Security Incidents mailing list archives
Re: FreeBSD NATd problems
From: John Hall <j.hall () f5 com>
Date: Mon, 13 Aug 2001 14:41:45 -0700
It sounds like your connection table is growing huge for some reason. It is possible someone on an inside machine is doing portscans or other scanning which would open thousands of connections that may not be getting reaped. I'd tcpdump your inside interface and look for unusual traffic. Typically it's a hacked machine or someone on your inside network with too much time on their hands.

It is also possible someone is bombarding your external interface with traffic that convinces natd to create connection table entries, but that seems less likely. I don't know enough about natd's internal operation; would an ACK scan jigger natd in that way?

JMH

Barry Irwin wrote:
I have a number of networks running with FreeBSD firewalls providing a nat service to a number of hosts behind the wall itself. Both outgoing nat and port_redirection are provided. This has been running stably for over a year. However, in the last 10 days I have had a number of these natd processes suddenly bloat (looking at 48 Megs upwards, when they normally sit at around 700K-1 Meg). Ping times to the firewalls (in fact any packets passing through the natd process) are delayed; it seems to suffer a type of exponential decay, with the highest delay I have recorded being in the order of 240 seconds!
...
Barry
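The reply above suggests capturing the inside interface and looking for an internal host opening thousands of connections. As an added example (not code from either poster), the script below parses tcpdump-style lines and flags inside hosts whose SYN-only packets fan out to many distinct destination/port pairs, which is the pattern that would bloat a natd translation table. The capture text, the 192.168.1.0/24 inside prefix, the threshold and the modern "Flags [S]" tcpdump output format are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of `tcpdump -n -i <inside_if> tcp` output; not a real capture.
SAMPLE_TCPDUMP = """\
14:41:01.000001 IP 192.168.1.10.40001 > 203.0.113.5.22: Flags [S], seq 1, win 65535, length 0
14:41:01.000102 IP 192.168.1.10.40002 > 203.0.113.5.23: Flags [S], seq 2, win 65535, length 0
14:41:01.000203 IP 192.168.1.10.40003 > 203.0.113.5.25: Flags [S], seq 3, win 65535, length 0
14:41:01.000304 IP 192.168.1.10.40004 > 203.0.113.6.80: Flags [S], seq 4, win 65535, length 0
14:41:01.000405 IP 192.168.1.10.40005 > 203.0.113.7.443: Flags [S], seq 5, win 65535, length 0
14:41:02.000001 IP 192.168.1.20.51000 > 198.51.100.9.80: Flags [S], seq 9, win 65535, length 0
14:41:02.100001 IP 192.168.1.20.51000 > 198.51.100.9.80: Flags [.], ack 1, win 65535, length 0
"""

# Matches "IP src.sport > dst.dport: Flags [..]" as printed by tcpdump -n (assumed format).
LINE_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]*)\]"
)


def count_syn_flows(capture_text, inside_prefix="192.168.1."):
    """Return {src_ip: set of (dst_ip, dst_port)} for SYN-only packets from inside hosts.

    Only new outbound connection attempts (SYN without ACK) make natd allocate a
    fresh translation entry, so those are the packets worth counting per host.
    """
    flows = defaultdict(set)
    for line in capture_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, _sport, dst, dport, flags = m.groups()
        if not src.startswith(inside_prefix) or flags != "S":
            continue
        flows[src].add((dst, int(dport)))
    return flows


def suspicious_hosts(flows, threshold=5):
    """Inside hosts that opened at least `threshold` distinct (dst, port) pairs."""
    return sorted(src for src, targets in flows.items() if len(targets) >= threshold)


if __name__ == "__main__":
    for host in suspicious_hosts(count_syn_flows(SAMPLE_TCPDUMP)):
        print("possible scanner behind the NAT:", host)
```

Pipe a real capture through `count_syn_flows` and tune `threshold` to the normal connection rate of the network; a legitimate busy host (a mail relay, a proxy) will also open many distinct flows and needs to be allow-listed.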
---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com