From: cknipe@savage.za.org
To: questions@freebsd.org
Date: Mon, 26 Oct 2009 11:15:51 +0200
Subject: ipf firewall, dropping connections

Hi,

I'm running 7.2 with IPFilter - main purpose is for a news server. Many established connections are just dropped and closed; it seems to be random, and all allow rules are being affected. Any insight would be appreciated. The machine is under heavy usage, averaging around 150 to 200 connections per second.
[root@news ~]# ipfstat
bad packets:            in 0    out 0
 IPv6 packets:          in 0 out 0
 input packets:         blocked 22570422 passed 488309778 nomatch 146719580 counted 0 short 0
output packets:         blocked 21885 passed 507034679 nomatch 160765161 counted 0 short 0
 input packets logged:  blocked 22570422 passed 0
output packets logged:  blocked 0 passed 0
 packets logged:        input 0 output 0
 log failures:          input 12571655 output 0
fragment state(in):     kept 0  lost 0  not fragmented 0
fragment state(out):    kept 0  lost 0  not fragmented 0
packet state(in):       kept 14100      lost 2770255
packet state(out):      kept 22966740   lost 8078847
ICMP replies:   0       TCP RSTs sent:  0
Invalid source(in):     0
Result cache hits(in):  17487490        (out):  21607481
IN Pullups succeeded:   9       failed: 0
OUT Pullups succeeded:  1092    failed: 0
Fastroute successes:    0       failures:       0
TCP cksum fails(in):    0       (out):  0
IPF Ticks:      325071
Packet log flags set: (0)
        none

[root@wa-cpt-news ~]# cat /etc/ipf.rules
###############################################################################
### Globals
###############################################################################
block in log quick all with frags    # TCP Fragments
block in log quick all with short    # Short Fragments
block in log quick all with ipopts   # Invalid IP Options

###############################################################################
### Loopback Interface
###############################################################################
pass in quick on lo0 from any to 127.0.0.0/8
pass out quick on lo0 from 127.0.0.0/8 to any

###############################################################################
## em0 - Public NIC
###############################################################################
# em0 - Outbound Traffic
pass out quick on em0 from a.a.a.a to any keep state
pass out quick on em0 from a.a.a.21 to any keep state
pass out quick on em0 from a.a.a.22 to any keep state
pass out quick on em0 from x.x.x.23 to any keep state
pass out quick on em0 from x.x.x.24 to any keep state
pass out quick on em0 from x.x.x.59.30 to any keep state

pass in quick on em0 from 196.220.59.0/27 to a.a.a.a                                        # Internal Network Traffic
pass in quick on em0 proto icmp from any to a.a.a.a keep state                               # ICMP
pass in quick on em0 proto tcp from x.220.63.238/32 to a.a.a.a port = 22 flags S keep state  # SSH (Office Only)
pass in quick on em0 proto tcp from x.220.63.33/32 to a.a.a.a port = 22 flags S keep state   # SSH (Office Only)
pass in quick on em0 proto tcp from x.220.32.228/32 to a.a.a.a port = 22 flags S keep state  # SSH (Office Only)
pass in quick on em0 proto tcp from x.220.42.29/32 to a.a.a.a port = 22 flags S keep state   # SSH (Office Only)
pass in quick on em0 proto tcp from any port = 53 to a.a.a.a                                 # DNS (Responses)
pass in quick on em0 proto udp from any port = 53 to a.a.a.a                                 # DNS (Responses)
pass in quick on em0 proto tcp from x.220.63.238/32 to a.a.a.a port = 80                     # HTTP (Office Only)
pass in quick on em0 proto tcp from x.220.63.33/32 to a.a.a.a port = 80                      # HTTP (Office Only)
pass in quick on em0 proto tcp from x.220.32.228/32 to a.a.a.a port = 80                     # HTTP (Office Only)
pass in quick on em0 proto tcp from x.220.42.29/32 to a.a.a.a port = 80                      # HTTP (Office Only)
pass in quick on em0 proto tcp from x.185.0.0/16 to a.a.a.a port = 119                       # NNTP
pass in quick on em0 proto tcp from x.211.26.0/24 to a.a.a.a port = 119                      # NNTP
pass in quick on em0 proto tcp from x.220.32.0/19 to a.a.a.a port = 119                      # NNTP
pass in quick on em0 proto tcp from x.220.63.238/32 to a.a.a.a port = 119                    # NNTP
pass in quick on em0 proto tcp from x.220.32.228/32 to a.a.a.a port = 119                    # NNTP
pass in quick on em0 proto tcp from x.220.63.33/32 to a.a.a.a port = 119                     # NNTP
pass in quick on em0 proto tcp from x.220.42.29/32 to a.a.a.a port = 119                     # NNTP
pass in quick on em0 proto udp from x.220.59.143/32 to a.a.a.a port = 161                    # SNMP
pass in quick on em0 proto udp from x.220.63.47/32 to a.a.a.a port = 161                     # SNMP
pass in quick on em0 proto udp from x.25.1.1 port = 123 to a.a.a.a                           # NTP
pass in quick on em0 proto udp from x.25.1.9 port = 123 to a.a.a.a                           # NTP
block in log quick on em0                                                                    # Deny Everything Else

Normally, I would have flags S keep state for my tcp connections, but I figured the state tables are running full and therefore removed them. With or without flags S keep state, it makes no difference; connections (new, as well as existing) are being dropped.

[root@news ~]# sysctl net.inet.ipf
net.inet.ipf.fr_minttl: 4
net.inet.ipf.fr_chksrc: 0
net.inet.ipf.fr_defaultauthage: 600
net.inet.ipf.fr_authused: 0
net.inet.ipf.fr_authsize: 32
net.inet.ipf.ipf_hostmap_sz: 2047
net.inet.ipf.ipf_rdrrules_sz: 127
net.inet.ipf.ipf_natrules_sz: 127
net.inet.ipf.ipf_nattable_sz: 2047
net.inet.ipf.fr_statemax: 4013
net.inet.ipf.fr_statesize: 5737
net.inet.ipf.fr_running: 1
net.inet.ipf.fr_ipfrttl: 120
net.inet.ipf.fr_defnatage: 1200
net.inet.ipf.fr_icmptimeout: 120
net.inet.ipf.fr_udpacktimeout: 24
net.inet.ipf.fr_udptimeout: 240
net.inet.ipf.fr_tcpclosed: 60
net.inet.ipf.fr_tcptimeout: 480
net.inet.ipf.fr_tcplastack: 60
net.inet.ipf.fr_tcpclosewait: 480
net.inet.ipf.fr_tcphalfclosed: 14400
net.inet.ipf.fr_tcpidletimeout: 864000
net.inet.ipf.fr_active: 0
net.inet.ipf.fr_pass: 134217730
net.inet.ipf.fr_flags: 0

[root@news ~]# sockstat -4|wc -l
1175

Any help much appreciated.

Regards,
Chris.
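The figures in the post point at the state table rather than the rules: ipfstat reports millions of "lost" state entries while fr_statemax is only 4013. The following is an added example, not part of the message above, that parses those two outputs (values copied from the post, embedded as constructed sample text) and flags state-table exhaustion. It assumes IPFilter timeouts are counted in half-second ticks and takes the open-socket count and connection rate as plain arguments.

```python
import re

# Constructed sample input: the relevant lines copied from the ipfstat and
# sysctl output quoted in the post above.
IPFSTAT = """\
packet state(in):       kept 14100      lost 2770255
packet state(out):      kept 22966740   lost 8078847
"""
SYSCTL = """\
net.inet.ipf.fr_statemax: 4013
net.inet.ipf.fr_statesize: 5737
net.inet.ipf.fr_tcpidletimeout: 864000
"""

def parse_state_counters(text):
    """Return {'in': (kept, lost), 'out': (kept, lost)} from ipfstat output."""
    found = {}
    for m in re.finditer(r"packet state\((in|out)\):\s+kept (\d+)\s+lost (\d+)", text):
        found[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return found

def parse_sysctl(text):
    """Return {short_name: int} for the net.inet.ipf.* lines in sysctl output."""
    return {k: int(v) for k, v in re.findall(r"net\.inet\.ipf\.(\w+):\s+(\d+)", text)}

def assess_state_table(ipfstat_text, sysctl_text, open_sockets, conn_per_sec):
    """Combine counters and tunables into a list of findings about state capacity."""
    counters = parse_state_counters(ipfstat_text)
    tunables = parse_sysctl(sysctl_text)
    kept = sum(k for k, _ in counters.values())
    lost = sum(l for _, l in counters.values())
    statemax = tunables["fr_statemax"]
    # Assumption: IPF timeouts are in half-second ticks, so 864000 ticks = 5 days.
    idle_secs = tunables["fr_tcpidletimeout"] / 2
    findings = []
    if lost:                                   # entries could not be created at all
        findings.append("state_entries_lost")
    if open_sockets >= statemax:               # table smaller than current sockets
        findings.append("statemax_below_open_sockets")
    if conn_per_sec * idle_secs > statemax:    # idle entries outlive the table's room
        findings.append("statemax_below_connection_rate")
    return {"kept": kept, "lost": lost, "statemax": statemax,
            "loss_ratio": lost / (kept + lost) if kept + lost else 0.0,
            "findings": findings}

if __name__ == "__main__":
    # 1175 sockets and 150 conn/s are the numbers given in the post.
    print(assess_state_table(IPFSTAT, SYSCTL, open_sockets=1175, conn_per_sec=150))
```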