[ previous ] [ next ] [ threads ]
 
 From:  "Soren Vanggaard Jensen" <svanggaard at hotmail dot com>
 To:  jurgenvv at xs4all dot nl, m0n0wall at lists dot m0n0 dot ch
 Subject:  RE: [m0n0wall] Version 1.22 freeze
 Date:  Fri, 30 Jun 2006 13:02:14 +0000
I would guess, that almost all monos are connected directly to the internet. 
That is, i doubt that the problem is caused by random external traffic. 
Also, with the exception og WAN ICMP echo allowed, ICMP/IP is typically 
blocked on the WAN interface. Also i doubt that the problem startet 
inbetween 4.11-RELEASE-p13 and 4.11-RELEASE-p16. I believe that older 
monowalls had the problem also.

One thing that does vary btw. installations is data fragmentation. All the 
monowalls that i've installed are (by coincidence) connected to the same 
ITSP and has almost the same configuration. At the same time i have only 1 
instance giving me problems. It has to be something in that particular LAN 
that causes the problems.

Do any of you guys have a suggestion for an ICMP test tool? I'd like to 
bombard monowall (or a random internet host through monowall) with strange 
ICMP traffic.


BR






>From: "Jurgen van Vliet" <jurgenvv at xs4all dot nl>
>To: <m0n0wall at lists dot m0n0 dot ch>
>Subject: RE: [m0n0wall] Version 1.22 freeze
>Date: Fri, 30 Jun 2006 14:00:06 +0200
>
>Only minor differences
>
>Well, the one thats freezing up is located on Aruba , with a adsl line on
>uit ..
>All others I got running are here in Holland. (might explain why I cannot 
>go
>check it out easy :)
>I can try it with a smaller MTU maybe ?
>
>I think your feeling points in the right direction, all freezing reports I
>seen are always with a internet connection to the m0n0 right ?
>Must be something like that, some kind of external traffic makes it
>freeze...
>
>The base of went from FreeBSD 4.11-RELEASE-p13 to 4.11-RELEASE-p16 , maybe
>we can track something down in the bsd changelog ?
>
>Regards,
>Jurgen van Vliet
>[WAN]GlowDog on freenode IRC
>
>-----Original Message-----
>From: Soren Vanggaard Jensen [mailto:svanggaard at hotmail dot com]
>Sent: vrijdag 30 juni 2006 10:59
>To: jurgenvv at xs4all dot nl; m0n0wall at lists dot m0n0 dot ch
>Subject: RE: [m0n0wall] Version 1.22 freeze
>
>I assume that your mono's are more or less configured the same way....
>
>
>so... what's the difference between the networks at the customer premises?
>Well - my gues is that IP and/or ICMP fragmentation (and perhaps MTU) is
>different in the problem site. Is there any way you could check this?
>
>
>BR

>
>
>
>
>
> >From: "Jurgen van Vliet" <jurgenvv at xs4all dot nl>
> >To: <m0n0wall at lists dot m0n0 dot ch>
> >Subject: RE: [m0n0wall] Version 1.22 freeze
> >Date: Fri, 30 Jun 2006 10:15:40 +0200
> >
> >Yep, at one customer on a wrap board
> >I have +- 20-30 more wrap units running with 1.22 without problems.
> >
> >Jurgen.
> >
> >-----Original Message-----
> >From: Soren Vanggaard Jensen [mailto:svanggaard at hotmail dot com]
> >Sent: vrijdag 30 juni 2006 10:09
> >To: jurgenvv at xs4all dot nl; m0n0wall at lists dot m0n0 dot ch
> >Subject: RE: [m0n0wall] Version 1.22 freeze
> >
> >Are you having freeze problems?
> >
> >
> >BR

> >
> >
> >
> >
> >
> > >From: "Jurgen van Vliet" <jurgenvv at xs4all dot nl>
> > >To: <m0n0wall at lists dot m0n0 dot ch>
> > >Subject: RE: [m0n0wall] Version 1.22 freeze
> > >Date: Fri, 30 Jun 2006 09:59:10 +0200
> > >

> > >
> > >In this case icmp traffic is allowed between lan and wan, and between
> > >opt and wan Hope it helps.
> > >
> > >Regards,
> > >
> > >Jurgen
> > >
> > >-----Original Message-----
> > >From: Soren Vanggaard Jensen [mailto:svanggaard at hotmail dot com]
> > >Sent: vrijdag 30 juni 2006 7:33
> > >To: leesharp at hal dash pc dot org; m0n0wall at lists dot m0n0 dot ch
> > >Subject: Re: [m0n0wall] Version 1.22 freeze
> > >
> > >
> > >Hi All,
> > >
> > >I have a gut feeling that the lockup problem is caused by ICMP traffic.
> > >I have no hard evidence but...
> > >
> > >A year ago i had a problem with a older version of monowall. The same
> > >problem went on for more than 4 months and for 3+ hardware setups. Back
> > >then, the problem suddently disappeared. The only thing that i can
> > >think of is that i removed all ICMP related traffic shaping rules.
> > >
> > >Also i saw this:
> > >ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-06:04.ipfw
> > >.asc I know that the advisory says that only FreeBSD 6.0 is affected -
> > >but i assume that the most recent version of ipfw isn't written from
> > >scratch.
> > >
> > >Right now i have a monowall installation that freequently freezes. This
> > >particular installation has no ICMP traffic shaping rules, but ICMP
> > >traffic is permitted for specific hosts.
> > >
> > >I'd like to ask you guys how youre handling ICMP traffic... If your
> > >monowall freezes up - do you allow ICMP traffic or not? If your
> > >monowall never freezes - do you allow ICMP traffic or not?
> > >
> > >BR

> > >
> > >
> > >
> > >
> > >
> > > >From: "Lee Sharp" <leesharp at hal dash pc dot org>
> > > >To: <m0n0wall at lists dot m0n0 dot ch>
> > > >Subject: Re: [m0n0wall] Version 1.22 freeze
> > > >Date: Thu, 29 Jun 2006 11:18:20 -0500
> > > >
> > > >From: "Aaron Cherman" <aaronc at morad dot ab dot ca>
> > > >
> > > >>>For all following this thread, I have just finished a fresh install
> > > >>>and config of m0n0 1.22 on one of three new Dell PowerEdge 1850
> > > >>>servers, running off of a USB flash drive.  I plan on putting this
> > > >>>unit into production tomorrow afternoon.  I will let you know how
> > > >>>it
> > >goes.
> > > >
> > > >>And the saga continues...  I didn't have chance yesterday to make
> > > >>the change to the Dell server so I let things run and was going to
> > > >>make the change today.  After just over 9 days uptime the existing
> > > >>box locked up last night at 12:26 am.  By the time I got the alarm,
> > > >>got to the office and got everything changed over, we were back up
> > > >>and running on the new server at 12:55 am.  At 8:06 am today, the
> > > >>Dell server locks up.  If I do the math right that's 7:11 of uptime.
> > > >>Again, this config is one built from scratch on 1.22, brand new
> > > >>server out of the box.  This now makes (I
> > > >>think) 6 different hardware platforms I've tried (all of which work
> > > >>great in my other m0n0 apps).  None of these hardware platforms have
> > > >>shared ANY of the same components, they are all unique.
> > > >
> > > >I feel your pain.  How about this...  You have plenty of hardware, so
> > > >set up a m0n0wall in front of your m0n0wall.  Have it do nothing.
> > > >(No VPN, traffic shaping...  Just basic firewall, routing/NAT and
> > > >forwarding)  Put all the heaving lifting on the inside firewall.  See
> > > >what crashes.  Move apps from inside to outside, and see when the
> > > >crash moves.  If you end up with everything on the outside firewall,
> > > >it is some internal "poison packet" killing you.  If it dies with
> > > >nothing, it is an external "poison packet."
> > > >
> > > >                                    Lee
> > > >
> > > >
> > > >---------------------------------------------------------------------
> > > >To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> > > >For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
> > > >
> > >
> > >
> > >
> > >---------------------------------------------------------------------
> > >To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> > >For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
> > >
> > >
> > >
> > >---------------------------------------------------------------------
> > >To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> > >For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
> > >
> >
> >
> >
> >
> >---------------------------------------------------------------------
> >To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> >For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
> >
>
>
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
>For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
>
>
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
>For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
>