Hello,
we've got a fairly busy DNS server that we see intermittent filtering
problems on. When the issue happens, the box is unreachable over the
network. In the logs, we see that the filter's blocked traffic from some
of the ports we've got allow rules for. The issue seems to be with
ipfilter (or the rules), as the problems go away after running an
ipf -Fa. Oddly enough, these issues don't seem to occur on other servers
running similar rule sets.
Does anyone have any ideas/recommendations?
Thanks in advance,
uname:
SunOS ns5.so.cg 5.9 Generic_112233-11 sun4u sparc SUNW,Sun-Fire-V240
isainfo -vk
64-bit sparcv9 kernel modules
netstat -i
Name  Mtu  Net/Dest  Address    Ipkts  Ierrs Opkts  Oerrs Collis Queue
lo0   8232 loopback  localhost  135730 0     135730 0     0      0
bge0  1500 ns5.so.cg ns5        437077 0     424487 0     0      0
netstat -s -P ip
IPv4 ipForwarding = 2 ipDefaultTTL = 255
ipInReceives =434119 ipInHdrErrors = 0
ipInAddrErrors = 0 ipInCksumErrs = 0
ipForwDatagrams = 0 ipForwProhibits = 0
ipInUnknownProtos = 0 ipInDiscards = 0
ipInDelivers =555814 ipOutRequests =425908
ipOutDiscards = 0 ipOutNoRoutes = 12
ipReasmTimeout = 60 ipReasmReqds = 0
ipReasmOKs = 0 ipReasmFails = 0
ipReasmDuplicates = 0 ipReasmPartDups = 0
ipFragOKs = 0 ipFragFails = 0
ipFragCreates = 0 ipRoutingDiscards = 0
tcpInErrs = 1 udpNoPorts = 11808
udpInCksumErrs = 6 udpInOverflows = 0
rawipInOverflows = 0 ipsecInSucceeded = 0
ipsecInFailed = 0 ipInIPv6 = 0
ipOutIPv6 = 0 ipOutSwitchIPv6 = 2
ipf -V
ipf: IP Filter: v3.4.31 (496)
Kernel: IP Filter: v3.4.31
Running: yes
Log Flags: 0 = none set
Default: pass all, Logging: available
Active list: 1
dropped packets: in 0 out 0
non-data packets: in 1 out 1
no-data packets: in 0 out 0
non-ip packets: in 0 out 0
bad packets: in 0 out 0
copied messages: in 2195 out 0
IPv6 packets: in 0 out 0
input packets: blocked 2009 passed 434869 nomatch 37298 counted 0 short 0
output packets: blocked 0 passed 427197 nomatch 35435 counted 0 short 0
input packets logged: blocked 1873 passed 0
output packets logged: blocked 0 passed 0
packets logged: input 1233 output 0
log failures: input 0 output 0
fragment state(in): kept 0 lost 0
fragment state(out): kept 0 lost 0
packet state(in): kept 53 lost 95
packet state(out): kept 47408 lost 127133
ICMP replies: 0 TCP RSTs sent: 0
Invalid source(in): 0
Result cache hits(in): 130898 (out): 114013
IN Pullups succeeded: 0 failed: 0
OUT Pullups succeeded: 1869 failed: 0
Fastroute successes: 0 failures: 0
TCP cksum fails(in): 0 (out): 0
Packet log flags set: (0)
none
ipfstat -i
pass in quick on lo0 from any to any
pass in quick proto icmp from any to any
pass in quick proto udp from any port 66 >< 69 to any port = 67 keep state
pass in quick proto tcp from HOSTA/32 to any port = 22 flags S/FSRPAU keep state keep frags
pass in quick proto tcp from NETA/23 to any port = 22 flags S/FSRPAU keep state keep frags
pass in quick proto tcp from NETB/24 to any port = 22 flags S/FSRPAU keep state keep frags
pass in quick proto udp from NETA/23 to any port = 161
pass in quick proto udp from NETB/24 to any port = 161
pass in quick proto tcp from NETA/23 to any port = 8400 flags S/FSRPAU keep state keep frags
pass in quick proto tcp from NETB/24 to any port = 8400 flags S/FSRPAU keep state keep frags
pass in quick proto tcp/udp from any to any port = domain
block in quick proto tcp from any to any port = 80
block in quick proto tcp from any to any port = 445
block in quick proto tcp/udp from any to any port 134 >< 140
block in log from any to any
ipfstat -o
pass out quick on lo0 from any to any
pass out quick proto tcp from any to any flags S/FSRPAU keep state
pass out quick proto tcp from any to any flags A/A
pass out quick from any to any keep state
block out log from any to any
no ipnat
--
Erik Huizing
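An added example, not part of Erik's post: a small POSIX sh/awk check that reads `ipf -V` output and reports, per direction, how many state entries were kept versus lost (ipf counts a loss when it cannot add a new state entry), failing when the loss fraction is high, plus a grep that lists the pass rules keeping state on "from any to any", since every new flow through such a rule costs one state entry on a busy host. The 10% threshold, the function names and the embedded sample text are assumptions made for this example; the sample counters and rules mirror the ones in the post above.

```shell
#!/bin/sh
# Added example (not from the original post): health checks for an
# IPFilter state table, driven by `ipf -V` and `ipfstat -io` text.
# Threshold, names and sample data are constructed for this example.

# Maximum acceptable percentage of lost state entries (assumption: 10).
LOST_PCT_MAX="${LOST_PCT_MAX:-10}"

# check_ipf_state: reads `ipf -V` output on stdin, prints one line per
# direction with kept/lost counts and the loss percentage, and returns 1
# if either direction lost more than LOST_PCT_MAX percent of entries.
check_ipf_state() {
    awk -v max="$LOST_PCT_MAX" '
        # Lines look like: "packet state(out): kept 47408 lost 127133"
        /^packet state\((in|out)\):/ {
            dir = $2; sub(/^state\(/, "", dir); sub(/\):$/, "", dir)
            kept = 0; lost = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "kept") kept = $(i + 1) + 0
                if ($i == "lost") lost = $(i + 1) + 0
            }
            total = kept + lost
            pct = (total > 0) ? 100 * lost / total : 0
            printf "%s: kept=%d lost=%d lost_pct=%.1f\n", dir, kept, lost, pct
            if (pct > max) bad = 1
        }
        END { exit bad ? 1 : 0 }
    '
}

# stateful_catchall_rules: reads ipfstat rules on stdin and prints the
# pass rules that keep state for "from any to any", i.e. the rules that
# create a state entry for every new flow that reaches them.
stateful_catchall_rules() {
    grep -E '^pass (in|out) .*from any to any.*keep state'
}

# Constructed sample `ipf -V` excerpt, mirroring the counters in the post.
SAMPLE_IPF_V='packet state(in): kept 53 lost 95
packet state(out): kept 47408 lost 127133
ICMP replies: 0 TCP RSTs sent: 0'

# Constructed sample outbound rule set, mirroring `ipfstat -o` in the post.
SAMPLE_RULES='pass out quick on lo0 from any to any
pass out quick proto tcp from any to any flags S/FSRPAU keep state
pass out quick proto tcp from any to any flags A/A
pass out quick from any to any keep state
block out log from any to any'

# Live usage would be:  ipf -V | check_ipf_state ; ipfstat -io | stateful_catchall_rules
# Here the checks run over the constructed samples instead.
printf '%s\n' "$SAMPLE_IPF_V" | check_ipf_state \
    || echo "WARNING: state table losing more than ${LOST_PCT_MAX}% of new entries"
echo "rules keeping state for any->any:"
printf '%s\n' "$SAMPLE_RULES" | stateful_catchall_rules || echo "(none)"
```

On the sample above the check reports roughly 64% loss inbound and 73% loss outbound, so most new flows never get a state entry; a practitioner would run the same pipeline against the live `ipf -V` output while the problem is occurring and compare with a quiet period.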