From owner-freebsd-questions@FreeBSD.ORG Tue Jan 10 20:07:06 2006
Date: Tue, 10 Jan 2006 14:06:58 -0600
From: Jacob S
To: freebsd-questions@freebsd.org
Subject: Re: Ipf problem
Message-ID: <20060110200658.GE22508@6texans.net>
In-Reply-To: <20060106140514.GC2217@flame.pc>
References: <20060106001744.6aa1367d@jacob.6texans.net> <20060106140514.GC2217@flame.pc>
User-Agent: Mutt/1.5.11
On Fri, Jan 06, 2006 at 04:05:14PM +0200, Giorgos Keramidas wrote:
> On 2006-01-06 00:17, Jacob S wrote:
> > Hello list,
> >
> > I'm having a problem setting up ipf on a FreeBSD server and can't
> > figure out where I'm going wrong. I copied my ipf.rules file from
> > another server I have where ipf is working great. But after I
> > customized the rules to this server it is filling /var/log/messages
> > with lines like the following:
> >
> > Jan 4 15:15:21 pikeman ipmon[222]: 15:15:21.465822 2x em0 @0:33 b 198.32.64.12,53 -> 65.19.150.68,62097 PR udp len 20 314 IN
> > Jan 4 15:15:21 pikeman ipmon[222]: 15:15:21.492578 em0 @0:33 b 216.200.145.35,25 -> 65.19.150.68,57210 PR tcp len 20 60 -AS IN
> > Jan 4 15:15:21 pikeman ipmon[222]: 15:15:21.505821 em0 @0:33 b 205.188.156.249,25 -> 65.19.150.68,57209 PR tcp len 20 48 -AS IN
>
> The blocked packets fall through the chain of rules and end up in rule
> 0:33 (0 = incoming, 33 = block in log first quick on em0 all).
>
> > The lines scroll by faster than I can read them, if I tail the logfile.
> > The blocked packets in this case are coming from standard ports to
> > non-standard ports. Doing a reverse lookup on the ips, it would seem
> > that my server has initiated the transfer and the other servers are
> > simply replying. (I deduce that from the blocked ips because they belong
> > to hostnames that I would not expect to be flooding my server. Namely,
> > the first ip is for l.root-servers.net.)
>
> This seems to be an issue with the timeout of rule states. What do you
> see if you run...
>
> $ sysctl -a | fgrep ipf.
>
> it should be something like:
>
> net.inet.ipf.fr_minttl: 4
> net.inet.ipf.fr_chksrc: 0
> net.inet.ipf.fr_defaultauthage: 600
> net.inet.ipf.fr_authused: 0
> net.inet.ipf.fr_authsize: 32
> net.inet.ipf.ipf_hostmap_sz: 2047
> net.inet.ipf.ipf_rdrrules_sz: 127
> net.inet.ipf.ipf_natrules_sz: 127
> net.inet.ipf.ipf_nattable_sz: 2047
> net.inet.ipf.fr_statemax: 4013
> net.inet.ipf.fr_statesize: 5737
> net.inet.ipf.fr_running: 1
> net.inet.ipf.fr_ipfrttl: 120
> net.inet.ipf.fr_defnatage: 1200
> net.inet.ipf.fr_icmptimeout: 120
> net.inet.ipf.fr_udpacktimeout: 24
> net.inet.ipf.fr_udptimeout: 240
> net.inet.ipf.fr_tcpclosed: 120
> net.inet.ipf.fr_tcptimeout: 480
> net.inet.ipf.fr_tcplastack: 480
> net.inet.ipf.fr_tcpclosewait: 480
> net.inet.ipf.fr_tcphalfclosed: 14400
> net.inet.ipf.fr_tcpidletimeout: 864000
> net.inet.ipf.fr_active: 0
> net.inet.ipf.fr_pass: 134217730
> net.inet.ipf.fr_flags: 0

sysctl -a | fgrep ipf shows this on the problem server:

net.inet.ipf.fr_flags: 0
net.inet.ipf.fr_pass: 514
net.inet.ipf.fr_active: 0
net.inet.ipf.fr_tcpidletimeout: 864000
net.inet.ipf.fr_tcpclosewait: 480
net.inet.ipf.fr_tcplastack: 480
net.inet.ipf.fr_tcptimeout: 480
net.inet.ipf.fr_tcpclosed: 120
net.inet.ipf.fr_tcphalfclosed: 14400
net.inet.ipf.fr_udptimeout: 240
net.inet.ipf.fr_udpacktimeout: 24
net.inet.ipf.fr_icmptimeout: 120
net.inet.ipf.fr_icmpacktimeout: 12
net.inet.ipf.fr_defnatage: 1200
net.inet.ipf.fr_ipfrttl: 120
net.inet.ipf.ipl_unreach: 13
net.inet.ipf.fr_running: 1
net.inet.ipf.fr_authsize: 32
net.inet.ipf.fr_authused: 0
net.inet.ipf.fr_defaultauthage: 600
net.inet.ipf.fr_chksrc: 0
net.inet.ipf.ippr_ftp_pasvonly: 0
net.inet.ipf.fr_minttl: 3
net.inet.ipf.fr_minttllog: 1
net.link.ether.ipfw: 0

Incidentally, the server I copied my ipf.rules file from has an identical
output from sysctl -a | fgrep ipf. Any more thoughts or tips?
Thanks,
Jacob

--
GnuPG Key: 1024D/16377135
Random .signature #19:
Computers are like air conditioners -- they stop working properly if you open Windows
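The thread hinges on reading ipmon(8) output fast enough to see the pattern (inbound packets from well-known service ports to ephemeral ports, carrying SYN+ACK or a DNS answer, all landing on the catch-all block rule @0:33). The script below is an added example, written for this page and not code from the thread, from FreeBSD or from IPFilter. It parses lines in the format Jacob quoted, counts blocked packets per rule (honouring the "2x" repeat marker), and splits them into "looks like return traffic of a connection this host started" versus "unsolicited". The fourth sample line (an inbound SYN from 203.0.113.9) is a constructed contrast case, and the reply-vs-unsolicited heuristic is my own assumption, not anything ipf itself reports.

```python
"""Triage helper for IPFilter ipmon(8) block lines (added example, not from the thread)."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample input: the three ipmon lines quoted in the thread, plus one
# invented unsolicited inbound SYN (203.0.113.9 is a documentation address)
# so the classifier has something to contrast against.
SAMPLE_LOG = """\
Jan  4 15:15:21 pikeman ipmon[222]: 15:15:21.465822 2x em0 @0:33 b 198.32.64.12,53 -> 65.19.150.68,62097 PR udp len 20 314 IN
Jan  4 15:15:21 pikeman ipmon[222]: 15:15:21.492578 em0 @0:33 b 216.200.145.35,25 -> 65.19.150.68,57210 PR tcp len 20 60 -AS IN
Jan  4 15:15:21 pikeman ipmon[222]: 15:15:21.505821 em0 @0:33 b 205.188.156.249,25 -> 65.19.150.68,57209 PR tcp len 20 48 -AS IN
Jan  4 15:15:22 pikeman ipmon[222]: 15:15:22.010000 em0 @0:33 b 203.0.113.9,41234 -> 65.19.150.68,22 PR tcp len 20 60 -S IN
"""

# One ipmon line: optional "Nx" repeat count, interface, @group:rule, action
# (b = block, p = pass), the 5-tuple, header/packet lengths, optional TCP
# flags (e.g. -AS for SYN+ACK) and the direction.
IPMON_RE = re.compile(
    r"ipmon\[\d+\]:\s+(?P<time>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?:(?P<count>\d+)x\s+)?(?P<iface>\S+)\s+"
    r"@(?P<group>\d+):(?P<rule>\d+)\s+(?P<action>[bp])\s+"
    r"(?P<src>[\d.]+),(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+),(?P<dport>\d+)\s+"
    r"PR\s+(?P<proto>\w+)\s+len\s+(?P<hlen>\d+)\s+(?P<plen>\d+)"
    r"(?:\s+(?P<flags>-[A-Z]+))?\s+(?P<dir>IN|OUT)\b"
)


@dataclass
class BlockRecord:
    count: int          # repeat count from the "Nx" marker, 1 if absent
    iface: str
    rule: str           # "@group:rule", e.g. "@0:33"
    action: str         # "b" or "p"
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    flags: str          # "" when the protocol carries no TCP flags
    direction: str      # "IN" or "OUT"


def parse_ipmon(text: str) -> list[BlockRecord]:
    """Parse every ipmon line in text; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = IPMON_RE.search(line)
        if not m:
            continue
        records.append(BlockRecord(
            count=int(m["count"] or 1),
            iface=m["iface"],
            rule=f"@{m['group']}:{m['rule']}",
            action=m["action"],
            src=m["src"], sport=int(m["sport"]),
            dst=m["dst"], dport=int(m["dport"]),
            proto=m["proto"].lower(),
            flags=m["flags"] or "",
            direction=m["dir"],
        ))
    return records


def looks_like_reply(rec: BlockRecord) -> bool:
    """Heuristic (an assumption of this example): inbound traffic from a
    well-known service port to an ephemeral port is probably the answer to
    something this host sent. For TCP we additionally require SYN+ACK, since
    a bare SYN is a new connection someone else is opening towards us."""
    if rec.direction != "IN" or rec.sport >= 1024 or rec.dport < 1024:
        return False
    if rec.proto == "tcp":
        return "A" in rec.flags and "S" in rec.flags
    return True


def summarize(records: list[BlockRecord]) -> dict:
    """Count blocked packets per rule and split them into reply-like vs unsolicited."""
    by_rule: Counter = Counter()
    reply_like = unsolicited = 0
    for rec in records:
        if rec.action != "b":
            continue
        by_rule[rec.rule] += rec.count
        if looks_like_reply(rec):
            reply_like += rec.count
        else:
            unsolicited += rec.count
    return {
        "total_packets": sum(by_rule.values()),
        "by_rule": dict(by_rule),
        "reply_like": reply_like,
        "unsolicited": unsolicited,
    }


if __name__ == "__main__":
    summary = summarize(parse_ipmon(SAMPLE_LOG))
    print(summary)
    if summary["reply_like"] > summary["unsolicited"]:
        print("most blocked packets look like replies: check state keeping on the outbound pass rules")
```

Run against a real /var/log/messages with `parse_ipmon(open(path).read())`. When nearly everything the final block rule drops is classified reply-like, the firewall is not losing a fight with the outside world; it is dropping return traffic for sessions it should already know about, which points at outbound pass rules lacking `keep state` or at state entries expiring before the reply arrives, exactly the direction Giorgos is probing with the timeout sysctls.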