From owner-freebsd-net@FreeBSD.ORG Tue Apr 22 06:11:36 2003
Return-Path: 
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 472E937B401 for ; Tue, 22 Apr 2003 06:11:36 -0700 (PDT)
Received: from mailout.informatik.tu-muenchen.de (mailout.informatik.tu-muenchen.de [131.159.0.5]) by mx1.FreeBSD.org (Postfix) with ESMTP id E0E5E43F93 for ; Tue, 22 Apr 2003 06:11:34 -0700 (PDT) (envelope-from langd@informatik.tu-muenchen.de)
Received: from mailrelay1.informatik.tu-muenchen.de (mailrelay1.informatik.tu-muenchen.de [131.159.254.5]) by mailout.informatik.tu-muenchen.de (Postfix) with ESMTP id 436876156; Tue, 22 Apr 2003 15:11:34 +0200 (MEST)
Received: from atrbg11.informatik.tu-muenchen.de (atrbg11.informatik.tu-muenchen.de [131.159.42.129]) by mailrelay1.informatik.tu-muenchen.de (Postfix) with ESMTP id 3597F7943; Tue, 22 Apr 2003 15:11:34 +0200 (MEST)
Received: by atrbg11.informatik.tu-muenchen.de (Postfix, from userid 20455) id D83ED13B5D; Tue, 22 Apr 2003 15:11:33 +0200 (CEST)
Date: Tue, 22 Apr 2003 15:11:33 +0200
From: Daniel Lang 
To: Martin Stiemerling 
Message-ID: <20030422131133.GI49848@atrbg11.informatik.tu-muenchen.de>
References: <20030417072027.GA38782@atrbg11.informatik.tu-muenchen.de> <3E9E6D34.5020100@ccrle.nec.de> <20030422083532.GB49848@atrbg11.informatik.tu-muenchen.de> <3EA508EB.5020906@ccrle.nec.de> <20030422093422.GE49848@atrbg11.informatik.tu-muenchen.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20030422093422.GE49848@atrbg11.informatik.tu-muenchen.de>
X-Geek: GCS/CC d-- s: a- C++$ UBS++++$ P+++$ L- E-(---) W+++(--) N++ o K w--- O? M? V? PS+(++) PE--(+) Y+ PGP+ t++ 5+++ X R+(-) tv+ b+ DI++ D++ G++ e+++ h---(-) r++>+++ y+
User-Agent: Mutt/1.5.1i
cc: freebsd-net@freebsd.org
Subject: Re: IPfilter changes?
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
List-Unsubscribe: ,
List-Archive: 
List-Post: 
List-Help: 
List-Subscribe: ,
X-List-Received-Date: Tue, 22 Apr 2003 13:11:36 -0000

Hi again,

Daniel Lang wrote on Tue, Apr 22, 2003 at 11:34:22AM +0200:
[..]
> > NEW
> pass out quick proto tcp from any to any flags S keep state keep frags
> Ok. I will try to change this rule and see if it helps.
> YES. If I put this rule in front of the rule above, I immediately
> get a connection.
>
> What does that mean? The original rule of mine should be more general,
> i.e. include the situation with the SYN flag set. But it doesn't?
>
> Using this rule is a better workaround than to allow all hosts
> explicitly, but it still doesn't help me with UDP, I guess.

Updated situation. It ceased working!

I just checked again without changing anything, with the rule still in
place. But it no longer works; the packets are again blocked, as I can
see in ipfilter's log.

Now I get the impression that there is maybe a limit for the state
tables for each "keep state" rule, and if that is hit, no more states
can be added. I'll make a few tests...

Ok, I've added another such rule, similar but with a specific source IP
instead of any, to get it added. It worked for a few times, then
suddenly the packets are being blocked again, just after a few hits.

Here's the ipfstat -hoi output:

[..]
48 pass out quick proto tcp from 131.159.72.12/32 to any flags S/FSRPAU keep state keep frags
2706 pass out quick proto tcp from any to any flags S/FSRPAU keep state keep frags
1789457 pass out quick proto tcp/udp from any to any keep state keep frags
[..]

Other things I could find out:

If the ruleset has changed and is reloaded (ipf -Fa -f /file/with/rules)
it works again for a while. Even without the "flags S" rule but with the
original tcp/udp rule.

Flushing the state table (small): ipf -Fs did help, but not always.
I've issued this a couple of times, and suddenly it worked again.

Flushing all states: ipf -FS helped a lot. It works much longer than
just flushing incomplete states.

However, ipfstat -s always shows:

[..]
0 no memory
[..]

So it's not like the states don't get added because of that....

Well, a crontab entry with ipf -FS every hour would not be a very clean
solution.

Any more hints on how to debug this further are appreciated.

Thanks,
 Daniel
--
IRCnet: Mr-Spock         - Work is for people, who don't surf -
 Daniel Lang * dl@leo.org * +49 89 289 18532 * http://www.leo.org/~dl/
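The message above checks `ipfstat -s` by eye for a non-zero "no memory" counter and considers an hourly `ipf -FS` from cron as a workaround. The following shell script is an added example (not part of the original post or of IPFilter) that turns the manual check into something cron can run: it parses `ipfstat -s`-style counter lines, reports the state counters, and only flushes the state table when an exhaustion counter is non-zero. Only the "no memory" line is confirmed by the post; the other counter names ("maximum", "active", "misses") are assumptions about ipfstat's output, and the sample text below is constructed for the example rather than captured from a real box.

```shell
#!/bin/sh
# Added example: parse ipfstat -s style output and flush IPFilter state
# only when exhaustion counters are non-zero. Not code from the original
# post. Counter names other than "no memory" are assumed.

# Constructed sample of ipfstat -s output (not captured from a real host).
SAMPLE_IPFSTAT='IP states added:
        1789457 TCP
        23456 UDP
        0 ICMP
        1789457 hits
        3412 misses
        0 maximum
        0 no memory
        5 bkts in use
        2706 active
        1780000 expired
        6751 closed'

# Read ipfstat -s output on stdin, print "name value" for the counters
# we care about. awk splits on any whitespace, so tabs or spaces both work.
ipf_state_counters() {
    awk '
        /^[ \t]*[0-9]+[ \t]+no memory/ { print "nomem",   $1 }
        /^[ \t]*[0-9]+[ \t]+maximum/   { print "maximum", $1 }
        /^[ \t]*[0-9]+[ \t]+active/    { print "active",  $1 }
        /^[ \t]*[0-9]+[ \t]+misses/    { print "misses",  $1 }
    '
}

# Exit 0 when the text in $1 shows no exhaustion symptom, 1 when either
# the "no memory" or the "maximum" counter is non-zero.
ipf_state_healthy() {
    printf '%s\n' "$1" | ipf_state_counters | awk '
        $1 == "nomem"   && $2 > 0 { bad = 1 }
        $1 == "maximum" && $2 > 0 { bad = 1 }
        END { exit bad ? 1 : 0 }
    '
}

# Cron-friendly variant of the workaround in the post: flush all states
# (ipf -FS) only when the live counters indicate exhaustion, instead of
# blindly once an hour. Needs root and the real ipfstat/ipf binaries.
ipf_flush_if_exhausted() {
    if ! ipf_state_healthy "$(ipfstat -s)"; then
        echo "ipfilter state exhaustion counters non-zero, flushing states"
        ipf -FS
    fi
}

# Stand-alone demo on the constructed sample.
if ipf_state_healthy "$SAMPLE_IPFSTAT"; then
    echo "sample: no exhaustion counters set"
else
    echo "sample: exhaustion counters set"
fi
```

Install `ipf_flush_if_exhausted` as the cron job instead of a bare `ipf -FS`; if the flush never triggers while connections still hang, the counters are not the problem and the per-rule hit counts from `ipfstat -hoi` are the next thing to watch.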