Subject: Re: Strange ipnat behaviour
From: Gerhard Sittig (Gerhard.Sittig gmx.net)
Date: Fri Aug 11 2000 - 13:05:25 CDT
- Next message: Matt Heckaman: "Re: Unified diff format in output of /etc/security?"
- Previous message: Gerhard Sittig: "Re: Unified diff format in output of /etc/security?"
- In reply to: Damien Tougas: "Strange ipnat behaviour"
- Reply: Gerhard Sittig: "Re: Strange ipnat behaviour"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Wed, Aug 09, 2000 at 15:39 -0400, Damien Tougas wrote:
>
> [ ... ipnat on FreeBSD 3.4-Stable ... ]
>
> The problem that we are seeing is that for some reason unknown
> to us, nat just stops working. The only way to get it to work
> again is to clear the ipnat tables and rules and re-initialize
> them using the following sequence:
>
> /usr/sbin/ipnat -CF
> /usr/sbin/ipnat -f /etc/rc.nat
>
> After that, everything works just fine.
> The config file we use (rc.nat) is very simple:
>
> map de0 10.0.0.0/8 -> 0/32 portmap tcp/udp 1025:65000
> map de0 10.0.0.0/8 -> 0/32

Do you get different IP addresses and then it fails? Your
mapping to 0/32 means "use the interface's address" and won't
work when it's not any longer the address assigned at "ipnat -f"
time. Read "man ipf" and especially watch out for the -y switch.
I had to put something this way into ppp.linkup and ppp.linkdown
to make things work.

> Our first thought was that we might have run out of ports, but
> we discovered that there were no more than about 3000 sessions
> active at the time.

So the number of ports is not a problem, but is memory? These
3000 sessions have their state to be kept somewhere. Could you
decrease the timeout to handle more connections with the same
amount of RAM?

virtually yours 82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig true | mail -s "get gpg key" Gerhard.Sittig gmx.net
--
If you don't understand or are scared by any of the above
ask your parents or an adult to help you.
To Unsubscribe: send mail to majordomo FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
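
The stale-address case raised in the reply above, as an added example that is not part of the original message or of IP Filter: a hook script that reruns the quoted ipnat sequence only when the interface address has changed. The state file, the function names, the `/sbin/ipf` path and the sample ifconfig text are assumptions; `de0`, `/etc/rc.nat` and the ipnat commands are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): reload ipnat rules only when the
# address of the outside interface has changed. "map ... -> 0/32" takes the
# interface address when the rules are loaded, so a later address change
# leaves NAT mapping to a stale address.
IFACE="${IFACE:-de0}"                           # interface in the quoted rc.nat
RULES="${RULES:-/etc/rc.nat}"                   # rules file in the quoted commands
STATE="${STATE:-/var/run/ipnat.${IFACE}.addr}"  # hypothetical state file

# Constructed sample of ifconfig output (documentation addresses).
SAMPLE_IFCONFIG='de0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
        inet6 fe80::1%de0 prefixlen 64 scopeid 0x1
        ether 00:00:5e:00:53:01'

# Print the first IPv4 address in ifconfig-style text read from stdin.
first_inet() {
    awk '$1 == "inet" { print $2; exit }'
}

# Succeed when a reload is needed. $1 = current address, $2 = state file.
needs_reload() {
    [ -n "$1" ] || return 1      # link has no address yet: nothing to map to
    [ -r "$2" ] || return 0      # nothing recorded: load the rules once
    [ "$(cat "$2")" != "$1" ]    # reload only when the address differs
}

# Resync the interface list, then rerun the sequence quoted in the thread.
# "ipnat -CF" also drops active translations, hence the check above.
# The /sbin/ipf path is an assumption.
reload_nat() {
    /sbin/ipf -y &&
    /usr/sbin/ipnat -CF &&
    /usr/sbin/ipnat -f "$RULES" &&
    printf '%s\n' "$1" > "$STATE"
}

sync_nat() {
    cur=$(ifconfig "$IFACE" | first_inet)
    if needs_reload "$cur" "$STATE"; then reload_nat "$cur"; fi
}

# Only touch the system when asked to, e.g. from a link-up hook.
if [ "${1:-}" = "--apply" ]; then sync_nat; fi
```

Run with `--apply` from whatever fires on link changes, such as the ppp.linkup and ppp.linkdown entries the reply mentions.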