From: "Patrick O'Reilly"
To: fbsd_user@a1poweruser.com
cc: FreeBSD Question List
Date: Mon, 5 Jan 2004 20:08:50 +0200
Subject: Re: Apparent packet duplication logged by IPF

Thanks.

I am a little apprehensive about publishing my entire firewall ruleset on a
public list, as you can surely understand. Especially since I am still
learning, and will probably show everyone some glaring holes which have not
yet closed...

Anyway, the entire ruleset does not have a single log directive:
---
root fox:~# ipfstat -nioh | grep log
root fox:~#
---

I have enabled global logging of accepted packets by 'ipf -l pass'.

Also, as you can see in the extract I sent, all the packets being logged are
from my rule #21, so I think that rules out duplication due to multiple rule
matches.
Rule 21 is for HTTPS traffic, and it does Keep State, as can be seen in the
log entries too.

As for nat, the only rule I have which affects 192.168.0.180 is this:
---
map ed1 from 192.168.0.0/16 to any -> 168.209.221.66/32
---

The result of this NAT rule can be seen in snip (2) included with my original
mail.

If this is not enough info I'll email you direct with more...

Thanks for your response.

Patrick.

----- Original Message -----
From: "fbsd_user"
Sent: Monday, January 05, 2004 3:40 PM
Subject: RE: Apparent packet duplication logged by IPF

> Kind of like asking someone to work in the dark. You need to post
> your rules for both ipf & ipnat so people can compare the log
> results to the actual rules.
>
> -----Original Message-----
> From: owner-freebsd-questions@freebsd.org
> [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of
> bsd@perimeter.co.za
> Sent: Monday, January 05, 2004 3:00 AM
> To: FreeBSD Question List
> Subject: IPF: Apparent packet duplication logged by IPF
>
> Hi all.
>
> I am having a strange situation with IPF. I am trying to log all passed
> packets (the log is passed to a third-party stats program for graphical
> analysis).
>
> The problem is that I see many packets apparently being duplicated in the
> ipmon.log. The packet enters the firewall from the internal interface OK,
> but it appears to be transmitted out to the internet twice. Conversely,
> there are often multiple inbound packets from the internet which become
> just one on the internal interface.
>
> See these two examples (beware of line-wrap):
>
> 1) Internet to LAN
> 09:30:00.508378 2x ed1 @0:21 P 196.35.72.139,443 -> 192.168.0.180,1277 PR tcp len 20 296 -AP K-S IN
> 09:30:00.509446 hdlc5 @0:21 P 196.35.72.139,443 -> 192.168.0.180,1277 PR tcp len 20 296 -AP K-S OUT
>
> 2) LAN to internet (168.209.221.66 is my NAT address)
> 09:30:00.616102 hdlc5 @0:21 P 192.168.0.180,1277 -> 196.35.72.139,443 PR tcp len 20 40 -A K-S IN
> 09:30:00.616188 ed1 @0:21 P 168.209.221.66,1277 -> 196.35.72.139,443 PR tcp len 20 40 -A K-S OUT
> 09:30:00.616275 ed1 @0:21 P 168.209.221.66,1277 -> 196.35.72.139,443 PR tcp len 20 40 -A K-S OUT
>
> I don't believe the packets are ACTUALLY being resent twice, because the
> stats I have under MRTG indicate matching traffic volumes on the
> corresponding interfaces. I suspect the issue has something to do with how
> IPF and IPMON log the packets. But I'm not sure.
>
> Any help in understanding/fixing this would be greatly appreciated.
>
> Regards,
> Patrick O'Reilly.
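The thread's concern is that a stats program fed from ipmon.log will chart twice the bytes that actually crossed ed1. Below is an added example (not code from the thread or from IPFilter) that parses the ipmon text format, expands the repeat-count prefix ipmon puts in front of identical consecutive records (the `2x` in example 1), flags runs of identical records logged within a short window, and compares the byte totals per interface with and without those runs collapsed. That comparison is the same check the poster made against MRTG, done from the log itself. The five sample lines are the ones quoted above, re-joined onto single lines; the 1 ms window and the TCP/UDP-only regex are my assumptions, and ICMP or otherwise shaped lines are skipped rather than guessed at.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: the log extracts quoted in the original post, unwrapped.
SAMPLE_LOG = """\
09:30:00.508378 2x ed1 @0:21 P 196.35.72.139,443 -> 192.168.0.180,1277 PR tcp len 20 296 -AP K-S IN
09:30:00.509446 hdlc5 @0:21 P 196.35.72.139,443 -> 192.168.0.180,1277 PR tcp len 20 296 -AP K-S OUT
09:30:00.616102 hdlc5 @0:21 P 192.168.0.180,1277 -> 196.35.72.139,443 PR tcp len 20 40 -A K-S IN
09:30:00.616188 ed1 @0:21 P 168.209.221.66,1277 -> 196.35.72.139,443 PR tcp len 20 40 -A K-S OUT
09:30:00.616275 ed1 @0:21 P 168.209.221.66,1277 -> 196.35.72.139,443 PR tcp len 20 40 -A K-S OUT
"""

# time [Nx] iface @group:rule action src,sport -> dst,dport PR proto len hl pl flags IN|OUT
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?:(?P<count>\d+)x\s+)?"            # ipmon's repeat-count prefix ("2x")
    r"(?P<iface>\S+)\s+@(?P<group>\d+):(?P<rule>\d+)\s+"
    r"(?P<action>[A-Za-z]+)\s+"
    r"(?P<src>[0-9.]+),(?P<sport>\d+)\s+->\s+(?P<dst>[0-9.]+),(?P<dport>\d+)\s+"
    r"PR\s+(?P<proto>\w+)\s+len\s+(?P<hlen>\d+)\s+(?P<plen>\d+)"
    r"(?P<flags>.*?)\s+(?P<direction>IN|OUT)\s*$"
)


@dataclass(frozen=True)
class Record:
    ts_us: int        # microseconds since midnight (a wrap at midnight is not handled)
    count: int        # repeat count from the "Nx" prefix, 1 when absent
    iface: str
    rule: str         # "group:rule"
    action: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    plen: int         # packet length as logged
    flags: str
    direction: str

    def key(self):
        """Everything that identifies 'the same packet record' except the time."""
        return (self.iface, self.direction, self.action, self.rule, self.src,
                self.sport, self.dst, self.dport, self.proto, self.plen, self.flags)


def _ts_to_us(ts: str) -> int:
    hms, frac = ts.split(".")
    h, m, s = (int(x) for x in hms.split(":"))
    return ((h * 60 + m) * 60 + s) * 1_000_000 + int((frac + "000000")[:6])


def parse_ipmon(text: str) -> list:
    """Parse TCP/UDP records; lines of another shape (ICMP, ipmon banners) are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        out.append(Record(
            ts_us=_ts_to_us(m["ts"]), count=int(m["count"]) if m["count"] else 1,
            iface=m["iface"], rule=f'{m["group"]}:{m["rule"]}', action=m["action"],
            src=m["src"], sport=int(m["sport"]), dst=m["dst"], dport=int(m["dport"]),
            proto=m["proto"], plen=int(m["plen"]), flags=m["flags"].strip(),
            direction=m["direction"]))
    return out


def expand(records):
    """One Record per logged packet: a '2x' line becomes two identical records."""
    return [r for r in records for _ in range(r.count)]


def collapse_duplicates(records, window_us=1000):
    """Keep the first of each run of identical consecutive records within window_us.

    Returns (kept, runs); runs lists (key, n) for every collapsed run with n > 1.
    Only consecutive records are compared, so a genuine retransmission that is
    separated by other traffic, or by more than the window, is left alone.
    """
    kept, runs = [], []
    for r in records:
        if kept and r.key() == kept[-1].key() and 0 <= r.ts_us - kept[-1].ts_us <= window_us:
            runs[-1] = (runs[-1][0], runs[-1][1] + 1)
        else:
            kept.append(r)
            runs.append((r.key(), 1))
    return kept, [run for run in runs if run[1] > 1]


def bytes_per_interface(records):
    """Byte totals per (interface, direction): what a stats program would chart."""
    totals = defaultdict(int)
    for r in records:
        totals[(r.iface, r.direction)] += r.plen
    return dict(totals)


if __name__ == "__main__":
    logged = expand(parse_ipmon(SAMPLE_LOG))
    kept, runs = collapse_duplicates(logged)
    for key, n in runs:
        print(f"{n}x {key[0]} {key[1]} {key[4]},{key[5]} -> {key[6]},{key[7]}")
    print("as logged:", bytes_per_interface(logged))
    print("collapsed:", bytes_per_interface(kept))
```

On the sample, both runs the poster noticed come out as 2x (the `2x` ed1 IN record and the pair of ed1 OUT records 87 microseconds apart), and the ed1 totals halve once they are collapsed while the hdlc5 totals do not change. The pre-NAT hdlc5 IN record and the post-NAT ed1 OUT record are deliberately not treated as duplicates, since their source addresses differ; that is the NAT rewrite the `map ed1` rule performs, not a repeated log entry.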