This may or may not be helpful, but of the 4 somewhat heavily used
m0n0wall systems I have in place (with no freezes since inception) I use
DHCP, VPN (IPSEC and PPTP), inbound NAT only (no 1:1 or server or
outbound), no traffic shaping, no wireless, only LAN and WAN interfaces
(no opt), no proxy, DynDNS or SNMP, and lots of firewall rules. I allow
fragmented packets across IPSEC (otherwise remote desktop and Exchange
choke across IPSEC due to MTU issues - server MTU changes were also
required down to 1430) and I do allow ICMP through the firewall.
Chris Buechler wrote:
> On 6/30/06, Soren Vanggaard Jensen <svanggaard at hotmail dot com> wrote:
>> Also I saw this:
>> I know that the advisory says that only FreeBSD 6.0 is affected - but I
>> assume that the most recent version of ipfw isn't written from scratch.
> No, but it is *substantially* changed from what was in 4.11. There
> are at least twice the features, if not more than that. There's a
> good 4-5 years of development between much of what's in 4.11 and 6.0,
> with drastic system-wide changes made in 5.x and a lot of polishing in
> 4.11 is still a maintained release that gets *all* security fixes. So
> is 5.5 (and a few other 4.x and 5.x releases). It was obviously
> introduced in some new feature or related change added in RELENG_6
> prior to the release of 6.0, otherwise they would have fixed 4.x and
> 5.x releases as well.
> Could there be a different issue in ipfw that's causing this?
> Possibly, but there are people that aren't using ipfw at all that have
> the problem. From what we know at this point, if it even is network
> traffic related, it could be ICMP, TCP, UDP, GRE, or any other IP
> FWIW, Aaron emailed me his config.xml off list and he isn't using the
> traffic shaper or captive portal, so ipfw isn't even loaded on his
> problem system (which is by far the most reliable case for software
> issues that I've heard yet - nobody's gone to near the extent that he
> has to rule out hardware). ipfw is a kernel module that gets
> loaded/unloaded depending on what you have enabled. It's definitely
> not Aaron's problem.