Hi Guys

Does anyone have any idea as to the following?

Mar 23 02:02:58 firewall kernel: Neighbour table overflow.
Mar 23 02:02:58 firewall kernel: MASQUERADE: No route: Rusty's brain broke!
Mar 23 02:03:03 firewall kernel: NET: 6 messages suppressed.
Mar 23 02:03:03 firewall kernel: Neighbour table overflow.
Mar 23 02:03:03 firewall kernel: MASQUERADE: No route: Rusty's brain broke!
Mar 23 02:03:08 firewall kernel: NET: 6 messages suppressed.
Mar 23 02:03:08 firewall kernel: Neighbour table overflow.
Mar 23 02:03:10 firewall kernel: MASQUERADE: No route: Rusty's brain broke!
Mar 23 02:03:11 firewall kernel: MASQUERADE: No route: Rusty's brain broke!

About here the firewall stops responding to the network.

This is a minimum SuSE 9.0 + SuSEfirewall2 box that has been running fine for 2 months until I added the following policy based routing to push all traffic from the internal web proxy (10.10.1.4) out via a cheaper ADSL connection (10.13.1.2) instead of the more expensive leased line (218.x.x.x):

# table networka: routes for the ADSL side
ip route add 10.13.0.0/16 via 10.13.1.1 table networka proto static
ip route add default via 10.13.1.2 table networka proto static
# table networkb: routes for the leased-line side
ip route add 218.x.x.y/29 via 218.x.x.x table networkb proto static
ip route add default via 218.x.x.x table networkb proto static
# everything sourced from the proxy is looked up in table networka
ip rule add from 10.10.1.4 to 0/0 pref 15000 table networka

These 2 routes are actually on 2 different ethernet interfaces, but that should not make any difference.. SuSEfirewall is configured to MASQ on both external interfaces. (Yes, I know double NAT to the ADSL "router" is not necessarily good, but it should work..)

TIA for any help..

--
Viel Spaß

Peter Nixon - nix@susesecurity.com
SuSE Security FAQ Maintainer
http://www.susesecurity.com/faq/

"If you think cryptography will solve the problem, then you don't understand cryptography and you don't understand your problem."
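An added example, not part of the thread: a small parser for kernel log lines like the ones quoted above. It counts the overflow and no-route messages and adds the ones the kernel's printk rate limit dropped ("NET: N messages suppressed"), so the real burst rate is visible rather than just the handful of lines that made it to syslog. The sample log is constructed from the quoted messages; the year is an assumption because syslog timestamps carry none.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample, modelled on the kernel messages quoted in the post.
SAMPLE_LOG = """\
Mar 23 02:02:58 firewall kernel: Neighbour table overflow.
Mar 23 02:02:58 firewall kernel: MASQUERADE: No route: Rusty's brain broke!
Mar 23 02:03:03 firewall kernel: NET: 6 messages suppressed.
Mar 23 02:03:03 firewall kernel: Neighbour table overflow.
Mar 23 02:03:03 firewall kernel: MASQUERADE: No route: Rusty's brain broke!
Mar 23 02:03:08 firewall kernel: NET: 6 messages suppressed.
Mar 23 02:03:08 firewall kernel: Neighbour table overflow.
Mar 23 02:03:10 firewall kernel: MASQUERADE: No route: Rusty's brain broke!
Mar 23 02:03:11 firewall kernel: MASQUERADE: No route: Rusty's brain broke!
"""

# syslog prefix: "Mon DD HH:MM:SS host kernel: message"
LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) kernel: (.*)$")
SUPPRESSED_RE = re.compile(r"NET: (\d+) messages suppressed")

def overflow_report(log_text, year=2004):
    """Count the visible overflow/no-route messages, add the messages the
    kernel's printk rate limit dropped ('N messages suppressed'), and give the
    burst duration in seconds. syslog timestamps carry no year; supply one."""
    counts = Counter()
    first = last = None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group(3)
        if msg.startswith("Neighbour table overflow"):
            kind = "neigh_overflow"
        elif msg.startswith("MASQUERADE: No route"):
            kind = "masq_no_route"
        else:
            s = SUPPRESSED_RE.search(msg)
            if s:  # rate-limited lines only say how many were dropped, not which
                counts["suppressed"] += int(s.group(1))
            continue
        counts[kind] += 1
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        first = first or ts
        last = ts
    total = sum(counts.values())
    seconds = (last - first).total_seconds() if first else 0.0
    return {"counts": dict(counts), "total": total, "seconds": seconds}
```

On the quoted burst this reports 19 events in 13 seconds, of which only 7 are visible lines; that gap is why a single log excerpt understates how hard the neighbour table is being hit.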
Peter,

I have encountered this problem when (for example) scanning the local network; possibly it could also indicate an intruder doing some port scanning.

I did some googling which showed that the neighbour table is used by the kernel to contain ARP addresses, though I didn't manage to find out exactly what the consequences are when it fills up. Anyway you can increase its size, which makes it less likely to fill up. I put the following lines in /etc/init.d/boot.local

# Double the size of the ARP cache area to avoid "Neighbour table overflow"
# messages (defaults are 128, 512, 1024).
echo 256 > /proc/sys/net/ipv4/neigh/default/gc_thresh1
echo 1024 > /proc/sys/net/ipv4/neigh/default/gc_thresh2
echo 2048 > /proc/sys/net/ipv4/neigh/default/gc_thresh3

Bob

On Tue, 23 Mar 2004, Peter Nixon wrote:
Does anyone have any idea as to the following?
Mar 23 02:02:58 firewall kernel: Neighbour table overflow.
Mar 23 02:02:58 firewall kernel: MASQUERADE: No route: Rusty's brain broke!
Mar 23 02:03:03 firewall kernel: NET: 6 messages suppressed.
==============================================================
Bob Vickers                                   R.Vickers@cs.rhul.ac.uk
Dept of Computer Science, Royal Holloway, University of London
WWW: http://www.cs.rhul.ac.uk/home/bobv
Phone: +44 1784 443691
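An added example, not from the thread: a check of how full the neighbour table is against the gc_thresh1/2/3 values Bob mentions, using a constructed /proc/net/arp snapshot. It separates resolved entries from unresolved ones (the kind a scan of unused addresses leaves behind), classifies the count against the thresholds, and emits the sysctl.conf form of Bob's echo lines after checking the ordering the kernel requires.

```python
# Constructed /proc/net/arp snapshot. Flags 0x2 (ATF_COM) means a resolved
# entry; 0x0 is an unresolved (incomplete) entry, which is what a host scan of
# an unused address range leaves behind in the neighbour table.
SAMPLE_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
10.10.1.4        0x1         0x2         00:11:22:33:44:55     *        eth0
10.10.1.201      0x1         0x0         00:00:00:00:00:00     *        eth0
10.10.1.202      0x1         0x0         00:00:00:00:00:00     *        eth0
10.13.1.1        0x1         0x2         00:aa:bb:cc:dd:ee     *        eth1
"""

ATF_COM = 0x2
DEFAULT_THRESH = (128, 512, 1024)   # gc_thresh1/2/3 defaults quoted in the reply
DOUBLED_THRESH = (256, 1024, 2048)  # the values set in the reply's boot.local

def parse_arp(arp_text):
    """Return (total, incomplete, per_device) for a /proc/net/arp dump."""
    total = incomplete = 0
    per_device = {}
    for line in arp_text.splitlines()[1:]:      # skip the header row
        fields = line.split()
        if len(fields) < 6:
            continue
        flags, dev = int(fields[2], 16), fields[5]
        total += 1
        per_device[dev] = per_device.get(dev, 0) + 1
        if not flags & ATF_COM:
            incomplete += 1
    return total, incomplete, per_device

def neigh_pressure(total, thresh=DEFAULT_THRESH):
    """Classify a neighbour-table entry count against gc_thresh1/2/3.

    Below gc_thresh1 entries are never garbage-collected; above gc_thresh2 an
    allocation forces a collection; at gc_thresh3 new entries are refused,
    which is when the kernel logs 'Neighbour table overflow'."""
    t1, t2, t3 = thresh
    if not 0 < t1 < t2 < t3:
        raise ValueError("need gc_thresh1 < gc_thresh2 < gc_thresh3")
    if total >= t3:
        return "overflow"
    if total >= t2:
        return "forced_gc"
    if total >= t1:
        return "pruning"
    return "ok"

def sysctl_lines(thresh):
    """sysctl.conf equivalent of the echo lines in the reply."""
    neigh_pressure(0, thresh)   # reuse the ordering check
    return [f"net.ipv4.neigh.default.gc_thresh{i} = {v}"
            for i, v in enumerate(thresh, 1)]
```

A high ratio of incomplete to resolved entries is the signature of a scan rather than a genuinely large subnet, so raising the thresholds buys time but is not a substitute for finding the scanner.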
Hi Peter,

I had these overflows when one of my customers had an infection by the Slammer worm, which tried to spread over leased company-intranet links from one site to the other. We were the only site that had a firewall against the intranet installed, at that time SuSE 8.2.

I tried to increase the buffers, like Bob is recommending, but the ARP table increased that fast and other buffers in the IP stack were EATING memory, too, at very high rates. (A good bandwidth test for the intranet lines, btw ;-)

I realised that some scanning was going on and tried to get something useful from the logs. I succeeded in changing the behaviour for unwanted Netbios traffic (mainly port 445) to DROP the packets instead of REJECTing them. It seems that dropping doesn't use much resources and that the "half open" connection attempts don't stick to the external interface, like they did before.

HTH,
Philipp

Peter Nixon wrote:
Hi Guys
Does anyone have any idea as to the following?
Mar 23 02:02:58 firewall kernel: Neighbour table overflow.
Mar 23 02:02:58 firewall kernel: MASQUERADE: No route: Rusty's brain broke!
Mar 23 02:03:03 firewall kernel: NET: 6 messages suppressed.
Mar 23 02:03:03 firewall kernel: Neighbour table overflow.
Mar 23 02:03:03 firewall kernel: MASQUERADE: No route: Rusty's brain broke!
Mar 23 02:03:08 firewall kernel: NET: 6 messages suppressed.
Mar 23 02:03:08 firewall kernel: Neighbour table overflow.
Mar 23 02:03:10 firewall kernel: MASQUERADE: No route: Rusty's brain broke!
Mar 23 02:03:11 firewall kernel: MASQUERADE: No route: Rusty's brain broke!
About here the firewall stops responding to the network.
This is a minimum SuSE 9.0 + SuSEfirewall2 box that has been running fine for 2 months until I added the following policy based routing to push all traffic from the internal web proxy (10.10.1.4) out via a cheaper ADSL connection (10.13.1.2) instead of the more expensive leased line (218.x.x.x):
# table networka: routes for the ADSL side
ip route add 10.13.0.0/16 via 10.13.1.1 table networka proto static
ip route add default via 10.13.1.2 table networka proto static
# table networkb: routes for the leased-line side
ip route add 218.x.x.y/29 via 218.x.x.x table networkb proto static
ip route add default via 218.x.x.x table networkb proto static
# everything sourced from the proxy is looked up in table networka
ip rule add from 10.10.1.4 to 0/0 pref 15000 table networka
These 2 routes are actually on 2 different ethernet interfaces, but that should not make any difference.. SuSEfirewall is configured to MASQ on both external interfaces. (Yes, I know double NAT to the ADSL "router" is not necessarily good, but it should work..)
TIA for any help..