From: Grant Taylor <gtaylor@riverviewtech.net>
To: netfilter@lists.netfilter.org
Subject: Re: Troubleshooting stability issue
Date: Fri, 12 Aug 2005 00:14:35 -0500 [thread overview]
Message-ID: <42FC303B.30403@riverviewtech.net> (raw)
In-Reply-To: <1123689748.21756.TMDA@mercury.zynet.net>
Simon Waters wrote:
> One of our firewalls appears to be unstable.
>
> The problems started with adding ip_conntrack and ip_conntrack_ftp, as we need
> to support active mode FTP from inside to the outside.
>
> Prior to this we were using it as a basic port filter (poor iptables), and so
> many of the rules exist to allow return packets without connection tracking.
>
> As such it makes sense for us to "clean-up" the ruleset, but this hasn't
> happened yet.
>
> Due to some interesting (and maybe related?) hardware issues, we've run the
> same firewall configuration on three different servers (all x86, Redhat and
> Debian, IDE and SCSI), including one with the latest (for Debian) 2.6.8
> kernel, and are fairly confident we see the same software issue on all three
> boxes.
>
> Symptom is that by the time we get to it, the box is totally unresponsive to
> local console, is not forwarding packets. In a word "hung".
>
> Memory isn't obviously leaking.
I do not recall what 2.6 kernel it was in, but there was a memory leak that plagued a system that did (extensive?) firewalling / routing in the mid 2.6 kernels. I ran in to this on a system and ended up croning a reboot daily. I have not had time to go back and upgrade the system to a kernel that does not have the memory leak. I am not sure but I think I have 2.6.8 on the box.
> The number of lines in "ip_conntrack" does appear to grow with time, but is
> still way below (at around 3000) the maximum allowed of 32,000+, and isn't
> growing monotonically. I think there may be clues here, if only to what is
> wrong with the ruleset.
>
> Apart from sshd, there is practically nothing running.
> atd
> crond
> inetd (this has nothing configured in /etc/inetd.conf, so I'll remove it).
> Postfix is listening on 127.0.0.1:25 in case anything local suddenly needs to
> report anything to me.
> lpd (lpd was running and not listening on any ports, so I'll remove it).
>
> Just looking for some helpful pointers on how to investigate this issue
> further.
>
> As even with a "suboptimal" rule set I wouldn't expect the box to hang.
> Logs have no useful entries (certainly no "table full" messages).
>
> Don't want to post the full ruleset here, at least not till I've been over it
> with a finetoothed comb. And it is about 230 lines. On the upside quite a lot
> of it has just been obseleted by us relocating all our machines to one site,
> so I can shortly remove large chunks of it.
>
> Simon
Grant. . . .
prev parent reply other threads:[~2005-08-12 5:14 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-08-10 16:02 Troubleshooting stability issue Simon Waters
2005-08-11 6:00 ` Jan Engelhardt
2005-08-12 5:14 ` Grant Taylor [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=42FC303B.30403@riverviewtech.net \
--to=gtaylor@riverviewtech.net \
--cc=netfilter@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox