Re: network problems 7.0-p3: sendto: Operation not permitted



Still don't know what's going on, I'm currently sitting here with no firewall
between me and the internet (very nervous) seeing if it fixes the problems,
as of right this moment, still seeing permission denied errors.

I have fixed the 403 errors now.

http://rj.dawnshosting.com/fbsd_ml/ now contains sysctl.conf, rc.conf and pf.conf

On Thu, Jul 24, 2008 at 3:49 AM, Jeremy Chadwick <koitsu@xxxxxxxxxxx> wrote:

Let's see if I can figure out the multitude of things you've posted
about, since a bunch are unrelated and you appear to be flailing around
with your arms in the air. :-)


Sorry about that, bit of an information overload, I really am flailing my
arms around!



On Thu, Jul 24, 2008 at 01:59:23AM -0400, Robert Jameson wrote:
(12:46 AM):(root@cube)/$ ping google.com
PING google.com (72.14.207.99): 56 data bytes
ping: sendto: Operation not permitted

This usually indicates firewall rules on the local machine, although I
believe there are some other operations where EPERM can be returned.


Tried running with my firewall disabled/wide, problem still occurs.




This appears to be an issue with the network.

Can you provide uname -a output? There was a "cable modem compatibility
fix" applied to FreeBSD a while ago (a user informed me of such),
although I do not know if it applies to you, as I do not know the
original symptoms. I believe that fix was also just for TCP.


FreeBSD cube.dawnshosting.com 7.0-RELEASE-p3 FreeBSD 7.0-RELEASE-p3 #5: Wed
Jul 16 21:55:02 EDT 2008
root@xxxxxxxxxxxxxxxxxxxxx:/usr/obj/usr/src/sys/CUBE
i386

Was the patch applied upstream? If not, and it's not too much trouble, can you
point me in the direction of it?




I have attached my rc.conf and sysctl.conf and pf.conf please let me know
if any other information is required.

Errors from /var/log/console.log:

Jul 18 21:10:02 cube kernel: Jul 18 21:10:02 cube named[908]: socket: too many open file descriptors
Jul 19 00:30:13 cube kernel: Jul 19 00:30:13 cube named[9748]: socket: too many open file descriptors
Jul 19 00:30:54 cube kernel: Jul 19 00:30:14 cube last message repeated 28 times

This indicates a completely different/unrelated problem.


Ah, thought they were related, what's causing this :)!



Jul 20 22:15:39 cube kernel: Limiting open port RST response from 318 to 200 packets/sec

This indicates a high number of ICMP packets being received. Keep in
mind this can also be seen due to TCP connections which are being reset
and other such things -- ICMP is at a higher layer than TCP.

I don't think there's necessarily anything "wrong" with that number (you
show up to 740), but it would be worthwhile investigating what's
soliciting that amount of ICMP traffic. Are you seeing this 24x7x365?


Yes, it's constant. Let it be known I also have 2 network cards in the
machine, 1 into my cable modem and another into a Linksys 16-port VPN router.
The defaultrouter is set to a WAN IP (not 10.192.240.1), not that any of
that matters, I don't think?





/etc/sysctl.conf
net.inet.icmp.icmplim=2000

I know it seems a bit high, but I kept adjusting until the error went away.
(not really fixing the problem?)

It's not a bit high; FreeBSD's 200 default is too low for any production
server, if you ask me. Setting it to 2000 is probably fine.


I read a bit about it from the handbook, I think it's a non-issue.

Might be worth mentioning the only real service change to this machine was
an ircd daemon w/ about 500 users.



If your mail client or the mailing list prevents you from seeing the attached
You can view them here:
http://rj.dawnshosting.com/fbsd_ml/

You should discuss your firewalling rules on freebsd-pf, and not here.
I believe you may have some mistakes which are inducing said problem.


I will send them an e-mail shortly, thanks.


PS: While running tcpdump I see this

tcpdump -i fxp0

Neither one of these IPs exist on my system, is my cable company doing
something wrong?


01:47:12.135929 arp who-has 64.253.3.161.dyn-cm-pool73.pool.hargray.net tell 64.253.3.1.dyn-cm-pool73.pool.hargray.net
01:47:12.155931 arp who-has 216.16.218.141.dyn-cm-pool46.pool.hargray.net tell 216.16.218.1.dyn-cm-pool46.pool.hargray.net
01:47:12.196000 arp who-has 181.131.216.67.181.static.hargray.net tell 1.131.216.67.1.static.hargray.net

Nope. This is normal behaviour for a cable modem network; they
constantly spam layer 2 ARP for *everyone* on the entire cable network
segment. Yes, you read that right.


ah, ok, nothing to see here, keep moving.


Is this an attack?

01:55:41.231722 IP cube.dawnshosting.com > purple.haze.bluntroll.in: ICMP echo request, id 22055, seq 37084, length 64
01:55:42.232794 IP cube.dawnshosting.com > purple.haze.bluntroll.in: ICMP echo request, id 22055, seq 37085, length 64

At this rate (1 ICMP packet a second), absolutely not. You also don't
mention which FQDN/IP is yours; I assume "cube.dawnshosting.com", based
on your local hostname in the above. Your machine is sending out an
ICMP ping packet to purple.haze.bluntroll.in every 1 second. If you
don't know why, you need to investigate why.


Correct, cube.dawnshosting.com is the actual FreeBSD machine.
Sorry for the newbish question, off the top of your head how can I see
who/what is using this process?


--
| Jeremy Chadwick jdc at parodius.com |
| Parodius Networking http://www.parodius.com/ |
| UNIX Systems Administrator Mountain View, CA, USA |
| Making life hard for others since 1977. PGP: 4BD6C0CB |


_______________________________________________
freebsd-stable@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscribe@xxxxxxxxxxx"
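
Added example, not part of the original thread: a small triage of the console.log excerpts quoted above that keeps the two unrelated symptoms apart (named running out of file descriptors versus the kernel's response rate limiting). The function name `triage` is hypothetical, and the last sample line is constructed using the 740 peak mentioned in the reply.

```python
import re
from collections import defaultdict

# Console.log excerpts from the message with the mail wrapping undone.
# The final line is constructed (740 is the peak mentioned in the reply).
SAMPLE = """\
Jul 18 21:10:02 cube kernel: Jul 18 21:10:02 cube named[908]: socket: too many open file descriptors
Jul 19 00:30:13 cube kernel: Jul 19 00:30:13 cube named[9748]: socket: too many open file descriptors
Jul 19 00:30:54 cube kernel: Jul 19 00:30:14 cube last message repeated 28 times
Jul 20 22:15:39 cube kernel: Limiting open port RST response from 318 to 200 packets/sec
Jul 20 22:17:02 cube kernel: Limiting open port RST response from 740 to 200 packets/sec
"""

# Syslog prefix; it appears twice when a daemon's line is echoed via the console.
PREFIX = re.compile(r"^(?:\w{3}\s+\d+ [\d:]{8} \S+ (?:kernel: )?)+")
FD_EXHAUSTED = re.compile(r"^(\w+)\[\d+\]: socket: too many open file descriptors$")
RATE_LIMIT = re.compile(r"^Limiting (.+) response from (\d+) to (\d+) packets/sec$")
REPEATED = re.compile(r"^last message repeated (\d+) times$")


def triage(text):
    """Return ({daemon: fd-exhaustion count}, {response kind: (peak pps, limit)})."""
    fd_hits = defaultdict(int)
    limits = {}
    last_daemon = None  # daemon of the preceding fd-exhaustion line, if any
    for line in text.splitlines():
        msg = PREFIX.sub("", line.strip())
        if m := FD_EXHAUSTED.match(msg):
            last_daemon = m.group(1)
            fd_hits[last_daemon] += 1
        elif m := RATE_LIMIT.match(msg):
            kind, seen, limit = m.group(1), int(m.group(2)), int(m.group(3))
            peak = max(seen, limits.get(kind, (0, limit))[0])
            limits[kind] = (peak, limit)
            last_daemon = None
        elif (m := REPEATED.match(msg)) and last_daemon:
            # syslog collapsed identical lines; credit them to the same daemon
            fd_hits[last_daemon] += int(m.group(1))
        else:
            last_daemon = None
    return dict(fd_hits), limits


if __name__ == "__main__":
    fd_hits, limits = triage(SAMPLE)
    for daemon, n in fd_hits.items():
        print(f"{daemon}: {n} socket() failures (descriptor limit reached)")
    for kind, (peak, limit) in limits.items():
        print(f"{kind}: peak {peak} packets/sec against a limit of {limit}")
```
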


