As you wish!
nat04:/etc/inet# time snoop -c 1000 -o /dev/null -r net 192.168.0.0
Using device /dev/e1000g (promiscuous mode)
1000 1000 packets captured
real 0m26.690s
(Takes 26 seconds to see 1000 internal-addressed packets going out on the external interface. At the start, this "takes forever", after about 20 mins it takes 2 minutes, after 40 mins it takes 7 seconds. Don't know a better way to "measure" it.)
At this time:
(As a note, before, our ipf.conf was empty, but now we block outgoing port 1433 and port 135, since the Virii are scanning on these ports. Hence the large "blocked" count.)
nat04:/etc/inet# ipfstat
bad packets: in 0 out 0
input packets: blocked 1408228 passed 5024152 nomatch 11 counted 0
short 0
output packets: blocked 0 passed 5030177 nomatch 11 counted 0
short 0
input packets logged: blocked 1408228 passed 0
output packets logged: blocked 0 passed 0
packets logged: input 0 output 0
log failures: input 0 output 0
fragment state(in): kept 0 lost 0
fragment state(out): kept 0 lost 0
packet state(in): kept 0 lost 0
packet state(out): kept 0 lost 0
ICMP replies: 0 TCP RSTs sent: 0
Invalid source(in): 0
Result cache hits(in): 1278993 (out): 1362445
IN Pullups succeeded: 0 failed: 0
OUT Pullups succeeded: 5242 failed: 0
Fastroute successes: 0 failures: 0
TCP cksum fails(in): 0 (out): 0
IPF Ticks: 6448
Packet log flags set: (0)
none
nat04:/etc/inet# ipfstat -s
IP states added:
	0 TCP
	0 UDP
	0 ICMP
	0 hits
	0 misses
	0 maximum
	0 no memory
	0 max bucket
	0 active
	0 expired
	0 closed
State logging enabled
State table bucket statistics:
0 in use
0.00% bucket usage
0 minimal length
0 maximal length
0.000 average length
nat04:/etc/inet# ipnat -s
mapped	in	2650562	out	2329117
added	164204	expired	0
no memory	0	bad nat	555
inuse	2996
rules	6
wilds	0
When we just kick in ipfilter, the "inuse" is about 22,000. Then it slowly drops as more and more internal traffic goes on external. (Well, it's not NATing after all).
I can't reach this box right now for the /etc/system tweaks. Don't think I set the one you suggested, but I did the FAQ suggested "set ipf:ipf_nattable_sz = 10009"
Hopefully we can try what you suggested, but with the outages they would probably prefer us to wait a bit. But I'm here for 2am maintenance, maybe they wouldn't notice :)
Lund
Darren Reed wrote:
> > Darren Reed wrote:
> > > I think this problem is known about.
> >
> > A-ha! We had another go in the afternoon after tweaking /etc/system, but there is nothing I can do to stop it from slowly dying.
> >
> > I did see a load of pfil and ipfilter for Sol10 from John Wehle, perhaps I should upgrade and see how that goes.
>
> I would be interested to know what the output of "ipnat -s" is when you start to see the leakage.
>
> Darren
--
Jorgen Lundman     | <[EMAIL PROTECTED]>
Unix Administrator | +81 (0)3 -5456-2687 ext 1017 (work)
Shibuya-ku, Tokyo  | +81 (0)90-5578-8500 (cell)
Japan              | +81 (0)3 -3375-1767 (home)
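A small monitor for the two indicators used in this thread (the "inuse" count from ipnat -s draining away, and the time snoop needs to catch internal-addressed packets on the outside interface), added here as an example and not code from anyone in the thread. The snapshots are constructed to match the ipnat -s layout quoted above, and the thresholds inuse_floor and rate_limit are assumed.

```python
# Added example, not code from the thread: parse 'ipnat -s' snapshots and timed
# snoop runs to flag a draining NAT table. Snapshots and thresholds are constructed
# or assumed; only the field layout follows the 'ipnat -s' output quoted above.
import re

IPNAT_FIELDS = ("mapped in", "out", "added", "expired", "no memory",
                "bad nat", "inuse", "rules", "wilds")

def parse_ipnat_s(text):
    """Return {field: int} from 'ipnat -s' output, whatever the line wrapping."""
    flat = " ".join(text.split())
    stats = {}
    for name in IPNAT_FIELDS:
        m = re.search(r"(?:^|\s)%s\s+(\d+)" % re.escape(name), flat)
        if m:
            stats[name] = int(m.group(1))
    return stats

def leak_rate(packets, seconds):
    """Leaked packets/second from 'time snoop -c <packets> ... net 192.168.0.0'
    run on the outside interface (internal source addresses should never appear)."""
    return packets / float(seconds)

def assess(snapshots, snoop_runs, inuse_floor=0.5, rate_limit=1.0):
    """Flag NAT degradation: 'inuse' below inuse_floor of the first snapshot,
    or a snoop run showing more than rate_limit leaked packets/second."""
    first = parse_ipnat_s(snapshots[0])["inuse"]
    findings = []
    for i, snap in enumerate(snapshots):
        inuse = parse_ipnat_s(snap)["inuse"]
        if inuse < inuse_floor * first:
            findings.append("snapshot %d: inuse %d below %d%% of initial %d"
                            % (i, inuse, inuse_floor * 100, first))
    for i, (pkts, secs) in enumerate(snoop_runs):
        rate = leak_rate(pkts, secs)
        if rate > rate_limit:
            findings.append("snoop run %d: %.1f leaked pkt/s" % (i, rate))
    return findings

# Constructed snapshots: a fresh table, then one drained as in the thread.
SNAPSHOTS = [
    "mapped in 10 out 10 added 22000 expired 0\nno memory 0 bad nat 0\n"
    "inuse 22000 rules 6 wilds 0",
    "mapped in 2650562 out 2329117\nadded 164204 expired 0\n"
    "no memory 0 bad nat 555\ninuse 2996\nrules 6\nwilds 0",
]
# Constructed (packets, seconds) pairs: 1000 packets in 120 s, then in 26.69 s.
SNOOP_RUNS = [(1000, 120.0), (1000, 26.69)]
```

In practice you would save the output of ipnat -s and the real time from each snoop run at intervals and pass those to assess(); anything it returns is the point at which the box has started leaking.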
