Date: Tue, 22 Apr 2003 15:11:33 +0200 From: Daniel Lang <dl@leo.org> To: Martin Stiemerling <Martin.Stiemerling@ccrle.nec.de> Cc: freebsd-net@freebsd.org Subject: Re: IPfilter changes? Message-ID: <20030422131133.GI49848@atrbg11.informatik.tu-muenchen.de> In-Reply-To: <20030422093422.GE49848@atrbg11.informatik.tu-muenchen.de> References: <20030417072027.GA38782@atrbg11.informatik.tu-muenchen.de> <3E9E6D34.5020100@ccrle.nec.de> <20030422083532.GB49848@atrbg11.informatik.tu-muenchen.de> <3EA508EB.5020906@ccrle.nec.de> <20030422093422.GE49848@atrbg11.informatik.tu-muenchen.de>
next in thread | previous in thread | raw e-mail | index | archive | help
Hi Again,
Daniel Lang wrote on Tue, Apr 22, 2003 at 11:34:22AM +0200:
[..]
> > NEW > pass out quick proto tcp from any to any flags S keep state keep frags
> Ok. I will try to change this rule and see, if it helps.
> YES. If I put this rule in front of the rule above, I immediately
> get a connection.
>
> What does that mean? The original rule of mine should be more general,
> i.e. include the situation with the SYN flag set. But it doesn't?
>
> Using this rule is a better workaround than to allow all hosts
> explicitly, but it still doesn't help me with UDP I guess.
Updated situation. It ceased working! I just checked again
without changing everything and the rule still in place.
But it no longer works, the packets are again blocked, as I can
see in ipfilters log.
Now I get the impression, that there is maybe a limit for the state
tables for each "keep state" rule, and if that is hit, no more states
can be added.
I'll make a few tests...
Ok, I've added another such rule, similar but with a specific source
ip instead of any, to get it added.
It worked for a few times, then suddenly the packets are beeing blocked
again, just after a few hits. Heres the ipfstat -hoi output:
[..]
48 pass out quick proto tcp from 131.159.72.12/32 to any flags S/FSRPAU keep state keep frags
2706 pass out quick proto tcp from any to any flags S/FSRPAU keep state keep frags
1789457 pass out quick proto tcp/udp from any to any keep state keep frags
[..]
Other things I could find out:
If the ruleset has changed and is reloaded
(ipf -Fa -f /file/with/rules) it works again for a while.
Even without the "flags S" rule but with the original
tcp/udp rule.
Flushing the state stable (small): ipf -Fs
did help, but not always. I've issued this a couple
of times, and suddenly it worked again.
Flushing all states: ipf -FS helped a lot. It works much longer
than just flushing incomplete states.
However, ipfstat -s always shows:
[..]
0 no memory
[..]
So it's not like the states don't get added because of that....
Well, a crontab entry with ipf -FS every hour would not be
a very clean solution. Any more hints, how to debug this further
appreciated.
Thanks,
Daniel
--
IRCnet: Mr-Spock - Work is for people, who don't surf -
Daniel Lang * dl@leo.org * +49 89 289 18532 * http://www.leo.org/~dl/
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030422131133.GI49848>