Security Incidents mailing list archives

Re: FreeBSD NATd problems


From: John Hall <j.hall () f5 com>
Date: Mon, 13 Aug 2001 14:41:45 -0700


It sounds like your connection table is growing huge for some reason.

It is possible someone on an inside machine is doing portscans or
other scanning which would open thousands of connections that may
not be getting reaped.  I'd tcpdump your inside interface and look
for unusual traffic.  Typically it's a hacked machine or someone on
your inside network with too much time on their hands.

It is also possible someone is bombarding your external interface
with traffic that convinces natd to create connection table entries,
but that seems less likely.  I don't know enough about natd's internal
operation; would an ACK scan jigger natd in that way?

JMH

Barry Irwin wrote:
I have a number of networks running with FreeBSD firewalls providing a
nat service to a number of hosts behind the wall itself. Both outgoing nat
and port_redirection are provided.  This has been running stably for over a
year.  However, in the last 10 days I have had a number of these natd
processes suddenly bloat (looking at 48Megs upwards when they normally sit
at around 700K-1Meg).  Ping times to the firewalls (in fact any packets
passing through the natd process) are delayed; it seems to suffer a type of
exponential decay, with the highest delay I have recorded being in the order
of 240 seconds!
...
Barry
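The check John suggests above (tcpdump the inside interface and look for a host opening thousands of flows) can be automated over the captured lines. This is an added example, not code from either poster: it parses `tcpdump -n` style output, counts distinct outbound (destination, port) targets per inside host, since each distinct outbound flow is roughly one natd translation entry, and flags hosts exceeding a threshold. The inside prefix, the sample lines and the threshold are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed inside network; adjust to the real one behind the firewall.
INSIDE_NET = ipaddress.ip_network("192.168.0.0/16")

# Matches the leading part of a "tcpdump -n" TCP line:
# "<ts> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], ..."
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

def parse_flows(lines):
    """Per inside source address: the set of distinct (dst, dport) targets
    and the number of bare SYNs (new outbound connection attempts) seen.
    Replies coming back in from outside hosts are ignored."""
    targets = defaultdict(set)
    syns = defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or ipaddress.ip_address(m["src"]) not in INSIDE_NET:
            continue
        targets[m["src"]].add((m["dst"], int(m["dport"])))
        if m["flags"] == "S":  # "S." would be a SYN-ACK, not a new flow
            syns[m["src"]] += 1
    return targets, syns

def suspicious_hosts(lines, max_targets=50):
    """Inside hosts talking to more than max_targets distinct targets:
    returns {src: (distinct_targets, syn_count)}."""
    targets, syns = parse_flows(lines)
    return {src: (len(t), syns[src])
            for src, t in targets.items() if len(t) > max_targets}

# Constructed sample: one ordinary client, one reply packet from outside,
# and one inside host sweeping 200 ports on a single external address.
SAMPLE = [
    "12:00:01.000001 IP 192.168.1.20.51000 > 198.51.100.10.80: Flags [S], seq 1, win 65535, length 0",
    "12:00:01.000002 IP 192.168.1.20.51001 > 198.51.100.11.443: Flags [S], seq 2, win 65535, length 0",
    "12:00:01.000003 IP 198.51.100.10.80 > 192.168.1.20.51000: Flags [S.], seq 3, ack 2, win 65535, length 0",
]
SAMPLE += [f"12:00:02.{i:06d} IP 192.168.1.77.{40000 + i} > 203.0.113.9.{i}: "
           f"Flags [S], seq 0, win 1024, length 0" for i in range(1, 201)]

if __name__ == "__main__":
    print(suspicious_hosts(SAMPLE))  # → {'192.168.1.77': (200, 200)}
```

Pipe a real capture in with `tcpdump -ni <inside-if> tcp | python3 script.py` style reading of `sys.stdin` in place of SAMPLE; a host at the top of that list is the one to inspect.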
