to a.a.a.a                                           # Internal Network Traffic
pass in quick on em0 proto icmp from any to a.a.a.a keep state
pass in quick on em0 proto tcp from x.220.63.238/32 to a.a.a.a port = 22 flags S keep state   # SSH (Office Only)
pass in quick on em0 proto tcp from x.220.63.33/32 to a.a.a.a port = 22 flags S keep state    # SSH (Office Only)
pass in quick on em0 proto tcp from x.220.32.228/32 to a.a.a.a port = 22 flags S keep state   # SSH (Office Only)
pass in quick on em0 proto tcp from x.220.42.29/32 to a.a.a.a port = 22 flags S keep state    # SSH (Office Only)
pass in quick on em0 proto tcp from any port = 53 to a.a.a.a                                  # DNS (Responses)
pass in quick on em0 proto udp from any port = 53 to a.a.a.a                                  # DNS (Responses)
pass in quick on em0 proto tcp from x.220.63.238/32 to a.a.a.a port = 80                      # HTTP (Office Only)
pass in quick on em0 proto tcp from x.220.63.33/32 to a.a.a.a port = 80                       # HTTP (Office Only)
pass in quick on em0 proto tcp from x.220.32.228/32 to a.a.a.a port = 80                      # HTTP (Office Only)
pass in quick on em0 proto tcp from x.220.42.29/32 to a.a.a.a port = 80                       # HTTP (Office Only)
pass in quick on em0 proto tcp from x.185.0.0/16 to a.a.a.a port = 119                        # NNTP
pass in quick on em0 proto tcp from x.211.26.0/24 to a.a.a.a port = 119                       # NNTP
pass in quick on em0 proto tcp from x.220.32.0/19 to a.a.a.a port = 119                       # NNTP
pass in quick on em0 proto tcp from x.220.63.238/32 to a.a.a.a port = 119                     # NNTP
pass in quick on em0 proto tcp from x.220.32.228/32 to a.a.a.a port = 119                     # NNTP
pass in quick on em0 proto tcp from x.220.63.33/32 to a.a.a.a port = 119                      # NNTP
pass in quick on em0 proto tcp from x.220.42.29/32 to a.a
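The ipfstat counters above are the evidence behind the "kernel tuning" reply: "packet state(in): kept 14100 lost 2770255" means almost every new inbound flow failed to get a state-table entry, so later packets of established sessions no longer match the `keep state` rules and are dropped. The following script is an added example (not from the thread) that parses those counters and reports state-table exhaustion and ipmon log failures; the 1% loss threshold is an assumption.

```python
"""Parse `ipfstat` counters and flag state-table exhaustion.

Added example, not code from the thread. It reads the counters the poster
pasted (packet state kept/lost, log failures) and reports whether IPFilter
is losing state entries, which drops established connections that the
`keep state` rules should have matched. The loss threshold is an assumption.
"""
import re

# Constructed sample: the three relevant lines from the poster's ipfstat
# output, embedded so the script runs offline.
SAMPLE_IPFSTAT = """\
packet state(in):   kept 14100  lost 2770255
packet state(out):  kept 22966740   lost 8078847
log failures:  input 12571655 output 0
"""

STATE_RE = re.compile(r"packet state\((in|out)\):\s*kept\s+(\d+)\s+lost\s+(\d+)")
LOGFAIL_RE = re.compile(r"log failures:\s*input\s+(\d+)\s+output\s+(\d+)")


def parse_ipfstat(text):
    """Return {'state': {'in': (kept, lost), 'out': (kept, lost)},
    'log_failures': (input, output)} extracted from ipfstat output."""
    stats = {"state": {}, "log_failures": (0, 0)}
    for m in STATE_RE.finditer(text):
        stats["state"][m.group(1)] = (int(m.group(2)), int(m.group(3)))
    m = LOGFAIL_RE.search(text)
    if m:
        stats["log_failures"] = (int(m.group(1)), int(m.group(2)))
    return stats


def state_loss_ratio(stats, direction):
    """Fraction of state-entry attempts that were lost; 0.0 when no data."""
    kept, lost = stats["state"].get(direction, (0, 0))
    total = kept + lost
    return lost / total if total else 0.0


def assess(stats, max_loss=0.01):
    """Findings an admin should act on. Loss above max_loss (assumed
    threshold) means the state table is full, so established flows stop
    matching `keep state`; log failures mean the logger cannot keep up."""
    findings = []
    for direction in ("in", "out"):
        ratio = state_loss_ratio(stats, direction)
        if ratio > max_loss:
            findings.append(f"state({direction}) lost {ratio:.1%}: state table full, raise its limit")
    if stats["log_failures"][0] > 0:
        findings.append("log failures: drop 'log' from high-volume block rules or speed up ipmon")
    return findings


if __name__ == "__main__":
    for finding in assess(parse_ipfstat(SAMPLE_IPFSTAT)):
        print(finding)
```

Run against the poster's numbers it reports roughly 99% inbound and 26% outbound state loss plus the 12.5 million log failures, which is why unrelated allow rules appear to drop connections at random.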

Re: What causes random disk access slow down

2009-10-27 Thread phantomcircuit

How full are the disks?

Jin Guojun wrote:
A 6-7 year old Xeon dual 2.4MHz CPU machine running FreeBSD 6.4-Release 
suddenly became slow on some tasks requiring disk access. Typical things 
like ls, objdump etc. To be more specific, a couple of minutes of objdump 
became a several hours job.

A several seconds "ls -RC" became a 15-minute task (see output below).

It sounds like a hard drive problem, but running a sequential disk test on 
all drives, their throughput meets the original disk spec and the disks run 
very quiet; at random disk access, the disks generate some rigid noise, so 
it looks like a random disk access problem.
This machine has two IDE PATA drives (ignore da0 -- a USB stick), but 
no error message has been recorded in dmesg for any drive in the couple of 
weeks since the problem happened.

The machine has been rebooted a few times after the slowness occurred, but 
it doesn't help.

Is there any way/any tool to find out what is going wrong in the system?


[165] bsd-ms: ls -RC > Dir
3.756u 19.402s 15:29.37 2.4%    30+2938k 49120+76io 0pf+0w

monitored from the other terms --
[138] bsd-ms: ll ~/Dir
-rw-r--r--  1 src  wheel  6152192 Oct 27 14:53 /home/users/src/Dir
[139] bsd-ms: ll ~/Dir
-rw-r--r--  1 src  wheel  8019968 Oct 27 14:56 /home/users/src/Dir
[140] bsd-ms: ll ~/Dir
-rw-r--r--  1 src  wheel  9915957 Oct 27 14:58 /home/users/src/Dir

      tty             ad0              ad1              da0
 tin tout  KB/t tps  MB/s   KB/t tps  MB/s   KB/t tps  MB/s  us ni sy in id
   9  365  9.14   6  0.05  12.08   6  0.07  121.91   0  0.00   2  0  1  0 97
   0 1020 11.75  87  0.99  17.82   7  0.13   0.00   0  0.00  76  0 14  0 10
   0 1005  8.54 262  2.19  52.94  23  1.21   0.00   0  0.00  61  0 29  1  9
   0  893  7.54 184  1.36  85.76  34  2.82   0.00   0  0.00  53  0 32  1 14
   0  551  3.35 265  0.87   9.38   4  0.04   0.00   0  0.00  47  0 33  1 19
   0  594  6.81 201  1.33  37.82   4  0.14   0.00   0  0.00  54  0 16  0 30
   0 1106  3.54 252  0.87  55.19  17  0.93   0.00   0  0.00  39  0 33  1 27
   0  393  2.88 223  0.63  11.43   2  0.03   0.00   0  0.00  67  0 31  1  1
   0  644  4.81 165  0.77  16.00   0  0.01   0.00   0  0.00  87  0 12  1  1
  27  339 10.39 180  1.82  15.18  11  0.17   0.00   0  0.00  86  0 13  0  0
  32  130  5.06 146  0.72  23.40  46  1.04   0.00   0  0.00  86  0  8  1  5
  32  267  8.39 138  1.13  61.09   4  0.22   0.00   0  0.00  73  0 26  1  0
  33  340  8.75 222  1.90  61.54   4  0.26   0.00   0  0.00  78  0 21  1  0
  32  595  5.85 154  0.88  12.20   3  0.04   0.00   0  0.00  87  0 12  1  0
  32  288  5.28 147  0.76   6.00   1  0.01   0.00   0  0.00  86  0 13  1  0

___ mailing list
To unsubscribe, send any mail to 


Re: best way to install/update software and firewall choice

2009-10-31 Thread phantomcircuit
freebsd-update works fine in a jail so long as you symlink the kernel file to /dev/null

Manolis Kiagias wrote:

Guy Marcenac wrote:


I am an old debian user and I am looking at freebsd for security reasons
* I am very interested in the jail concept
* I have to relearn iptables syntax each time I want to add a rule

Don't we all :)


I am testing the system in vmware virtual machine.

There is a point I don't fully understand. There are several ways of
updating the system, from precompiled binaries or by recompiling the
system and the ports (and using csup, portsnap, portupgrade ...).

To update your base system, you can use freebsd-update. This uses
precompiled binaries and also updates the relevant sources (assuming you
have them installed beforehand and you are using the default
freebsd-update configuration - which is recommended). However, if you are
going to run jails, this advantage is more or less defeated: you will have
to run 'make buildworld' anyway to install the result in the jails.


I would prefer to use the first way because it is really faster, but
it seems to me that when I want to update my jails, there is no other
easy way than recompiling the whole world into my jails.

Yes, unless you can somehow run freebsd-update from inside a jail :)
Don't know if this will work though. It will probably fail trying to
patch the kernel.

If you use freebsd-update you will only 'make installworld' for the
jails, as the 'host' will be taken care of by freebsd-update binary
patching.  You still need the make buildworld step, so you don't really
gain much.


The other point that is a bit confusing is that I don't know which firewall to
use. My first guess would be to use pf, because it exists also on
openbsd, but it seems that the default would go to ipfw.

I am using pf too. It is a matter of preference and features needed. I
suggest you read the Handbook chapter and decide for yourself.


SSH XForwarding Failure

2009-02-06 Thread phantomcircuit
I have absolutely no clue why this isn't working. xauth is installed
$DISPLAY is localhost:10.0 XForwarding is enabled in sshd_config and I
invoked ssh with -X.

%/usr/local/bin/xauth list  MIT-MAGIC-COOKIE-1
eea299b0035168d92d95659436874a80  MIT-MAGIC-COOKIE-1
e05b1ac4522781c3be2049a35782b704  MIT-MAGIC-COOKIE-1
%/usr/local/bin/xauth list :0.0
%echo $DISPLAY

Attempt to use XForwarding

$ ssh -Xvv
OpenSSH_5.1p1 Debian-3ubuntu1, OpenSSL 0.9.8g 19 Oct 2007
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to [] port 22.
debug1: Connection established.
debug1: identity file /home/username/.ssh/identity type -1
debug2: key_type_from_name: unknown key type '-BEGIN'
debug2: key_type_from_name: unknown key type 'Proc-Type:'
debug2: key_type_from_name: unknown key type 'DEK-Info:'
debug2: key_type_from_name: unknown key type '-END'
debug1: identity file /home/username/.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-4096
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-4096
debug1: identity file /home/username/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version
OpenSSH_5.1p1 CovertInferno
debug1: match: OpenSSH_5.1p1 CovertInferno pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.1p1 Debian-3ubuntu1
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: none,,zlib
debug2: kex_parse_kexinit: none,,zlib
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: hmac-sha1,hmac-ripemd160,hmac-sha1-96
debug2: kex_parse_kexinit: hmac-sha1,hmac-ripemd160,hmac-sha1-96
debug2: kex_parse_kexinit: none,
debug2: kex_parse_kexinit: none,
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: mac_setup: found hmac-sha1
debug1: kex: server->client aes128-cbc hmac-sha1 none
debug2: mac_setup: found hmac-sha1
debug1: kex: client->server aes128-cbc hmac-sha1 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<2048<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 158/320
debug2: bits set: 1039/2048
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '' is known and matches the RSA host key.
debug1: Found key in /home/username/.ssh/known_hosts:3
debug2: bits set: 1026/2048
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/username/.ssh/id_rsa (0x4c75353ab9d1)
debug2: key: /home/username/.ssh/identity ((nil))
debug2: key: /home/username/.ssh/id_dsa ((nil))
This computer system is in California.  By connecting you accept the 
Terms of Service found at .
debug1: Authentications that can continue:
debug1: Next authentication method: publickey
debug1: Offering public key: /home/