 
 From:  Jeff Buehler <jeff at buehlertech dot com>
 To:  Chris Buechler <cbuechler at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Version 1.22 freeze
 Date:  Fri, 30 Jun 2006 09:47:06 -0700
This may or may not be helpful, but of the 4 somewhat heavily used 
m0n0wall systems I have in place (with no freezes since inception) I use 
DHCP, VPN (IPSEC and PPTP), inbound NAT only (no 1:1 or server or 
outbound), no traffic shaping, no wireless, only LAN and WAN interfaces 
(no opt), no proxy, DynDNS or SNMP, and lots of firewall rules.  I allow 
fragmented packets across IPSEC (otherwise remote desktop and Exchange 
choke across IPSEC due to MTU issues - server MTU changes were also 
required down to 1430) and I do allow ICMP through the firewall.

Jeff

Chris Buechler wrote:
> On 6/30/06, Soren Vanggaard Jensen <svanggaard at hotmail dot com> wrote:
>>
>> Also I saw this:
>> ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-06:04.ipfw.asc 
>>
>> I know that the advisory says that only FreeBSD 6.0 is affected - but I
>> assume that the most recent version of ipfw isn't written from scratch.
>>
>
> No, but it is *substantially* changed from what was in 4.11.  There
> are at least twice the features, if not more than that.  There's a
> good 4-5 years of development between much of what's in 4.11 and 6.0,
> with drastic system-wide changes made in 5.x and a lot of polishing in
> 6.0.
>
> 4.11 is still a maintained release that gets *all* security fixes.  So
> is 5.5 (and a few other 4.x and 5.x releases).  It was obviously
> introduced in some new feature or related change added in RELENG_6
> prior to the release of 6.0, otherwise they would have fixed 4.x and
> 5.x releases as well.
>
> Could there be a different issue in ipfw that's causing this?
> Possibly, but there are people that aren't using ipfw at all that have
> the problem.  From what we know at this point, if it even is network
> traffic related, it could be ICMP, TCP, UDP, GRE, or any other IP
> protocol.
>
> FWIW, Aaron emailed me his config.xml off list and he isn't using the
> traffic shaper or captive portal, so ipfw isn't even loaded on his
> problem system (which is by far the most reliable case for software
> issues that I've heard yet - nobody's gone to near the extent that he
> has to rule out hardware).  ipfw is a kernel module that gets
> loaded/unloaded depending on what you have enabled.  It's definitely
> not Aaron's problem.
>
> -Chris