ifconfig gif0 create freezes FreeBSD 9

Hello,

I use sixxs-aiccu to build a tunnel to the IPv6 network, which was working before. Suddenly it stopped working and I don't know why. I can see a process in ps aux of ifconfig(8) that is 'hanging'; when I try to manually create the gif0 interface my SSH session freezes and I need to log in again. I already tried to deinstall and reinstall the aiccu-sixxs package from the ports tree.

Code:
[root@server /home/donald]# uname -a
FreeBSD server.f******r.com 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Jan  3 07:46:30 UTC 2012     root@farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  amd64
[root@server /home/donald]#
top gives me:
Code:
last pid:  5547;  load averages:  1.04,  1.03,  1.00    up 0+06:17:36  23:05:28
76 processes:  2 running, 74 sleeping
CPU:  0.0% user,  0.0% nice, 25.1% system,  0.0% interrupt, 74.9% idle
Mem: 482M Active, 178M Inact, 293M Wired, 6928K Cache, 244M Buf, 2965M Free
Swap: 4096M Total, 4096M Free

  PID USERNAME       THR PRI NICE   SIZE    RES STATE   C   TIME   WCPU COMMAND
 1863 root             1  31    0 18436K  1468K CPU3    3 373:35 100.00% ifconfig
Code:
[root@server /home/donald]# ps aux|grep ifconfig
root        1863 100.0  0.0  18436   1468  ??  R     4:49PM  373:35.44 /sbin/ifconfig gif0 create
root        5512   0.0  0.0  16424   1520   0  R+   11:03PM    0:00.00 grep ifconfig
[root@server /home/donald]#
ifconfig gives me (IP masked with asterisks):
Code:
[root@server /home/donald]# ifconfig
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=389b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_UCAST,WOL_MCAST,WOL_MAGIC>
        ether 00:23:cd:b0:f3:74
        inet 213.126.*.114 netmask 0xfffffff8 broadcast 213.126.*.119
        inet6 fe80::223:cdff:feb0:f374%re0 prefixlen 64 scopeid 0x2
        inet 213.126.*.115 netmask 0xfffffff8 broadcast 213.126.*.119
        inet 213.126.*.116 netmask 0xfffffff8 broadcast 213.126.*.119
        inet 213.126.*.117 netmask 0xfffffff8 broadcast 213.126.*.119
        inet 213.126.*.118 netmask 0xfffffff8 broadcast 213.126.*.119
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect <flowcontrol> (100baseTX <full-duplex,flowcontrol,rxpause,txpause>)
        status: active
re1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=389b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_UCAST,WOL_MCAST,WOL_MAGIC>
        ether 00:23:cd:b0:ba:d8
        inet 192.168.0.1 netmask 0xffffffe0 broadcast 192.168.0.31
        inet6 fe80::223:cdff:feb0:bad8%re1 prefixlen 64 scopeid 0x3
        inet6 2001:838:34c::1 prefixlen 64
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect <flowcontrol> (100baseTX <full-duplex,flowcontrol,rxpause,txpause>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=3<RXCSUM,TXCSUM>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
[root@server /home/donald]#

What could be wrong?

Any help would be greatly appreciated...

Regards,
Donald.
 
Your interface aliases on re0 look wrong to me. Try changing them so that only the first address .114 uses the 0xfffffff8 netmask and the rest are configured with 0xffffffff netmask.
 
Subnet Alias IP's

Should the subnet of aliased IPs always be 0xffffffff?
My ISP is routing the subnet 213.126.*.112 netmask 255.255.255.248 through a VPN router (NetScreen SRX) to my FreeBSD server; it's all coming in on one interface.
The ISP has given me the netmask 255.255.255.248 for use with that subnet; shouldn't I use that on the aliased IPs too?
Could that be the reason the gif0 interface hangs when creating it? It worked before...

Regards,
Donald.
 
Netmasks on aliases should be 255.255.255.255, but I don't think that's the reason for the hanging system. Not really sure what's causing that.
 
Hangs

Okay, I changed that now, so it looks like:

Code:
[root@server /]# ifconfig
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=389b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_UCAST,WOL_MCAST,WOL_MAGIC>
        ether 00:23:cd:b0:f3:74
        inet 213.126.*.114 netmask 0xfffffff8 broadcast 213.126.*.119
        inet6 fe80::223:cdff:feb0:f374%re0 prefixlen 64 scopeid 0x2
        inet 213.126.*.115 netmask 0xffffffff broadcast 213.126.*.119
        inet 213.126.*.116 netmask 0xffffffff broadcast 213.126.*.119
        inet 213.126.*.117 netmask 0xffffffff broadcast 213.126.*.119
        inet 213.126.*.118 netmask 0xffffffff broadcast 213.126.*.119
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect <flowcontrol> (100baseTX <full-duplex,flowcontrol,rxpause,txpause>)
        status: active
re1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=389b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_UCAST,WOL_MCAST,WOL_MAGIC>
        ether 00:23:cd:b0:ba:d8
        inet 192.168.0.1 netmask 0xffffffe0 broadcast 192.168.0.31
        inet6 fe80::223:cdff:feb0:bad8%re1 prefixlen 64 scopeid 0x3
        inet6 2001:838:34c::1 prefixlen 64
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect <flowcontrol> (100baseTX <full-duplex,flowcontrol,rxpause,txpause>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=3<RXCSUM,TXCSUM>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
[root@server /]# ls
But as you said, it makes no difference to the 'hanging' process of ifconfig gif0 create...
How can I research why it hangs? Where to start? Any suggestions?
 
Some ideas (without knowing anything about sixxs-aiccu except reading their homepage):

freezes and I need to log in again
  • re-login via which interface? Which one gets disconnected (temporarily)?

I guess you already read http://www.freebsd.org/doc/de/books/handbook/network-ipv6.html
Does that help a little?
 
Read all

No, I checked all of the log files in /var/log and dmesg(1); nothing is logged.
I have not checked without sixxs-aiccu, but the machine also hangs when creating any other interface, like tun0 for example, so I don't think SixXS is causing the problem; but I will try to remove the sixxs-aiccu port and create the tunnel manually.
And yes, of course I have read all of the IPv6 instructions and howtos and edited all the files to set it up properly; as I said, it worked before, that's the strange thing.

The only thing I do regularly is keep the ports tree up to date with portsnap fetch update and manually issue a portmaster -a command.

The SSH connection is dropped when I try ifconfig gif0 create, but I can log in again when making the connection again.

But when I'm at the location, the terminal (tty1) is locked as well; I need to reboot to get the system to respond (by turning the server off and on). CTRL-ALT-F2 didn't work, and CTRL-ALT-DEL or even pressing the POWER button once didn't do anything.
 
I don't know about you, but I had various issues with using SixXS, including a v6 tunnel which worked and then stopped working without warning.

I eventually kicked them to the curb and went exclusively with Hurricane Electric, which was 100x easier.

http://www.tunnelbroker.net

Case in Point

Code:
ifconfig gif0 create
ifconfig gif0 tunnel [YOUR_v4_IPADDR] [HE_SERVER_v4_IPADDR]
ifconfig gif0 inet6 [YOUR_v6_IPADDR] [HE_SERVER_v6_IPADDR] prefixlen 128
route -n add -inet6 default [HE_SERVER_v6_IPADDR]
ifconfig gif0 up
 
IPv6

I never had any issue with SixXS; however, I'll keep Hurricane in mind...
I run another tunnel (with another IPv6 subnet, but the same account) through another server (Ubuntu 11.04 server), which runs fine.

Even when I removed the sixxs-aiccu package, FreeBSD freezes when issuing ifconfig gif0 create. I can't find out why; yesterday I even recompiled the kernel, and it still freezes when running ifconfig gif0 create...

Any ideas how to troubleshoot?
 
That pretty much rules out a problem with net/sixxs-aiccu. I also have had zero issues with my SixXS tunnel, it just works 24/7.

Can you post the relevant parts of /etc/rc.conf? Also, if you have made any customizations to the kernel config, post them as well.

It's probably not the cause of the problem, but why do you have netmask 0xffffffe0 on re1? It's more common to use the full 8 bits for the host part with netmask 0xffffff00.
 
It's not specifically due to SixXS; even when I remove the sixxs package, the ifconfig gif0 create process (or any other tunnel, gre0 or tun0) still hangs.
I have tried it without all the options set in sysctl.conf and loader.conf; it doesn't matter.
I have recompiled the kernel because I want to use pf instead of ipf and want IPsec support to build a tunnel to another server with racoon.

I use the netmask 255.255.255.224 on re1 because I have different subnets at multiple locations and they are all in the 192.168.0.* range; to avoid a lot of configuration work I used different little subnets inside the 192.168.0.* range.

Okay, more rules to come, here we go...
Code:
[root@server /etc]# cat rc.conf
hostname="server.f????????r.com"
keymap="us.iso.kbd"
network_interfaces="re0 re1"
gateway_enable="YES"
ipv6_gateway_enable="YES"
ifconfig_re0="inet 213.126.??.114 netmask 255.255.255.248 broadcast 213.126.??.119 mediaopt flowcontrol"
ifconfig_re0_alias0="inet 213.126.??.115 netmask 255.255.255.255 broadcast 213.126.??.119"
ifconfig_re0_alias1="inet 213.126.??.116 netmask 255.255.255.255 broadcast 213.126.??.119"
ifconfig_re0_alias2="inet 213.126.??.117 netmask 255.255.255.255 broadcast 213.126.??.119"
ifconfig_re0_alias3="inet 213.126.??.118 netmask 255.255.255.255 broadcast 213.126.??.119"
ifconfig_re1="inet 192.168.0.1 netmask 255.255.255.224 mediaopt flowcontrol"
defaultrouter="213.126.??.113"
#gif_interfaces="gif0"
ipv6_activate_all_interfaces="YES"
#ifconfig_re0_ipv6="inet6 2001:838:34c::2 prefixlen 64"
ifconfig_re1_ipv6="inet6 2001:838:34c::1 prefixlen 64"
#ipv6_default_router="2001:838:300:2fc::1"
#ip6addrctl_enable="YES"
ip6addrctl_verbose="YES"
#ip6addrctl_policy="ipv6_prefer"
sshd_enable="YES"
ntpdate_enable="YES"
ntpdate_flags="-b ntp.xs4all.nl"
ntpd_enable="YES"
dumpdev="NO"                    # Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
rc_info="YES"                   # Enables display of informational messages at boot.
rcshutdown_timeout="10" # Seconds to wait before terminating rc.shutdown
ipfilter_enable="YES"           # Set to YES to enable ipfilter functionality
ipfilter_program="/sbin/ipf"    # where the ipfilter program lives
ipfilter_rules="/etc/ipf.rules" # rules definition file for ipfilter, see
ipfilter_flags=""               # additional flags for ipfilter
ipnat_enable="YES"              # Set to YES to enable ipnat functionality
ipnat_program="/sbin/ipnat"     # where the ipnat program lives
ipnat_rules="/etc/ipnat.rules"  # rules definition file for ipnat
ipnat_flags=""                  # additional flags for ipnat
ipmon_enable="YES"              # Set to YES for ipmon; needs ipfilter or ipnat
ipmon_program="/sbin/ipmon"     # where the ipfilter monitor program lives
ipmon_flags="-Ds"               # typically "-Ds" or "-D /var/log/ipflog"
tcp_drop_synfin="YES"           # Set to YES to drop TCP packets with SYN+FIN
icmp_drop_redirect="YES"        # Set to YES to ignore ICMP REDIRECT packets
icmp_log_redirect="YES"         # Set to YES to log ICMP REDIRECT packets
#pf_enable="NO"                  # Set to YES to enable packet filter (pf)
#pf_rules="/etc/pf.conf"         # rules definition file for pf
#pf_program="/sbin/pfctl"        # where the pfctl program lives
#pf_flags=""                     # additional flags for pfctl
#pflog_enable="NO"               # Set to YES to enable packet filter logging
#pflog_logfile="/var/log/firewall.log"  # where pflogd should store the logfile
#pflog_program="/sbin/pflogd"    # where the pflogd program lives
#pflog_flags=""                  #
named_enable="YES"              # Run named, the DNS server (or NO).
named_program="/usr/sbin/named" # Path to named, if you want a different one.
named_conf="/etc/namedb/named.conf"     # Path to the configuration file
named_uid="bind"                # User to run named as
named_chrootdir="/var/named"
named_chroot_autoupdate="YES"
named_symlink_enable="YES"
mysql_enable="YES"
mysql_args="--bind-address=127.0.0.1"
amavisd_enable="YES"
milterdk_enable="YES"
milterdk_uid="postfix"
milterdk_socket="unix:/var/run/milterdk/filter"
milterdk_domain="*redacted*"
milterdk_key="/var/db/domainkeys/keys/f????????r.com/dk.private"
milterdk_selector="dk"
milteropendkim_enable="YES"
milteropendkim_uid="postfix"
milteropendkim_cfgfile="/usr/local/etc/mail/opendkim.conf"
postfix_enable="YES"
dovecot_enable="YES"
dhcpd_enable="YES"                          # dhcpd enabled?
dhcpd_flags="-q"                            # command option(s)
dhcpd_conf="/usr/local/etc/dhcpd.conf"      # configuration file
dhcpd_ifaces="re1"                          # ethernet interface(s)
dhcpd_withumask="022"                       # file creation mask
clamav_clamd_enable="YES"
clamav_freshclam_enable="YES"
smartd_enable="YES"
squid_enable="YES"
apache22_enable="YES"
webmin_enable="YES"
#pureftpd_enable="YES"
samba_enable="YES"
samba_config="/usr/local/etc/smb.conf"
smbd_enable="YES"
nmbd_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
clamav_freshclam_enable="YES"
clamav_clamd_enable="YES"
dbus_enable="YES"
avahi_daemon_enable="YES"
netatalk_enable="YES"
afpd_enable="YES"
apcupsd_enable="YES"
sixxs_aiccu_enable="YES"
radvd_enable="YES"
radvd_interfaces="re1"
[root@server /etc]#
Code:
[root@server /etc]# cat sysctl.conf
# $FreeBSD: release/9.0.0/etc/sysctl.conf 112200 2003-03-13 18:43:50Z mux $
#
#  This file is read when going to multi-user and its contents piped thru
#  ``sysctl'' to adjust kernel values.  ``man 5 sysctl.conf'' for details.
#

# Uncomment this to prevent users from seeing information about processes that
# are being run under another UID.
security.bsd.see_other_uids=0
security.bsd.see_other_gids=0
security.bsd.unprivileged_proc_debug=0
security.bsd.unprivileged_read_msgbuf=0
security.bsd.hardlink_check_uid=1
security.bsd.hardlink_check_gid=1
vfs.usermount=0
net.inet.udp.blackhole=1
net.inet.tcp.blackhole=2
net.inet.tcp.icmp_may_rst=0
net.inet.tcp.drop_synfin=1
net.inet.tcp.log_in_vain=1
net.inet.udp.log_in_vain=1
net.inet.tcp.msl=7500
net.inet.icmp.icmplim=50
net.inet.icmp.maskrepl=0
net.inet.icmp.drop_redirect=1
net.inet.icmp.bmcastecho=0
kern.ipc.somaxconn=32768
kern.ipc.nmbclusters=65536
net.inet.ip.rtexpire=2
net.inet.ip.rtminexpire=2
net.inet.ip.rtmaxcache=256
net.inet.ip.accept_sourceroute=0
net.inet.ip.sourceroute=0
net.inet.tcp.rfc1323=0
kern.polling.enable=1
[root@server /etc]#
Code:
[root@server /boot]# cat loader.conf
verbose_loading="YES"           # Set to YES for verbose loader output
autoboot_delay="-1"             # Delay in seconds before autobooting, set to -1 to disable
if_gif_load="YES"               # generic tunnel interface
if_tun_load="YES"               # Tunnel driver (user process ppp)
if_re_load="YES"                # RealTek 8139C+/8169/8169S/8110S
beastie_disable="YES"
init_shell="/usr/local/bin/bash"
uhid_load="YES"
accf_data_load="YES"
accf_http_load="YES"
accf_dns_load="YES"
aio_load="YES"
net.inet.tcp.syncache.hashsize=32768
net.inet.tcp.syncache.bucketlimit=32
net.inet.tcp.syncache.cachelimit=1048576
net.inet.tcp.hostcache.hashsize=65536
net.inet.tcp.hostcache.cachelimit=1966080
net.inet.tcp.tcbhashsize=524288
net.isr.maxthreads=4
net.isr.defaultqlimit=10240
net.isr.maxqlimit=10240
net.isr.bindthreads=1
net.link.ifqmaxlen=1024
[root@server /boot]#
 
Code:
[root@server ~/kernels]# cat SERVER
#
# GENERIC -- Generic kernel configuration file for FreeBSD/amd64
#
# For more information on this file, please read the config(5) manual page,
# and/or the handbook section on Kernel Configuration Files:
#
#    http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig-config.html
#
# The handbook is also available locally in /usr/share/doc/handbook
# if you've installed the doc distribution, otherwise always see the
# FreeBSD World Wide Web server (http://www.FreeBSD.org/) for the
# latest information.
#
# An exhaustive list of options and more detailed explanations of the
# device lines is also present in the ../../conf/NOTES and NOTES files.
# If you are in doubt as to the purpose or necessity of a line, check first
# in NOTES.
#
# $FreeBSD: src/sys/amd64/conf/GENERIC,v 1.568.2.7.2.1 2011/11/11 04:20:22 kensmith Exp $

cpu             HAMMER
ident           SERVER

makeoptions     DEBUG=-g                # Build kernel with gdb(1) debug symbols

options         SCHED_ULE               # ULE scheduler
options         PREEMPTION              # Enable kernel thread preemption
options         INET                    # InterNETworking
options         INET6                   # IPv6 communications protocols
options         SCTP                    # Stream Control Transmission Protocol
options         FFS                     # Berkeley Fast Filesystem
options         SOFTUPDATES             # Enable FFS soft updates support
options         UFS_ACL                 # Support for access control lists
options         UFS_DIRHASH             # Improve performance on big directories
options         UFS_GJOURNAL            # Enable gjournal-based UFS journaling
options         MD_ROOT                 # MD is a potential root device
options         NFSCL                   # New Network Filesystem Client
options         NFSD                    # New Network Filesystem Server
options         NFSLOCKD                # Network Lock Manager
options         NFS_ROOT                # NFS usable as /, requires NFSCL
options         MSDOSFS                 # MSDOS Filesystem
options         CD9660                  # ISO 9660 Filesystem
options         PROCFS                  # Process filesystem (requires PSEUDOFS)
options         PSEUDOFS                # Pseudo-filesystem framework
options         GEOM_PART_GPT           # GUID Partition Tables.
options         GEOM_LABEL              # Provides labelization
options         COMPAT_FREEBSD32        # Compatible with i386 binaries
options         COMPAT_FREEBSD4         # Compatible with FreeBSD4
options         COMPAT_FREEBSD5         # Compatible with FreeBSD5
options         COMPAT_FREEBSD6         # Compatible with FreeBSD6
options         COMPAT_FREEBSD7         # Compatible with FreeBSD7
options         SCSI_DELAY=5000         # Delay (in ms) before probing SCSI
options         KTRACE                  # ktrace(1) support
options         STACK                   # stack(9) support
options         SYSVSHM                 # SYSV-style shared memory
options         SYSVMSG                 # SYSV-style message queues
options         SYSVSEM                 # SYSV-style semaphores
options         _KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions
options         PRINTF_BUFR_SIZE=128    # Prevent printf output being interspersed.
options         KBD_INSTALL_CDEV        # install a CDEV entry in /dev
options         HWPMC_HOOKS             # Necessary kernel hooks for hwpmc(4)
options         AUDIT                   # Security event auditing
options         MAC                     # TrustedBSD MAC Framework
#options        KDTRACE_FRAME           # Ensure frames are compiled in
#options        KDTRACE_HOOKS           # Kernel DTrace hooks
options         INCLUDE_CONFIG_FILE     # Include this file in kernel
options         KDB                     # Kernel debugger related code
options         KDB_TRACE               # Print a stack trace for a panic

# Make an SMP-capable kernel by default
options         SMP                     # Symmetric MultiProcessor Kernel

# CPU frequency control
device          cpufreq

# Bus support.
device          acpi
device          pci

# ATA controllers
device          ahci            # AHCI-compatible SATA controllers
device          ata             # Legacy ATA/SATA controllers
options         ATA_CAM         # Handle legacy controllers with CAM
options         ATA_STATIC_ID   # Static device numbering

# ATA/SCSI peripherals
device          scbus           # SCSI bus (required for ATA/SCSI)
device          da              # Direct Access (disks)
device          cd              # CD
device          pass            # Passthrough device (direct ATA/SCSI access)
device          ses             # SCSI Environmental Services (and SAF-TE)

# atkbdc0 controls both the keyboard and the PS/2 mouse
device          atkbdc          # AT keyboard controller
device          atkbd           # AT keyboard
device          psm             # PS/2 mouse

device          kbdmux          # keyboard multiplexer

device          vga             # VGA video card driver

# syscons is the default console driver, resembling an SCO console
device          sc
options         SC_PIXEL_MODE   # add support for the raster text mode

device          agp             # support several AGP chipsets

# Serial (COM) ports
device          uart            # Generic UART driver

# Parallel port
#device         lpt             # Printer

device          puc             # Multi I/O cards and multi-channel UARTs

# PCI Ethernet NICs that use the common MII bus controller code.
# NOTE: Be sure to keep the 'device miibus' line in order to use these NICs!
device          miibus          # MII bus support
device          re              # RealTek 8139C+/8169/8169S/8110S

# Pseudo devices.
device          loop            # Network loopback
device          random          # Entropy device
device          ether           # Ethernet support
device          vlan            # 802.1Q VLAN support
device          tun             # Packet tunnel.
device          pty             # BSD-style compatibility pseudo ttys
device          md              # Memory "disks"
device          gif             # IPv6 and IPv4 tunneling
device          faith           # IPv6-to-IPv4 relaying (translation)
device          firmware        # firmware assist module

# The `bpf' device enables the Berkeley Packet Filter.
# Be aware of the administrative consequences of enabling this!
# Note that 'bpf' is required for DHCP.
device          bpf             # Berkeley packet filter

# USB support
options         USB_DEBUG       # enable debug msgs
device          uhci            # UHCI PCI->USB interface
device          ohci            # OHCI PCI->USB interface
device          ehci            # EHCI PCI->USB interface (USB 2.0)
device          xhci            # XHCI PCI->USB interface (USB 3.0)
device          usb             # USB Bus (required)
#device         udbp            # USB Double Bulk Pipe devices (needs netgraph)
device          uhid            # "Human Interface Devices"
device          ukbd            # Keyboard
#device         ulpt            # Printer
device          umass           # Disks/Mass storage - Requires scbus and da
device          ums             # Mouse
#device         urio            # Diamond Rio 500 MP3 player

# This is for OpenBSD's pf firewall
device          pf
device          pflog

# pf's QoS - ALTQ
options         ALTQ
options         ALTQ_CBQ        # Class Bases Queuing (CBQ)
options         ALTQ_RED        # Random Early Detection (RED)
options         ALTQ_RIO        # RED In/Out
options         ALTQ_HFSC       # Hierarchical Packet Scheduler (HFSC)
options         ALTQ_PRIQ       # Priority Queuing (PRIQ)
options         ALTQ_NOPCC      # Required for SMP build

options         DEVICE_POLLING  # Significantly reduces the load on the system during DDoS Attack

options         IPSEC           # IP security
device          crypto
device          enc
options         IPSEC_NAT_T
options         IPSEC_FILTERTUNNEL
options         TCP_SIGNATURE   # Include support for RFC 2385
[root@server ~/kernels]#
Regards,
Donald.
 
megapearl said:
Code:
ipfilter_enable="YES"           # Set to YES to enable ipfilter functionality
ipfilter_program="/sbin/ipf"    # where the ipfilter program lives
ipfilter_rules="/etc/ipf.rules" # rules definition file for ipfilter, see
ipfilter_flags=""               # additional flags for ipfilter
ipnat_enable="YES"              # Set to YES to enable ipnat functionality
ipnat_program="/sbin/ipnat"     # where the ipnat program lives
ipnat_rules="/etc/ipnat.rules"  # rules definition file for ipnat
ipnat_flags=""                  # additional flags for ipnat
ipmon_enable="YES"              # Set to YES for ipmon; needs ipfilter or ipnat
ipmon_program="/sbin/ipmon"     # where the ipfilter monitor program lives
ipmon_flags="-Ds"               # typically "-Ds" or "-D /var/log/ipflog"
I thought you said you wanted to use PF?

Code:
[root@server /boot]# cat loader.conf
init_shell="/usr/local/bin/bash"
Bad, bad, bad idea. Remove it. Did I already mention this is a bad idea?

I would also suggest removing all the sysctls and other "tuning" parameters you set. At least until you get a stable working system.
 
One thing that I notice is that you're setting the broadcast addresses manually for the aliases; try leaving the broadcast part out of them and let the system calculate the broadcast addresses automatically from the addresses and netmasks. Your manually set broadcast addresses may be wrong and cause bogus entries in the routing table.
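As an added check for the advice in this reply (example code written for this page, not from the thread or from FreeBSD itself): a POSIX sh script that computes the broadcast address the system would derive from an address/netmask pair and flags rc.conf lines whose hard-coded broadcast differs from it. The embedded sample rc.conf is constructed, using 192.0.2.0/24 documentation addresses in place of the masked 213.126.*.x block, in the same layout as the rc.conf posted in the thread.

```shell
#!/bin/sh
# Added example for this thread (not code from the original posts or from
# FreeBSD): derive the broadcast address that an inet address/netmask pair
# implies, and flag rc.conf lines whose hand-written "broadcast" disagrees.
# The sample rc.conf below is constructed, using 192.0.2.0/24 documentation
# addresses in place of the masked 213.126.*.x block from the thread.

# ip2int DOTTED-QUAD: print the address as a 32-bit integer.
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# int2ip INTEGER: print a 32-bit integer as a dotted quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# broadcast ADDR MASK: the address with every host bit set, addr | ~mask.
# With a 255.255.255.255 netmask there are no host bits, so the derived
# broadcast address is the address itself.
broadcast() {
    addr=$(ip2int "$1")
    mask=$(ip2int "$2")
    int2ip $(( (addr | (~mask & 4294967295)) & 4294967295 ))
}

# check_alias ADDR MASK CONFIGURED: "ok" if CONFIGURED equals the derived
# broadcast, otherwise "mismatch <derived>".
check_alias() {
    want=$(broadcast "$1" "$2")
    if [ "$want" = "$3" ]; then
        echo ok
    else
        echo "mismatch $want"
    fi
}

# check_rcconf FILE: for each ifconfig_* line that hard-codes a broadcast,
# print the variable name and the mismatch. Lines without "broadcast" are
# skipped: ifconfig derives the value itself for those.
check_rcconf() {
    grep -E '^ifconfig_[A-Za-z0-9_]+="inet ' "$1" | while IFS= read -r line; do
        addr=$(printf '%s\n' "$line" | sed -n 's/.*inet \([0-9.]*\).*/\1/p')
        mask=$(printf '%s\n' "$line" | sed -n 's/.*netmask \([0-9.]*\).*/\1/p')
        bcast=$(printf '%s\n' "$line" | sed -n 's/.*broadcast \([0-9.]*\).*/\1/p')
        [ -n "$bcast" ] || continue
        result=$(check_alias "$addr" "$mask" "$bcast")
        [ "$result" = ok ] || echo "${line%%=*}: $addr/$mask broadcast $bcast -> $result"
    done
}

# Constructed sample in the layout of the rc.conf posted in the thread.
SAMPLE_RC=$(mktemp)
trap 'rm -f "$SAMPLE_RC"' EXIT
cat > "$SAMPLE_RC" <<'EOF'
ifconfig_re0="inet 192.0.2.114 netmask 255.255.255.248 broadcast 192.0.2.119"
ifconfig_re0_alias0="inet 192.0.2.115 netmask 255.255.255.255 broadcast 192.0.2.119"
ifconfig_re1="inet 192.168.0.1 netmask 255.255.255.224 mediaopt flowcontrol"
EOF

check_rcconf "$SAMPLE_RC"
```

For the /32 alias the derived broadcast is the alias address itself, so the sample's `ifconfig_re0_alias0` line is reported while the /29 primary address and the re1 line (no explicit broadcast) are not. Against the real file, run `check_rcconf /etc/rc.conf`; dropping the `broadcast` word from the alias lines lets rc.network hand the computation to ifconfig.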
 
Removed

Yes, I just configured pf today; yesterday I only compiled it into the kernel.
But because I was not at the location, I didn't set it active yet (to prevent locking myself out from remote).

As you suggested, I removed the init_shell from loader.conf now.

All of the 'tuning' parameters were to deal with a DDoS attack on my DNS server since 8 October, but it didn't help at all; all bandwidth was taken and my ISP couldn't or didn't want to help, so they gave me a new subnet with new fixed IP addresses. So far no problems with DDoS... I hope it stays away now.
 
How can I further investigate the gif0 create problem? Why does it hang? Can I debug it somewhere?
 
megapearl said:
Yes, I just configured pf today; yesterday I only compiled it into the kernel.
But because I was not at the location, I didn't set it active yet (to prevent locking myself out from remote).

As you suggested, I removed the init_shell from loader.conf now.

All of the 'tuning' parameters were to deal with a DDoS attack on my DNS server since 8 October, but it didn't help at all; all bandwidth was taken and my ISP couldn't or didn't want to help, so they gave me a new subnet with new fixed IP addresses. So far no problems with DDoS... I hope it stays away now.

Tell your ISP they should put up an ACL filter at the gateway router you are connected to. Changing IP addresses doesn't last long if somebody is out to pound your server.
 
They did, in the Juniper SRX, which is managed by the ISP, but the DDoS was too strong; so far, though, no DDoS since the new subnet.
Still having the hanging ifconfig gif0 create process...
 
megapearl said:
They did, in the Juniper SRX, which is managed by the ISP, but the DDoS was too strong; so far, though, no DDoS since the new subnet.
Still having the hanging ifconfig gif0 create process...

If worst comes to worst and you've got money to spend, you could get active mitigation from Prolexic -- http://www.prolexic.com

As for why gif0 keeps hanging, it could just boil down to gremlins. Maybe try creating gif1 and using gif1 to see if that changes anything.
 
It doesn't matter which ifconfig create process I start: gif0, gif1, tun0, tun1, every ifconfig create process hangs the session (SSH) or hangs tty1 at the location.
The machine itself doesn't hang; when I use CTRL-ALT-F2 (tty2) I can log in, but tty1 hangs till I restart FreeBSD.
I can't kill the ifconfig create process either.
 
Finally found the problem!

Code:
if_gif_load="YES"              # generic tunnel interface
if_tun_load="YES"              # Tunnel driver (user process ppp)
if_re_load="YES"               # RealTek 8139C+/8169/8169S/8110S

These were in /boot/loader.conf
but also compiled into the kernel config.

Dashed them out and voila! The gif0 tunnel comes up now.
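An added check for the condition this post describes (example code for this page, not from the thread or from FreeBSD): a POSIX sh script that lists every `<module>_load="YES"` entry in a loader.conf whose driver is also compiled into the given kernel config, mapping the `if_<dev>` module name to `device <dev>`. The two embedded input files are constructed subsets of the SERVER kernel config and loader.conf posted earlier in the thread. On a live system `kldstat -q -m <module>` is the authoritative test, since it exits 0 when the module is either loaded or compiled in; `module_present` wraps that call and is not exercised offline.

```shell
#!/bin/sh
# Added example for this thread (not code from the original posts or from
# FreeBSD): cross-check a kernel config against /boot/loader.conf and list
# the *_load="YES" entries whose driver is already compiled into the kernel.
# The two input files below are constructed subsets of the SERVER kernel
# config and loader.conf posted earlier in the thread.

# kernel_devices CONFIG: names from uncommented "device <name>" lines.
kernel_devices() {
    sed -n 's/^device[[:space:]]\{1,\}\([A-Za-z0-9_]*\).*/\1/p' "$1"
}

# loader_modules LOADERCONF: module names from <name>_load="YES" lines.
loader_modules() {
    sed -n 's/^\([A-Za-z0-9_]*\)_load="[Yy][Ee][Ss]".*/\1/p' "$1"
}

# doubly_loaded CONFIG LOADERCONF: modules requested by loader.conf whose
# device is also in CONFIG. Network drivers are named if_<dev> as modules
# but "device <dev>" in the config, so the if_ prefix is stripped before
# comparing; other modules (uhid, aio, accf_*) are compared by name.
doubly_loaded() {
    devs=$(kernel_devices "$1")
    for mod in $(loader_modules "$2"); do
        dev=${mod#if_}
        for d in $devs; do
            if [ "$d" = "$dev" ]; then
                echo "$mod"
                break
            fi
        done
    done
}

# module_present MODULE: on a running FreeBSD system, exit 0 if MODULE is
# loaded or compiled into the kernel (kldstat -q -m performs that check).
# Not run here because it needs FreeBSD.
module_present() {
    kldstat -q -m "$1"
}

# Constructed inputs: subsets of the posted SERVER config and loader.conf.
KCONF=$(mktemp)
LCONF=$(mktemp)
trap 'rm -f "$KCONF" "$LCONF"' EXIT
cat > "$KCONF" <<'EOF'
device          re              # RealTek 8139C+/8169/8169S/8110S
device          tun             # Packet tunnel.
device          gif             # IPv6 and IPv4 tunneling
device          uhid            # "Human Interface Devices"
#device         ulpt            # Printer
device          pf
options         IPSEC           # IP security
EOF
cat > "$LCONF" <<'EOF'
if_gif_load="YES"               # generic tunnel interface
if_tun_load="YES"               # Tunnel driver (user process ppp)
if_re_load="YES"                # RealTek 8139C+/8169/8169S/8110S
uhid_load="YES"
accf_data_load="YES"
aio_load="YES"
EOF

doubly_loaded "$KCONF" "$LCONF"
```

On the posted configuration this reports the three `if_*` lines the post commented out and, by the same rule, `uhid_load`, since `device uhid` is in the SERVER config too; `accf_data` and `aio` are module-only and pass. Whether or not the double load is what wedged ifconfig, keeping each driver in exactly one of the two places removes the ambiguity. Run it on a real box as `doubly_loaded /usr/src/sys/amd64/conf/SERVER /boot/loader.conf` (the config path is an assumption for this example).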
 
That's very odd; loading the same driver as a module when it's already in the kernel should be a no-op (except for an error message). Can you repeat this? If you can, file a PR.
 
I have filed a Problem Report on how to reproduce it; this topic can be closed now with status 'solved'.
 