Freebsd – How to drop all connections to a given host under FreeBSD

connectionsfreebsdtcp

I know about tcpdrop which is in base distribution. But this tool requires port numbers to be specified. Is there any tool to drop connections by IP?

Best Answer

Well, you could use some unix tools to give you the proper tcpdrop syntax and just run it through xargs in your own script I think. Here's an ugly example, there are probably prettier ways:

netstat -an | grep $IPADDR | awk '{print $4"."$5}' | awk -F '\.' '{print $1"."$2"."$3"."$4" "$5" "$6"."$7"."$8"."$9" "$10}' | xargs tcpdrop

This uses awk to peel out the two IP/port pairs and then glue them together with a dot so you can use another awk to just spit out the desired dotted quad space port syntax.

There's probably a slicker all-in-one regex that's more clear. $IPADDR is the ip you want to drop.

Related Solutions

Can’t connect to port 80, connections are all stuck SYN_RECV

Check that your /etc/hosts.deny isn't corrupted. That happened to me once and caused extremely bizarre problems with hung netowkr services.

Check your firewall rules (sudo /sbin/iptables -nvL). You could have your firewall configured to allow incoming connections but block outgoing connections, causing incoming connections to hang.

Can you connect to those ports on the machine itself? For example, if you are logged on to the system, does running telnet localhost 80 do anything?

Anything interesting in logfiles like /var/log/secure or /var/log/messages?

FreeBSD netstat -di, Idrop vs Drop and drop count from NIC or kernel

Lack of software decsriptors (i.e mbuf clusters) can be observed via:

# vmstat -z

Look at FAIL column.

Lack of hardware descriptors can be observed only via driver-specific interface e.g for Intel e1000 cards via:

# sysctl dev.em.0.debug=1 && dmesg | tail
...
em0: Tx Descriptors avail failure = 0
em0: RX discarded packets = 0
...

Also descriptor count can be tuned via loader.conf in some NICs

Regarding your question "idrops vs. drops" you should look sources for

if_data.ifi_iqdrops
if_snd.ifq_drops

If I understood correctly one is for input drops other for output drops (i.e ALTQ).

PS. For additional information refer to Section 3.3 "ifnet structure" of the TCP/IP Illustrated Volume 2, Stevens & Wright. Or source code of you OS.

Best Answer

Related Solutions

Can’t connect to port 80, connections are all stuck SYN_RECV

FreeBSD netstat -di, Idrop vs Drop and drop count from NIC or kernel

Related Topic