Hello,
we're still seeing networking problems with ipfilter on our residential ISP DNS servers, where the box becomes unreachable in any way for long periods of time, sometimes several hours. Running ipf -Fa -f ipf.conf sometimes works, but sometimes doesn't. After an hour, we give up and reboot.

The issue seems to be ipfilter-related, as when the pfil and ipf kernel modules are unloaded, we don't see these issues.

The issue doesn't seem to be state related, as the 'maximum' statistic is 0 while the server is unreachable (logged in over the console).

Rules:
# let loopback run free
pass in quick on lo0
pass out quick on lo0

# Handle DNS specially, since there is so much traffic.
pass in quick proto udp from any to any port = 53
pass out quick proto udp from any port = 53 to any
# these used to be pass in quick proto tcp/udp from any to any port = 53
# Also have tested the rule as
# pass in quick proto udp from any to any keep state

# outbound connections
pass out quick proto tcp from any to any flags S keep state
pass out quick proto udp from any to any keep state
pass out quick proto icmp all keep state
pass out quick all
# allow ping
pass in quick proto icmp all keep state
pass in quick proto tcp from 24.64.63.212 to 24.64.63.195 port = 8023 flags S keep state

pass in quick proto tcp from a.b.c.d to a.b.c.e port = 443 flags S keep state
pass in quick proto tcp from a.b.c.d to a.b.c.f port = 443 flags S keep state

pass in quick proto tcp from a.b.c.0/24 to any port = 22 flags S keep state
pass in quick proto tcp from a.b.c.0/24 to any port = 53 flags S keep state
#
# virus traffic we're not interested in
#
block in quick proto tcp from any to any port = 80
block in quick proto tcp from any to any port = 445
block in quick proto tcp/udp from any to any port 134 >< 140

#
# log and deny everything else
#
block in log all
block out log all

# end of file
######################################################################

ipf: IP Filter: v4.1.8 (592)
Kernel: IP Filter: v4.1.8 Running: yes
Log Flags: 0 = none set
Default: pass all, Logging: available
Active list: 1
Feature mask: 0x187

99% of the traffic these servers see is udp/53

Has anyone else seen similar behaviour on heavy traffic systems?
Are there any rules that could be tweaked/changed?
The server was just rebooted this morning, so a netstat -k and ipfstat -s won't be particularly useful.

Thanks in advance

--
Erik Huizing
Regional Services
(403)-781-4906
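As an added illustration of how ipf picks a rule for the DNS traffic discussed in the post (example code written here, not from the post or from IPFilter itself): a small Python evaluator that applies ipf's first-quick-match, otherwise last-match semantics to a constructed subset of the posted rules. It shows that an inbound udp/53 query and its outbound reply are both handled by the stateless rules before any keep state rule is reached, while an outbound TCP SYN lands on a keep state rule.

```python
import ipaddress
# Constructed sample: a subset of the rules from the post, in ipf syntax.
RULES = """
pass in quick proto udp from any to any port = 53
pass out quick proto udp from any port = 53 to any
pass out quick proto tcp from any to any flags S keep state
pass out quick all
block in quick proto tcp/udp from any to any port 134 >< 140
block in log all
"""

def parse(text):
    rules = []
    for line in text.splitlines():
        t = line.split()
        if not t or t[0].startswith("#"):
            continue
        r = {"action": t[0], "dir": t[1], "quick": "quick" in t, "proto": None,
             "src": "any", "dst": "any", "sport": None, "dport": None,
             "syn_only": "flags" in t, "keep_state": "keep" in t, "text": line}
        for i, w in enumerate(t):
            if w == "proto":
                r["proto"] = t[i + 1]
            elif w in ("from", "to"):
                side = "src" if w == "from" else "dst"
                r[side] = t[i + 1]
                if t[i + 2:i + 3] == ["port"]:  # "= N" is exact, "A >< B" is the exclusive range A < p < B
                    r[side[0] + "port"] = ((int(t[i + 4]),) * 2 + (False,) if t[i + 3] == "="
                                           else (int(t[i + 3]), int(t[i + 5]), True))
        rules.append(r)
    return rules

def matches(r, pkt):
    if r["dir"] != pkt["dir"] or (r["proto"] and pkt["proto"] not in r["proto"].split("/")):
        return False
    for side in ("src", "dst"):
        if r[side] != "any" and ipaddress.ip_address(pkt[side]) not in ipaddress.ip_network(r[side]):
            return False
        lo, hi, excl = r[side[0] + "port"] or (0, 65535, False)
        p = pkt.get(side[0] + "port", 0)
        if not (lo < p < hi if excl else lo <= p <= hi):
            return False
    f = pkt.get("flags", "")  # ipf "flags S" means S/SA: SYN set, ACK clear
    return not r["syn_only"] or ("S" in f and "A" not in f)

def evaluate(rules, pkt):
    """First 'quick' match wins, else the last match; unmatched traffic passes (ipf default)."""
    hits = [r for r in rules if matches(r, pkt)]
    hit = next((r for r in hits if r["quick"]), hits[-1] if hits else None)
    return (hit["action"], hit["keep_state"], hit["text"]) if hit else ("pass", False, None)
```

Each result is (action, whether the matching rule keeps state, the rule text), so a packet dict for a query, a reply or a SYN can be checked against the posted ordering directly.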
