Re: network problems 7.0-p3: sendto: Operation not permitted
- From: Jeremy Chadwick <koitsu@xxxxxxxxxxx>
- Date: Thu, 24 Jul 2008 00:49:19 -0700
Let's see if I can figure out the multitude of things you've posted
about, since a bunch are unrelated and you appear to be flailing around
with your arms in the air. :-)
On Thu, Jul 24, 2008 at 01:59:23AM -0400, Robert Jameson wrote:
(12:46 AM):(root@cube)/$ ping google.com
PING google.com (72.14.207.99): 56 data bytes
ping: sendto: Operation not permitted
This usually indicates firewall rules on the local machine, although I
believe there are some other operations where EPERM can be returned.
This appears to be an issue with the network.
Can you provide uname -a output? There was a "cable modem compatibility
fix" applied to FreeBSD a while ago (a user informed me of such),
although I do not know if it applies to you, as I do not know the
original symptoms. I believe that fix was also just for TCP.
I have attached my rc.conf, sysctl.conf and pf.conf; please let me know if
any other information is required.
Errors from /var/log/console.log:
Jul 18 21:10:02 cube kernel: Jul 18 21:10:02 cube named[908]: socket: too many open file descriptors
Jul 19 00:30:13 cube kernel: Jul 19 00:30:13 cube named[9748]: socket: too many open file descriptors
Jul 19 00:30:54 cube kernel: Jul 19 00:30:14 cube last message repeated 28 times
This indicates a completely different/unrelated problem.
Jul 20 22:15:39 cube kernel: Limiting open port RST response from 318 to 200 packets/sec
This indicates a high number of ICMP packets being received. Keep in
mind this can also be seen due to TCP connections which are being reset
and other such things -- ICMP is at a higher layer than TCP.
I don't think there's necessarily anything "wrong" with that number (you
show up to 740), but it would be worthwhile investigating what's
soliciting that amount of ICMP traffic. Are you seeing this 24x7x365?
/etc/sysctl.conf
net.inet.icmp.icmplim=2000
I know it seems a bit high, but I kept adjusting until the error went away.
(not really fixing the problem?)
It's not a bit high; FreeBSD's 200 default is too low for any production
server, if you ask me. Setting it to 2000 is probably fine.
If your mail client or the mailing list prevents you from seeing the
attached files, you can view them here:
http://rj.dawnshosting.com/fbsd_ml/
You should discuss your firewalling rules on freebsd-pf, and not here.
I believe you may have some mistakes which are inducing said problem.
PS: While running tcpdump I see this
tcpdump -i fxp0
Neither one of these IPs exists on my system. Is my cable company doing
something wrong?
01:47:12.135929 arp who-has 64.253.3.161.dyn-cm-pool73.pool.hargray.net tell 64.253.3.1.dyn-cm-pool73.pool.hargray.net
01:47:12.155931 arp who-has 216.16.218.141.dyn-cm-pool46.pool.hargray.net tell 216.16.218.1.dyn-cm-pool46.pool.hargray.net
01:47:12.196000 arp who-has 181.131.216.67.181.static.hargray.net tell 1.131.216.67.1.static.hargray.net
Nope. This is normal behaviour for a cable modem network; they
constantly spam layer 2 ARP for *everyone* on the entire cable network
segment. Yes, you read that right.
Is this an attack?
01:55:41.231722 IP cube.dawnshosting.com > purple.haze.bluntroll.in: ICMP echo request, id 22055, seq 37084, length 64
01:55:42.232794 IP cube.dawnshosting.com > purple.haze.bluntroll.in: ICMP echo request, id 22055, seq 37085, length 64
At this rate (1 ICMP packet a second), absolutely not. You also don't
mention which FQDN/IP is yours; I assume "cube.dawnshosting.com", based
on your local hostname in the above. Your machine is sending out an
ICMP ping packet to purple.haze.bluntroll.in every 1 second. If you
don't know why, you need to investigate why.
--
| Jeremy Chadwick jdc at parodius.com |
| Parodius Networking http://www.parodius.com/ |
| UNIX Systems Administrator Mountain View, CA, USA |
| Making life hard for others since 1977. PGP: 4BD6C0CB |
_______________________________________________
freebsd-stable@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscribe@xxxxxxxxxxx"
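
The rate check applied to the tcpdump excerpt in the message above, written out as an added example that is not part of the original thread: it groups ICMP echo requests by source, destination and id, and reports packets per second for each flow. The `flood_pps` threshold and the `a.example`/`b.example` burst lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Matches tcpdump's text form for ICMP echo requests, as quoted in the thread.
ECHO_RE = re.compile(
    r"^(\d\d):(\d\d):(\d\d)\.(\d{6}) IP (\S+) > (\S+): "
    r"ICMP echo request, id (\d+), seq (\d+), length \d+$"
)

def parse_echo_requests(lines):
    """Yield (seconds_since_midnight, src, dst, icmp_id, seq) per echo request."""
    for line in lines:
        m = ECHO_RE.match(line.strip())
        if not m:
            continue  # ARP and any other traffic is skipped
        hh, mm, ss, us, src, dst, icmp_id, seq = m.groups()
        ts = int(hh) * 3600 + int(mm) * 60 + int(ss) + int(us) / 1e6
        yield ts, src, dst, int(icmp_id), int(seq)

def summarize(lines, flood_pps=100.0):
    """Per (src, dst, id) flow: packet count, packets/sec, seq range, flood flag."""
    # flood_pps is an assumed threshold for this example, not from the thread.
    # Timestamps carry no date, so the capture must not cross midnight.
    flows = defaultdict(list)
    for ts, src, dst, icmp_id, seq in parse_echo_requests(lines):
        flows[(src, dst, icmp_id)].append((ts, seq))
    report = {}
    for key, pkts in flows.items():
        pkts.sort()
        span = pkts[-1][0] - pkts[0][0]
        # N packets span N-1 intervals; a single packet has no rate.
        pps = (len(pkts) - 1) / span if span > 0 else 0.0
        report[key] = {"packets": len(pkts), "pps": round(pps, 2),
                       "first_seq": pkts[0][1], "last_seq": pkts[-1][1],
                       "flood": pps >= flood_pps}
    return report

# Two echo requests and one ARP line from the thread, plus a constructed burst.
SAMPLE = [
    "01:47:12.135929 arp who-has 64.253.3.161.dyn-cm-pool73.pool.hargray.net tell 64.253.3.1.dyn-cm-pool73.pool.hargray.net",
    "01:55:41.231722 IP cube.dawnshosting.com > purple.haze.bluntroll.in: ICMP echo request, id 22055, seq 37084, length 64",
    "01:55:42.232794 IP cube.dawnshosting.com > purple.haze.bluntroll.in: ICMP echo request, id 22055, seq 37085, length 64",
] + [  # constructed: 5 requests 4 ms apart between placeholder hosts
    f"02:00:00.{i * 4000:06d} IP a.example > b.example: ICMP echo request, id 7, seq {i}, length 64"
    for i in range(5)
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

The `last_seq` field is worth reading alongside the rate: assuming the sender's sequence counter started at 0 and has not wrapped, a value of 37085 at about one packet per second means the process sending these requests has been running for roughly ten hours.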