RE: Problems with IPFW causing failed DNS and FTP sessions

2013-04-01 Thread Don O'Neil
rnally to IPFW? Thanks! -Original Message- From: Michael Sierchio [mailto:ku...@tenebras.com] Sent: Monday, April 01, 2013 7:23 AM To: Don O'Neil Cc: freebsd-questions@freebsd.org Subject: Re: Problems with IPFW causing failed DNS and FTP sessions Okay, what's your DNS setup? Are you

Re: Problems with IPFW causing failed DNS and FTP sessions

2013-04-01 Thread Michael Sierchio
Okay, what's your DNS setup? Are you running a recursive cache that contacts the root servers directly? Using your ISP's servers? Etc. As a mitigation step, I tried pointing my caches to 8.8.8.8 and 8.8.4.4. - but it turns out that Google is intentionally blocking (returning NX responses to) ma

RE: Problems with IPFW causing failed DNS and FTP sessions

2013-04-01 Thread Don O'Neil
- From: owner-freebsd-questi...@freebsd.org [mailto:owner-freebsd-questi...@freebsd.org] On Behalf Of Michael Sierchio Sent: Sunday, March 31, 2013 10:04 PM To: Don O'Neil Cc: freebsd-questions@freebsd.org Subject: Re: Problems with IPFW causing failed DNS and FTP sessions net.inet.ip.fw.dyn

Re: Problems with IPFW causing failed DNS and FTP sessions

2013-03-31 Thread Michael Sierchio
net.inet.ip.fw.dyn_short_lifetime ? net.inet.ip.fw.dyn_udp_lifetime ? You might want to increase these, given the current state of things... ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To uns

Re: Problems with IPFW causing failed DNS and FTP sessions

2013-03-31 Thread Michael Sierchio
On Sun, Mar 31, 2013 at 9:39 PM, Michael Powell wrote: > I'm probably not smart enough to be able to help directly with your problem > but I'd like to add that there is a snowballing DNS amplification DDoS > attack against Spamhaus going on which is spilling over Yes, this is very much true. Th

Re: Problems with IPFW causing failed DNS and FTP sessions

2013-03-31 Thread Michael Sierchio
l just recently. I've checked my interface stats to make sure > there aren't a bunch of fragmented packets or errors, and there aren't. I'm > not running NAT, it's a publicly accessible IP address. > > -Original Message- > From: Michael Sierchio [mailto:ku...@tene

Re: Problems with IPFW causing failed DNS and FTP sessions

2013-03-31 Thread Michael Powell
Don O'Neil wrote: > Hi everyone. Recently my server started having issues with DNS and FTP > sessions either not resolving or timing out. I've tracked the issue down > to IPFW. If I issue a 'sysctl net.inet.ip.fw.enable=0' then my issues go > away. > [snip] I'm probably not smart enough to be ab

RE: Problems with IPFW causing failed DNS and FTP sessions

2013-03-31 Thread Don O'Neil
gmented packets or errors, and there aren't. I'm not running NAT, it's a publicly accessible IP address. -Original Message- From: Michael Sierchio [mailto:ku...@tenebras.com] Sent: Sunday, March 31, 2013 8:58 PM To: Don O'Neil Cc: freebsd-questions@freebsd.org Subject:

Re: Problems with IPFW causing failed DNS and FTP sessions

2013-03-31 Thread Michael Sierchio
It would be really helpful if you'd post the ruleset. At first glance, your stateful rules seem rather wrong, unless there's a check-state above. Also, in and out aren't discriminating enough - every packet is seen by the ruleset more than once. You should think in terms of interfaces, direction

Problems with IPFW causing failed DNS and FTP sessions

2013-03-31 Thread Don O'Neil
Hi everyone. Recently my server started having issues with DNS and FTP sessions either not resolving or timing out. I've tracked the issue down to IPFW. If I issue a 'sysctl net.inet.ip.fw.enable=0' then my issues go away. I have the basic rules like this for DNS: 01160 allow udp from any t