Anybody got some insight into this? I only see this once in a while, and after running 'ipf -Fa -Fs -f ipf.conf' to reload the rules it doesn't show up for a while.
-----Original Message-----
From: Olmsted, Brian
Sent: March 10, 2005 11:37 AM
To: 'Joseph Spenner'
Cc: Olmsted, Brian; '[email protected]'
Subject: RE: rules for NFS with NetApp and OOW packets

I'm allowing in both directions for now but would like to trim it to just outbound (or perhaps the list can help me out with defining the proper rules for it), but this is what I have now (below). I'm doing the 'keep state' and 'keep frags' on my rules but not doing the 'flags' option on my packets. Perhaps I should be changing to 'flags S' and adding a separate rule for tcp to do this, as I likely can't do this for 'tcp/udp' rules if I remember correctly.

---------------------------------
pass in quick on bge1 proto tcp/udp from 10.206.6.80/32 to 10.206.6.254/32 port = 111 keep state keep frags group 101
pass in quick on bge1 proto tcp/udp from 10.206.6.80/32 to 10.206.6.254/32 port = 2049 keep state keep frags group 101
pass in quick on bge1 proto tcp/udp from 10.206.6.80/32 to 10.206.6.254/32 port 4044 >< 4048 keep state keep frags group 101
pass in quick on bge1 proto udp from 10.206.6.80/32 to 10.206.6.254/32 port = 4049 keep state keep frags group 101
pass in quick on bge1 proto udp from 10.206.6.80/32 to 10.206.6.254/32 with frag group 101
---------------------------------
pass out quick on bge1 proto tcp/udp from 10.206.6.254/32 to 10.206.6.80/32 port = 111 keep state keep frags group 102
pass out quick on bge1 proto tcp/udp from 10.206.6.254/32 to 10.206.6.80/32 port = 2049 keep state keep frags group 102
pass out quick on bge1 proto tcp/udp from 10.206.6.254/32 to 10.206.6.80/32 port 4044 >< 4048 keep state keep frags group 102
pass out quick on bge1 proto udp from 10.206.6.254/32 to 10.206.6.80/32 port = 4049 keep state keep frags group 102
pass out quick on bge1 proto udp from 10.206.6.254/32 to 10.206.6.80/32 with frag group 102
---------------------------------

-----Original Message-----
From: Joseph Spenner [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, March 09, 2005 5:05 PM
To: Olmsted, Brian
Subject: RE: rules for NFS with NetApp and OOW packets

I won't post to the list, since I'm not too sure about this, but a couple things:

1) the obvious: are you doing 'keep state'?
2) I believe there's a flag/option you can throw to tell it "how long to be stateful".

Are you certain these blocked packets are 'lates'?

--- "Olmsted, Brian" <[EMAIL PROTECTED]> wrote:
> What, no bites?
>
> -----Original Message-----
> From: Olmsted, Brian
> Sent: Tuesday, March 08, 2005 2:30 PM
> To: '[email protected]'
> Cc: Olmsted, Brian
> Subject: RE: rules for NFS with NetApp and OOW packets
>
> Y'all
>
> I have for the most part been able to successfully put filters in
> place but still enable NFS connections to our NetApp filer to remain.
>
> That is, it appears that the ports that NetApp has assigned for the
> various services are static (as I believe the appliance is based on
> NetBSD which I understand uses static ports).
>
> For example, on two different NetApp filers I'm seeing the same port
> assignments
> --------------------------------------------------
> [EMAIL PROTECTED] rpcinfo -p idc-na1-svc
>    program vers proto   port  service
>     100011    1   udp   4049  rquotad
>     100021    4   tcp   4045  nlockmgr
>     100021    3   tcp   4045  nlockmgr
>     100021    1   tcp   4045  nlockmgr
>     100021    4   udp   4045  nlockmgr
>     100021    3   udp   4045  nlockmgr
>     100021    1   udp   4045  nlockmgr
>     100024    1   tcp   4047  status
>     100024    1   udp   4047  status
>     100005    3   tcp   4046  mountd
>     100005    2   tcp   4046  mountd
>     100005    1   tcp   4046  mountd
>     100005    3   udp   4046  mountd
>     100005    2   udp   4046  mountd
>     100005    1   udp   4046  mountd
>     100003    4   tcp   2049  nfs
>     100003    3   tcp   2049  nfs
>     100003    2   tcp   2049  nfs
>     100003    3   udp   2049  nfs
>     100003    2   udp   2049  nfs
>     100000    2   tcp    111  rpcbind
>     100000    2   udp    111  rpcbind
> [EMAIL PROTECTED]
> --------------------------------------------------
>
> On occasion I'm seeing packets like below popping up in the logs; seems
> like "late" packets past the window of the state table possibly, as they
> are labeled as OOW (out of window).
>
> Am I understanding the nature of this OOW packet? Seeing it on SSH,
> SMTP connections too I believe.
>
> Is there anything I can do to address these? Would one of the tweaks
> for /etc/system such as ipf.fr_tcpidletimeout or ipf.fr_tcpclosed be
> able to fix this and if so what value / which way (up/down?)???
> --------------------------------------------------
> Feb 14 05:21:01 bw-sc1 ipmon[146]: [ID 702911 local0.notice] 05:21:01.490859 3x bge1 @101:101 p 10.207.6.5,2049 -> 10.206.6.254,768 PR tcp len 20 212 -AP IN OOW
> Feb 14 05:23:01 bw-sc1 ipmon[146]: [ID 702911 local0.notice] 05:23:00.593585 3x bge1 @101:101 p 10.207.6.5,2049 -> 10.206.6.254,768 PR tcp len 20 212 -AP IN OOW
> Feb 14 05:25:01 bw-sc1 ipmon[146]: [ID 702911 local0.notice] 05:25:00.683303 3x bge1 @101:101 p 10.207.6.5,2049 -> 10.206.6.254,768 PR tcp len 20 212 -AP IN OOW
> Feb 14 05:27:01 bw-sc1 ipmon[146]: [ID 702911 local0.notice] 05:27:00.771147 3x bge1 @101:101 p 10.207.6.5,2049 -> 10.206.6.254,768 PR tcp len 20 212 -AP IN OOW
> Feb 14 05:29:01 bw-sc1 ipmon[146]: [ID 702911 local0.notice] 05:29:00.859800 3x bge1 @101:101 p 10.207.6.5,2049 -> 10.206.6.254,768 PR tcp len 20 212 -AP IN OOW
> Feb 14 05:30:01 bw-sc1 ipmon[146]: [ID 702911 local0.notice] 05:30:01.087643 13x bge1 @101:101 p 10.207.6.5,2049 -> 10.206.6.254,768 PR tcp len 20 156 -AP IN OOW
> --------------------------------------------------
>
> Using: Solaris 8 on a V210/V240 architecture. IP Filter 4.1.1
>
> ------------------------------------------------------------------------
> Brian Olmsted, B.Sc
> Sr. Technical Specialist        Office: 416-644-7406
> IP Edge Technology              Fax:    416-640-9303
> MTS Allstream Inc.              Mobile: 647-321-5556
> 438 University Avenue, 412D     Pager:  [EMAIL PROTECTED]
> Toronto, ON Canada M5G 2K8      Email:  [EMAIL PROTECTED]
> ------------------------------------------------------------------------
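As an added example, not part of the thread, the following Python parses ipmon lines of the shape quoted above and totals the OOW-flagged packets per flow (honouring the "3x"/"13x" repeat counts), which is the quickest way to tell whether the out-of-window hits sit on the one NFS flow (10.207.6.5:2049 -> 10.206.6.254:768) or are spread across SSH, SMTP and other services as the poster suspects. The sample log is constructed from the thread's format; the last line (a blocked SSH SYN with no OOW flag) is made up for contrast.

```python
import re
from collections import Counter

# Constructed sample in the shape of the ipmon lines quoted in the thread; the
# last line (a blocked SSH SYN with no OOW flag) is made up for contrast.
SAMPLE_LOG = """\
Feb 14 05:21:01 bw-sc1 ipmon[146]: [ID 702911 local0.notice] 05:21:01.490859 3x bge1 @101:101 p 10.207.6.5,2049 -> 10.206.6.254,768 PR tcp len 20 212 -AP IN OOW
Feb 14 05:23:01 bw-sc1 ipmon[146]: [ID 702911 local0.notice] 05:23:00.593585 3x bge1 @101:101 p 10.207.6.5,2049 -> 10.206.6.254,768 PR tcp len 20 212 -AP IN OOW
Feb 14 05:30:01 bw-sc1 ipmon[146]: [ID 702911 local0.notice] 05:30:01.087643 13x bge1 @101:101 p 10.207.6.5,2049 -> 10.206.6.254,768 PR tcp len 20 156 -AP IN OOW
Feb 14 05:31:12 bw-sc1 ipmon[146]: [ID 702911 local0.notice] 05:31:12.000001 bge1 @0:3 b 192.0.2.9,40000 -> 10.206.6.254,22 PR tcp len 20 60 -S IN
"""

# ipmon record layout (as seen in the thread): time [Nx] iface @group:rule
#   action src,sport -> dst,dport PR proto len hdrlen pktlen [-flags] IN|OUT [OOW]
LINE_RE = re.compile(
    r"(?P<time>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?:(?P<count>\d+)x\s+)?"  # repeat count, omitted by ipmon when it is 1
    r"(?P<iface>\S+)\s+@(?P<group>\d+):(?P<rule>\d+)\s+"
    r"(?P<action>\S+)\s+"  # p = passed, b = blocked
    r"(?P<src>[\d.]+),(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+),(?P<dport>\d+)\s+"
    r"PR\s+(?P<proto>\w+)\s+len\s+(?P<hlen>\d+)\s+(?P<plen>\d+)"
    r"(?:\s+(?P<flags>-\S+))?\s+(?P<dir>IN|OUT)(?P<oow>\s+OOW)?\s*$"
)


def parse_ipmon(line):
    """Parse one ipmon line into a dict; return None for anything else."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["count"] = int(rec["count"] or 1)
    for key in ("group", "rule", "sport", "dport", "hlen", "plen"):
        rec[key] = int(rec[key])
    rec["oow"] = rec["oow"] is not None  # matched state, but seq/ack outside the window
    return rec


def summarize_oow(text):
    """Total OOW packets per (src, sport, dst, dport), honouring the Nx counts."""
    totals = Counter()
    for line in text.splitlines():
        rec = parse_ipmon(line)
        if rec and rec["oow"]:
            totals[(rec["src"], rec["sport"], rec["dst"], rec["dport"])] += rec["count"]
    return totals


if __name__ == "__main__":
    for (src, sp, dst, dp), n in summarize_oow(SAMPLE_LOG).most_common():
        print("%s:%d -> %s:%d  OOW packets: %d" % (src, sp, dst, dp, n))
```

Feed it the real ipmon output (for example `grep OOW /var/adm/messages`) instead of SAMPLE_LOG; a single long-lived flow dominating the totals points at a state-window problem on that connection rather than anything broad.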
