Date: Mon, 7 Nov 2011 15:53:01 +1100
From: "Murray Taylor" <MTaylor@bytecraft.com.au>
To: "FreeBSD Questions" <freebsd-questions@freebsd.org>
Subject: issue with IPF firewall state tables
Message-ID: <E194A4DE220BBE4FAF3AB7C4E7EDA08601CB9749@svmailmel.bytecraft.internal>
Back Story:

Old Server (X32 system, probably FreeBSD 4.3-ish)
New Server (Dual core, X64 with plenty of RAM) running 8.1-RELEASE

New Server was put in production last night as a core router, with the same rc.conf, firewall rule set and config from the old router that has been working for years.

At around 12, lunchtime, we had reports of no internet connectivity. I jumped onto the router and saw that it was blocking a whole heap of internal-to-external DNS server traffic, along with other would-be allowed traffic.

I promptly flushed the firewall ruleset with "ipf -Fa", and noted that the rules did clear - issue still existing. I re-loaded the rule set, no change. Upon restart, the router began to behave itself again...

I have been using "ipfstat -ts | grep active" to get a count of state entries, and comparing to the 4013 default. We are sitting on around ~2000 state entries. I am aware I can flush the state table, but until the router breaks itself again, I cannot clear it.

Does this sound like a full state table? Am I using the best method to check? Is there any form of notification that this is happening anywhere?

--
Murray Taylor
Bytecraft Systems
Special Projects Engineer
P: +61 3 8710 0600
D: +61 3 9238 5168
F: +61 3 9238 5140

|_|0|_|  "Absence of evidence
|_|_|0|   is not evidence of absence"
|0|0|0|   Carl Sagan
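The check the post describes by hand (count "active" state entries, compare against the 4013 default) written out as a script that can run from cron or a monitoring agent, as an added example; this is not code from the post or from FreeBSD/ipfilter. It assumes that `ipfstat -s` prints the state counters one per line as "<count> <name>" (for example "2000 active") under the "IP states added:" heading, as ipfilter 4.x does, and that the table limit is the 4013 default the poster mentions unless another limit is passed in. The ipfstat output embedded below is constructed for the example, not captured from a real router.

```shell
#!/bin/sh
# Added example, not code from the post or from FreeBSD/ipfilter.
# Reads `ipfstat -s` output and reports how full the IPF state table is,
# so the check can run from cron or a monitoring agent instead of by eye.
# Assumptions (not confirmed by the post): ipfstat -s prints the state
# counters one per line as "<count> <name>" (e.g. "2000 active") under
# "IP states added:", as ipfilter 4.x does, and the table limit is the
# 4013 default the poster mentions unless a different limit is passed in.

# Constructed sample of ipfstat -s output in that layout (not real data).
SAMPLE_IPFSTAT='IP states added:
	125430 TCP
	88012 UDP
	311 ICMP
	9130044 hits
	21387 misses
	0 maximum
	0 no memory
	0 max bucket
	2000 active
	211732 expired
	1011 closed
State logging enabled'

# Print the "active" counter from ipfstat -s text on stdin.
# Returns 1 if no such line is present (e.g. ipf not loaded).
ipf_active_states() {
    awk '$2 == "active" { print $1; found = 1 } END { exit !found }'
}

# Integer percentage of the table in use: ipf_state_pct <active> <max>
ipf_state_pct() {
    echo $(( $1 * 100 / $2 ))
}

# ipf_state_check [max] [threshold_pct]: reads ipfstat -s text on stdin and
# prints one status line. Exit 0 below threshold, 1 at/above, 2 if unusable.
ipf_state_check() {
    max=${1:-4013}
    thresh=${2:-80}
    [ "$max" -gt 0 ] 2>/dev/null || { echo "UNKNOWN: bad table limit '$max'"; return 2; }
    active=$(ipf_active_states) || { echo "UNKNOWN: no 'active' counter in input"; return 2; }
    pct=$(ipf_state_pct "$active" "$max")
    if [ "$pct" -ge "$thresh" ]; then
        echo "WARNING: $active/$max state entries in use (${pct}%)"
        return 1
    fi
    echo "OK: $active/$max state entries in use (${pct}%)"
    return 0
}

# Stand-alone run against the constructed sample. On a live router use:
#   ipfstat -s | ipf_state_check 4013 80
printf '%s\n' "$SAMPLE_IPFSTAT" | ipf_state_check
```

Two caveats for anyone wiring this into monitoring. The "active" count is a snapshot, so a table that filled at lunchtime and drained by the time cron ran will read as healthy; in ipfilter 4.x the counter ipfstat -s labels "maximum" is incremented each time an entry could not be added because the limit was reached, so a non-zero and rising value there is the direct evidence of a full table (confirm this against the ipfstat(8) man page for the version on the router). And 4013 is only the compiled-in default: on ipfilter 4.x the running limit is the fr_statemax tunable shown by `ipf -T list`, so pass that value as the first argument rather than trusting the constant (the tunable name and `ipf -T` come from the ipfilter documentation, not from the post).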
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?E194A4DE220BBE4FAF3AB7C4E7EDA08601CB9749>