Help.
I'm running a mostly fwtk dual-homed firewall (with a CERN http caching
proxy) on a BSDI 1.1 system. (I'm posting this to firewalls instead of
fwtk-users because I don't know whether it's related to fwtk, CERN, or
BSDI, and lots of people are using all or some of these components in a
large number of firewalls.)
The bastion host runs unattended for weeks or months, but over time
the amount of network memory being used as reported by "netstat -m"
grows until I feel I need to reboot. The resources used vary with
usage but also tend upward over time in a cumulative fashion.
See http://www.c2.org/~comrade/netmem/ for graphs over the last 40 days.
Does anyone have any experience with this? Is it due to some bug in
BSDI 1.1? I know BSDI is up to 2.1 or 2.2 or better, but I'm adhering
to the "if it ain't broke, don't fix it" philosophy, and I don't know
if that's what's broke here (though I might upgrade for other reasons,
anyway.)
Note that I started plotting "Connections waiting on LAST_ACK" after
about the first week. This is because I noticed a whole lot of entries
like this when I do a "netstat -tn" (network #s changed):
Active Internet connections
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp 0 2734 172.16.64.153.80 172.16.234.116.1408 LAST_ACK
(the local address 172.16.64.153.80 is the CERN proxy)
The number of these entries tends to grow. Looking at the other data,
it's not obvious that it correlates directly with the growth of network
memory usage. Please correct me if you know otherwise. It is related
to another problem, though.
I noticed from sniffing on the DMZ that the firewall is sending out
ACK packets for the 172.16.234.116 to the internet router on the DMZ,
not to the internal router used to get to that machine. I can still
ping it, though, so it knows the proper route (traceroute shows it
using _only_ internal routers, so it's not a case of someone with a
private i'net connection -- I hope & pray; the user swears not).
Any further ideas on what I should be looking at to figure this one
out? I cannot figure out why these packets are going out the wrong
interface to the wrong router. (The user doesn't report any
difficulties using the 'net.)
[BTW, this relates to various appropriate usage discussions; the
httpd logs show this user using the web to access plenty of places
like penthousemag.com, and here I am spending my valuable time
trying to figure out why it's affecting the whole company by its
apparent impact on the firewall. :-P ]
-=O=-
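As an added example (not part of the original post), a small POSIX sh/awk script that counts connections per state from "netstat -tn" output and flags the LAST_ACK sockets on the proxy port that still have unacknowledged data in Send-Q, like the entry quoted above. The sample output embedded below is constructed; only port 80 for the CERN proxy is taken from the post.

```shell
#!/bin/sh
# Added example, not from the original post: summarise "netstat -tn" output
# by TCP state and flag LAST_ACK entries that still hold unacknowledged data
# on the proxy's local port. On the bastion host the real pipeline would be:
#     netstat -tn | tcp_state_summary
# Here a constructed sample stands in for the live command.

# Count connections per state; the two netstat header lines are skipped
# because their first field is not "tcp".
tcp_state_summary() {
    awk '$1 == "tcp" && NF >= 6 { n[$NF]++ }
         END { for (s in n) printf "%s %d\n", s, n[s] }' | sort
}

# Count LAST_ACK sockets on local port $1 whose Send-Q is non-zero: the local
# side has sent its FIN/data and the peer's ACK never arrived (80 = CERN proxy).
stuck_last_ack() {
    port="$1"
    awk -v port="$port" '
        $1 == "tcp" && $NF == "LAST_ACK" && $3 > 0 {
            n = split($4, a, ".")        # last dotted component is the port
            if (a[n] == port) c++
        }
        END { printf "%d\n", c + 0 }'
}

# Constructed sample in the same layout as the post (addresses changed).
SAMPLE='Active Internet connections
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp 0 2734 172.16.64.153.80 172.16.234.116.1408 LAST_ACK
tcp 0 1200 172.16.64.153.80 172.16.234.116.1410 LAST_ACK
tcp 0 0 172.16.64.153.80 172.16.234.117.2201 LAST_ACK
tcp 0 0 172.16.64.153.23 172.16.200.5.1033 ESTABLISHED
tcp 0 0 172.16.64.153.80 172.16.210.9.3050 TIME_WAIT'

# $1 = state name; prints how many SAMPLE sockets are in that state.
count_state() {
    printf '%s\n' "$SAMPLE" | tcp_state_summary | awk -v s="$1" '$1 == s { print $2 }'
}

# $1 = local port; prints how many SAMPLE sockets are stuck in LAST_ACK there.
count_stuck() {
    printf '%s\n' "$SAMPLE" | stuck_last_ack "$1"
}
```

Run tcp_state_summary from cron and append its output to a file to get the per-state series the post plots, without hand-counting netstat lines.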