# Server stops responding



## Vib3 (Apr 30, 2009)

My problem: the server stops responding after a few hours. I have port 50301 open for one program. Suddenly ipfw started to deny the traffic for 50301, and I couldn't connect to 22 either.



```
# cat security
Apr 29 22:50:06 FrisBeeB0x kernel: ipfw: 65500 Deny TCP 82.131.112.117:2273 80.221.245.123:50301 in via bge0
Apr 29 22:50:07 FrisBeeB0x kernel: ipfw: 65500 Deny TCP 212.54.8.197:3888 80.221.245.123:50301 in via bge0
Apr 29 22:50:07 FrisBeeB0x kernel: ipfw: 65500 Deny TCP 83.245.213.158:61374 80.221.245.123:50301 in via bge0
Apr 29 22:50:07 FrisBeeB0x kernel: ipfw: 65500 Deny TCP 83.148.243.161:1792 80.221.245.123:50301 in via bge0
Apr 29 22:50:07 FrisBeeB0x kernel: ipfw: 65500 Deny TCP 80.89.62.14:59516 80.221.245.123:50301 in via bge0
```


----------



## DutchDaemon (Apr 30, 2009)

65500 is a very high firewall rule. Isn't ipfw loaded in the default 'deny all' mode (though I believe the default deny rule is 65535)? What does your current firewall ruleset (`ipfw list`, iirc) look like when this happens?


----------



## Vib3 (May 6, 2009)

Yes it is.

I think it isn't in ipfw. I think it's in dhclient; it can't renew my IP. What should the proper conf be?

The server disconnected at 01:45 and got an IP at 7:29. Nothing in messages at 1:45 etc.


```
# cat messages
May  6 03:07:05 FrisBeeB0x kernel: TCP: [127.0.0.1]:56907 to [127.0.0.1]:25 tcpflags 0x2<SYN>; tcp_input: Connection attempt to closed port
May  6 03:07:29 FrisBeeB0x kernel: TCP: [127.0.0.1]:60502 to [127.0.0.1]:25 tcpflags 0x2<SYN>; tcp_input: Connection attempt to closed port
May  6 03:07:29 FrisBeeB0x kernel: TCP: [127.0.0.1]:56869 to [127.0.0.1]:25 tcpflags 0x2<SYN>; tcp_input: Connection attempt to closed port
May  6 03:07:30 FrisBeeB0x kernel: TCP: [127.0.0.1]:56907 to [127.0.0.1]:25 tcpflags 0x2<SYN>; tcp_input: Connection attempt to closed port
May  6 07:29:14 FrisBeeB0x dhclient: New IP Address (xl0): 80.221.245.123
May  6 07:29:14 FrisBeeB0x dhclient: New Subnet Mask (xl0): 255.255.240.0
May  6 07:29:14 FrisBeeB0x dhclient: New Broadcast Address (xl0): 80.221.47.255
May  6 07:29:14 FrisBeeB0x dhclient: New Routers (xl0): 80.221.245.1
```


----------



## SirDice (May 6, 2009)

Vib3 said:

> ```
> # cat messages
> May  6 03:07:05 FrisBeeB0x kernel: TCP: [127.0.0.1]:56907 to [127.0.0.1]:25 tcpflags 0x2<SYN>; tcp_input: Connection attempt to closed port
> May  6 03:07:29 FrisBeeB0x kernel: TCP: [127.0.0.1]:60502 to [127.0.0.1]:25 tcpflags 0x2<SYN>; tcp_input: Connection attempt to closed port
> ...


You should allow these. It's periodic(8) trying to mail. You should really allow all traffic from 127/8 to 127/8 on lo0.



> ```
> May  6 07:29:14 FrisBeeB0x dhclient: New IP Address (xl0): 80.221.245.123
> May  6 07:29:14 FrisBeeB0x dhclient: New Subnet Mask (xl0): 255.255.240.0
> May  6 07:29:14 FrisBeeB0x dhclient: New Broadcast Address (xl0): 80.221.47.255
> ...


According to this it does get a new IP address. Do you use the IP address hardcoded? Or *any to any via $int*?


----------



## Vib3 (May 6, 2009)

Yes, I will check it. I am using DHCP for the IP.


```
# cat dhclient.leases.xl0
lease {
  interface "xl0";
  fixed-address 80.221.245.123;
  option subnet-mask 255.255.240.0;
  option routers 80.221.245.1;
  option domain-name-servers 193.210.19.19,192.89.123.29;
  option domain-name "dsl.inet.fi";
  option dhcp-lease-time 43200;
  option dhcp-message-type 5;
  option dhcp-server-identifier 88.195.96.1;
  renew 2 2009/5/5 15:31:37;
  rebind 2 2009/5/5 20:01:37;
  expire 2 2009/5/5 21:31:37;
}
lease {
  interface "xl0";
  fixed-address 80.221.245.123;
  option subnet-mask 255.255.240.0;
  option routers 80.221.245.1;
  option domain-name-servers 193.210.19.19,192.89.123.29;
  option domain-name "dsl.inet.fi";
  option dhcp-lease-time 43200;
  option dhcp-message-type 5;
  option dhcp-server-identifier 88.195.96.1;
  renew 2 2009/5/5 22:29:08;
  rebind 3 2009/5/6 02:59:08;
  expire 3 2009/5/6 04:29:08;
}
lease {
  interface "xl0";
  fixed-address 80.221.245.123;
  option subnet-mask 255.255.240.0;
  option routers 80.221.245.1;
  option domain-name-servers 193.210.19.19,192.89.123.29;
  option domain-name "dsl.inet.fi";
  option dhcp-lease-time 43200;
  option dhcp-message-type 5;
  option dhcp-server-identifier 88.195.96.1;
  renew 3 2009/5/6 10:29:14;
  rebind 3 2009/5/6 14:59:14;
  expire 3 2009/5/6 16:29:14;
}
```

At 13:34 I was disconnected from IRC. So rebind failed or something. At this time just SSH works for one IP (80.222.35.215); all other traffic is denied for some reason.


```
# netstat -r
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            80.222.32.1        UGS         0     5973    xl0
80.221.245.0/20     link#1             UC          0        0    xl0
80.221.245.1        00:1a:30:2a:a0:c0  UHLW        2        0    xl0    895
80.222.245.123      00:06:5b:6b:e4:4e  UHLW        1        2    lo0
80.221.35.215      00:12:45:66:12:84  UHLW        1     1172    xl0   1124
localhost          localhost          UH          0     4946    lo0
```

00:06:5b:6b:e4:4e is my server's MAC address.

After:

```
# dhclient xl0
```

Everything works. ->


```
# netstat -r
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            80.222.245.1        UGS         0     6126    xl0
80.222.245.0/20     link#1             UC          0        0    xl0
80.222.245.1        00:1a:30:2a:a0:c0  UHLW        2        0    xl0   1117
dsl-hkibrasgw2-fe2 00:12:45:66:12:84  UHLW        1       11    xl0   1184
localhost          localhost          UH          0     4994    lo0
```

Ideas ?


----------



## SirDice (May 6, 2009)

Check if your firewall rules allow all the DHCP requests, renews etc.


----------



## Vib3 (May 6, 2009)

SirDice said:

> Check if your firewall rules allow all the DHCP requests, renews etc.




```
# cat /etc/rc.firewall

# Allow DHCP.
${fwcmd} add pass udp  from 0.0.0.0 68 to 255.255.255.255 67 out
${fwcmd} add pass udp  from any 67     to me 68 in
${fwcmd} add pass udp  from any 67     to 255.255.255.255 68 in
# Some servers will ping the IP while trying to decide if it's
# still in use.
```

dhclient gets a new IP. The server disconnected at 1:45 and automatically got a new IP, but only at 7:29.


----------



## SirDice (May 6, 2009)

Hmm.. Your DHCP lease time is 12 hours; it should renew after 6. If that fails for some reason it'll try again at 9. And if that fails it'll release at 12.

Ah.. There's no rule for the renew :e
The renew will use the current IP address to contact the DHCP server.
You only have a rule for the initial request. Hence it'll lose its lease after 12 hours.


----------



## DutchDaemon (May 6, 2009)

I never bother with DHCP rules too much, since they're on an internal interface most of the time. In pf lingo:


```
pass quick on $int_if inet proto tcp from any port { 67, 68 } to any port { 67, 68 } keep state flags S/SA
pass quick on $int_if inet proto udp from any port { 67, 68 } to any port { 67, 68 } keep state
```


----------



## Vib3 (May 8, 2009)

DutchDaemon said:

> I never bother with DHCP rules too much, since they're on an internal interface most of the time. In pf lingo:
> 
> 
> ```
> ...



Ok. My DHCP rules ->

```
#cat /etc/rc.firewall
.
.
  # Allow DHCP.
  ${fwcmd} add pass tcp from any 67,68 to me 67,68 keep-state
  ${fwcmd} add pass udp  from 0.0.0.0 68 to 255.255.255.255 67 out keep-state
  ${fwcmd} add pass udp  from any 67,68     to me 67,68 in keep-state
  ${fwcmd} add pass udp  from any 67,68     to 255.255.255.255 67,68 in keep-state
.
```

But renew still doesn't work.


----------



## Vib3 (May 11, 2009)

```
# cat /var/log/messages
.
May 11 20:57:01 FrisBeeB0x dhclient: New IP Address (xl0): 80.221.245.123
May 11 20:57:01 FrisBeeB0x dhclient: New Subnet Mask (xl0): 255.255.240.0
May 11 20:57:01 FrisBeeB0x dhclient: New Broadcast Address (xl0):  80.222.47.255
May 11 20:57:01 FrisBeeB0x dhclient: New Routers (xl0): 80.221.245.1
May 11 20:58:01 FrisBeeB0x kernel: Connection attempt to UDP 80.221.245.123:68 from 88.195.96.1:67
May 11 20:58:01 FrisBeeB0x dhclient[485]: connection closed
May 11 20:58:01 FrisBeeB0x dhclient[485]: exiting.
May 11 20:58:01 FrisBeeB0x dhclient: New IP Address (xl0): 80.221.245.123
May 11 20:58:01 FrisBeeB0x dhclient: New Subnet Mask (xl0): 255.255.240.0
May 11 20:58:01 FrisBeeB0x dhclient: New Broadcast Address (xl0): 80.222.47.255
May 11 20:58:01 FrisBeeB0x dhclient: New Routers (xl0): 80.221.245.1
May 11 20:59:04 FrisBeeB0x kernel: Connection attempt to UDP 80.221.245.123:68 from 88.195.96.1:67
May 11 20:59:04 FrisBeeB0x dhclient[518]: connection closed
May 11 20:59:04 FrisBeeB0x dhclient[518]: exiting.
.
```


```
#ipfw list
.
00900 allow tcp from any 67,68 to me dst-port 67,68 keep-state
01000 allow udp from any 67,68 to me dst-port 67,68 in keep-state
01100 allow udp from any 67,68 to 255.255.255.255 dst-port 67,68 in keep-state
.
```

My current solution is to start dhclient from crontab every 5 hours, so the server stays up and doesn't disconnect.

Is there still something wrong with my ipfw?
(firewall_type="workstation" in rc.conf)


----------
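The firewall question running through this thread, as an added example: this is not code from any of the posts nor from FreeBSD's rc.firewall. It is a small model of ipfw's first-match evaluation (`in`/`out`, `me`, port lists, `keep-state`/`check-state` with a UDP state lifetime) fed with the packets a DHCP client sends over one lease, and it evaluates the DHCP rules from the first rc.firewall excerpt (Apr 30 / May 6) and from the May 8 excerpt, to show what SirDice's May 6 observation means in practice. The initial DISCOVER and REQUEST go out from 0.0.0.0:68 to 255.255.255.255:67, but the renewal at T1 is a unicast DHCPREQUEST from the leased address, port 68, to the server's address, port 67, and the rebind at T2 is a broadcast from the leased address; neither matches a rule whose source is 0.0.0.0. Adding `keep-state` to the inbound rules does not change that: the dynamic entry created by the DHCPACK is gone long before T1 (the model assumes ipfw's default UDP dynamic-rule lifetime of 10 seconds, `net.inet.ip.fw.dyn_udp_lifetime`). The rule numbers, the leading `check-state` rule, the hypothetical fix rule 1050 and the 10-second lifetime are assumptions; the addresses are those in the posted lease file. Only the quoted DHCP rules plus the 65500 deny seen in the log are modelled, so whether the live "workstation" ruleset actually drops the renewal also depends on rules the thread never shows.

```python
"""Trace one DHCP lease through an ipfw-style ruleset.

Constructed example, not code from the thread: a model of ipfw first-match
evaluation (in/out, `me`, port lists, keep-state/check-state with a UDP
state lifetime). Rule numbers, the leading check-state rule and the 10 s
UDP state lifetime are assumptions; addresses come from the posted lease file.
"""
from collections import namedtuple

ME = "80.221.245.123"       # fixed-address in dhclient.leases.xl0
SERVER = "88.195.96.1"       # dhcp-server-identifier in the same file
BCAST, ANY = "255.255.255.255", "any"
T1, T2 = 21600, 37800        # renew / rebind offsets of the 43200 s lease

Packet = namedtuple("Packet", "proto src sport dst dport direction label")  # direction: "in"/"out"
# action: "allow" | "deny" | "check-state"; sports/dports () = any port; direction "" = either
Rule = namedtuple("Rule", "num action proto src sports dst dports direction keep_state",
                  defaults=("ip", ANY, (), ANY, (), "", False))

def addr_match(pattern, addr, me):
    return pattern == ANY or addr == (me if pattern == "me" else pattern)

def rule_matches(rule, pkt, me):
    return ((not rule.direction or rule.direction == pkt.direction)
            and rule.proto in ("ip", pkt.proto)
            and addr_match(rule.src, pkt.src, me) and addr_match(rule.dst, pkt.dst, me)
            and (not rule.sports or pkt.sport in rule.sports)
            and (not rule.dports or pkt.dport in rule.dports))

def state_key(pkt):  # dynamic rules match both directions, so the key is unordered
    return (pkt.proto, frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)}))

class Firewall:
    def __init__(self, rules, me=ME, dyn_udp_lifetime=10):
        self.rules = sorted(rules, key=lambda r: r.num)
        self.me, self.lifetime, self.dynamic = me, dyn_udp_lifetime, {}

    def check(self, pkt, now):
        """Return (verdict, rule number) for pkt at time `now`, updating state."""
        key = state_key(pkt)
        for rule in self.rules:
            # check-state, and implicitly every keep-state rule, consults the state table first
            if rule.action == "check-state" or rule.keep_state:
                expiry = self.dynamic.get(key)
                if expiry is not None and expiry >= now:
                    self.dynamic[key] = now + self.lifetime   # a hit refreshes the entry
                    return "allow", rule.num
                self.dynamic.pop(key, None)                   # absent or expired
                if rule.action == "check-state":
                    continue
            if rule_matches(rule, pkt, self.me):
                if rule.keep_state:
                    self.dynamic[key] = now + self.lifetime
                return rule.action, rule.num
        return "deny", 65535   # ipfw's compiled-in default rule

# Constructed packets for one lease; times are seconds after the first DISCOVER.
LEASE_LIFECYCLE = [
    (0, Packet("udp", "0.0.0.0", 68, BCAST, 67, "out", "DHCPDISCOVER, broadcast")),
    (1, Packet("udp", SERVER, 67, BCAST, 68, "in", "DHCPOFFER, broadcast")),
    (1, Packet("udp", "0.0.0.0", 68, BCAST, 67, "out", "DHCPREQUEST (SELECTING), broadcast")),
    (2, Packet("udp", SERVER, 67, ME, 68, "in", "DHCPACK, unicast to the new address")),
    (T1, Packet("udp", ME, 68, SERVER, 67, "out", "DHCPREQUEST (RENEWING) at T1, unicast to the server")),
    (T1 + 1, Packet("udp", SERVER, 67, ME, 68, "in", "DHCPACK for the renewal")),
    (T2, Packet("udp", ME, 68, BCAST, 67, "out", "DHCPREQUEST (REBINDING) at T2, broadcast from the leased address")),
    (T2 + 1, Packet("udp", SERVER, 67, ME, 68, "in", "DHCPACK for the rebind")),
]

DENY_ALL = Rule(65500, "deny")   # the rule number logged in the thread's /var/log/security
# DHCP rules from the first rc.firewall excerpt (rule numbers assumed).
ORIGINAL_RULES = [
    Rule(100, "allow", "udp", "0.0.0.0", (68,), BCAST, (67,), "out"),
    Rule(200, "allow", "udp", ANY, (67,), "me", (68,), "in"),
    Rule(300, "allow", "udp", ANY, (67,), BCAST, (68,), "in"),
    DENY_ALL,
]
# DHCP rules from the May 8 rc.firewall excerpt plus a leading check-state (assumed).
REVISED_RULES = [
    Rule(100, "check-state"),
    Rule(900, "allow", "tcp", ANY, (67, 68), "me", (67, 68), keep_state=True),
    Rule(1000, "allow", "udp", "0.0.0.0", (68,), BCAST, (67,), "out", keep_state=True),
    Rule(1100, "allow", "udp", ANY, (67, 68), "me", (67, 68), "in", keep_state=True),
    Rule(1200, "allow", "udp", ANY, (67, 68), BCAST, (67, 68), "in", keep_state=True),
    DENY_ALL,
]
# The revised set plus one hypothetical rule for what the client sends from its leased
# address: the unicast renewal and the broadcast rebind (rule number assumed).
FIXED_RULES = REVISED_RULES + [Rule(1050, "allow", "udp", "me", (68,), ANY, (67,), "out", keep_state=True)]

def trace(rules, packets=LEASE_LIFECYCLE, **fw_opts):
    fw = Firewall(rules, **fw_opts)
    return [(pkt.label, *fw.check(pkt, t)) for t, pkt in packets]

def denied_steps(rules, **fw_opts):
    """Indices into LEASE_LIFECYCLE of the packets the ruleset drops."""
    return [i for i, (_, v, _) in enumerate(trace(rules, **fw_opts)) if v == "deny"]
```

`trace()` returns one `(label, verdict, rule)` tuple per packet and `denied_steps()` the indices of the dropped ones; both the original and the revised sets drop exactly the renewal and the rebind, while `FIXED_RULES` passes the whole lease, with the server's reply to the renewal admitted by the state that the outbound rule created. In rc.firewall syntax the assumed fix rule would read `${fwcmd} add pass udp from me 68 to any 67 out keep-state`. Two checks worth making on the live box before trusting any model: `ipfw -d list` shows the dynamic rules with their remaining lifetime, and `sysctl net.inet.ip.fw.dyn_udp_lifetime` shows how long a UDP state entry survives, which is why keep-state on an inbound rule cannot carry a renewal that happens six hours later.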

