RE: Problems with IPFW causing failed DNS and FTP sessions

2013-04-01 Thread Don O'Neil
rnally to IPFW? Thanks! -Original Message- From: Michael Sierchio [mailto:ku...@tenebras.com] Sent: Monday, April 01, 2013 7:23 AM To: Don O'Neil Cc: freebsd-questions@freebsd.org Subject: Re: Problems with IPFW causing failed DNS and FTP sessions Okay, what's your DNS setup? Are you

Re: Problems with IPFW causing failed DNS and FTP sessions

2013-04-01 Thread Michael Sierchio
Okay, what's your DNS setup? Are you running a recursive cache that contacts the root servers directly? Using your ISP's servers? Etc. As a mitigation step, I tried pointing my caches to 8.8.8.8 and 8.8.4.4. - but it turns out that Google is intentionally blocking (returning NX responses to) ma

RE: Problems with IPFW causing failed DNS and FTP sessions

2013-04-01 Thread Don O'Neil
- From: owner-freebsd-questi...@freebsd.org [mailto:owner-freebsd-questi...@freebsd.org] On Behalf Of Michael Sierchio Sent: Sunday, March 31, 2013 10:04 PM To: Don O'Neil Cc: freebsd-questions@freebsd.org Subject: Re: Problems with IPFW causing failed DNS and FTP sessions net.inet.ip.fw.dyn

Re: Problems with IPFW causing failed DNS and FTP sessions

2013-03-31 Thread Michael Sierchio
net.inet.ip.fw.dyn_short_lifetime ? net.inet.ip.fw.dyn_udp_lifetime ? You might want to increase these, given the current state of things... ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To uns

Re: Problems with IPFW causing failed DNS and FTP sessions

2013-03-31 Thread Michael Sierchio
On Sun, Mar 31, 2013 at 9:39 PM, Michael Powell wrote: > I'm probably not smart enough to be able to help directly with your problem > but I'd like to add that there is a snowballing DNS Amplification ddos > attack against SpamHaus going on which is spilling over Yes, this is very much true. Th

Re: Problems with IPFW causing failed DNS and FTP sessions

2013-03-31 Thread Michael Sierchio
l just recently. I've checked my interface stats to make sure > there aren't a bunch of fragmented packets or errors, and there aren't. I'm > not running NAT, it's a publically accessible IP address. > > -Original Message- > From: Michael Sierchio [mailto:ku...@tene

Re: Problems with IPFW causing failed DNS and FTP sessions

2013-03-31 Thread Michael Powell
Don O'Neil wrote: > Hi everyone. recently my server started having issues with DNS and FTP > sessions either not resolving or timing out. I've tracked the issue down > to IPFW. if I issue a 'sysctl net.inet.ip.fw.enable=0' then my issues go > away. > [snip] I'm probably not smart enough to be ab

RE: Problems with IPFW causing failed DNS and FTP sessions

2013-03-31 Thread Don O'Neil
gmented packets or errors, and there aren't. I'm not running NAT, it's a publically accessible IP address. -Original Message- From: Michael Sierchio [mailto:ku...@tenebras.com] Sent: Sunday, March 31, 2013 8:58 PM To: Don O'Neil Cc: freebsd-questions@freebsd.org Subject:

Re: Problems with IPFW causing failed DNS and FTP sessions

2013-03-31 Thread Michael Sierchio
It would be really helpful if you'd post the ruleset. At first glance, your stateful rules seem rather wrong, unless there's a check-state above. Also, in and out aren't discriminating enough - every packet is seen by the ruleset more than once. You should think in terms of interfaces, direction