On 14/10/2011 19:20, Eduardo Schoedler wrote:
> That's either the firewall or a NIC with static ARP without the MAC address in the ARP table.

It really is a firewall.

> --
> Eduardo Schoedler
> Sent from my iPhone
>
> On 14/10/2011, at 18:51, Alexandre Biancalana <biancal...@gmail.com> wrote:
>
>> Send the output of a vmstat -z
>>
>> 2011/10/14 Marcelo Gondim <gon...@bsdinfo.com.br>:
>>> On 14/10/2011 12:01, Alexandre Biancalana wrote:
>>>> Send the output of netstat -mi
>>> Hi Alexandre,
>>>
>>> Here it is:
>>>
>>> (root@seca)[~]# netstat -mi
>>> 2050/1415/3465 mbufs in use (current/cache/total)
>>> 2048/1326/3374/66560 mbuf clusters in use (current/cache/total/max)
>>> 2047/581 mbuf+clusters out of packet secondary zone in use (current/cache)
>>> 0/574/574/33280 4k (page size) jumbo clusters in use (current/cache/total/max)
>>> 0/0/0/16640 9k jumbo clusters in use (current/cache/total/max)
>>> 0/0/0/8320 16k jumbo clusters in use (current/cache/total/max)
>>> 4608K/5301K/9910K bytes allocated to network (current/cache/total)
>>> 0/0/0 requests for mbufs denied (mbufs/clusters/mbuf+clusters)
>>> 0/0/0 requests for jumbo clusters denied (4k/9k/16k)
>>> 0/0/0 sfbufs in use (current/peak/max)
>>> 0 requests for sfbufs denied
>>> 0 requests for sfbufs delayed
>>> 2 requests for I/O initiated by sendfile
>>> 0 calls to protocol drain routines
>>>
>>>>
>>>> 2011/10/14 <gianru...@gmail.com>:
>>>>> And has the state table been tuned? How many sessions do you have open when
>>>>> the error happens?
>>>>> Run a pfctl -ss | wc -l when the error occurs
>>>>> Sent from my Vivo BlackBerry® device
>>>>>
>>>>> -----Original Message-----
>>>>> From: Marcelo Gondim <gon...@bsdinfo.com.br>
>>>>> Sender: freebsd-boun...@fug.com.br
>>>>> Date: Fri, 14 Oct 2011 09:32:59
>>>>> To: "Lista Brasileira de Discussão sobre FreeBSD (FUG-BR)" <freebsd@fug.com.br>
>>>>> Reply-To: Lista Brasileira de Discussão sobre FreeBSD (FUG-BR) <freebsd@fug.com.br>
>>>>> Subject: Re: [FUG-BR] Res: Re: ping: sendto: Operation not permitted
>>>>>
>>>>> On 14/10/2011 00:31, gianru...@gmail.com wrote:
>>>>>> PF or ipfw?
>>>>> Hi, I'm using PF on it, but only controlling access to the firewall itself,
>>>>> because as we're an ISP we can't block forwarded traffic for the customers.
>>>>> We really only do that when some attack shows up, or something we need to
>>>>> contain. Other than that, we drop the ports used by Windows that worms
>>>>> love. lol
>>>>>
>>>>>> Sent from my Vivo BlackBerry® device
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Marcelo Gondim <gon...@bsdinfo.com.br>
>>>>>> Sender: freebsd-boun...@fug.com.br
>>>>>> Date: Thu, 13 Oct 2011 22:59:02
>>>>>> To: "Lista Brasileira de Discussão sobre FreeBSD (FUG-BR)" <freebsd@fug.com.br>
>>>>>> Reply-To: Lista Brasileira de Discussão sobre FreeBSD (FUG-BR) <freebsd@fug.com.br>
>>>>>> Subject: Re: [FUG-BR] ping: sendto: Operation not permitted
>>>>>>
>>>>>> On 13/10/2011 18:30, Rodrigo Mosconi wrote:
>>>>>>> On 13 October 2011 17:02, Marcelo Gondim <gon...@bsdinfo.com.br> wrote:
>>>>>>>> Folks,
>>>>>>>>
>>>>>>>> Something strange happened on the firewall here today, something I hadn't
>>>>>>>> noticed before but that may be related to the lack of performance on
>>>>>>>> some occasions.
>>>>>>>> Out of nowhere, access to the servers started showing heavy packet loss,
>>>>>>>> and all of them go through the firewall. Sending and checking e-mail was
>>>>>>>> hanging, and so on.
>>>>>>>>
>>>>>>>> When I logged into the firewall and tried to ping a few hosts, both
>>>>>>>> external and on my own local network, sometimes it pinged and other
>>>>>>>> times the message below appeared:
>>>>>>>>
>>>>>>>> ping: sendto: Operation not permitted
>>>>>>>>
>>>>>>>> This message showed up a few times as the ping response and right
>>>>>>>> afterwards it went on pinging normally.
>>>>>>>>
>>>>>>>> I saw nothing in dmesg or in messages related to this problem, and
>>>>>>>> looking through sysctl I saw no limit on icmp:
>>>>>>>>
>>>>>>>> (root@seca)[~]# sysctl -a|grep icmp
>>>>>>>> net.inet.icmp.maskrepl: 0
>>>>>>>> net.inet.icmp.icmplim: 0
>>>>>>>> net.inet.icmp.bmcastecho: 0
>>>>>>>> net.inet.icmp.quotelen: 8
>>>>>>>> net.inet.icmp.reply_from_interface: 0
>>>>>>>> net.inet.icmp.reply_src:
>>>>>>>> net.inet.icmp.icmplim_output: 0
>>>>>>>> net.inet.icmp.log_redirect: 0
>>>>>>>> net.inet.icmp.drop_redirect: 1
>>>>>>>> net.inet.icmp.maskfake: 0
>>>>>>>> net.inet.tcp.icmp_may_rst: 1
>>>>>>>> net.inet6.icmp6.rediraccept: 1
>>>>>>>> net.inet6.icmp6.redirtimeout: 600
>>>>>>>> net.inet6.icmp6.nd6_prune: 1
>>>>>>>> net.inet6.icmp6.nd6_delay: 5
>>>>>>>> net.inet6.icmp6.nd6_umaxtries: 3
>>>>>>>> net.inet6.icmp6.nd6_mmaxtries: 3
>>>>>>>> net.inet6.icmp6.nd6_useloopback: 1
>>>>>>>> net.inet6.icmp6.nodeinfo: 3
>>>>>>>> net.inet6.icmp6.errppslimit: 100
>>>>>>>> net.inet6.icmp6.nd6_maxnudhint: 0
>>>>>>>> net.inet6.icmp6.nd6_debug: 0
>>>>>>>> net.inet6.icmp6.nd6_maxqueuelen: 1
>>>>>>>> net.inet6.icmp6.nd6_onlink_ns_rfc4861: 0
>>>>>>>>
>>>>>>>> I tried Google and found some vague things related to PF. The fact is
>>>>>>>> that after a reboot of the firewall everything went back to normal.
>>>>>>>> Does anyone have any idea? The strange thing is that the whole system
>>>>>>>> became unstable and only a reboot brought it back to working. Later I
>>>>>>>> realised I could have disabled PF to see whether it was the cause, but I
>>>>>>>> had already restarted the system. Next time I'll try that first.
>>>>>>>>
>>>>>>>> Cheers to all
>>>>>>>> -------------------------
>>>>>>>> Archive: http://www.fug.com.br/historico/html/freebsd/
>>>>>>>> Leave the list: https://www.fug.com.br/mailman/listinfo/freebsd
>>>>>>>>
>>>>>>> sysctl net.inet?
>>>>>>>
>>>>>> Hi Rodrigo,
>>>>>>
>>>>>> Traffic on this firewall is 160 to 200 Mbps. The firewall is stateless
>>>>>> on packet forwarding.
>>>>>>
>>>>>> net.inet.ip.portrange.randomtime: 45
>>>>>> net.inet.ip.portrange.randomcps: 10
>>>>>> net.inet.ip.portrange.randomized: 1
>>>>>> net.inet.ip.portrange.reservedlow: 0
>>>>>> net.inet.ip.portrange.reservedhigh: 1023
>>>>>> net.inet.ip.portrange.hilast: 65535
>>>>>> net.inet.ip.portrange.hifirst: 49152
>>>>>> net.inet.ip.portrange.last: 65535
>>>>>> net.inet.ip.portrange.first: 10000
>>>>>> net.inet.ip.portrange.lowlast: 600
>>>>>> net.inet.ip.portrange.lowfirst: 1023
>>>>>> net.inet.ip.forwarding: 1
>>>>>> net.inet.ip.redirect: 0
>>>>>> net.inet.ip.ttl: 64
>>>>>> net.inet.ip.rtexpire: 3600
>>>>>> net.inet.ip.rtminexpire: 10
>>>>>> net.inet.ip.rtmaxcache: 128
>>>>>> net.inet.ip.sourceroute: 0
>>>>>> net.inet.ip.intr_queue_maxlen: 256
>>>>>> net.inet.ip.intr_queue_drops: 0
>>>>>> net.inet.ip.accept_sourceroute: 0
>>>>>> net.inet.ip.keepfaith: 0
>>>>>> net.inet.ip.gifttl: 30
>>>>>> net.inet.ip.same_prefix_carp_only: 0
>>>>>> net.inet.ip.subnets_are_local: 0
>>>>>> net.inet.ip.random_id_total: 0
>>>>>> net.inet.ip.random_id_collisions: 0
>>>>>> net.inet.ip.random_id_period: 8192
>>>>>> net.inet.ip.mcast.loop: 1
>>>>>> net.inet.ip.mcast.maxsocksrc: 128
>>>>>> net.inet.ip.mcast.maxgrpsrc: 512
>>>>>> net.inet.ip.dummynet.io_pkt_drop: 0
>>>>>> net.inet.ip.dummynet.io_pkt_fast: 0
>>>>>> net.inet.ip.dummynet.io_pkt: 0
>>>>>> net.inet.ip.dummynet.queue_count: 0
>>>>>> net.inet.ip.dummynet.fsk_count: 0
>>>>>> net.inet.ip.dummynet.si_count: 0
>>>>>> net.inet.ip.dummynet.schk_count: 0
>>>>>> net.inet.ip.dummynet.tick_lost: 0
>>>>>> net.inet.ip.dummynet.tick_diff: -1704
>>>>>> net.inet.ip.dummynet.tick_adjustment: 47142177
>>>>>> net.inet.ip.dummynet.tick_delta_sum: 84
>>>>>> net.inet.ip.dummynet.tick_delta: 666
>>>>>> net.inet.ip.dummynet.red_max_pkt_size: 1500
>>>>>> net.inet.ip.dummynet.red_avg_pkt_size: 512
>>>>>> net.inet.ip.dummynet.red_lookup_depth: 256
>>>>>> net.inet.ip.dummynet.expire_cycle: 0
>>>>>> net.inet.ip.dummynet.expire: 1
>>>>>> net.inet.ip.dummynet.debug: 0
>>>>>> net.inet.ip.dummynet.io_fast: 0
>>>>>> net.inet.ip.dummynet.pipe_byte_limit: 1048576
>>>>>> net.inet.ip.dummynet.pipe_slot_limit: 100
>>>>>> net.inet.ip.dummynet.hash_size: 64
>>>>>> net.inet.ip.fastforwarding: 1
>>>>>> net.inet.ip.fw.static_count: 1
>>>>>> net.inet.ip.fw.default_to_accept: 1
>>>>>> net.inet.ip.fw.tables_max: 128
>>>>>> net.inet.ip.fw.default_rule: 65535
>>>>>> net.inet.ip.fw.verbose_limit: 100
>>>>>> net.inet.ip.fw.verbose: 1
>>>>>> net.inet.ip.fw.autoinc_step: 100
>>>>>> net.inet.ip.fw.one_pass: 1
>>>>>> net.inet.ip.fw.dyn_keepalive: 1
>>>>>> net.inet.ip.fw.dyn_short_lifetime: 10
>>>>>> net.inet.ip.fw.dyn_udp_lifetime: 10
>>>>>> net.inet.ip.fw.dyn_rst_lifetime: 1
>>>>>> net.inet.ip.fw.dyn_fin_lifetime: 2
>>>>>> net.inet.ip.fw.dyn_syn_lifetime: 10
>>>>>> net.inet.ip.fw.dyn_ack_lifetime: 120
>>>>>> net.inet.ip.fw.dyn_max: 65536
>>>>>> net.inet.ip.fw.dyn_count: 0
>>>>>> net.inet.ip.fw.curr_dyn_buckets: 256
>>>>>> net.inet.ip.fw.dyn_buckets: 65536
>>>>>> net.inet.ip.fw.enable: 1
>>>>>> net.inet.ip.maxfragpackets: 2080
>>>>>> net.inet.ip.stealth: 0
>>>>>> net.inet.ip.maxfragsperpacket: 16
>>>>>> net.inet.ip.fragpackets: 1
>>>>>> net.inet.ip.check_interface: 0
>>>>>> net.inet.ip.random_id: 0
>>>>>> net.inet.ip.sendsourcequench: 0
>>>>>> net.inet.ip.process_options: 1
>>>>>> net.inet.ip.alias.sctp.track_global_addresses: 0
>>>>>> net.inet.ip.alias.sctp.param_proc_limit: 25
>>>>>> net.inet.ip.alias.sctp.chunk_proc_limit: 5
>>>>>> net.inet.ip.alias.sctp.initialising_chunk_proc_limit: 2
>>>>>> net.inet.ip.alias.sctp.accept_global_ootb_addip: 0
>>>>>> net.inet.ip.alias.sctp.error_on_ootb: 1
>>>>>> net.inet.ip.alias.sctp.hashtable_size: 2003
>>>>>> net.inet.ip.alias.sctp.holddown_timer: 0
>>>>>> net.inet.ip.alias.sctp.shutdown_timer: 15
>>>>>> net.inet.ip.alias.sctp.up_timer: 300
>>>>>> net.inet.ip.alias.sctp.init_timer: 15
>>>>>> net.inet.ip.alias.sctp.log_level: 0
>>>>>> net.inet.icmp.maskrepl: 0
>>>>>> net.inet.icmp.icmplim: 0
>>>>>> net.inet.icmp.bmcastecho: 0
>>>>>> net.inet.icmp.quotelen: 8
>>>>>> net.inet.icmp.reply_from_interface: 0
>>>>>> net.inet.icmp.reply_src:
>>>>>> net.inet.icmp.icmplim_output: 0
>>>>>> net.inet.icmp.log_redirect: 0
>>>>>> net.inet.icmp.drop_redirect: 1
>>>>>> net.inet.icmp.maskfake: 0
>>>>>> net.inet.igmp.gsrdelay: 10
>>>>>> net.inet.igmp.default_version: 3
>>>>>> net.inet.igmp.legacysupp: 0
>>>>>> net.inet.igmp.v2enable: 1
>>>>>> net.inet.igmp.v1enable: 1
>>>>>> net.inet.igmp.sendlocal: 1
>>>>>> net.inet.igmp.sendra: 1
>>>>>> net.inet.igmp.recvifkludge: 1
>>>>>> net.inet.ipip.ipip_allow: 0
>>>>>> net.inet.tcp.rfc1323: 1
>>>>>> net.inet.tcp.mssdflt: 512
>>>>>> net.inet.tcp.keepidle: 7200000
>>>>>> net.inet.tcp.keepintvl: 75000
>>>>>> net.inet.tcp.sendspace: 32768
>>>>>> net.inet.tcp.recvspace: 65536
>>>>>> net.inet.tcp.keepinit: 75000
>>>>>> net.inet.tcp.delacktime: 100
>>>>>> net.inet.tcp.v6mssdflt: 1024
>>>>>> net.inet.tcp.hostcache.purge: 0
>>>>>> net.inet.tcp.hostcache.prune: 300
>>>>>> net.inet.tcp.hostcache.expire: 3600
>>>>>> net.inet.tcp.hostcache.count: 14
>>>>>> net.inet.tcp.hostcache.bucketlimit: 30
>>>>>> net.inet.tcp.hostcache.hashsize: 512
>>>>>> net.inet.tcp.hostcache.cachelimit: 15360
>>>>>> net.inet.tcp.read_locking: 1
>>>>>> net.inet.tcp.recvbuf_max: 262144
>>>>>> net.inet.tcp.recvbuf_inc: 16384
>>>>>> net.inet.tcp.recvbuf_auto: 1
>>>>>> net.inet.tcp.insecure_rst: 0
>>>>>> net.inet.tcp.ecn.maxretries: 1
>>>>>> net.inet.tcp.ecn.enable: 0
>>>>>> net.inet.tcp.abc_l_var: 2
>>>>>> net.inet.tcp.rfc3465: 1
>>>>>> net.inet.tcp.rfc3390: 1
>>>>>> net.inet.tcp.rfc3042: 1
>>>>>> net.inet.tcp.drop_synfin: 1
>>>>>> net.inet.tcp.delayed_ack: 1
>>>>>> net.inet.tcp.blackhole: 0
>>>>>> net.inet.tcp.log_in_vain: 0
>>>>>> net.inet.tcp.sendbuf_max: 262144
>>>>>> net.inet.tcp.sendbuf_inc: 8192
>>>>>> net.inet.tcp.sendbuf_auto: 1
>>>>>> net.inet.tcp.tso: 1
>>>>>> net.inet.tcp.newreno: 1
>>>>>> net.inet.tcp.local_slowstart_flightsize: 4
>>>>>> net.inet.tcp.slowstart_flightsize: 1
>>>>>> net.inet.tcp.path_mtu_discovery: 1
>>>>>> net.inet.tcp.reass.overflows: 0
>>>>>> net.inet.tcp.reass.cursegments: 0
>>>>>> net.inet.tcp.reass.maxsegments: 4200
>>>>>> net.inet.tcp.sack.globalholes: 0
>>>>>> net.inet.tcp.sack.globalmaxholes: 65536
>>>>>> net.inet.tcp.sack.maxholes: 128
>>>>>> net.inet.tcp.sack.enable: 1
>>>>>> net.inet.tcp.signature_verify_input: 1
>>>>>> net.inet.tcp.inflight.stab: 20
>>>>>> net.inet.tcp.inflight.max: 1073725440
>>>>>> net.inet.tcp.inflight.min: 6144
>>>>>> net.inet.tcp.inflight.rttthresh: 10
>>>>>> net.inet.tcp.inflight.debug: 0
>>>>>> net.inet.tcp.inflight.enable: 0
>>>>>> net.inet.tcp.isn_reseed_interval: 0
>>>>>> net.inet.tcp.icmp_may_rst: 1
>>>>>> net.inet.tcp.pcbcount: 16
>>>>>> net.inet.tcp.do_tcpdrain: 1
>>>>>> net.inet.tcp.tcbhashsize: 512
>>>>>> net.inet.tcp.log_debug: 0
>>>>>> net.inet.tcp.minmss: 216
>>>>>> net.inet.tcp.syncache.rst_on_sock_fail: 1
>>>>>> net.inet.tcp.syncache.rexmtlimit: 3
>>>>>> net.inet.tcp.syncache.hashsize: 512
>>>>>> net.inet.tcp.syncache.count: 0
>>>>>> net.inet.tcp.syncache.cachelimit: 15360
>>>>>> net.inet.tcp.syncache.bucketlimit: 30
>>>>>> net.inet.tcp.syncookies_only: 0
>>>>>> net.inet.tcp.syncookies: 1
>>>>>> net.inet.tcp.timer_race: 0
>>>>>> net.inet.tcp.finwait2_timeout: 60000
>>>>>> net.inet.tcp.fast_finwait2_recycle: 0
>>>>>> net.inet.tcp.always_keepalive: 1
>>>>>> net.inet.tcp.rexmit_slop: 200
>>>>>> net.inet.tcp.rexmit_min: 30
>>>>>> net.inet.tcp.msl: 3000
>>>>>> net.inet.tcp.nolocaltimewait: 0
>>>>>> net.inet.tcp.maxtcptw: 13312
>>>>>> net.inet.udp.checksum: 1
>>>>>> net.inet.udp.maxdgram: 9216
>>>>>> net.inet.udp.recvspace: 42080
>>>>>> net.inet.udp.blackhole: 0
>>>>>> net.inet.udp.log_in_vain: 0
>>>>>> net.inet.esp.esp_enable: 1
>>>>>> net.inet.ah.ah_cleartos: 1
>>>>>> net.inet.ah.ah_enable: 1
>>>>>> net.inet.ipcomp.ipcomp_enable: 1
>>>>>> net.inet.carp.allow: 1
>>>>>> net.inet.carp.preempt: 0
>>>>>> net.inet.carp.log: 1
>>>>>> net.inet.carp.arpbalance: 0
>>>>>> net.inet.carp.suppress_preempt: 0
>>>>>> net.inet.ipsec.def_policy: 1
>>>>>> net.inet.ipsec.esp_trans_deflev: 1
>>>>>> net.inet.ipsec.esp_net_deflev: 1
>>>>>> net.inet.ipsec.ah_trans_deflev: 1
>>>>>> net.inet.ipsec.ah_net_deflev: 1
>>>>>> net.inet.ipsec.ah_cleartos: 1
>>>>>> net.inet.ipsec.ah_offsetmask: 0
>>>>>> net.inet.ipsec.dfbit: 0
>>>>>> net.inet.ipsec.ecn: 0
>>>>>> net.inet.ipsec.debug: 0
>>>>>> net.inet.ipsec.filtertunnel: 0
>>>>>> net.inet.ipsec.crypto_support: 50331648
>>>>>> net.inet.raw.recvspace: 9216
>>>>>> net.inet.raw.maxdgram: 9216
>>>>>> net.inet.accf.unloadable: 0
>>>>>> net.inet.accf.http.parsehttpversion: 1
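A check over the netstat -m figures Marcelo posted, flagging cluster zones near their max and any denied allocation requests, which is what Alexandre was looking for. Added example, not from any participant in the thread; it assumes the line layout shown above, and the second sample is constructed to show what an exhausted zone looks like.

```python
import re

# netstat -m figures copied from the listing posted in the thread (a healthy box).
NETSTAT_M = """\
2050/1415/3465 mbufs in use (current/cache/total)
2048/1326/3374/66560 mbuf clusters in use (current/cache/total/max)
2047/581 mbuf+clusters out of packet secondary zone in use (current/cache)
0/574/574/33280 4k (page size) jumbo clusters in use (current/cache/total/max)
0/0/0/16640 9k jumbo clusters in use (current/cache/total/max)
0/0/0/8320 16k jumbo clusters in use (current/cache/total/max)
4608K/5301K/9910K bytes allocated to network (current/cache/total)
0/0/0 requests for mbufs denied (mbufs/clusters/mbuf+clusters)
0/0/0 requests for jumbo clusters denied (4k/9k/16k)
"""

# Constructed sample of an exhausted cluster zone (not from the thread).
NETSTAT_M_EXHAUSTED = """\
65000/1000/66000/66560 mbuf clusters in use (current/cache/total/max)
12/340/0 requests for mbufs denied (mbufs/clusters/mbuf+clusters)
"""

ZONE_RE = re.compile(r"(\d+)/(\d+)/(\d+)/(\d+)\s+(.+?) in use")
DENIED_RE = re.compile(r"(\d+)/(\d+)/(\d+) requests for (.+?) denied \((.+)\)")

def parse_netstat_m(text):
    """Return (zones, denied): zone -> (current, cache, total, max); "group:kind" -> denied count."""
    zones, denied = {}, {}
    for line in text.splitlines():
        m = ZONE_RE.match(line)
        if m:  # only lines that report a max can be compared against a limit
            zones[m.group(5)] = tuple(int(x) for x in m.group(1, 2, 3, 4))
            continue
        m = DENIED_RE.match(line)
        if m:  # "a/b/c requests for X denied (p/q/r)" pairs each count with its kind
            for kind, count in zip(m.group(5).split("/"), m.group(1, 2, 3)):
                denied[f"{m.group(4)}:{kind}"] = int(count)
    return zones, denied

def check_mbuf_pressure(text, threshold=0.8):
    """List zones at or above `threshold` of their max plus any non-zero denied counter."""
    zones, denied = parse_netstat_m(text)
    findings = []
    for zone, (_cur, _cache, total, limit) in zones.items():
        if limit and total / limit >= threshold:
            findings.append(f"{zone}: {total}/{limit} allocated ({total / limit:.0%})")
    for name, count in denied.items():
        if count:
            findings.append(f"{name}: {count} requests denied")
    return findings
```

On the posted figures check_mbuf_pressure returns an empty list, so the mbuf pool was not the bottleneck at the time of the netstat run; the same function over live `netstat -m` output taken while the error is occurring is the comparison that matters.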