Date: Tue, 10 Jan 2006 14:06:58 -0600
From: Jacob S <stormspotter@6Texans.net>
To: freebsd-questions@freebsd.org
Subject: Re: Ipf problem
Message-ID: <20060110200658.GE22508@6texans.net>
In-Reply-To: <20060106140514.GC2217@flame.pc>
References: <20060106001744.6aa1367d@jacob.6texans.net> <20060106140514.GC2217@flame.pc>
On Fri, Jan 06, 2006 at 04:05:14PM +0200, Giorgos Keramidas wrote:
> On 2006-01-06 00:17, Jacob S <stormspotter@6Texans.net> wrote:
> > Hello list,
> >
> > I'm having a problem setting up ipf on a FreeBSD server and can't
> > figure out where I'm going wrong. I copied my ipf.rules file from
> > another server I have where ipf is working great. But after I
> > customized the rules to this server it is filling /var/log/messages
> > with lines like the following:
> >
> > Jan 4 15:15:21 pikeman ipmon[222]: 15:15:21.465822 2x em0 @0:33 b
> > 198.32.64.12,53 -> 65.19.150.68,62097 PR udp len 20 314 IN
> > Jan 4 15:15:21 pikeman ipmon[222]: 15:15:21.492578 em0 @0:33 b
> > 216.200.145.35,25 -> 65.19.150.68,57210 PR tcp len 20 60 -AS IN
> > Jan 4 15:15:21 pikeman ipmon[222]: 15:15:21.505821 em0 @0:33 b
> > 205.188.156.249,25 -> 65.19.150.68,57209 PR tcp len 20 48 -AS IN
> > <snip>
>
> The blocked packets fall through the chain of rules and end up in rule
> 0:33 (0 = incoming, 33 = block in log first quick on em0 all).
>
> > The lines scroll by faster than I can read them, if I tail the logfile.
> > The blocked packets in this case are coming from standard ports to
> > non-standard ports. Doing a reverse lookup on the ips, it would seem
> > that my server has initiated the transfer and the other servers are
> > simply replying. (I deduce that from the blocked ips because they belong
> > to hostnames that I would not expect to be flooding my server. Namely,
> > the first ip is for l.root-servers.net.)
>
> This seems to be an issue with the timeout of rule states. What do you
> see if you run...
>
> $ sysctl -a | fgrep ipf.
>
> it should be something like:
>
> net.inet.ipf.fr_minttl: 4
> net.inet.ipf.fr_chksrc: 0
> net.inet.ipf.fr_defaultauthage: 600
> net.inet.ipf.fr_authused: 0
> net.inet.ipf.fr_authsize: 32
> net.inet.ipf.ipf_hostmap_sz: 2047
> net.inet.ipf.ipf_rdrrules_sz: 127
> net.inet.ipf.ipf_natrules_sz: 127
> net.inet.ipf.ipf_nattable_sz: 2047
> net.inet.ipf.fr_statemax: 4013
> net.inet.ipf.fr_statesize: 5737
> net.inet.ipf.fr_running: 1
> net.inet.ipf.fr_ipfrttl: 120
> net.inet.ipf.fr_defnatage: 1200
> net.inet.ipf.fr_icmptimeout: 120
> net.inet.ipf.fr_udpacktimeout: 24
> net.inet.ipf.fr_udptimeout: 240
> net.inet.ipf.fr_tcpclosed: 120
> net.inet.ipf.fr_tcptimeout: 480
> net.inet.ipf.fr_tcplastack: 480
> net.inet.ipf.fr_tcpclosewait: 480
> net.inet.ipf.fr_tcphalfclosed: 14400
> net.inet.ipf.fr_tcpidletimeout: 864000
> net.inet.ipf.fr_active: 0
> net.inet.ipf.fr_pass: 134217730
> net.inet.ipf.fr_flags: 0

sysctl -a | fgrep ipf shows this on the problem server:

net.inet.ipf.fr_flags: 0
net.inet.ipf.fr_pass: 514
net.inet.ipf.fr_active: 0
net.inet.ipf.fr_tcpidletimeout: 864000
net.inet.ipf.fr_tcpclosewait: 480
net.inet.ipf.fr_tcplastack: 480
net.inet.ipf.fr_tcptimeout: 480
net.inet.ipf.fr_tcpclosed: 120
net.inet.ipf.fr_tcphalfclosed: 14400
net.inet.ipf.fr_udptimeout: 240
net.inet.ipf.fr_udpacktimeout: 24
net.inet.ipf.fr_icmptimeout: 120
net.inet.ipf.fr_icmpacktimeout: 12
net.inet.ipf.fr_defnatage: 1200
net.inet.ipf.fr_ipfrttl: 120
net.inet.ipf.ipl_unreach: 13
net.inet.ipf.fr_running: 1
net.inet.ipf.fr_authsize: 32
net.inet.ipf.fr_authused: 0
net.inet.ipf.fr_defaultauthage: 600
net.inet.ipf.fr_chksrc: 0
net.inet.ipf.ippr_ftp_pasvonly: 0
net.inet.ipf.fr_minttl: 3
net.inet.ipf.fr_minttllog: 1
net.link.ether.ipfw: 0

Incidentally, the server I copied my ipf.rules file from has an identical
output from sysctl -a | fgrep ipf. Any more thoughts or tips?
Thanks,
Jacob

-- 
GnuPG Key: 1024D/16377135
Random .signature #19:
Computers are like air conditioners -- they stop working properly
if you open Windows
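The ipmon lines Jacob quotes can be triaged mechanically rather than watched scrolling past `tail`. The Python script below is an added example and not part of the thread: it parses each ipmon line into its fields, totals blocks per `@group:rule`, and flags blocked inbound packets that, by a heuristic of this example's own choosing, look like replies to connections the host itself opened (well-known source port to an ephemeral port; UDP, or TCP carrying SYN+ACK). The first three sample lines are the ones from the thread; the fourth is constructed to show a packet the heuristic correctly leaves alone.

```python
import re
from collections import Counter
# One ipmon(8) line as written to /var/log/messages, in the format quoted in the thread.
IPMON_RE = re.compile(
    r"ipmon\[\d+\]:\s+(?P<ts>[\d:.]+)\s+(?:(?P<count>\d+)x\s+)?"            # "2x" = repeats
    r"(?P<iface>\S+)\s+@(?P<group>\d+):(?P<rule>\d+)\s+(?P<action>[bp])\s+"  # b = block, p = pass
    r"(?P<src>[\d.]+),(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+),(?P<dport>\d+)\s+"
    r"PR\s+(?P<proto>\w+)\s+len\s+\d+\s+\d+(?:\s+(?P<flags>-[A-Z]+))?\s+(?P<dir>IN|OUT)"
)

def parse_ipmon(line):
    """Return the fields of one ipmon line as a dict, or None if the line is not one."""
    m = IPMON_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["count"] = int(rec["count"] or 1)
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def looks_like_reply(rec):
    """Heuristic (this example's assumption): a blocked inbound packet from a well-known port
    to an ephemeral port that is UDP or a TCP SYN+ACK is probably a reply to our own request."""
    if rec["action"] != "b" or rec["dir"] != "IN" or not rec["sport"] < 1024 <= rec["dport"]:
        return False
    if rec["proto"] == "tcp":
        flags = rec["flags"] or ""
        return "S" in flags and "A" in flags
    return rec["proto"] == "udp"

def triage(lines):
    """Total blocked packets per @group:rule and list those that look like orphaned replies."""
    per_rule, replies = Counter(), []
    for line in lines:
        rec = parse_ipmon(line)
        if rec is None or rec["action"] != "b":
            continue
        per_rule["@%s:%s" % (rec["group"], rec["rule"])] += rec["count"]
        if looks_like_reply(rec):
            replies.append((rec["src"], rec["sport"], rec["dport"], rec["proto"]))
    return per_rule, replies

# Lines 1-3 are quoted in the thread; line 4 is constructed (unsolicited inbound SYN from a
# TEST-NET address) to show a blocked packet that is not a reply.
SAMPLE = [
    "Jan 4 15:15:21 pikeman ipmon[222]: 15:15:21.465822 2x em0 @0:33 b 198.32.64.12,53 -> 65.19.150.68,62097 PR udp len 20 314 IN",
    "Jan 4 15:15:21 pikeman ipmon[222]: 15:15:21.492578 em0 @0:33 b 216.200.145.35,25 -> 65.19.150.68,57210 PR tcp len 20 60 -AS IN",
    "Jan 4 15:15:21 pikeman ipmon[222]: 15:15:21.505821 em0 @0:33 b 205.188.156.249,25 -> 65.19.150.68,57209 PR tcp len 20 48 -AS IN",
    "Jan 4 15:16:02 pikeman ipmon[222]: 15:16:02.100000 em0 @0:33 b 203.0.113.7,44321 -> 65.19.150.68,22 PR tcp len 20 60 -S IN",
]
```

Running `triage(SAMPLE)` gives five blocks at `@0:33` (the `2x` line counts twice) and three suspected orphaned replies; a high share of such replies at the final block rule points at missing or expired `keep state` entries rather than at hostile traffic.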