Hello,
we've just upgraded to v4.1.8 (592), and are still seeing what seem to be state table related issues. This is an ISP DNS server, and the behaviour seems to be traffic-related. What we're seeing is DNS traffic being blocked (but not logged this time, as we saw with 3.4.31).

Also, I was wondering if 50% usage of the state table was high, and if we'd want to recompile with more buckets.

   # ipfstat -s
IP states added:
       3155 TCP
       623165 UDP
       883 ICMP
       5119011 hits
       2533514 misses
       107994 maximum
       0 no memory
       647 max bucket
       107994 maximum
       0 no memory
       2867 bkts in use
       6637 active
       0 expired
       775 closed
State logging enabled

State table bucket statistics:
       2867 in use
       49.97% bucket usage
       0 minimal length
       12 maximal length
       2.315 average length

I'm also wondering if the state table might be filling up because of incorrect state handling on our rules:
######################################################################
# Initial ipf.conf
# generated during jumpstart at Thu Sep 16 16:22:44 MDT 2004
#
# To reload the filters, run ipf -Fa -f /etc/opt/ipf/ipf.conf

# let loopback run free
pass in quick on lo0
pass out quick on lo0

# outbound connections
pass out quick all keep state
# allow ping
pass in quick proto icmp all keep state

######################################################################
# Custom section for ns10.no ns
# peer pair ns10.no (A.B.C.D) <-> ns11.no (A.C.D.E)
# DNS intercommunication between ns10.no and ns11.no
pass in quick proto tcp from A.B.C.E to A.B.C.D port = 8023
######################################################################
#
# allow ssh (22/tcp)
#
pass in quick proto tcp from A.B.C.F to any port = 22 flags S keep state keep frags
pass in quick proto tcp from A.B.C.0/23 to any port = 22 flags S keep state keep frags
#
# allow snmp (161/udp)
#
pass in quick proto udp from A.B.C.0/23 to any port = 161
#
# allow dns (53/tcp/udp)
#
pass in quick proto tcp/udp from any to any port = 53
#
# allow https (443/tcp)
#
pass in quick proto tcp from A.B.C.0/23 to any port = 8443 flags S keep state keep frags
#
# virus traffic we're not interested in
#
block in quick proto tcp from any to any port = 80
block in quick proto tcp from any to any port = 445
block in quick proto tcp/udp from any to any port 134 >< 140
#
# log and deny everything else
#
block in log all
block out log all
# end of file
######################################################################

Thanks in advance.

--
Erik Huizing
Regional Services
(403)-781-4906
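As an added example (not part of Erik's post, and not a ruleset IPFilter ships), the fragment below shows the two relevant rules from the posted ipf.conf beside a rewritten version. In the posted order an inbound query to port 53 is passed without state, but the reply leaving the server matches `pass out quick all keep state`, the first (and quick) out rule, so every DNS answer the server sends, and every recursive query it originates, creates a UDP state entry that lives until the UDP timeout expires; on a resolver that is where a UDP state count in the hundreds of thousands comes from, and the `maximum` line in `ipfstat -s` counts adds that were refused because the table was already at its `fr_statemax` limit (my reading of the 4.1 counters; `ipf -T fr_statemax` shows the current limit). The 2867 buckets in use at 49.97% also work out to 5737 buckets, the compiled-in 4.1 default, so the bucket count is unchanged from stock. The rewrite passes DNS statelessly in both directions ahead of the stateful catch-all; `A.B.C.D` is the server address as placeholdered in the post, and the assumption that the resolver's own outgoing queries are sourced from `A.B.C.D` is mine.

```ipf
# --- as posted: DNS passes in statelessly, but the first "out" rule keeps state ---
pass out quick all keep state
pass in quick proto tcp/udp from any to any port = 53

# --- rewritten: stateless DNS in both directions, placed BEFORE the stateful catch-all ---
# A.B.C.D = this server's listening address (placeholder carried over from the post)

# answers to client queries: query arrives at A.B.C.D:53, reply leaves from A.B.C.D:53
pass in  quick proto udp from any to A.B.C.D port = 53
pass out quick proto udp from A.B.C.D port = 53 to any

# recursive queries this resolver sends, and the answers to them
# (assumption: they are sourced from A.B.C.D; note the inbound rule admits any UDP
#  datagram with source port 53 to any port on this host, so narrow "to A.B.C.D" to
#  the resolver's query-source port or port range if one is configured)
pass out quick proto udp from A.B.C.D to any port = 53
pass in  quick proto udp from any port = 53 to A.B.C.D

# DNS over TCP (zone transfers, truncated-answer fallback): state is created once
# per connection on the SYN, far fewer entries than one per UDP datagram
pass in  quick proto tcp from any to A.B.C.D port = 53 flags S keep state
pass out quick proto tcp from A.B.C.D to any port = 53 flags S keep state

# everything else keeps its stateful behaviour, exactly as before
pass out quick all keep state

# ... remaining posted rules unchanged, still ending with:
block in log all
block out log all
```

With this order the inbound `port = 53` rule no longer needs the `tcp/udp` form, since TCP and UDP are handled separately above, and the final `block in log all` still records anything that does not match a DNS rule. After reloading with `ipf -Fa -f /etc/opt/ipf/ipf.conf` (the command the posted file itself names), a second `ipfstat -s` should show the UDP `added` and `maximum` counters growing far more slowly.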
