Hi all,
I'm using FreeBSD 10.1 and nginx to provide web services.
Since yesterday afternoon my website has been down, and my server doesn't respond to ping requests any more. At that time I checked the server; it seemed all services were good, except that I got endless alerts in /var/log/messages as below:
Code:
Apr 21 16:01:51 www kernel: ipfw: add_dyn_rule: Cannot allocate rule
Apr 21 16:01:51 www kernel: ipfw: ipfw_install_state: add parent failed
Apr 21 16:01:51 www last message repeated 285 times
Apr 21 16:01:54 www kernel: tate: add parent failed
Apr 21 16:01:54 www kernel: ipfw: ipfw_install_state: add parent failed
Apr 21 16:01:54 www last message repeated 594 times
Apr 21 16:01:54 www kernel: ipfw: add_dyn_rule: Cannot allocate rule
Apr 21 16:01:54 www kernel: ipfw: ipfw_install_state: add parent failed
As soon as I disable IPFW, my website is back to normal. I tried enabling IPFW again, and then my server went down again.
Below is my ipfw.conf; can anyone help? I have been using these rules and IPFW for more than 5 years without any problem.
Code:
IPF="ipfw -q add"
ipfw -q -f flush
#loopback
$IPF 10 allow all from any to any via lo0
$IPF 15 allow all from 127.0.0.1 to any
$IPF 20 deny all from any to 127.0.0.0/8
$IPF 30 deny all from 127.0.0.0/8 to any
$IPF 40 deny tcp from any to any frag
$IPF 41 deny all from 69.85.93.235 to any
# stateful
$IPF 50 check-state
$IPF 60 allow tcp from any to any established
# every new outbound connection creates a dynamic rule, counted against net.inet.ip.fw.dyn_max
$IPF 70 allow all from any to any out keep-state
$IPF 80 allow icmp from any to any
# open port ftp (20,21), ssh (22), mail (25)
# http (80), dns (53) etc
$IPF 100 allow tcp from any to any 21 in
$IPF 110 allow tcp from any to any 21 out
$IPF 120 allow tcp from any to any 25 in
$IPF 130 allow tcp from any to any 25 out
$IPF 140 allow udp from any to any 53 in
$IPF 150 allow tcp from any to any 53 in
$IPF 160 allow udp from any to any 53 out
$IPF 175 allow tcp from any to any 53 out
#$IPF 600 allow tcp from any to any 80 in
# limit also creates one dynamic rule per inbound HTTP connection, at most 100 per source address
$IPF 600 allow tcp from any to me 80 in limit src-addr 100
$IPF 600 allow tcp from any to me 81 in
$IPF 610 allow tcp from any to any 81 out
$IPF 610 allow tcp from any to any 80 out
# deny and log everything
$IPF 1000 deny log all from any to any
and
Code:
# sysctl net.inet.ip.fw.dyn_max
net.inet.ip.fw.dyn_max: 65535
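As an added example (not from the post), a small POSIX sh script that summarises the kernel messages quoted above: it expands syslog's "last message repeated N times" lines so the real rate of failed state insertions is visible, and computes how full the dynamic table is from the FreeBSD sysctls net.inet.ip.fw.dyn_count and net.inet.ip.fw.dyn_max. The log sample is constructed from the post and embedded inline.

```shell
#!/bin/sh
# Constructed sample of the kernel messages quoted in the post (not the real log).
SAMPLE_LOG='Apr 21 16:01:51 www kernel: ipfw: add_dyn_rule: Cannot allocate rule
Apr 21 16:01:51 www kernel: ipfw: ipfw_install_state: add parent failed
Apr 21 16:01:51 www last message repeated 285 times
Apr 21 16:01:54 www kernel: tate: add parent failed
Apr 21 16:01:54 www kernel: ipfw: ipfw_install_state: add parent failed
Apr 21 16:01:54 www last message repeated 594 times
Apr 21 16:01:54 www kernel: ipfw: add_dyn_rule: Cannot allocate rule
Apr 21 16:01:54 www kernel: ipfw: ipfw_install_state: add parent failed'

# Summarise ipfw dynamic-state failures read on stdin. syslog collapses
# consecutive identical lines into "last message repeated N times", so
# those N are added back to the preceding message's count; the truncated
# "tate: add parent failed" line is still counted via its tail.
# Prints: state_failures=<n> alloc_failures=<n> window_s=<seconds>
ipfw_state_report() {
    awk '
        function secs(t,  a) { split(t, a, ":"); return a[1]*3600 + a[2]*60 + a[3] }
        function mark()      { if (first == "") first = secs($3); last = secs($3) }
        /add_dyn_rule: Cannot allocate rule/ { allocs++; mark(); prev = 0; next }
        /add parent failed/                  { fails++;  mark(); prev = 1; next }
        /last message repeated [0-9]+ times/ {
            if (prev) { for (i = 1; i <= NF; i++) if ($i == "repeated") fails += $(i + 1) }
            mark(); next
        }
        { prev = 0 }
        END { printf "state_failures=%d alloc_failures=%d window_s=%d\n", fails, allocs, last - first }
    '
}

# Percentage of the dynamic rule table in use, given the two sysctl values
#   net.inet.ip.fw.dyn_count (entries now) and net.inet.ip.fw.dyn_max (limit)
# Usage: dyn_table_usage COUNT MAX
dyn_table_usage() {
    echo $(( $1 * 100 / $2 ))
}

# Stand-alone run over the constructed sample. On the server you would use:
#   ipfw_state_report < /var/log/messages
#   dyn_table_usage "$(sysctl -n net.inet.ip.fw.dyn_count)" "$(sysctl -n net.inet.ip.fw.dyn_max)"
printf '%s\n' "$SAMPLE_LOG" | ipfw_state_report
dyn_table_usage 65535 65535
```

On the sample this reports 883 failed state insertions in a 3 second window, i.e. roughly 300 new connections per second that the keep-state and limit rules could not track once the table of 65535 entries was full.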