From: phantomcircuit
Date: Mon, 26 Oct 2009 03:52:34 -0700
To: freebsd-questions@freebsd.org
Subject: Re: ipf firewall, dropping connections
Message-ID: <4AE57F72.4040205@covertinferno.org>
In-Reply-To: <20091026111551.69696ynxutps434s@webmail1.konsoleh.co.za>

I'm guessing you have kernel tuning issues that have nothing to do with the firewall.

http://www.freebsd.org/doc/en/books/handbook/configtuning-kernel-limits.html

cknipe@savage.za.org wrote:
>
> Hi,
>
> I'm running 7.2 with IPFilter - main purpose is for a news server.
>
> Many established connections are just dropped and closed, it seems to
> be random, all allow rules are being affected. Any insight would be
> appreciated. The machine is under heavy usage, averaging around 150
> to 200 connections per second.
>
> [root@news ~]# ipfstat
> bad packets: in 0 out 0
> IPv6 packets: in 0 out 0
> input packets: blocked 22570422 passed 488309778 nomatch 146719580 counted 0 short 0
> output packets: blocked 21885 passed 507034679 nomatch 160765161 counted 0 short 0
> input packets logged: blocked 22570422 passed 0
> output packets logged: blocked 0 passed 0
> packets logged: input 0 output 0
> log failures: input 12571655 output 0
> fragment state(in): kept 0 lost 0 not fragmented 0
> fragment state(out): kept 0 lost 0 not fragmented 0
> packet state(in): kept 14100 lost 2770255
> packet state(out): kept 22966740 lost 8078847
> ICMP replies: 0 TCP RSTs sent: 0
> Invalid source(in): 0
> Result cache hits(in): 17487490 (out): 21607481
> IN Pullups succeeded: 9 failed: 0
> OUT Pullups succeeded: 1092 failed: 0
> Fastroute successes: 0 failures: 0
> TCP cksum fails(in): 0 (out): 0
> IPF Ticks: 325071
> Packet log flags set: (0)
> none
>
> [root@wa-cpt-news ~]# cat /etc/ipf.rules
> ###############################################################################
> ### Globals
> ###############################################################################
> block in log quick all with frags    # TCP Fragments
> block in log quick all with short    # Short Fragments
> block in log quick all with ipopts   # Invalid IP Options
>
> ###############################################################################
> ### Loopback Interface
> ###############################################################################
> pass in quick on lo0 from any to 127.0.0.0/8
> pass out quick on lo0 from 127.0.0.0/8 to any
>
> ###############################################################################
> ## em0 - Public NIC
> ###############################################################################
> # em0 - Outbound Traffic
> pass out quick on em0 from a.a.a.a to any keep state
> pass out quick on em0 from a.a.a.21 to any keep state
> pass out quick on em0 from a.a.a.22 to any keep state
> pass out quick on em0 from x.x.x.23 to any keep state
> pass out quick on em0 from x.x.x.24 to any keep state
> pass out quick on em0 from x.x.x.59.30 to any keep state
>
> pass in quick on em0 from 196.220.59.0/27 to a.a.a.a   # Internal Network Traffic
> pass in quick on em0 proto icmp from any to a.a.a.a keep state   # ICMP
> pass in quick on em0 proto tcp from x.220.63.238/32 to a.a.a.a port = 22 flags S keep state   # SSH (Office Only)
> pass in quick on em0 proto tcp from x.220.63.33/32 to a.a.a.a port = 22 flags S keep state    # SSH (Office Only)
> pass in quick on em0 proto tcp from x.220.32.228/32 to a.a.a.a port = 22 flags S keep state   # SSH (Office Only)
> pass in quick on em0 proto tcp from x.220.42.29/32 to a.a.a.a port = 22 flags S keep state    # SSH (Office Only)
> pass in quick on em0 proto tcp from any port = 53 to a.a.a.a   # DNS (Responses)
> pass in quick on em0 proto udp from any port = 53 to a.a.a.a   # DNS (Responses)
> pass in quick on em0 proto tcp from x.220.63.238/32 to a.a.a.a port = 80   # HTTP (Office Only)
> pass in quick on em0 proto tcp from x.220.63.33/32 to a.a.a.a port = 80    # HTTP (Office Only)
> pass in quick on em0 proto tcp from x.220.32.228/32 to a.a.a.a port = 80   # HTTP (Office Only)
> pass in quick on em0 proto tcp from x.220.42.29/32 to a.a.a.a port = 80    # HTTP (Office Only)
> pass in quick on em0 proto tcp from x.185.0.0/16 to a.a.a.a port = 119     # NNTP
> pass in quick on em0 proto tcp from x.211.26.0/24 to a.a.a.a port = 119    # NNTP
> pass in quick on em0 proto tcp from x.220.32.0/19 to a.a.a.a port = 119    # NNTP
> pass in quick on em0 proto tcp from x.220.63.238/32 to a.a.a.a port = 119  # NNTP
> pass in quick on em0 proto tcp from x.220.32.228/32 to a.a.a.a port = 119  # NNTP
> pass in quick on em0 proto tcp from x.220.63.33/32 to a.a.a.a port = 119   # NNTP
> pass in quick on em0 proto tcp from x.220.42.29/32 to a.a.a.a port = 119   # NNTP
> pass in quick on em0 proto udp from x.220.59.143/32 to a.a.a.a port = 161  # SNMP
> pass in quick on em0 proto udp from x.220.63.47/32 to a.a.a.a port = 161   # SNMP
> pass in quick on em0 proto udp from x.25.1.1 port = 123 to a.a.a.a   # NTP
> pass in quick on em0 proto udp from x.25.1.9 port = 123 to a.a.a.a   # NTP
>
> block in log quick on em0   # Deny Everything Else
>
>
> Normally, I would have flags S keep state for my tcp connections, but
> I figured the state tables are running full and therefore removed them.
> With or without flags S keep state, makes no difference, connections
> (new, as well as existing) are being dropped.
>
> [root@news ~]# sysctl net.inet.ipf
> net.inet.ipf.fr_minttl: 4
> net.inet.ipf.fr_chksrc: 0
> net.inet.ipf.fr_defaultauthage: 600
> net.inet.ipf.fr_authused: 0
> net.inet.ipf.fr_authsize: 32
> net.inet.ipf.ipf_hostmap_sz: 2047
> net.inet.ipf.ipf_rdrrules_sz: 127
> net.inet.ipf.ipf_natrules_sz: 127
> net.inet.ipf.ipf_nattable_sz: 2047
> net.inet.ipf.fr_statemax: 4013
> net.inet.ipf.fr_statesize: 5737
> net.inet.ipf.fr_running: 1
> net.inet.ipf.fr_ipfrttl: 120
> net.inet.ipf.fr_defnatage: 1200
> net.inet.ipf.fr_icmptimeout: 120
> net.inet.ipf.fr_udpacktimeout: 24
> net.inet.ipf.fr_udptimeout: 240
> net.inet.ipf.fr_tcpclosed: 60
> net.inet.ipf.fr_tcptimeout: 480
> net.inet.ipf.fr_tcplastack: 60
> net.inet.ipf.fr_tcpclosewait: 480
> net.inet.ipf.fr_tcphalfclosed: 14400
> net.inet.ipf.fr_tcpidletimeout: 864000
> net.inet.ipf.fr_active: 0
> net.inet.ipf.fr_pass: 134217730
> net.inet.ipf.fr_flags: 0
>
> [root@news ~]# sockstat -4|wc -l
> 1175
>
> Any help much appreciated.
>
> Regards,
> Chris.
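Added note, not part of the thread: the ipfstat counters quoted above carry the diagnosis in numbers. "packet state ... lost" counts state entries ipf tried to create but could not (in ipf this happens when the state table has reached fr_statemax, among other causes), and "log failures" counts blocked-packet log records the kernel dropped because ipmon was not draining the log buffer fast enough. The script below is my own example, not code from either poster; it parses the ipfstat and sysctl output from the post (copied inline as constructed sample text) and turns those counters into loss ratios and operator findings. The thresholds and the wording of the findings are my assumptions, and the interpretation of "lost" as table saturation is the likely reading, not something ipfstat states outright.

```python
import re

# Constructed sample: the ipfstat(8) lines quoted in the thread above.
IPFSTAT_SAMPLE = """\
input packets: blocked 22570422 passed 488309778 nomatch 146719580 counted 0 short 0
output packets: blocked 21885 passed 507034679 nomatch 160765161 counted 0 short 0
input packets logged: blocked 22570422 passed 0
output packets logged: blocked 0 passed 0
log failures: input 12571655 output 0
packet state(in): kept 14100 lost 2770255
packet state(out): kept 22966740 lost 8078847
"""

# Constructed sample: the state-table sysctls from the same post.
SYSCTL_SAMPLE = """\
net.inet.ipf.fr_statemax: 4013
net.inet.ipf.fr_statesize: 5737
"""

# ipfstat separates fields with tabs or spaces depending on version, so allow either.
_STATE_RE = re.compile(r"packet state\((in|out)\):\s+kept (\d+)\s+lost (\d+)")
_LOGGED_RE = re.compile(r"input packets logged:\s+blocked (\d+)\s+passed (\d+)")
_LOGFAIL_RE = re.compile(r"log failures:\s+input (\d+)\s+output (\d+)")


def parse_ipfstat(text):
    """Pull the state-table and logging counters out of ipfstat output."""
    stats = {}
    for line in text.splitlines():
        m = _STATE_RE.search(line)
        if m:
            stats["state_%s_kept" % m.group(1)] = int(m.group(2))
            stats["state_%s_lost" % m.group(1)] = int(m.group(3))
            continue
        m = _LOGGED_RE.search(line)
        if m:
            stats["logged_in_blocked"] = int(m.group(1))
            continue
        m = _LOGFAIL_RE.search(line)
        if m:
            stats["log_failures_in"] = int(m.group(1))
    return stats


def parse_sysctl(text):
    """Turn 'name: value' sysctl lines into a dict of ints; skip non-numeric values."""
    values = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep and value.strip().isdigit():
            values[name.strip()] = int(value)
    return values


def assess(stats, sysctls):
    """Compute loss ratios and return the findings an operator should act on."""
    kept = stats.get("state_in_kept", 0) + stats.get("state_out_kept", 0)
    lost = stats.get("state_in_lost", 0) + stats.get("state_out_lost", 0)
    attempts = kept + lost
    loss_ratio = lost / attempts if attempts else 0.0

    logged = stats.get("logged_in_blocked", 0)
    log_fail_ratio = stats.get("log_failures_in", 0) / logged if logged else 0.0

    findings = []
    if lost:
        # Any lost state means connections were passed or dropped without tracking.
        findings.append(
            "state table saturated: %d of %d state-creation attempts lost (%.1f%%) "
            "with fr_statemax=%d fr_statesize=%d; check fr_statemax against the "
            "connection rate and the TCP state timeouts"
            % (lost, attempts, 100 * loss_ratio,
               sysctls.get("net.inet.ipf.fr_statemax", 0),
               sysctls.get("net.inet.ipf.fr_statesize", 0)))
    if log_fail_ratio:
        # Dropped log records mean the block log is incomplete as an audit trail.
        findings.append(
            "kernel log buffer overflowed: %.1f%% of blocked-packet log records were "
            "dropped; 'log' on every block rule costs CPU without a complete record"
            % (100 * log_fail_ratio))
    return {"loss_ratio": loss_ratio, "log_fail_ratio": log_fail_ratio,
            "findings": findings}


if __name__ == "__main__":
    report = assess(parse_ipfstat(IPFSTAT_SAMPLE), parse_sysctl(SYSCTL_SAMPLE))
    for finding in report["findings"]:
        print("-", finding)
```

Run against the posted numbers it reports that roughly a third of all state-creation attempts were lost against a 4013-entry table, and that more than half of the blocked-packet log records never reached ipmon. Feeding it live `ipfstat` and `sysctl net.inet.ipf` output from cron gives a cheap early warning before users notice dropped connections.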