[3883] in linux-net channel archive
Re: ipfwadm help
daemon@ATHENA.MIT.EDU (Jon Lewis)
Sun Jul 28 00:20:44 1996
Date: Sun, 28 Jul 1996 00:15:56 -0400 (EDT)
From: Jon Lewis <jlewis@inorganic5.fdt.net>
To: Jos Vos <jos@xos.nl>
cc: linux-net@vger.rutgers.edu
In-Reply-To: <199607261524.RAA24324@minnie.xos.nl>
On Fri, 26 Jul 1996, Jos Vos wrote:
> > 5010 4983K i/o icmp 13.229.51.128/25 anywhere any
> >
> > That line should have read (though it would have used names not numbers):
> > 5010 4983K i/o icmp 205.229.51.128/25 0.0.0.0/0 *
>
> This is an interesting one. You're missing the leftmost 2 bits here.
> Could you please mail me the output of the "ipfwadm -Alxen" command
> together with the output of "cat /proc/net/ip_acct"?
This is getting even weirder. Every night at midnight, all my boxes
email me their traffic stats, and clear the counters with:
#!/bin/bash
/usr/local/sbin/ipfwadm -A -lz |\
/bin/mail -s "`/bin/date +%D` traffic stats for `/bin/hostname`" \
fubar@fdt.net
Every night for the past 3 nights, endor has lost those 2 bits and
emailed me:
5010 4983K i/o icmp 13.229.51.128/25 anywhere any
instead of
0 0 i/o icmp ts-sn2-na.51.fdt.net/25 anywhere any
where 13.229.51.128/25 should have been 205.229.51.128/25.
I've run /usr/local/sbin/ipfwadm -A -lz several dozen times interactively
on endor, and haven't seen it mess up. Coincidentally, 3 nights ago was
when the accounting rules grew from 9 rules to 11 to help track some ping
attacks. Endor is due for a makeover...totally new box, only the
cyclades cards will be reused, so it will be interesting to see if the
problem goes away.
------------------------------------------------------------------
Jon Lewis | Mime attachments are OK
jlewis@inorganic5.fdt.net | But please ask before sending
http://inorganic5.fdt.net | unsolicited huge files.
________Finger jlewis@inorganic5.fdt.net for PGP public key_______
