Hi
I have had the server running for a year. This just happened tonight:
- The server's networking is interrupted
- Looking at /var/log/messages, I got:
Code:
Nov 19 00:54:00 m153 kernel: ipfw: add_dyn_rule: Cannot allocate rule
Nov 19 00:54:01 m153 kernel: Limiting open port RST response from 72183 to 200 packets/sec
Nov 19 00:54:01 m153 kernel: ipfw: add_dyn_rule: Cannot allocate rule
Nov 19 00:54:02 m153 kernel: Limiting open port RST response from 68956 to 200 packets/sec
Nov 19 00:54:02 m153 kernel: ipfw: add_dyn_rule: Cannot allocate rule
Nov 19 00:54:03 m153 kernel: Limiting open port RST response from 68586 to 200 packets/sec
Nov 19 00:54:03 m153 kernel: ipfw: add_dyn_rule: Cannot allocate rule
Nov 19 00:54:04 m153 kernel: Limiting open port RST response from 69121 to 200 packets/sec
Nov 19 00:54:04 m153 kernel: ipfw: add_dyn_rule: Cannot allocate rule
Nov 19 00:54:05 m153 kernel: Limiting open port RST response from 68789 to 200 packets/sec
Nov 19 00:54:05 m153 kernel: ipfw: add_dyn_rule: Cannot allocate rule
Nov 19 00:54:06 m153 kernel: Limiting open port RST response from 70029 to 200 packets/sec
Nov 19 00:54:06 m153 kernel: ipfw: add_dyn_rule: Cannot allocate rule
Nov 19 00:54:07 m153 kernel: Limiting open port RST response from 69507 to 200 packets/sec
Nov 19 00:54:07 m153 kernel: ipfw: add_dyn_rule: Cannot allocate rule
Nov 19 00:54:08 m153 kernel: Limiting open port RST response from 69730 to 200 packets/sec
Nov 19 00:54:08 m153 kernel: ipfw: add_dyn_rule: Cannot allocate rule
Nov 19 00:54:09 m153 kernel: Limiting open port RST response from 69542 to 200 packets/sec
Nov 19 00:54:09 m153 kernel: ipfw: add_dyn_rule: Cannot allocate rule
Nov 19 00:54:10 m153 kernel: Limiting open port RST response from 69227 to 200 packets/sec
Nov 19 00:54:10 m153 kernel: ipfw: add_dyn_rule: Cannot allocate rule
- I have set /etc/sysctl.conf as below and restarted the system:
Code:
# General Security and DoS mitigation.
net.inet.ip.check_interface=1 # verify packet arrives on correct interface (default 0)
net.inet.ip.portrange.randomized=1 # randomize outgoing upper ports (default 1)
net.inet.ip.process_options=0 # IP options in the incoming packets will be ignored (default 1)
net.inet.ip.random_id=1 # assign a random IP_ID to each packet leaving the system (default 0)
net.inet.ip.redirect=0 # do not send IP redirects (default 1)
net.inet.ip.accept_sourceroute=0 # drop source routed packets since they can not be trusted (default 0)
net.inet.ip.sourceroute=0 # if source routed packets are accepted the route data is ignored (default 0)
net.inet.icmp.bmcastecho=0 # do not respond to ICMP packets sent to IP broadcast addresses (default 0)
net.inet.icmp.maskfake=0 # do not fake reply to ICMP Address Mask Request packets (default 0)
net.inet.icmp.maskrepl=0 # replies are not sent for ICMP address mask requests (default 0)
net.inet.icmp.log_redirect=0 # do not log redirected ICMP packet attempts (default 0)
net.inet.icmp.drop_redirect=1 # no redirected ICMP packets (default 0)
net.inet.icmp.icmplim_output=1 # show "Limiting open port RST response" messages (default 1)
net.inet.tcp.always_keepalive=0 # tcp keep alive detection for dead peers, can be spoofed (default 1)
net.inet.tcp.drop_synfin=1 # SYN/FIN packets get dropped on initial connection (default 0)
#net.inet.tcp.fast_finwait2_recycle=1 # recycle FIN/WAIT states quickly (helps against DoS, but may cause false RST) (default 0)
net.inet.tcp.icmp_may_rst=0 # icmp may not send RST to avoid spoofed icmp/udp floods (default 1)
net.inet.tcp.msl=15000 # 15s maximum segment life waiting for an ACK in reply to a SYN-ACK or FIN-ACK (default 30000)
net.inet.tcp.path_mtu_discovery=0 # disable MTU discovery since most ICMP type 3 packets are dropped by others (default 1)
net.inet.tcp.rfc3042=0 # disable limited transmit mechanism which can slow burst transmissions (default 1)
net.inet.tcp.sack.enable=1 # TCP Selective Acknowledgments are needed for high throughput (default 1)
net.inet.udp.blackhole=1 # drop udp packets destined for closed sockets (default 0)
net.inet.tcp.blackhole=2 # drop tcp packets destined for closed ports (default 0)
- When I turn off the Nginx process, /var/log/messages does not show any of the above messages. Turning Nginx on, they appear again.
- When I turn off Nginx, the system still reports high usage. With the top command:
Code:
last pid: 1979; load averages: 1.18, 1.17, 1.01 up 0+00:37:55 01:13:28
30 processes: 1 running, 29 sleeping
CPU: 0.0% user, 0.0% nice, 8.3% system, 0.0% interrupt, 91.6% idle
Mem: 532M Active, 4852M Inact, 1030M Wired, 824M Buf, 1498M Free
Swap: 15G Total, 15G Free
- The system is:
Code:
#uname -a
FreeBSD m153.admansend.com 10.3-RELEASE-p11 FreeBSD 10.3-RELEASE-p11 #0: Mon Oct 24 18:49:24 UTC 2016 root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC amd64
I've been searching for a solution for hours without success. Please advise on solving this problem.
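Added example, not part of the post or of any reply in the thread: a small Python triage script over the two kernel messages quoted above. The embedded log lines are copied from the post's /var/log/messages excerpt. It parses each line into an event, then reports how many seconds show RST rate limiting, how many show the ipfw dynamic-rule allocation failure, and how often the two coincide. The "from N to 200 packets/sec" figure is the number of RSTs the kernel wanted to send in that second before icmplim capped it, and "add_dyn_rule: Cannot allocate rule" is ipfw failing to create a new dynamic (keep-state) rule. The threshold in looks_like_flood is an assumed triage value chosen for this example, not anything stated in the post.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Lines copied from the /var/log/messages excerpt in the post above.
SAMPLE_LOG = """\
Nov 19 00:54:00 m153 kernel: ipfw: add_dyn_rule: Cannot allocate rule
Nov 19 00:54:01 m153 kernel: Limiting open port RST response from 72183 to 200 packets/sec
Nov 19 00:54:01 m153 kernel: ipfw: add_dyn_rule: Cannot allocate rule
Nov 19 00:54:02 m153 kernel: Limiting open port RST response from 68956 to 200 packets/sec
Nov 19 00:54:02 m153 kernel: ipfw: add_dyn_rule: Cannot allocate rule
Nov 19 00:54:03 m153 kernel: Limiting open port RST response from 68586 to 200 packets/sec
Nov 19 00:54:03 m153 kernel: ipfw: add_dyn_rule: Cannot allocate rule
"""

# BSD syslog prefix as written to /var/log/messages: "Mon DD HH:MM:SS host kernel: ..."
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<msg>.*)$"
)
# icmplim message: attempted RSTs per second vs. the configured cap
RST_RE = re.compile(
    r"^Limiting (?P<port>open|closed) port RST response from "
    r"(?P<attempted>\d+) to (?P<limit>\d+) packets/sec$"
)
# ipfw could not create another dynamic (keep-state/check-state) rule
DYN_RE = re.compile(r"^ipfw: add_dyn_rule: Cannot allocate rule$")


@dataclass
class Event:
    ts: str
    host: str
    kind: str            # "rst_limit" or "dyn_rule_fail"
    port: str = ""       # "open" / "closed" for rst_limit events
    attempted: int = 0   # RSTs the kernel wanted to send that second
    limit: int = 0       # net.inet.icmp.icmplim cap in effect


def parse_line(line: str) -> Optional[Event]:
    """Return an Event for the two messages of interest, else None."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    msg = m.group("msg")
    r = RST_RE.match(msg)
    if r:
        return Event(m.group("ts"), m.group("host"), "rst_limit", r.group("port"),
                     int(r.group("attempted")), int(r.group("limit")))
    if DYN_RE.match(msg):
        return Event(m.group("ts"), m.group("host"), "dyn_rule_fail")
    return None


def parse_log(text: str) -> List[Event]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


@dataclass
class Summary:
    rst_seconds: int          # seconds in which RST limiting kicked in
    dyn_fail_seconds: int     # seconds in which add_dyn_rule failed
    overlapping_seconds: int  # seconds showing both symptoms
    peak_attempted_rst: int   # highest per-second RST count before limiting
    rst_limit: int            # the cap the kernel applied (0 if no RST events)


def summarize(events: Iterable[Event]) -> Summary:
    rst_by_sec: Dict[str, int] = {}
    dyn_secs: Set[str] = set()
    limit = 0
    for e in events:
        if e.kind == "rst_limit":
            rst_by_sec[e.ts] = max(rst_by_sec.get(e.ts, 0), e.attempted)
            limit = e.limit
        else:
            dyn_secs.add(e.ts)
    overlap = len(set(rst_by_sec) & dyn_secs)
    peak = max(rst_by_sec.values(), default=0)
    return Summary(len(rst_by_sec), len(dyn_secs), overlap, peak, limit)


def looks_like_flood(s: Summary, min_attempted_rst: int = 10_000) -> bool:
    """Assumed triage rule: tens of thousands of RST-worthy packets per second
    against open ports, coinciding with ipfw running out of dynamic rules,
    points at a connection flood exhausting firewall state rather than at a
    misconfiguration on the host."""
    return s.overlapping_seconds > 0 and s.peak_attempted_rst >= min_attempted_rst


if __name__ == "__main__":
    summary = summarize(parse_log(SAMPLE_LOG))
    print(summary)
    print("flood-like pattern:", looks_like_flood(summary))
```

On a live system the same functions can be fed `open("/var/log/messages").read()` instead of SAMPLE_LOG; the per-second grouping uses the raw syslog timestamp string, which is enough for a single day's excerpt but would need a real date parse for multi-day logs.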