Date:      Tue, 10 Jan 2006 14:06:58 -0600
From:      Jacob S <stormspotter@6Texans.net>
To:        freebsd-questions@freebsd.org
Subject:   Re: Ipf problem
Message-ID:  <20060110200658.GE22508@6texans.net>
In-Reply-To: <20060106140514.GC2217@flame.pc>
References:  <20060106001744.6aa1367d@jacob.6texans.net> <20060106140514.GC2217@flame.pc>



On Fri, Jan 06, 2006 at 04:05:14PM +0200, Giorgos Keramidas wrote:
> On 2006-01-06 00:17, Jacob S <stormspotter@6Texans.net> wrote:
> > Hello list,
> >
> > I'm having a problem setting up ipf on a FreeBSD server and can't
> > figure out where I'm going wrong. I copied my ipf.rules file from
> > another server I have where ipf is working great. But after I
> > customized the rules to this server it is filling /var/log/messages
> > with lines like the following:
> >
> > Jan  4 15:15:21 pikeman ipmon[222]: 15:15:21.465822 2x em0 @0:33 b 198.32.64.12,53 -> 65.19.150.68,62097 PR udp len 20 314 IN
> > Jan  4 15:15:21 pikeman ipmon[222]: 15:15:21.492578 em0 @0:33 b 216.200.145.35,25 -> 65.19.150.68,57210 PR tcp len 20 60 -AS IN
> > Jan  4 15:15:21 pikeman ipmon[222]: 15:15:21.505821 em0 @0:33 b 205.188.156.249,25 -> 65.19.150.68,57209 PR tcp len 20 48 -AS IN

<snip>

> The blocked packets fall through the chain of rules and end up in rule
> 0:33 (0 = incoming, 33 = block in log first quick on em0 all).
>
> > The lines scroll by faster than I can read them, if I tail the logfile.
> > The blocked packets in this case are coming from standard ports to
> > non-standard ports. Doing a reverse lookup on the ips, it would seem
> > that my server has initiated the transfer and the other servers are
> > simply replying. (I deduce that from the blocked ips because they belong
> > to hostnames that I would not expect to be flooding my server. Namely,
> > the first ip is for l.root-servers.net.)
>
> This seems to be an issue with the timeout of rule states.  What do you
> see if you run...
>
>     $ sysctl -a | fgrep ipf.
>
> it should be something like:
>
>     net.inet.ipf.fr_minttl: 4
>     net.inet.ipf.fr_chksrc: 0
>     net.inet.ipf.fr_defaultauthage: 600
>     net.inet.ipf.fr_authused: 0
>     net.inet.ipf.fr_authsize: 32
>     net.inet.ipf.ipf_hostmap_sz: 2047
>     net.inet.ipf.ipf_rdrrules_sz: 127
>     net.inet.ipf.ipf_natrules_sz: 127
>     net.inet.ipf.ipf_nattable_sz: 2047
>     net.inet.ipf.fr_statemax: 4013
>     net.inet.ipf.fr_statesize: 5737
>     net.inet.ipf.fr_running: 1
>     net.inet.ipf.fr_ipfrttl: 120
>     net.inet.ipf.fr_defnatage: 1200
>     net.inet.ipf.fr_icmptimeout: 120
>     net.inet.ipf.fr_udpacktimeout: 24
>     net.inet.ipf.fr_udptimeout: 240
>     net.inet.ipf.fr_tcpclosed: 120
>     net.inet.ipf.fr_tcptimeout: 480
>     net.inet.ipf.fr_tcplastack: 480
>     net.inet.ipf.fr_tcpclosewait: 480
>     net.inet.ipf.fr_tcphalfclosed: 14400
>     net.inet.ipf.fr_tcpidletimeout: 864000
>     net.inet.ipf.fr_active: 0
>     net.inet.ipf.fr_pass: 134217730
>     net.inet.ipf.fr_flags: 0

sysctl -a | fgrep ipf shows this on the problem server:

net.inet.ipf.fr_flags: 0
net.inet.ipf.fr_pass: 514
net.inet.ipf.fr_active: 0
net.inet.ipf.fr_tcpidletimeout: 864000
net.inet.ipf.fr_tcpclosewait: 480
net.inet.ipf.fr_tcplastack: 480
net.inet.ipf.fr_tcptimeout: 480
net.inet.ipf.fr_tcpclosed: 120
net.inet.ipf.fr_tcphalfclosed: 14400
net.inet.ipf.fr_udptimeout: 240
net.inet.ipf.fr_udpacktimeout: 24
net.inet.ipf.fr_icmptimeout: 120
net.inet.ipf.fr_icmpacktimeout: 12
net.inet.ipf.fr_defnatage: 1200
net.inet.ipf.fr_ipfrttl: 120
net.inet.ipf.ipl_unreach: 13
net.inet.ipf.fr_running: 1
net.inet.ipf.fr_authsize: 32
net.inet.ipf.fr_authused: 0
net.inet.ipf.fr_defaultauthage: 600
net.inet.ipf.fr_chksrc: 0
net.inet.ipf.ippr_ftp_pasvonly: 0
net.inet.ipf.fr_minttl: 3
net.inet.ipf.fr_minttllog: 1
net.link.ether.ipfw: 0

Incidentally, the server I copied my ipf.rules file from has an
identical output from sysctl -a | fgrep ipf.

Any more thoughts or tips?

Thanks,
Jacob

-- 
GnuPG Key: 1024D/16377135

Random .signature #19:
Computers are like air conditioners -- they stop working properly if you
open Windows
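The diagnosis in this thread rests on reading ipmon lines by hand: every blocked packet lands in rule 0:33, and the source/destination ports plus the -AS flags say the packets are replies to sessions the server itself opened, which points at state entries expiring rather than at hostile traffic. The following is an added example, written for this archive page and not code from the thread or from ipfilter, that automates that triage: it parses ipmon lines of the format quoted above, counts blocks per rule, and flags records that look like return traffic (inbound, well-known source port, ephemeral destination port, and ACK set for TCP). It also diffs two sysctl dumps so the two servers can be compared key by key. The sample log lines and sysctl values are the ones quoted in this thread; the port-range and flag heuristic is the editor's own assumption, not part of ipfilter.

```python
import re
from collections import Counter

# One ipmon(8) line in the syntax quoted in this thread:
#   <ts> [Nx] <iface> @<group>:<rule> <b|p> <src>,<sport> -> <dst>,<dport>
#   PR <proto> len <hdrlen> <pktlen> [-<tcpflags>] <IN|OUT>
IPMON_RE = re.compile(
    r"ipmon\[\d+\]: (?P<ts>\S+) (?:(?P<count>\d+)x )?(?P<iface>\S+) "
    r"@(?P<group>\d+):(?P<rule>\d+) (?P<action>[bp]) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+) len (?P<hlen>\d+) (?P<plen>\d+)"
    r"(?: (?P<flags>-[A-Z]+))? (?P<dir>IN|OUT)"
)


def parse_ipmon_line(line):
    """Return a dict for one ipmon line, or None if it does not match."""
    m = IPMON_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "rule": f"{d['group']}:{d['rule']}",  # e.g. "0:33" as in the thread
        "action": d["action"],                  # b = blocked, p = passed
        "iface": d["iface"],
        "proto": d["proto"],
        "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
        "flags": (d["flags"] or "-")[1:],       # "-AS" -> "AS", absent -> ""
        "direction": d["dir"],
        "repeats": int(d["count"] or 1),        # "2x" prefix = repeated packet
    }


def looks_like_return_traffic(rec):
    """Editor's heuristic (assumption, not an ipfilter rule): an inbound packet
    from a well-known service port to an ephemeral local port is most likely a
    reply to a session this host opened. For TCP also require ACK, because a
    bare SYN from port 25 or 53 would be a fresh inbound connection."""
    if rec["direction"] != "IN":
        return False
    if not (rec["sport"] < 1024 <= rec["dport"]):
        return False
    if rec["proto"] == "tcp":
        return "A" in rec["flags"]
    return True


def summarise(lines):
    """Parse lines; return (records, blocks per rule, reply-like blocks per rule)."""
    recs = [r for r in (parse_ipmon_line(l) for l in lines) if r]
    per_rule, reply_like = Counter(), Counter()
    for r in recs:
        if r["action"] != "b":
            continue
        per_rule[r["rule"]] += r["repeats"]
        if looks_like_return_traffic(r):
            reply_like[r["rule"]] += r["repeats"]
    return recs, per_rule, reply_like


def parse_sysctl(text):
    """Turn 'key: value' lines from sysctl(8) into a dict."""
    out = {}
    for line in text.splitlines():
        if ":" in line:
            k, v = line.split(":", 1)
            out[k.strip()] = v.strip()
    return out


def diff_sysctl(ref, problem):
    """Keys whose value differs or that exist on only one host: key -> (ref, problem)."""
    keys = set(ref) | set(problem)
    return {k: (ref.get(k), problem.get(k)) for k in sorted(keys)
            if ref.get(k) != problem.get(k)}


# Sample input: the three ipmon lines quoted in the thread.
SAMPLE_IPMON = [
    "Jan  4 15:15:21 pikeman ipmon[222]: 15:15:21.465822 2x em0 @0:33 b 198.32.64.12,53 -> 65.19.150.68,62097 PR udp len 20 314 IN",
    "Jan  4 15:15:21 pikeman ipmon[222]: 15:15:21.492578 em0 @0:33 b 216.200.145.35,25 -> 65.19.150.68,57210 PR tcp len 20 60 -AS IN",
    "Jan  4 15:15:21 pikeman ipmon[222]: 15:15:21.505821 em0 @0:33 b 205.188.156.249,25 -> 65.19.150.68,57209 PR tcp len 20 48 -AS IN",
]
SAMPLE_RECS, PER_RULE, REPLY_LIKE = summarise(SAMPLE_IPMON)

# Sample sysctl excerpts, values taken from the two listings in the thread
# (reference server first, problem server second); lists abbreviated here.
REF_SYSCTL = parse_sysctl("""net.inet.ipf.fr_minttl: 4
net.inet.ipf.fr_statemax: 4013
net.inet.ipf.fr_statesize: 5737
net.inet.ipf.fr_tcpidletimeout: 864000
net.inet.ipf.fr_pass: 134217730""")
PROBLEM_SYSCTL = parse_sysctl("""net.inet.ipf.fr_minttl: 3
net.inet.ipf.fr_minttllog: 1
net.inet.ipf.ipl_unreach: 13
net.inet.ipf.fr_tcpidletimeout: 864000
net.inet.ipf.fr_pass: 514""")
DIFF = diff_sysctl(REF_SYSCTL, PROBLEM_SYSCTL)

if __name__ == "__main__":
    for rule, n in PER_RULE.items():
        print(f"rule {rule}: {n} blocked, {REPLY_LIKE[rule]} look like return traffic")
    for k, (a, b) in DIFF.items():
        print(f"{k}: reference={a} problem={b}")
```

Run against the full /var/log/messages with `summarise(open(path))`; a rule whose blocked count is dominated by reply-like packets is the signature of state expiry or of a missing `keep state`, whereas reply-like traffic spread across many rules or with bare SYNs would call for a different reading.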

