[FUG-BR] Firewall Freezing
Rodolfo Zappa
rodolfo at archive.com.br
Monday August 14 20:39:46 BRT 2006
Friends,

I have a firewall running FreeBSD 6.1 + pf that works just fine (for about 6 months now).

But this machine keeps freezing at random. Lately it has been freezing more often on Sundays. I saw nothing abnormal in the log. (In fact there is no record of anything having triggered the incident; it just freezes.)

Besides the firewall, I also run OpenVPN as a server and the ftp proxy, as suggested in the PF manual.

The most I managed was to disable ACPI, and the machine went 52 days without freezing, but it froze again after that.

I have already replaced all the hardware (except the HD) with identical hardware. In fact the hardware that was swapped out is now in an e-mail server, also FreeBSD 6.1, and it has never frozen even once. I even installed a more powerful power supply (600 W), thinking that a stabilized supply could take the load. No luck. And the e-mail server I mentioned is on the same power strip, ruling out a power problem (fluctuations).

The disk and CPU temperatures are also stable (the room is well cooled), with the case fans and CPU fan working perfectly. In the BIOS, the CPU temperature stays around 55 degrees (identical to the other server).

In short, I don't know what else to do. The hardware I am using is a Pentium 4 2.66 MHz, with an Intel Desktop Board D865GSA motherboard (http://www.intel.com/products/motherboard/d865gsa/index.htm), 512 MB of RAM and a Samsung Serial ATA HD. I have 2 3COM network cards and one on-board Realtek 8139.

I have also tried increasing the number of nmbclusters (kern.ipc.nmbclusters="32768"), but with no results.

Before opting to replace it with hardware different from this, I would like your opinion.

My dmesg, ifconfig, vmstat -i, uname -a, loader.conf and pf.conf follow:

PS: Sorry for the long message, but I think the more information is made available, the better the chance that someone reaches a conclusion.
#--- DMESG---#
Copyright (c) 1992-2006 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
The Regents of the University of California. All rights reserved.
FreeBSD 6.1-RELEASE-p2 #0: Thu Jun 22 13:16:22 BRT 2006
root em tie.dirija.com.br:/usr/obj/usr/src/sys/RODZAPPA
ACPI APIC Table: <ATi AWRDACPI>
Timecounter "i8254" frequency 1193182 Hz quality 0
CPU: Intel(R) Pentium(R) 4 CPU 2.66GHz (2666.78-MHz 686-class CPU)
Origin = "GenuineIntel" Id = 0xf49 Stepping = 9
Features=0xbfebfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CLFLUSH,DTS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE>
Features2=0x651d<SSE3,RSVD2,MON,DS_CPL,TM2,CNTX-ID,CX16,<b14>>
AMD Features=0x20100000<NX,LM>
AMD Features2=0x1<LAHF>
real memory = 502202368 (478 MB)
avail memory = 482050048 (459 MB)
ioapic0 <Version 2.1> irqs 0-23 on motherboard
acpi0: <ATi AWRDACPI> on motherboard
acpi0: Power Button (fixed)
Timecounter "ACPI-safe" frequency 3579545 Hz quality 1000
acpi_timer0: <32-bit timer at 3.579545MHz> port 0x4008-0x400b on acpi0
cpu0: <ACPI CPU> on acpi0
acpi_throttle0: <ACPI CPU Throttling> on cpu0
acpi_button0: <Power Button> on acpi0
pcib0: <ACPI Host-PCI bridge> port 0xcf8-0xcff on acpi0
pci0: <ACPI PCI bus> on pcib0
pcib1: <ACPI PCI-PCI bridge> at device 1.0 on pci0
pci1: <ACPI PCI bus> on pcib1
pci1: <display, VGA> at device 5.0 (no driver attached)
atapci0: <ATI IXP400 SATA150 controller> port 0xff00-0xff07,0xfe00-0xfe03,0xfd00-0xfd07,0xfc00-0xfc03,0xfb00-0xfb0f mem 0xfe02f000-0xfe02f1ff irq 23 at device 17.0 on pci0
ata2: <ATA channel 0> on atapci0
ata3: <ATA channel 1> on atapci0
atapci1: <ATI IXP400 SATA150 controller> port 0xfa00-0xfa07,0xf900-0xf903,0xf800-0xf807,0xf700-0xf703,0xf600-0xf60f mem 0xfe02e000-0xfe02e1ff irq 22 at device 18.0 on pci0
ata4: <ATA channel 0> on atapci1
ata5: <ATA channel 1> on atapci1
ohci0: <ATI SB400 USB Controller> mem 0xfe02d000-0xfe02dfff irq 19 at device 19.0 on pci0
ohci0: [GIANT-LOCKED]
usb0: OHCI version 1.0, legacy support
usb0: SMM does not respond, resetting
usb0: <ATI SB400 USB Controller> on ohci0
usb0: USB revision 1.0
uhub0: ATI OHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 4 ports with 4 removable, self powered
ohci1: <ATI SB400 USB Controller> mem 0xfe02c000-0xfe02cfff irq 19 at device 19.1 on pci0
ohci1: [GIANT-LOCKED]
usb1: OHCI version 1.0, legacy support
usb1: SMM does not respond, resetting
usb1: <ATI SB400 USB Controller> on ohci1
usb1: USB revision 1.0
uhub1: ATI OHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub1: 4 ports with 4 removable, self powered
ehci0: <ATI SB400 USB 2.0 controller> mem 0xfe02b000-0xfe02bfff irq 19 at device 19.2 on pci0
ehci0: [GIANT-LOCKED]
usb2: EHCI version 1.0
usb2: companion controllers, 4 ports each: usb0 usb1
usb2: <ATI SB400 USB 2.0 controller> on ehci0
usb2: USB revision 2.0
uhub2: ATI EHCI root hub, class 9/0, rev 2.00/1.00, addr 1
uhub2: 8 ports with 8 removable, self powered
pci0: <serial bus, SMBus> at device 20.0 (no driver attached)
atapci2: <ATI IXP400 UDMA133 controller> port 0x1f0-0x1f7,0x3f6,0x170-0x177,0x376,0xf400-0xf40f at device 20.1 on pci0
ata0: <ATA channel 0> on atapci2
ata1: <ATA channel 1> on atapci2
isab0: <PCI-ISA bridge> at device 20.3 on pci0
isa0: <ISA bus> on isab0
pcib2: <ACPI PCI-PCI bridge> at device 20.4 on pci0
pci2: <ACPI PCI bus> on pcib2
rl0: <RealTek 8139 10/100BaseTX> port 0xdc00-0xdcff mem 0xfddff000-0xfddff0ff irq 21 at device 2.0 on pci2
miibus0: <MII bus> on rl0
rlphy0: <RealTek internal media interface> on miibus0
rlphy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
rl0: Ethernet address: 00:16:76:1e:44:c0
xl0: <3Com 3c905B-TX Fast Etherlink XL> port 0xdf00-0xdf7f mem 0xfddfe000-0xfddfe07f irq 16 at device 3.0 on pci2
miibus1: <MII bus> on xl0
xlphy0: <3Com internal media interface> on miibus1
xlphy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
xl0: Ethernet address: 00:01:02:87:fe:a2
xl1: <3Com 3c905C-TX Fast Etherlink XL> port 0xde00-0xde7f mem 0xfddfd000-0xfddfd07f irq 17 at device 4.0 on pci2
miibus2: <MII bus> on xl1
xlphy1: <3c905C 10/100 internal PHY> on miibus2
xlphy1: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
xl1: Ethernet address: 00:01:01:c7:3c:9f
acpi_tz0: <Thermal Zone> on acpi0
sio0: <16550A-compatible COM port> port 0x3f8-0x3ff irq 4 flags 0x10 on acpi0
sio0: type 16550A
atkbdc0: <Keyboard controller (i8042)> port 0x60,0x64 irq 1 on acpi0
atkbd0: <AT Keyboard> irq 1 on atkbdc0
kbd0 at atkbd0
atkbd0: [GIANT-LOCKED]
pmtimer0 on isa0
orm0: <ISA Option ROMs> at iomem 0xc0000-0xcbfff,0xd4000-0xd47ff on isa0
ppc0: parallel port not found.
sc0: <System console> at flags 0x100 on isa0
sc0: VGA <16 virtual consoles, flags=0x300>
sio1: configured irq 3 not in bitmap of probed irqs 0
sio1: port may not be enabled
vga0: <Generic ISA VGA> at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0
Timecounter "TSC" frequency 2666777530 Hz quality 800
Timecounters tick every 1.000 msec
acd0: CDROM <GCR-8525B/1.02> at ata0-slave PIO4
ad8: 76351MB <SAMSUNG SP0812C SU100-34> at ata4-master SATA150
#--- ifconfig ---#
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=8<VLAN_MTU>
inet6 fe80::216:76ff:fe1e:44c0%rl0 prefixlen 64 scopeid 0x1
inet 200.x.x.x netmask 0xfffffff8 broadcast 200.x.x.x
inet 200.x.x.x netmask 0xfffffff8 broadcast 200.x.x.x
inet 200.x.x.x netmask 0xfffffff8 broadcast 200.x.x.x
inet 200.x.x.x netmask 0xfffffff8 broadcast 200.x.x.x
inet 200.x.x.x netmask 0xfffffff8 broadcast 200.x.x.x
ether 00:16:76:1e:44:c0
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=9<RXCSUM,VLAN_MTU>
inet6 fe80::201:2ff:fe87:fea2%xl0 prefixlen 64 scopeid 0x2
inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
ether 00:01:02:87:fe:a2
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
xl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=9<RXCSUM,VLAN_MTU>
inet6 fe80::201:1ff:fec7:3c9f%xl1 prefixlen 64 scopeid 0x3
inet 172.17.0.254 netmask 0xffffff00 broadcast 172.17.0.255
ether 00:01:01:c7:3c:9f
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33208
pfsync0: flags=0<> mtu 2020
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
inet 127.0.0.1 netmask 0xff000000
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
inet6 fe80::216:76ff:fe1e:44c0%tun0 prefixlen 64 scopeid 0x7
inet 10.255.255.1 --> 10.255.255.2 netmask 0xffffffff
Opened by PID 487
#--- vmstat -i ---#
interrupt total rate
irq1: atkbd0 4 0
irq14: ata0 46 0
irq16: xl0 2893966 29
irq17: xl1 19210589 196
irq19: ohci0 ohci+ 2 0
irq21: rl0 18836707 192
irq22: atapci1 106091 1
cpu0: timer 195957235 2000
Total 237004640 2418
#---uname -a ---#
FreeBSD tie.xx.com.br 6.1-RELEASE-p2 FreeBSD 6.1-RELEASE-p2 #0: Thu Jun 22 13:16:22 BRT 2006 root em tie.xx.com.br:/usr/obj/usr/src/sys/RODZAPPA i386
#--- /boot/loader.conf ---#
kern.ipc.nmbclusters="32768"
#---pf.conf ---#
if_ext = "rl0"
if_dmz = "xl0"
if_lan = "xl1"
if_vpn = "tun0"
ext_ip = "200.x.x.x"
icmp_types = "echoreq"
rfc1918 = "{ 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 }"
lan_net = "172.17.0.0/24"
dmz_net = "192.168.0.0/24"
ext_net = "200.x.x.x/29"
lojas_net = "172.16.0.0/16"
proxies_net = "192.168.255.0/24"
vpn_net = "10.255.255.255/24"
nat_ip_lan = "200.x.x.x"
nat_ip_proxies = "200.x.x.x"
nat_ip_lojas = "200.x.x.x"
tcp_in_fw = "{ 3003 2004 }"
udp_in_fw = "{ 1194 }"
tcp_fwd_lan = "{ 20 21 22 53 80 443 2004 2011 3003 8500 }"
udp_fwd_lan = "{ 53 123 }"
tcp_fwd_lojas = "{ 20 21 22 25 80 81:83 110 123 143 220 443 465 554 992 993 995 1025 1707 1755 1863 2002 2004 2010 2011 2525 2631 3003 3004 3310 3389 3456 4017 5017 5080 5169 5297 6000 6891:6901 8017 8080 8087 8180 8443 8500 31125 }"
udp_fwd_lojas = "{ 53 123 220 554 1755 1863 5005 6000 6901 8180 }"
ext_ip_naboo1 = "200.x.x.x"
dmz_ip_naboo1 = "192.168.0.11"
tcp_fwd_naboo1 = "{ 25 2525 110 143 993 995 80 443 }"
udp_fwd_naboo1 = "{ 53 }"
ext_ip_naboo2 = "200.x.x.x"
dmz_ip_naboo2 = "192.168.0.12"
udp_fwd_naboo2 = "{ 53 }"
tcp_fwd_naboo2 = "{ 25 }"
table <privadas> { $lan_net $proxies_net $lojas_net }
set block-policy return
set loginterface $if_ext
#---- allow lo0 ----#
set skip on lo0
#---- Normalize incoming packets -----#
scrub in all
#-------------- NAT for the LAN and for the stores ------------------#
nat on $if_ext from $lan_net to any -> $nat_ip_lan
nat on $if_ext from $lojas_net to any -> $nat_ip_lojas
nat on $if_ext from $proxies_net to any -> $nat_ip_proxies
#-------------- NAT OpenVpn ------------------#
nat on $if_lan from $vpn_net to any -> $if_lan
#--------------- NAT for mail server (ip1) ----------------#
nat on $if_ext from $dmz_ip_naboo1 to any -> $ext_ip_naboo1
rdr on $if_ext proto tcp from any to $ext_ip_naboo1 port $tcp_fwd_naboo1 \
    -> $dmz_ip_naboo1
rdr on $if_ext proto udp from any to $ext_ip_naboo1 port $udp_fwd_naboo1 \
    -> $dmz_ip_naboo1
rdr on $if_lan proto tcp from <privadas> to $ext_ip_naboo1 port $tcp_fwd_naboo1 \
    -> $dmz_ip_naboo1
rdr on $if_lan proto udp from <privadas> to $ext_ip_naboo1 port $udp_fwd_naboo1 \
    -> $dmz_ip_naboo1
#--------------- NAT for mail server (ip2) ----------------#
nat on $if_ext from $dmz_ip_naboo2 to any -> $ext_ip_naboo2
rdr on $if_ext proto tcp from any to $ext_ip_naboo2 port $tcp_fwd_naboo2 \
    -> $dmz_ip_naboo2
rdr on $if_ext proto udp from any to $ext_ip_naboo2 port $udp_fwd_naboo2 \
    -> $dmz_ip_naboo2
rdr on $if_lan proto tcp from <privadas> to $ext_ip_naboo2 port $tcp_fwd_naboo2 \
    -> $dmz_ip_naboo2
rdr on $if_lan proto udp from <privadas> to $ext_ip_naboo2 port $udp_fwd_naboo2 \
    -> $dmz_ip_naboo2
#---- RDR FTP Proxy ----#
rdr on $if_lan proto tcp from any to any port 21 -> 127.0.0.1 port 8021
rdr on $if_dmz proto tcp from any to any port 21 -> 127.0.0.1 port 8021
#----- Block incoming by default ---------#
block in all
pass out proto tcp all modulate state
pass out proto { udp, icmp } all keep state
#----- Block reserved networks arriving on the external interface --------#
block drop in quick on $if_ext from $rfc1918 to any
block drop out quick on $if_ext from any to $rfc1918
#---- FTP Proxy ----#
pass in on $if_lan from { $lan_net $proxies_net $lojas_net } to lo0 keep state
pass in on $if_dmz from $dmz_net to lo0 keep state
pass in on $if_ext inet proto tcp from any to $if_ext \
user proxy keep state
#----- Allow connections to the firewall from the internet --------#
pass in on $if_ext inet proto tcp from any to $ext_ip port $tcp_in_fw \
flags S/SA keep state
pass in on $if_ext inet proto udp from any to $ext_ip port $udp_in_fw \
keep state
#----- OpenVPN --------#
pass in on $if_vpn from $vpn_net to { $lan_net $lojas_net $proxies_net } \
keep state
pass in on $if_lan from { $lan_net $lojas_net $proxies_net } to $vpn_net \
keep state
#----- Open connection ports for mail server (ip1 and ip2) --------#
pass in on $if_ext inet proto tcp from any to $dmz_ip_naboo1 port $tcp_fwd_naboo1 \
    flags S/SA synproxy state
pass in on $if_ext inet proto udp from any to $dmz_ip_naboo1 port $udp_fwd_naboo1 \
    synproxy state
pass in on $if_ext inet proto tcp from any to $dmz_ip_naboo2 port $tcp_fwd_naboo2 \
    flags S/SA synproxy state
pass in on $if_ext inet proto udp from any to $dmz_ip_naboo2 port $udp_fwd_naboo2 \
    synproxy state
#----- Allow the LAN servers to make connections to the internet ------#
pass in on $if_lan inet proto tcp from $if_lan:network to any port $tcp_fwd_lan \
    keep state
pass in on $if_lan inet proto udp from $if_lan:network to any port $udp_fwd_lan \
    keep state
#- Allow the stores' computers to make connections to the internet -#
pass in on $if_lan inet proto tcp from $lojas_net to any port $tcp_fwd_lojas \
    keep state
pass in on $if_lan inet proto udp from $lojas_net to any port $udp_fwd_lojas \
    keep state
#- Allow the store proxies to make connections to the internet -#
pass in on $if_lan inet proto tcp from $proxies_net to any port $tcp_fwd_lojas \
    keep state
pass in on $if_lan inet proto udp from $proxies_net to any port $udp_fwd_lojas \
    keep state
#-- Allow the DMZ computers to make connections to the internet -----#
block in quick on $if_dmz from $if_dmz:network to <privadas>
pass in on $if_dmz from $if_dmz:network to any keep state
#----- Allow some ICMP types -------------#
pass in inet proto icmp all icmp-type $icmp_types keep state
--
Regards,
Rodolfo Zappa
"Linux is for people who hate Windows.
BSD is for people who love UNIX!"