Hi Peter,

I had these overflows when one of my customers had an infection by the Slammer worm, which tried to spread over leased company-intranet links from one site to the other. We were the only site that had a firewall against the intranet installed, at that time SuSE 8.2. I tried to increase the buffers, like Bob is recommending, but the ARP table grew that fast, and other buffers in the IP stack were EATING memory, too, at very high rates. (A good bandwidth test for the intranet lines, btw ;-)

I realised that some scanning was going on and tried to get something useful from the logs. I succeeded in changing the behaviour for unwanted NetBIOS traffic (mainly port 445) to DROP the packets instead of REJECTing them. It seems that dropping doesn't use many resources and that the "half open" connection attempts don't stick to the external interface, like they did before.

HTH,
Philipp

Peter Nixon wrote:
Hi Guys
Does anyone have any idea as to the following?
Mar 23 02:02:58 firewall kernel: Neighbour table overflow.
Mar 23 02:02:58 firewall kernel: MASQUERADE: No route: Rusty's brain broke!
Mar 23 02:03:03 firewall kernel: NET: 6 messages suppressed.
Mar 23 02:03:03 firewall kernel: Neighbour table overflow.
Mar 23 02:03:03 firewall kernel: MASQUERADE: No route: Rusty's brain broke!
Mar 23 02:03:08 firewall kernel: NET: 6 messages suppressed.
Mar 23 02:03:08 firewall kernel: Neighbour table overflow.
Mar 23 02:03:10 firewall kernel: MASQUERADE: No route: Rusty's brain broke!
Mar 23 02:03:11 firewall kernel: MASQUERADE: No route: Rusty's brain broke!
About here the firewall stops responding to the network.
This is a minimal SuSE 9.0 + SuSEfirewall2 box that had been running fine for 2 months until I added the following policy-based routing to push all traffic from the internal web proxy (10.10.1.4) out via a cheaper ADSL connection (10.13.1.2) instead of the more expensive leased line (218.x.x.x):
ip route add 10.13.0.0/16 via 10.13.1.1 table networka proto static
ip route add default via 10.13.1.2 table networka proto static

ip route add 218.x.x.y/29 via 218.x.x.x table networkb proto static
ip route add default via 218.x.x.x table networkb proto static

ip rule add from 10.10.1.4 to 0/0 pref 15000 table networka
These 2 routes are actually on 2 different ethernet interfaces, but that should not make any difference. SuSEfirewall2 is configured to MASQ on both external interfaces. (Yes, I know double NAT to the ADSL "router" is not necessarily good, but it should work.)
TIA for any help..
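The log excerpt above hides part of the story: each "NET: 6 messages suppressed." line is printk's net_ratelimit() reporting how many further messages it dropped, so the printed count understates what the box actually saw. The following is an added example, not code from the thread or from SuSEfirewall2: it parses syslog-format kernel lines like the ones quoted, separates the overflow and MASQUERADE messages, adds the suppressed count back in as a lower bound, and then derives ARP-cache gc_thresh sysctl values for a given peak neighbour count. The sample log is constructed from the lines in the post; the 1:4:8 ratio and the headroom factor in gc_thresholds() are my own assumptions (the ratio simply mirrors the kernel defaults 128/512/1024), and the sysctl names are the standard net.ipv4.neigh.default.gc_thresh1/2/3 keys.

```python
"""Added example (not from the thread): analyse 'Neighbour table overflow'
kernel messages, correct for printk rate limiting, and suggest gc_thresh
sysctls for the ARP cache."""
import re
from collections import Counter

# Constructed sample, modelled on the log lines quoted in the post.
SAMPLE_LOG = """\
Mar 23 02:02:58 firewall kernel: Neighbour table overflow.
Mar 23 02:02:58 firewall kernel: MASQUERADE: No route: Rusty's brain broke!
Mar 23 02:03:03 firewall kernel: NET: 6 messages suppressed.
Mar 23 02:03:03 firewall kernel: Neighbour table overflow.
Mar 23 02:03:03 firewall kernel: MASQUERADE: No route: Rusty's brain broke!
Mar 23 02:03:08 firewall kernel: NET: 6 messages suppressed.
Mar 23 02:03:08 firewall kernel: Neighbour table overflow.
Mar 23 02:03:10 firewall kernel: MASQUERADE: No route: Rusty's brain broke!
Mar 23 02:03:11 firewall kernel: MASQUERADE: No route: Rusty's brain broke!
"""

LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) kernel: (.*)$")
SUPPRESSED_RE = re.compile(r"^NET: (\d+) messages suppressed\.$")


def parse_kernel_log(text):
    """Yield (timestamp, host, message) for every syslog-format kernel line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groups()


def count_events(text):
    """Return ({kind: printed count}, suppressed) for one log excerpt.

    'NET: N messages suppressed.' is net_ratelimit() saying N further
    network messages were dropped between two prints. It does not say
    which kind, so keep it as a separate lower bound instead of adding
    it to one counter."""
    counts = Counter()
    suppressed = 0
    for _ts, _host, msg in parse_kernel_log(text):
        s = SUPPRESSED_RE.match(msg)
        if s:
            suppressed += int(s.group(1))
        elif msg.startswith("Neighbour table overflow"):
            counts["neigh_overflow"] += 1
        elif msg.startswith("MASQUERADE: No route"):
            counts["masq_no_route"] += 1
    return counts, suppressed


def minimum_event_count(text):
    """Printed messages plus suppressed ones: the least that really happened."""
    counts, suppressed = count_events(text)
    return sum(counts.values()) + suppressed


def gc_thresholds(peak_neighbours, headroom=2.0):
    """Suggest net.ipv4.neigh.default.gc_thresh1/2/3 for a peak ARP-cache size.

    Kernel semantics: below gc_thresh1 entries are never collected, above
    gc_thresh2 the collector becomes aggressive, and above gc_thresh3 no new
    entry can be created, which is what 'Neighbour table overflow' reports.
    The 1:4:8 ratio mirrors the kernel defaults (128/512/1024); the headroom
    factor is an assumption of this example, not a kernel rule."""
    if peak_neighbours < 1:
        raise ValueError("peak_neighbours must be positive")
    wanted = peak_neighbours * headroom
    thresh3 = int(max(1024, -(-wanted // 1024) * 1024))  # round up to 1024s
    return {
        "net.ipv4.neigh.default.gc_thresh1": thresh3 // 8,
        "net.ipv4.neigh.default.gc_thresh2": thresh3 // 2,
        "net.ipv4.neigh.default.gc_thresh3": thresh3,
    }


def sysctl_conf(thresholds):
    """Render the thresholds as lines suitable for /etc/sysctl.conf."""
    return "\n".join(f"{k} = {v}" for k, v in sorted(thresholds.items()))


if __name__ == "__main__":
    counts, suppressed = count_events(SAMPLE_LOG)
    print(dict(counts), "suppressed:", suppressed,
          "events at least:", minimum_event_count(SAMPLE_LOG))
    print(sysctl_conf(gc_thresholds(3000)))
```

Raising gc_thresh3 only buys time if the table is being filled by a scan: every packet forwarded towards an unused address on a directly connected subnet makes the firewall create an incomplete neighbour entry for that target at output time, which is why Philipp's change to DROP in the filter rules helped more than bigger buffers did. A packet dropped in FORWARD never reaches output-time neighbour resolution, whereas a REJECT still has to generate and route a reply.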