Make sure that the state table is not filling up.

Do ipfstat -s

You should see some output that looks like this:

IP states added:
        23529 TCP
        272219 UDP
        62094 ICMP
        6373584 hits
        17441384 misses
        0 maximum
        0 no memory
        14 bkts in use
        178 logged
        715483 log failures
        14 active
        334303 expired
        23516 closed


If the Maximum field is greater than zero then your state table has filled up at one time or another. If you see the Maximum number increasing then this for sure is a problem.

--Wes
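A small shell check that automates the advice above, added here as an example and not part of either message in the thread. It parses ipfstat -s text in the format quoted above (the sample embedded in the script is constructed from those numbers), reports when the "maximum" counter is non-zero, and compares two samples taken some time apart so a rising value shows up. The function names and the cron usage line are the example's own, not anything from ipfilter.

```shell
#!/bin/sh
# Added example (not from the thread): check `ipfstat -s` for a state table
# that has filled up. SAMPLE_STATS is a constructed copy of the output quoted
# above so the functions can be exercised offline; on the firewall host you
# would feed them "$(ipfstat -s)" instead.

SAMPLE_STATS='IP states added:
        23529 TCP
        272219 UDP
        62094 ICMP
        6373584 hits
        17441384 misses
        0 maximum
        0 no memory
        14 bkts in use
        178 logged
        715483 log failures
        14 active
        334303 expired
        23516 closed'

# Print one counter ("maximum", "no memory", "active", ...) from ipfstat -s
# text read on stdin; prints 0 if the counter is not present.
ipf_counter() {
    awk -v name="$1" '
        {
            # the value is the first field, the counter name is the rest
            val = $1; $1 = ""; sub(/^ +/, "")
            if ($0 == name) { print val; found = 1; exit }
        }
        END { if (!found) print 0 }'
}

# Verdict on one sample ($1 = ipfstat -s text). Returns 0 if the table has
# never filled ("maximum" is 0), 1 if it has filled at some point.
check_state_table() {
    max=$(printf '%s\n' "$1" | ipf_counter maximum)
    nomem=$(printf '%s\n' "$1" | ipf_counter "no memory")
    active=$(printf '%s\n' "$1" | ipf_counter active)
    if [ "$max" -gt 0 ]; then
        echo "WARNING: state table has filled (maximum=$max) active=$active no-memory=$nomem"
        return 1
    fi
    echo "OK: state table has never filled (active=$active)"
    return 0
}

# Compare two samples ($1 earlier, $2 later). A rising "maximum" means the
# table is still filling; returns 1 in that case, 0 if it did not grow.
state_table_growing() {
    before=$(printf '%s\n' "$1" | ipf_counter maximum)
    after=$(printf '%s\n' "$2" | ipf_counter maximum)
    delta=$((after - before))
    echo "maximum: $before -> $after (delta $delta)"
    [ "$delta" -le 0 ]
}

# Live use on the ipfilter host, e.g. from cron every few minutes:
#   check_state_table "$(ipfstat -s)" || logger -p daemon.warning "ipf state table has filled"
# Offline run against the constructed sample:
check_state_table "$SAMPLE_STATS"
```

To catch the "increasing" case Wes describes, keep the previous ipfstat -s text in a file and call state_table_growing with the old and new samples; a non-zero "no memory" counter alongside a rising "maximum" points at the same problem from the kernel allocation side.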

On Jun 3, 2005, at 10:59 AM, Erik Huizing wrote:

Hello,
we've got a fairly busy DNS server that we see intermittent filtering problems on. When the issue happens, the box is unreachable over the network. In the logs, we see that the filter's blocked traffic from some of the ports that we've got allow rules for. The issue seems to be with ipfilter (or the rules), as the problems go away after running an ipf -Fa. Oddly enough, these issues don't seem to occur on other servers running similar rule sets.
Does anyone have any ideas/recommendations?

Thanks in advance,

uname:
SunOS ns5.so.cg 5.9 Generic_112233-11 sun4u sparc SUNW,Sun-Fire-V240
isainfo -vk
64-bit sparcv9 kernel modules
netstat -i
Name  Mtu  Net/Dest   Address    Ipkts   Ierrs Opkts   Oerrs Collis Queue
lo0   8232 loopback   localhost  135730  0     135730  0     0      0
bge0  1500 ns5.so.cg  ns5        437077  0     424487  0     0      0

netstat -s -P ip

IPv4    ipForwarding        =     2     ipDefaultTTL        =   255
       ipInReceives        =434119     ipInHdrErrors       =     0
       ipInAddrErrors      =     0     ipInCksumErrs       =     0
       ipForwDatagrams     =     0     ipForwProhibits     =     0
       ipInUnknownProtos   =     0     ipInDiscards        =     0
       ipInDelivers        =555814     ipOutRequests       =425908
       ipOutDiscards       =     0     ipOutNoRoutes       =    12
       ipReasmTimeout      =    60     ipReasmReqds        =     0
       ipReasmOKs          =     0     ipReasmFails        =     0
       ipReasmDuplicates   =     0     ipReasmPartDups     =     0
       ipFragOKs           =     0     ipFragFails         =     0
       ipFragCreates       =     0     ipRoutingDiscards   =     0
       tcpInErrs           =     1     udpNoPorts          = 11808
       udpInCksumErrs      =     6     udpInOverflows      =     0
       rawipInOverflows    =     0     ipsecInSucceeded    =     0
       ipsecInFailed       =     0     ipInIPv6            =     0
       ipOutIPv6           =     0     ipOutSwitchIPv6     =     2
ipf -V
ipf: IP Filter: v3.4.31 (496)
Kernel: IP Filter: v3.4.31             Running: yes
Log Flags: 0 = none set
Default: pass all, Logging: available
Active list: 1
dropped packets:        in 0    out 0
non-data packets:       in 1    out 1
no-data packets:        in 0    out 0
non-ip packets:         in 0    out 0
  bad packets:         in 0    out 0
copied messages:        in 2195 out 0
IPv6 packets:          in 0 out 0
input packets:         blocked 2009 passed 434869 nomatch 37298 counted 0 short 0
output packets:        blocked 0 passed 427197 nomatch 35435 counted 0 short 0
input packets logged:  blocked 1873 passed 0
output packets logged:  blocked 0 passed 0
packets logged:        input 1233 output 0
log failures:          input 0 output 0
fragment state(in):     kept 0  lost 0
fragment state(out):    kept 0  lost 0
packet state(in):       kept 53 lost 95
packet state(out):      kept 47408      lost 127133
ICMP replies:   0       TCP RSTs sent:  0
Invalid source(in):     0
Result cache hits(in):  130898  (out):  114013
IN Pullups succeeded:   0       failed: 0
OUT Pullups succeeded:  1869    failed: 0
Fastroute successes:    0       failures:       0
TCP cksum fails(in):    0       (out):  0
Packet log flags set: (0)
       none
ipfstat -i

pass in quick on lo0 from any to any
pass in quick proto icmp from any to any
pass in quick proto udp from any port 66 >< 69 to any port = 67 keep state
pass in quick proto tcp from HOSTA/32 to any port = 22 flags S/FSRPAU keep state keep frags
pass in quick proto tcp from NETA/23 to any port = 22 flags S/FSRPAU keep state keep frags
pass in quick proto tcp from NETB/24 to any port = 22 flags S/FSRPAU keep state keep frags
pass in quick proto udp from NETA/23 to any port = 161
pass in quick proto udp from NETB/24 to any port = 161
pass in quick proto tcp from NETA/23 to any port = 8400 flags S/FSRPAU keep state keep frags
pass in quick proto tcp from NETB/24 to any port = 8400 flags S/FSRPAU keep state keep frags
pass in quick proto tcp/udp from any to any port = domain
block in quick proto tcp from any to any port = 80
block in quick proto tcp from any to any port = 445
block in quick proto tcp/udp from any to any port 134 >< 140
block in log from any to any

ipfstat -o
pass out quick on lo0 from any to any
pass out quick proto tcp from any to any flags S/FSRPAU keep state
pass out quick proto tcp from any to any flags A/A
pass out quick from any to any keep state
block out log from any to any

no ipnat


--
Erik Huizing