Thank you for your response. Here are the results of some quick tests I did this morning with my Tru64 5.1A cluster:

1) OpenBSD 3.4 NFS problems -- simply activating the ipfilter module in the sysconfigtab causes hanging -- i.e. sysconfig -c ipfilter -- Even with ipf -D and ipf -Fa, my OpenBSD 3.4 system, which has mounted filesystems over NFS from the cluster, hangs and messages stating that these filesystems are not responding appear on the console. As soon as I do sysconfig -u ipfilter, the filesystems respond again. I have a non-cluster Tru64 5.1A system that was my original test-bed for ipfilter that does not give the OpenBSD system trouble. I also tried with an OpenBSD 3.6 system -- same problem, merely inserting the ipfilter module in the Tru64 TruCluster 5.1A system causes NFS filesystem hangs.

2) I removed all out rules in my ipf.conf file, leaving only

pass out quick on tu0 from any to any
pass out quick on tu1 from any to any
pass out quick on tu2 from any to any

This seemed to help my mail system and it looked like it was working, but I checked the logs for blocked packets and I see lots of things like:

Dec 28 09:02:45 keck1 ipmon[1101515]: 08:58:32.932147 tu0 @0:51 b gatsby.ucl.ac.uk[128.40.213.241],smtp -> keck1.ucsf.edu[128.218.64.117],4837 PR tcp len 20 40 -AR IN
Dec 28 09:02:45 keck1 ipmon[1101515]: 08:58:32.932147 tu0 @0:51 b gatsby.ucl.ac.uk[128.40.213.241],smtp -> keck1.ucsf.edu[128.218.64.117],4833 PR tcp len 20 48 -AS IN

I want inbound SMTP traffic, so I've enabled access to port 25, but blocked other ports, but this looks strange.

Also DNS traffic seems to be doing strange things:

Dec 28 08:58:42 lehrer ipmon[690825]: 08:54:08.496793 tu0 @0:51 b ns1.rbl.bitnames.com[63.251.223.183],domain -> lehrer.ucsf.edu[128.218.64.95],1123 PR udp len 20 126 IN
Dec 28 08:58:47 lehrer ipmon[690825]: 08:54:09.003627 tu0 @0:51 b ns1.Berkeley.EDU[128.32.206.9],domain -> lehrer.ucsf.edu[128.218.64.95],1123 PR udp len 20 116 IN
Dec 28 08:58:52 lehrer ipmon[690825]: 08:54:09.151088 tu0 @0:51 b 80.168.26.140,domain -> lehrer.ucsf.edu[128.218.64.95],1123 PR udp len 20 63 IN

It sort of looks like it is blocking return communications from connections to smtp/DNS servers. The logs are almost all messages for those communication types.

Any ideas?

Thank you very much.

Dirk

On Tue, 28 Dec 2004, Darren Reed wrote:

> In the cluster model, is it possible that IP traffic is coming in
> one host, being sent via the memory channel interconnect to the
> other and replies then exiting it ?
>
> e.g.
>
> sender--<SYN>->[hostA]--(SYN via interconnect)-->[hostB]--<SYN+ACK>-->sender
>
> well, that's not a good diagram...but...
>
> IPFilter as yet isn't cluster aware, so at this point, you'd need to
> rewrite your ruleset without "keep state" rules.
>
> Darren
>
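
Added example, not part of the original messages: a short Python triage of ipmon lines like the ones quoted above, counting blocked inbound packets that look like replies to the host's own outbound connections (service source port, ephemeral destination port, ACK set for TCP). The 1024 cut-off for "ephemeral", the function names and the last sample line are assumptions of this example.

```python
import re
from collections import Counter

# Four lines copied from the message above, plus one constructed line
# (last; an unsolicited inbound SYN from a documentation address) for contrast.
SAMPLE = """\
Dec 28 09:02:45 keck1 ipmon[1101515]: 08:58:32.932147 tu0 @0:51 b gatsby.ucl.ac.uk[128.40.213.241],smtp -> keck1.ucsf.edu[128.218.64.117],4837 PR tcp len 20 40 -AR IN
Dec 28 09:02:45 keck1 ipmon[1101515]: 08:58:32.932147 tu0 @0:51 b gatsby.ucl.ac.uk[128.40.213.241],smtp -> keck1.ucsf.edu[128.218.64.117],4833 PR tcp len 20 48 -AS IN
Dec 28 08:58:42 lehrer ipmon[690825]: 08:54:08.496793 tu0 @0:51 b ns1.rbl.bitnames.com[63.251.223.183],domain -> lehrer.ucsf.edu[128.218.64.95],1123 PR udp len 20 126 IN
Dec 28 08:58:47 lehrer ipmon[690825]: 08:54:09.003627 tu0 @0:51 b ns1.Berkeley.EDU[128.32.206.9],domain -> lehrer.ucsf.edu[128.218.64.95],1123 PR udp len 20 116 IN
Dec 28 09:03:00 keck1 ipmon[1101515]: 08:58:40.000000 tu0 @0:51 b 192.0.2.10,4000 -> keck1.ucsf.edu[128.218.64.117],telnet PR tcp len 20 44 -S IN
"""

# Fields of an ipmon packet line that follow the syslog prefix and timestamp.
LINE = re.compile(
    r"(?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) (?P<act>\S+) "
    r"(?P<src>\S+),(?P<sport>[^,\s]+) -> (?P<dst>\S+),(?P<dport>[^,\s]+) "
    r"PR (?P<proto>\S+) len \d+ \d+(?: -(?P<flags>[A-Z]+))? (?P<dir>IN|OUT)$"
)

def is_ephemeral(port):
    # Assumption: numeric ports >= 1024 are client-side; named ports are services.
    return port.isdigit() and int(port) >= 1024

def looks_like_reply(p):
    """Blocked inbound packet from a service port to a local ephemeral port."""
    if p["act"] != "b" or p["dir"] != "IN":
        return False
    if is_ephemeral(p["sport"]) or not is_ephemeral(p["dport"]):
        return False
    # A TCP reply carries ACK; a bare SYN is a new inbound connection instead.
    return p["proto"] != "tcp" or "A" in (p["flags"] or "")

def summarize(text):
    """Return (Counter of reply-like blocks by (rule, proto, sport), other blocks)."""
    replies, other = Counter(), 0
    for line in text.splitlines():
        m = LINE.search(line.strip())
        if not m:
            continue
        p = m.groupdict()
        if looks_like_reply(p):
            replies[(f"{p['group']}:{p['rule']}", p["proto"], p["sport"])] += 1
        elif p["act"] == "b":
            other += 1
    return replies, other

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A high count of reply-like blocks against a single rule, as with @0:51 here, indicates that return traffic is not being matched by any state entry or pass rule on the node that receives it.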
