Date: Mon, 26 Oct 2009 03:52:34 -0700
From: phantomcircuit <phantomcircuit@covertinferno.org>
To: freebsd-questions@freebsd.org
Subject: Re: ipf firewall, dropping connections
Message-ID: <4AE57F72.4040205@covertinferno.org>
In-Reply-To: <20091026111551.69696ynxutps434s@webmail1.konsoleh.co.za>
References: <20091026111551.69696ynxutps434s@webmail1.konsoleh.co.za>
I'm guessing you have kernel tuning issues that have nothing to do with the firewall.

http://www.freebsd.org/doc/en/books/handbook/configtuning-kernel-limits.html

cknipe@savage.za.org wrote:
>
> Hi,
>
> I'm running 7.2 with IPFilter - main purpose is for a news server.
>
> Many established connections are just dropped and closed, it seems to
> be random, all allow rules are being affected. Any insight would be
> appreciated. The machine is under heavy usage, averaging around 150
> to 200 connections per second.
>
> [root@news ~]# ipfstat
> bad packets: in 0 out 0
> IPv6 packets: in 0 out 0
> input packets: blocked 22570422 passed 488309778 nomatch 146719580 counted 0 short 0
> output packets: blocked 21885 passed 507034679 nomatch 160765161 counted 0 short 0
> input packets logged: blocked 22570422 passed 0
> output packets logged: blocked 0 passed 0
> packets logged: input 0 output 0
> log failures: input 12571655 output 0
> fragment state(in): kept 0 lost 0 not fragmented 0
> fragment state(out): kept 0 lost 0 not fragmented 0
> packet state(in): kept 14100 lost 2770255
> packet state(out): kept 22966740 lost 8078847
> ICMP replies: 0 TCP RSTs sent: 0
> Invalid source(in): 0
> Result cache hits(in): 17487490 (out): 21607481
> IN Pullups succeeded: 9 failed: 0
> OUT Pullups succeeded: 1092 failed: 0
> Fastroute successes: 0 failures: 0
> TCP cksum fails(in): 0 (out): 0
> IPF Ticks: 325071
> Packet log flags set: (0)
> none
>
> [root@wa-cpt-news ~]# cat /etc/ipf.rules
> ###############################################################################
> ### Globals
> ###############################################################################
> block in log quick all with frags      # TCP Fragments
> block in log quick all with short      # Short Fragments
> block in log quick all with ipopts     # Invalid IP Options
>
> ###############################################################################
> ### Loopback Interface
> ###############################################################################
> pass in quick on lo0 from any to 127.0.0.0/8
> pass out quick on lo0 from 127.0.0.0/8 to any
>
> ###############################################################################
> ## em0 - Public NIC
> ###############################################################################
> # em0 - Outbound Traffic
> pass out quick on em0 from a.a.a.a to any keep state
> pass out quick on em0 from a.a.a.21 to any keep state
> pass out quick on em0 from a.a.a.22 to any keep state
> pass out quick on em0 from x.x.x.23 to any keep state
> pass out quick on em0 from x.x.x.24 to any keep state
> pass out quick on em0 from x.x.x.59.30 to any keep state
>
> pass in quick on em0 from 196.220.59.0/27 to a.a.a.a                                    # Internal Network Traffic
> pass in quick on em0 proto icmp from any to a.a.a.a keep state                          # ICMP
> pass in quick on em0 proto tcp from x.220.63.238/32 to a.a.a.a port = 22 flags S keep state # SSH (Office Only)
> pass in quick on em0 proto tcp from x.220.63.33/32 to a.a.a.a port = 22 flags S keep state  # SSH (Office Only)
> pass in quick on em0 proto tcp from x.220.32.228/32 to a.a.a.a port = 22 flags S keep state # SSH (Office Only)
> pass in quick on em0 proto tcp from x.220.42.29/32 to a.a.a.a port = 22 flags S keep state  # SSH (Office Only)
> pass in quick on em0 proto tcp from any port = 53 to a.a.a.a                            # DNS (Responses)
> pass in quick on em0 proto udp from any port = 53 to a.a.a.a                            # DNS (Responses)
> pass in quick on em0 proto tcp from x.220.63.238/32 to a.a.a.a port = 80                # HTTP (Office Only)
> pass in quick on em0 proto tcp from x.220.63.33/32 to a.a.a.a port = 80                 # HTTP (Office Only)
> pass in quick on em0 proto tcp from x.220.32.228/32 to a.a.a.a port = 80                # HTTP (Office Only)
> pass in quick on em0 proto tcp from x.220.42.29/32 to a.a.a.a port = 80                 # HTTP (Office Only)
> pass in quick on em0 proto tcp from x.185.0.0/16 to a.a.a.a port = 119                  # NNTP
> pass in quick on em0 proto tcp from x.211.26.0/24 to a.a.a.a port = 119                 # NNTP
> pass in quick on em0 proto tcp from x.220.32.0/19 to a.a.a.a port = 119                 # NNTP
> pass in quick on em0 proto tcp from x.220.63.238/32 to a.a.a.a port = 119               # NNTP
> pass in quick on em0 proto tcp from x.220.32.228/32 to a.a.a.a port = 119               # NNTP
> pass in quick on em0 proto tcp from x.220.63.33/32 to a.a.a.a port = 119                # NNTP
> pass in quick on em0 proto tcp from x.220.42.29/32 to a.a.a.a port = 119                # NNTP
> pass in quick on em0 proto udp from x.220.59.143/32 to a.a.a.a port = 161               # SNMP
> pass in quick on em0 proto udp from x.220.63.47/32 to a.a.a.a port = 161                # SNTP
> pass in quick on em0 proto udp from x.25.1.1 port = 123 to a.a.a.a                      # NTP
> pass in quick on em0 proto udp from x.25.1.9 port = 123 to a.a.a.a                      # NTP
>
> block in log quick on em0                                                               # Deny Everything Else
>
>
> normally, I would have flags S keep state for my tcp connections, but
> I figured the state tables are running full and therefore removed them.
> With or without flags S keep state, makes no difference, connections
> (new, as well as existing) are being dropped.
>
> [root@news ~]# sysctl net.inet.ipf
> net.inet.ipf.fr_minttl: 4
> net.inet.ipf.fr_chksrc: 0
> net.inet.ipf.fr_defaultauthage: 600
> net.inet.ipf.fr_authused: 0
> net.inet.ipf.fr_authsize: 32
> net.inet.ipf.ipf_hostmap_sz: 2047
> net.inet.ipf.ipf_rdrrules_sz: 127
> net.inet.ipf.ipf_natrules_sz: 127
> net.inet.ipf.ipf_nattable_sz: 2047
> net.inet.ipf.fr_statemax: 4013
> net.inet.ipf.fr_statesize: 5737
> net.inet.ipf.fr_running: 1
> net.inet.ipf.fr_ipfrttl: 120
> net.inet.ipf.fr_defnatage: 1200
> net.inet.ipf.fr_icmptimeout: 120
> net.inet.ipf.fr_udpacktimeout: 24
> net.inet.ipf.fr_udptimeout: 240
> net.inet.ipf.fr_tcpclosed: 60
> net.inet.ipf.fr_tcptimeout: 480
> net.inet.ipf.fr_tcplastack: 60
> net.inet.ipf.fr_tcpclosewait: 480
> net.inet.ipf.fr_tcphalfclosed: 14400
> net.inet.ipf.fr_tcpidletimeout: 864000
> net.inet.ipf.fr_active: 0
> net.inet.ipf.fr_pass: 134217730
> net.inet.ipf.fr_flags: 0
>
> [root@news ~]# sockstat -4|wc -l
> 1175
>
> Any help much appreciated.
>
> Regards,
> Chris.
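As an added diagnostic (not code from this thread), the script below parses the ipfstat and sysctl counters quoted above and checks whether the IPFilter state table, rather than a kernel limit, is where connections are being lost; the 175 connections/s figure, the half-second timeout unit and the 5% loss threshold are assumptions.

```python
import re

# Constructed sample: the ipfstat(8) and sysctl(8) counters quoted in the thread.
IPFSTAT = """\
log failures: input 12571655 output 0
packet state(in): kept 14100 lost 2770255
packet state(out): kept 22966740 lost 8078847
"""
SYSCTL = """\
net.inet.ipf.fr_statemax: 4013
net.inet.ipf.fr_tcpclosed: 60
"""

def parse_ipfstat(text):
    """Pull the state-table and log-failure counters out of ipfstat output."""
    stats = {}
    for line in text.splitlines():
        m = re.match(r"packet state\((in|out)\): kept (\d+) lost (\d+)", line)
        if m:
            stats["state_" + m.group(1)] = (int(m.group(2)), int(m.group(3)))
        m = re.match(r"log failures: input (\d+) output (\d+)", line)
        if m:
            stats["log_failures"] = (int(m.group(1)), int(m.group(2)))
    return stats

def parse_sysctl(text):
    """Map 'net.inet.ipf.fr_statemax: 4013' to {'fr_statemax': 4013}."""
    tun = {}
    for line in text.splitlines():
        key, _, val = line.partition(":")
        tun[key.strip().rsplit(".", 1)[-1]] = int(val)
    return tun

def diagnose(stats, tun, conns_per_sec):
    """Return (lost_ratio, min_entries_needed, findings).
    Assumptions: IPFilter timeouts count half-seconds, so even a connection that
    closes at once holds an entry for fr_tcpclosed/2 s; >5% lost is a size problem."""
    kept = stats["state_in"][0] + stats["state_out"][0]
    lost = stats["state_in"][1] + stats["state_out"][1]
    lost_ratio = lost / (kept + lost)
    needed = int(conns_per_sec * tun["fr_tcpclosed"] / 2)
    findings = []
    if lost_ratio > 0.05:
        findings.append(f"{lost_ratio:.0%} of state entries lost: state table is overflowing")
    if needed > tun["fr_statemax"]:
        findings.append(f"fr_statemax={tun['fr_statemax']} but at least {needed} entries needed")
    if stats["log_failures"][0]:
        findings.append("log failures: kernel log buffer full, ipmon is not draining 'log' rules")
    return lost_ratio, needed, findings
```

Run `diagnose(parse_ipfstat(IPFSTAT), parse_sysctl(SYSCTL), 175)` to see all three findings for the numbers in this thread; a healthy box returns an empty findings list.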