From: "Murray Taylor" <MTaylor@bytecraft.com.au>
To: "FreeBSD Questions" <freebsd-questions@freebsd.org>
Date: Mon, 7 Nov 2011 15:53:01 +1100
Subject: issue with IPF firewall state tables

Back Story:

Old Server (X32 system, probably FreeBSD 4.3-ish)
New Server (Dual core, X64 with plenty of RAM) running 8.1-RELEASE

New Server was put in production last night as a core router, with the same rc.conf, firewall rule set and config from the old router that has been working for years.
At around 12, lunchtime, we had reports of no internet connectivity. I jumped onto the router and saw that it was blocking a whole heap of internal to external DNS server traffic, along with other would-be allowed traffic.

I promptly flushed the firewall ruleset with "ipf -Fa", and noted that the rules did clear - the issue still existed. I re-loaded the rule set, no change.

Upon restart, the router began to behave itself again...

I have been using "ipfstat -ts | grep active" to get a count of state entries, and comparing to the 4013 default. We are sitting on around ~2000 state entries. I am aware I can flush the state table, but until the router breaks itself again, I cannot clear it.

Does this sound like a full state table? Am I using the best method to check? Is there any form of notification that this is happening anywhere?

-- 
Murray Taylor
Bytecraft Systems
Special Projects Engineer
P: +61 3 8710 0600
D: +61 3 9238 5168
F: +61 3 9238 5140

 |_|0|_|  "Absence of evidence
 |_|_|0|   is not evidence of absence"
 |0|0|0|   Carl Sagan
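A monitoring check along the lines the post asks about, added here as an example and not part of the original message or of IPFilter itself: it parses the "active" line of `ipfstat -s` output (the post reads the same line with `ipfstat -ts | grep active`) and warns when the count approaches the table maximum, using the 4013 default the post quotes. The sample `ipfstat -s` output is constructed, and the exact field layout, the `IPSTATE_MAX` and `WARN_PCT` variable names and the cron usage are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): warn when the IPF state table
# is close to its maximum by parsing the "active" line of `ipfstat -s`.
# The sample output below is CONSTRUCTED to resemble `ipfstat -s`; the exact
# field layout is an assumption. 4013 is the default cited in the post.

# Maximum number of state entries; override via the environment if your
# kernel is tuned differently (variable name is this example's own).
IPSTATE_MAX="${IPSTATE_MAX:-4013}"

# Warn once usage reaches this percentage of the maximum.
WARN_PCT="${WARN_PCT:-80}"

# Constructed sample standing in for `ipfstat -s` when run offline.
SAMPLE_IPFSTAT='IP states added:
	3500 TCP
	600 UDP
	20 ICMP
	812345 hits
	5021 misses
	0 bucket full
	0 maximum rule references
	4013 maximum
	0 no memory
	1400 bkts in use
	3800 active
	120000 expired
	45000 closed
State logging enabled'

# active_states STATS_TEXT -> prints the count on the line labelled "active".
active_states() {
    printf '%s\n' "$1" | awk 'NF == 2 && $2 == "active" { print $1; exit }'
}

# state_usage_pct ACTIVE MAX -> integer percentage of the table in use.
state_usage_pct() {
    echo $(( $1 * 100 / $2 ))
}

# check_state_table STATS_TEXT -> prints one status line; returns 0 below
# WARN_PCT, 1 at or above it, 2 if the output could not be parsed.
# The exit status is what a cron job or monitoring plugin would act on.
check_state_table() {
    active=$(active_states "$1")
    if [ -z "$active" ]; then
        echo "UNKNOWN: no 'active' line in ipfstat output"
        return 2
    fi
    pct=$(state_usage_pct "$active" "$IPSTATE_MAX")
    if [ "$pct" -ge "$WARN_PCT" ]; then
        echo "WARNING: ipf state table ${active}/${IPSTATE_MAX} entries (${pct}%)"
        return 1
    fi
    echo "OK: ipf state table ${active}/${IPSTATE_MAX} entries (${pct}%)"
    return 0
}

# Stand-alone run: read the live table when ipfstat is available and we are
# root, otherwise use the constructed sample. A non-zero status is the alert;
# it is swallowed here so that sourcing this file does not abort the caller.
if command -v ipfstat >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    check_state_table "$(ipfstat -s 2>/dev/null)" || :
else
    check_state_table "$SAMPLE_IPFSTAT" || :
fi
```

Run from cron every few minutes with the `|| :` removed from the final call and the status tells you the table filled up before users report lost connectivity; the percentage threshold matters more than the raw count, because the post's ~2000 entries is comfortable against 4013 but would not be against a smaller tuned maximum.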