I have a gut feeling that the lockup problem is caused by ICMP traffic. I
have no hard evidence but...
A year ago i had a problem with a older version of monowall. The same
problem went on for more than 4 months and for 3+ hardware setups. Back
then, the problem suddently disappeared. The only thing that i can think of
is that i removed all ICMP related traffic shaping rules.
Also i saw this:
I know that the advisory says that only FreeBSD 6.0 is affected - but i
assume that the most recent version of ipfw isn't written from scratch.
Right now i have a monowall installation that freequently freezes. This
particular installation has no ICMP traffic shaping rules, but ICMP traffic
is permitted for specific hosts.
I'd like to ask you guys how youre handling ICMP traffic... If your monowall
freezes up - do you allow ICMP traffic or not? If your monowall never
freezes - do you allow ICMP traffic or not?
>From: "Lee Sharp" <leesharp at hal dash pc dot org>
>To: <m0n0wall at lists dot m0n0 dot ch>
>Subject: Re: [m0n0wall] Version 1.22 freeze
>Date: Thu, 29 Jun 2006 11:18:20 -0500
>From: "Aaron Cherman" <aaronc at morad dot ab dot ca>
>>>For all following this thread, I have just finished a fresh install and
>>>config of m0n0 1.22 on one of three new Dell PowerEdge 1850 servers,
>>>running off of a USB flash drive. I plan on putting this unit into
>>>production tomorrow afternoon. I will let you know how it goes.
>>And the saga continues... I didn't have chance yesterday to make the
>>change to the Dell server so I let things run and was going to make the
>>change today. After just over 9 days uptime the existing box locked up
>>last night at 12:26 am. By the time I got the alarm, got to the office
>>and got everything changed over, we were back up and running on the new
>>server at 12:55 am. At 8:06 am today, the Dell server locks up. If I do
>>the math right that's 7:11 of uptime. Again, this config is one built
>>from scratch on 1.22, brand new server out of the box. This now makes (I
>>think) 6 different hardware platforms I've tried (all of which work great
>>in my other m0n0 apps). None of these hardware platforms have shared ANY
>>of the same components, they are all unique.
>I feel your pain. How about this... You have plenty of hardware, so set
>up a m0n0wall in front of your m0n0wall. Have it do nothing. (No VPN,
>traffic shaping... Just basic firewall, routing/NAT and forwarding) Put
>all the heaving lifting on the inside firewall. See what crashes. Move
>apps from inside to outside, and see when the crash moves. If you end up
>with everything on the outside firewall, it is some internal "poison
>packet" killing you. If it dies with nothing, it is an external "poison
>To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
>For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch