Date:      Mon, 26 Oct 2009 11:15:51 +0200
From:      cknipe@savage.za.org
To:        questions@freebsd.org
Subject:   ipf firewall, dropping connections
Message-ID:  <20091026111551.69696ynxutps434s@webmail1.konsoleh.co.za>


Hi,

I'm running 7.2 with IPFilter - main purpose is for a news server.

Many established connections are just dropped and closed, it seems to
be random, all allow rules are being affected.  Any insight would be
appreciated.  The machine is under heavy usage, averaging around 150
to 200 connections per second.

[root@news ~]# ipfstat
bad packets:            in 0    out 0
  IPv6 packets:          in 0 out 0
  input packets:         blocked 22570422 passed 488309778 nomatch 146719580 counted 0 short 0
output packets:         blocked 21885 passed 507034679 nomatch 160765161 counted 0 short 0
  input packets logged:  blocked 22570422 passed 0
output packets logged:  blocked 0 passed 0
  packets logged:        input 0 output 0
  log failures:          input 12571655 output 0
fragment state(in):     kept 0  lost 0  not fragmented 0
fragment state(out):    kept 0  lost 0  not fragmented 0
packet state(in):       kept 14100      lost 2770255
packet state(out):      kept 22966740   lost 8078847
ICMP replies:   0       TCP RSTs sent:  0
Invalid source(in):     0
Result cache hits(in):  17487490        (out):  21607481
IN Pullups succeeded:   9       failed: 0
OUT Pullups succeeded:  1092    failed: 0
Fastroute successes:    0       failures:       0
TCP cksum fails(in):    0       (out):  0
IPF Ticks:      325071
Packet log flags set: (0)
         none

[root@wa-cpt-news ~]# cat /etc/ipf.rules
###############################################################################
### Globals
###############################################################################
block in log quick all with frags        # TCP Fragments
block in log quick all with short        # Short Fragments
block in log quick all with ipopts       # Invalid IP Options

###############################################################################
### Loopback Interface
###############################################################################
pass in quick on lo0 from any to 127.0.0.0/8
pass out quick on lo0 from 127.0.0.0/8 to any

###############################################################################
## em0 - Public NIC
###############################################################################
# em0 - Outbound Traffic
pass out quick on em0 from a.a.a.a to any keep state
pass out quick on em0 from a.a.a.21 to any keep state
pass out quick on em0 from a.a.a.22 to any keep state
pass out quick on em0 from x.x.x.23 to any keep state
pass out quick on em0 from x.x.x.24 to any keep state
pass out quick on em0 from x.x.x.59.30 to any keep state

pass in quick on em0 from 196.220.59.0/27 to a.a.a.a                                      # Internal Network Traffic
pass in quick on em0 proto icmp from any to a.a.a.a keep state                            # ICMP
pass in quick on em0 proto tcp from x.220.63.238/32 to a.a.a.a port = 22 flags S keep state   # SSH (Office Only)
pass in quick on em0 proto tcp from x.220.63.33/32 to a.a.a.a port = 22 flags S keep state    # SSH (Office Only)
pass in quick on em0 proto tcp from x.220.32.228/32 to a.a.a.a port = 22 flags S keep state   # SSH (Office Only)
pass in quick on em0 proto tcp from x.220.42.29/32 to a.a.a.a port = 22 flags S keep state    # SSH (Office Only)
pass in quick on em0 proto tcp from any port = 53 to a.a.a.a                              # DNS (Responses)
pass in quick on em0 proto udp from any port = 53 to a.a.a.a                              # DNS (Responses)
pass in quick on em0 proto tcp from x.220.63.238/32 to a.a.a.a port = 80                  # HTTP (Office Only)
pass in quick on em0 proto tcp from x.220.63.33/32 to a.a.a.a port = 80                   # HTTP (Office Only)
pass in quick on em0 proto tcp from x.220.32.228/32 to a.a.a.a port = 80                  # HTTP (Office Only)
pass in quick on em0 proto tcp from x.220.42.29/32 to a.a.a.a port = 80                   # HTTP (Office Only)
pass in quick on em0 proto tcp from x.185.0.0/16 to a.a.a.a port = 119                    # NNTP
pass in quick on em0 proto tcp from x.211.26.0/24 to a.a.a.a port = 119                   # NNTP
pass in quick on em0 proto tcp from x.220.32.0/19 to a.a.a.a port = 119                   # NNTP
pass in quick on em0 proto tcp from x.220.63.238/32 to a.a.a.a port = 119                 # NNTP
pass in quick on em0 proto tcp from x.220.32.228/32 to a.a.a.a port = 119                 # NNTP
pass in quick on em0 proto tcp from x.220.63.33/32 to a.a.a.a port = 119                  # NNTP
pass in quick on em0 proto tcp from x.220.42.29/32 to a.a.a.a port = 119                  # NNTP
pass in quick on em0 proto udp from x.220.59.143/32 to a.a.a.a port = 161                 # SNMP
pass in quick on em0 proto udp from x.220.63.47/32 to a.a.a.a port = 161                  # SNMP
pass in quick on em0 proto udp from x.25.1.1 port = 123 to a.a.a.a                        # NTP
pass in quick on em0 proto udp from x.25.1.9 port = 123 to a.a.a.a                        # NTP

block in log quick on em0                                                                 # Deny Everything Else


Normally, I would have flags S keep state for my tcp connections, but
I figured the state tables are running full and therefore removed them.
With or without flags S keep state, it makes no difference: connections
(new, as well as existing) are being dropped.

[root@news ~]# sysctl net.inet.ipf
net.inet.ipf.fr_minttl: 4
net.inet.ipf.fr_chksrc: 0
net.inet.ipf.fr_defaultauthage: 600
net.inet.ipf.fr_authused: 0
net.inet.ipf.fr_authsize: 32
net.inet.ipf.ipf_hostmap_sz: 2047
net.inet.ipf.ipf_rdrrules_sz: 127
net.inet.ipf.ipf_natrules_sz: 127
net.inet.ipf.ipf_nattable_sz: 2047
net.inet.ipf.fr_statemax: 4013
net.inet.ipf.fr_statesize: 5737
net.inet.ipf.fr_running: 1
net.inet.ipf.fr_ipfrttl: 120
net.inet.ipf.fr_defnatage: 1200
net.inet.ipf.fr_icmptimeout: 120
net.inet.ipf.fr_udpacktimeout: 24
net.inet.ipf.fr_udptimeout: 240
net.inet.ipf.fr_tcpclosed: 60
net.inet.ipf.fr_tcptimeout: 480
net.inet.ipf.fr_tcplastack: 60
net.inet.ipf.fr_tcpclosewait: 480
net.inet.ipf.fr_tcphalfclosed: 14400
net.inet.ipf.fr_tcpidletimeout: 864000
net.inet.ipf.fr_active: 0
net.inet.ipf.fr_pass: 134217730
net.inet.ipf.fr_flags: 0

[root@news ~]# sockstat -4|wc -l
     1175

Any help much appreciated.

Regards,
Chris.
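The ipfstat and sysctl output quoted above carry the two figures a reader would compare when a firewall starts dropping established connections: under "packet state", "kept" counts state entries that were added and "lost" counts additions that failed, while fr_statemax and fr_statesize are the configured table limits, and "log failures" counts log records that were dropped. The script below is an added example, not part of the original mail and not IPFilter's own code; it parses both outputs (embedded here as constructed samples built from the numbers in the post, with the wrapped lines rejoined) and raises an alert when the failure ratio is high or when log records are being lost. The 5% threshold, the field names in the returned report and the regular expressions are assumptions made for this example.

```python
import re

# Constructed sample: the counters quoted in the post, reduced to the lines this
# script reads (ipfstat output, with the wrapped lines rejoined).
IPFSTAT_SAMPLE = """\
input packets:         blocked 22570422 passed 488309778 nomatch 146719580 counted 0 short 0
output packets:        blocked 21885 passed 507034679 nomatch 160765161 counted 0 short 0
  log failures:          input 12571655 output 0
packet state(in):       kept 14100      lost 2770255
packet state(out):      kept 22966740   lost 8078847
"""

# Constructed sample of the relevant `sysctl net.inet.ipf` lines from the post.
SYSCTL_SAMPLE = """\
net.inet.ipf.fr_statemax: 4013
net.inet.ipf.fr_statesize: 5737
net.inet.ipf.fr_tcpidletimeout: 864000
"""

STATE_RE = re.compile(r"^\s*packet state\((in|out)\):\s*kept\s+(\d+)\s+lost\s+(\d+)")
LOGFAIL_RE = re.compile(r"^\s*log failures:\s*input\s+(\d+)\s+output\s+(\d+)")

# Alert when more than this fraction of state additions failed (threshold chosen
# for the example, not an IPFilter value).
LOSS_THRESHOLD = 0.05


def parse_ipfstat(text):
    """Pull the state-table and log-failure counters out of `ipfstat` output."""
    stats = {}
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if m:
            stats["state_" + m.group(1)] = {"kept": int(m.group(2)), "lost": int(m.group(3))}
            continue
        m = LOGFAIL_RE.match(line)
        if m:
            stats["log_failures"] = {"input": int(m.group(1)), "output": int(m.group(2))}
    return stats


def parse_sysctl(text):
    """Map `sysctl net.inet.ipf` lines to {short_name: int}, e.g. fr_statemax -> 4013."""
    values = {}
    for line in text.splitlines():
        key, sep, val = line.partition(":")
        if sep and key.startswith("net.inet.ipf."):
            values[key.rsplit(".", 1)[1]] = int(val)
    return values


def assess_state_table(stats, sysctl):
    """Compare failed state additions with the configured table limits.

    Returns a dict with the loss ratio per direction, the number of dropped log
    records, and a list of human-readable alerts.
    """
    report = {"alerts": []}
    for direction in ("in", "out"):
        s = stats.get("state_" + direction)
        if s is None:
            continue
        attempts = s["kept"] + s["lost"]
        loss = s["lost"] / attempts if attempts else 0.0
        report["state_%s_loss" % direction] = loss
        if loss > LOSS_THRESHOLD:
            report["alerts"].append(
                "%s: %d of %d state additions failed (%.0f%%); fr_statemax=%s, fr_statesize=%s"
                % (direction, s["lost"], attempts, loss * 100,
                   sysctl.get("fr_statemax"), sysctl.get("fr_statesize")))
    lf = stats.get("log_failures", {"input": 0, "output": 0})
    report["log_drops"] = lf["input"] + lf["output"]
    if report["log_drops"]:
        report["alerts"].append(
            "%d log records dropped: rules with 'log' are losing entries, so the "
            "blocked packets are not all visible to ipmon" % report["log_drops"])
    return report


if __name__ == "__main__":
    result = assess_state_table(parse_ipfstat(IPFSTAT_SAMPLE), parse_sysctl(SYSCTL_SAMPLE))
    for alert in result["alerts"]:
        print("ALERT:", alert)
```

On the figures from the post it flags both directions (about 99% of inbound and 26% of outbound state additions failed against a fr_statemax of 4013) and the 12.5 million dropped log records. The cumulative counters say nothing about the current fill level of the table; that needs `ipfstat -s` on the live host, which this script does not parse.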
