Here is the ipfstat output as requested. What does this really tell me?

# ipfstat -ionh
5251 @1 log level local7.debug out on qfe0 all
0 @2 log level local7.debug out on qfe2 all
1541 @3 log level local7.debug out on hme0 all
1541 @4 block out on hme0 all
0 @5 block out log quick on hme0 from any to 192.168.0.0/16
0 @6 block out log quick on hme0 from any to 172.16.0.0/12
0 @7 block out log quick on hme0 from any to 10.0.0.0/8
0 @8 block out log quick on hme0 from any to 127.0.0.0/8
0 @9 block out log quick on hme0 from any to 0.0.0.0/8
0 @10 block out log quick on hme0 from any to 169.254.0.0/16
0 @11 block out log quick on hme0 from any to 192.0.2.0/24
0 @12 block out log quick on hme0 from any to 204.152.64.0/23
1541 @13 block out log quick on hme0 from any to 224.0.0.0/3
5264 @14 pass out quick on qfe0 all
0 @15 pass out quick on qfe2 all
0 @16 pass out quick on lo0 all
0 @17 pass out quick on hme0 proto tcp from 172.16.0.0/16 port = smtp to any port = smtp keep state
0 @18 pass out quick on hme0 proto tcp from 172.16.0.0/16 port = domain to any port = domain keep state
0 @19 pass out quick on hme0 proto udp from 172.16.0.0/16 port = domain to any port = domain
0 @20 pass out quick on hme0 proto tcp/udp from 192.168.200.0/24 port = ntp to any port = ntp
0 @21 pass out quick on hme0 proto tcp from 172.16.0.0/12 to any keep state
0 @22 pass out quick on hme0 proto udp from 172.16.0.0/12 to any
0 @23 pass out quick on hme0 proto icmp from 172.16.0.0/12 to any keep state
7004 @1 log level local7.debug in on qfe0 all
0 @2 log level local7.debug in on qfe2 all
0 @3 log level local7.debug in on hme0 all
0 @4 block in on hme0 all
0 @5 block in log quick on hme0 from 192.168.0.0/16 to any
0 @6 block in log quick on hme0 from 172.16.0.0/12 to any
0 @7 block in log quick on hme0 from 10.0.0.0/8 to any
0 @8 block in log quick on hme0 from 127.0.0.0/8 to any
0 @9 block in log quick on hme0 from 0.0.0.0/8 to any
0 @10 block in log quick on hme0 from 169.254.0.0/16 to any
0 @11 block in log quick on hme0 from 192.0.2.0/24 to any
0 @12 block in log quick on hme0 from 204.152.64.0/23 to any
0 @13 block in log quick on hme0 from 224.0.0.0/3 to any
0 @14 block in quick on hme0 proto tcp from any port = 113 to any
0 @15 block in log quick from any to any with short
0 @16 block in log quick on hme0 from any to 68.16.185.128/27
0 @17 block in log quick on hme0 proto icmp from any to any
0 @18 block in log quick on hme0 proto tcp from any to any port = telnet
0 @19 block in log quick on hme0 proto tcp/udp from any to any port = sunrpc
0 @20 block in log quick on hme0 proto tcp from any to any port = login
0 @21 block in log quick on hme0 proto tcp/udp from any to any port = 514
0 @22 block in log quick on hme0 proto tcp from any to any port = printer
0 @23 block in log quick on hme0 proto tcp from any to any port = 1214
0 @24 block in log quick on hme0 proto tcp/udp from any to any port = nfsd
0 @25 block in log quick on hme0 proto tcp from any to any port = 4661
0 @26 block in log quick on hme0 proto tcp from any to any port = 4662
0 @27 block in log quick on hme0 proto udp from any to any port = 4665
0 @28 block in log quick on hme0 proto tcp from any to any port = 5190
0 @29 block in log quick on hme0 proto udp from any to any port = 4000
0 @30 block in log quick on hme0 proto tcp from any to any port = 6000
0 @31 block in log quick on hme0 proto udp from any to any port = 8998
7038 @32 pass in quick on qfe0 from any to any
0 @33 pass in quick on qfe2 from any to any
0 @34 pass in quick on lo0 all
0 @35 pass in quick on hme0 proto tcp from any port = smtp to 68.16.185.134/32 port = smtp keep state
0 @36 pass in quick on hme0 proto udp from any port = domain to 68.16.185.134/32 port = domain keep state
0 @37 pass in quick on hme0 proto udp from any port = domain to 68.16.185.134/32 port = domain
0 @38 pass in quick on hme0 proto tcp from any port = ntp to 68.16.185.134/32 port = ntp keep state
0 @39 pass in quick on hme0 proto udp from any port = 443 to 68.16.185.135/32 port = 443 keep state
0 @40 pass in quick on hme0 proto udp from any port = 22 to 68.16.185.135/32 port = 22 keep state
0 @41 pass in quick on hme0 proto tcp from any port = ssh to 68.16.185.158/32 port = ssh keep state
0 @42 pass in quick on hme0 proto tcp from any port = 80 to 68.16.185.158/32 port = 80 keep state
0 @43 pass in quick on hme0 proto tcp from any port = 443 to 68.16.185.158/32 port = 443 keep state
0 @44 pass in quick on hme0 proto tcp from any port = 12345 to 68.16.185.158/32 port = 12345 keep state
0 @45 pass in quick on hme0 proto tcp from any port = ssh to 68.16.185.154/32 port = ssh keep state
0 @46 pass in quick on hme0 proto tcp from any port = 80 to 68.16.185.154/32 port = 80 keep state
0 @47 pass in quick on hme0 proto tcp from any port = 443 to 68.16.185.154/32 port = 443 keep state
0 @48 pass in quick on hme0 proto tcp from any port = 12345 to 68.16.185.154/32 port = 12345 keep state
0 @49 pass in quick on hme0 proto tcp from any port = ssh to 68.16.185.136/32 port = ssh keep state
0 @50 pass in quick on hme0 proto tcp from any port = 80 to 68.16.185.136/32 port = 80 keep state
0 @51 pass in quick on hme0 proto tcp from any port = 443 to 68.16.185.136/32 port = 443 keep state
0 @52 pass in quick on hme0 proto tcp from any port = ssh to 68.16.185.140/32 port = ssh keep state
0 @53 pass in quick on hme0 proto tcp from any port = 80 to 68.16.185.140/32 port = 80 keep state
0 @54 pass in quick on hme0 proto tcp from any port = 443 to 68.16.185.140/32 port = 443 keep state
0 @55 pass in quick on hme0 proto tcp from any port = ssh to 68.16.185.141/32 port = ssh keep state
0 @56 pass in quick on hme0 proto tcp from any port = 80 to 68.16.185.141/32 port = 80 keep state
0 @57 pass in quick on hme0 proto tcp from any port = 443 to 68.16.185.141/32 port = 443 keep state
0 @58 pass in quick on hme0 proto tcp from any port = ssh to 68.16.185.142/32 port = ssh keep state
0 @59 pass in quick on hme0 proto tcp from any port = 80 to 68.16.185.142/32 port = 80 keep state
0 @60 pass in quick on hme0 proto tcp from any port = 443 to 68.16.185.142/32 port = 443 keep state
0 @61 pass in quick on hme0 proto tcp from any port = ssh to 68.16.185.143/32 port = ssh keep state
0 @62 pass in quick on hme0 proto tcp from any port = 80 to 68.16.185.143/32 port = 80 keep state
0 @63 pass in quick on hme0 proto tcp from any port = 443 to 68.16.185.143/32 port = 443 keep state
0 @64 pass in quick on hme0 proto tcp from any port = ssh to 68.16.185.144/32 port = ssh keep state
0 @65 pass in quick on hme0 proto tcp from any port = 80 to 68.16.185.144/32 port = 80 keep state
0 @66 pass in quick on hme0 proto tcp from any port = 443 to 68.16.185.144/32 port = 443 keep state
0 @67 pass in quick on hme0 proto tcp from any port = ssh to 68.16.185.145/32 port = ssh keep state
0 @68 pass in quick on hme0 proto tcp from any port = 80 to 68.16.185.145/32 port = 80 keep state
0 @69 pass in quick on hme0 proto tcp from any port = 443 to 68.16.185.145/32 port = 443 keep state
0 @70 pass in quick on hme0 proto tcp from any port = ssh to 68.16.185.146/32 port = ssh keep state
0 @71 pass in quick on hme0 proto tcp from any port = 80 to 68.16.185.146/32 port = 80 keep state
0 @72 pass in quick on hme0 proto tcp from any port = 443 to 68.16.185.146/32 port = 443 keep state
0 @73 pass in quick on hme0 proto tcp from any port = ssh to 68.16.185.147/32 port = ssh keep state
0 @74 pass in quick on hme0 proto tcp from any port = 80 to 68.16.185.147/32 port = 80 keep state
0 @75 pass in quick on hme0 proto tcp from any port = 443 to 68.16.185.147/32 port = 443 keep state
0 @76 pass in quick on hme0 proto tcp from any port = ssh to 68.16.185.148/32 port = ssh keep state
0 @77 pass in quick on hme0 proto tcp from any port = 80 to 68.16.185.148/32 port = 80 keep state
0 @78 pass in quick on hme0 proto tcp from any port = 443 to 68.16.185.148/32 port = 443 keep state
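A way to read a listing like the one above, as an added example for this thread (it is not code from the IPFilter project or from anyone in the discussion). The `-h` counter on a rule only says how many packets matched it on their way through the table; under IPFilter's default last-match evaluation, a counted rule without `quick` is just a candidate that a later rule can override, while a `quick` rule with a nonzero count is a real decision. A zero on every rule bound to an interface, the `log` rules included, says the filter is not seeing that interface's traffic at all rather than that a rule is wrong. The script assumes the `<hits> @<n> <rule>` line shape shown above and that `@n` restarts between the out and in tables; `SAMPLE` is a constructed subset of the counters posted above.

```python
"""Summarise an `ipfstat -ionh` listing: which rules are actually deciding.

Added example, not code from IPFilter or from the thread. Assumes each
listing line looks like '<hits> @<n> <rule text>', that the @n numbering
restarts when the listing moves from the out table to the in table, and
that last-match semantics apply (a rule without 'quick' does not end
evaluation). SAMPLE is a constructed subset of the posted counters.
"""
import re

LINE_RE = re.compile(r"^\s*(\d+)\s+@(\d+)\s+(\S.*)$")

# Constructed sample: a subset of the `ipfstat -ionh` lines posted above.
SAMPLE = """\
5251 @1 log level local7.debug out on qfe0 all
1541 @3 log level local7.debug out on hme0 all
1541 @4 block out on hme0 all
0 @5 block out log quick on hme0 from any to 192.168.0.0/16
1541 @13 block out log quick on hme0 from any to 224.0.0.0/3
5264 @14 pass out quick on qfe0 all
0 @21 pass out quick on hme0 proto tcp from 172.16.0.0/12 to any keep state
7004 @1 log level local7.debug in on qfe0 all
0 @3 log level local7.debug in on hme0 all
0 @4 block in on hme0 all
0 @15 block in log quick from any to any with short
7038 @32 pass in quick on qfe0 from any to any
0 @35 pass in quick on hme0 proto tcp from any port = smtp to 68.16.185.134/32 port = smtp keep state
"""


def parse_ipfstat(text):
    """Return one dict per rule: hits, number, direction, action, iface, quick, text."""
    rules = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # blank lines or anything that is not a counted rule
        hits, number, body = int(m.group(1)), int(m.group(2)), m.group(3)
        tokens = body.split()
        # 'in'/'out' is the first direction keyword; 'log level <fac.pri> out on ...'
        # puts it after the facility, 'block in ...' puts it second.
        direction = next((t for t in tokens if t in ("in", "out")), None)
        iface = tokens[tokens.index("on") + 1] if "on" in tokens else None
        rules.append({
            "hits": hits,
            "number": number,
            "direction": direction,
            "action": tokens[0],  # log, block or pass
            "iface": iface,
            "quick": "quick" in tokens,
            "text": body,
        })
    return rules


def deciding_rules(rules):
    """pass/block rules with 'quick' and a nonzero count: these ended evaluation."""
    return [r for r in rules
            if r["action"] in ("block", "pass") and r["quick"] and r["hits"] > 0]


def non_quick_hits(rules):
    """Counted pass/block rules without 'quick'.

    A nonzero counter here is not proof of the outcome: under last-match
    semantics any later matching rule overrides it. In the sample, @4
    'block out on hme0 all' counts 1541 and so does the quick @13 after it.
    """
    return [r for r in rules
            if r["action"] in ("block", "pass") and not r["quick"] and r["hits"] > 0]


def silent_interfaces(rules, direction="in"):
    """Interfaces whose rules in the given direction have never counted a packet.

    Every rule on the interface at zero, log rules included, means the
    filter is not attached to that interface's traffic, not that a rule
    is mis-written.
    """
    totals = {}
    for r in rules:
        if r["direction"] == direction and r["iface"]:
            totals[r["iface"]] = totals.get(r["iface"], 0) + r["hits"]
    return sorted(i for i, n in totals.items() if n == 0)


if __name__ == "__main__":
    parsed = parse_ipfstat(SAMPLE)
    for r in deciding_rules(parsed):
        print(f"{r['direction']:>3} @{r['number']:<3} {r['hits']:>6}  {r['text']}")
    for r in non_quick_hits(parsed):
        print(f"counted but not final: {r['direction']} @{r['number']} {r['text']}")
    print("interfaces with no inbound hits:", silent_interfaces(parsed))
```

Run against the full listing (`ipfstat -ionh | python3 thisfile.py` with the `SAMPLE` replaced by `sys.stdin.read()`), the same three questions apply: which quick rules have counts, which non-quick counts are only candidates, and which interfaces show nothing in either direction.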



Stuart Remphrey wrote:
Oops. Had meant to write "ipfstat", as in "ipfstat -ionh" or similar;
had been looking at some iostat output myself just before writing
the previous reply!
Rgds, Stuart.

Stuart Remphrey
RMIT ITS Infrastructure Services - Unix Systems
Phone (03) 992 55 070  (or extension 55070)

mdpeters <[EMAIL PROTECTED]> 22/01/07 11:45 PM >>>


This command on Solaris reports disk activity only. I posted to the group yesterday some more information.

I appreciate your help.


Stuart Remphrey wrote:

My suggestion was just to add the "n" and "h" options
to your existing "iostat" command when dumping the
rules list which you'd attached to your original email.

However from later emails the pfil module isn't loaded yet,
so while there's a rule table in the kernel, nothing's using it.




On 19-Jan-07 at 9:29 am, in message
<[EMAIL PROTECTED]>,
mdpeters <[EMAIL PROTECTED]> wrote:

Would I place "iostat -ionh" after each rule or just on certain ones?


Stuart Remphrey wrote:


Hi,

I see someone's mentioned collecting the log output, you may also
find "iostat -ionh" helpful. The "h" gives the hit rate per rule that fired,
the blocking ones will tell you what's stopping the packets.

Note however that the line numbering ("n" option) is the entry number
in the IN or OUT filter table (two separate counts), not the lines
in your source file, so you'll have to match the rule text against
your input file.

HTH, rgds, Stuart.





On 17-Jan-07 at 1:51 pm, in message
<[EMAIL PROTECTED]>,
mdpeters <[EMAIL PROTECTED]> wrote:

I am new to IPFilter. My experience comes from other firewalls. I have
what seems like a proper build from following all sorts of example documents
out there. My problem is that nothing seems to pass through the system.
I am not sure if it is a NAT issue or rule misconfiguration on my part.
If someone could critique an excerpt of what I have and clue me into
what I am doing wrong I would certainly appreciate it.

I cut down the rules for simplicity's sake. Everything follows:

# uname -a
SunOS Osiris 5.10 Generic_118833-17 sun4u sparc SUNW,UltraSPARC-IIi-cEngine



# isainfo -vk
64-bit sparcv9 kernel modules

#  ifconfig -a
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
     inet 127.0.0.1 netmask ff000000
hme0: flags=1100803<UP,BROADCAST,MULTICAST,ROUTER,IPv4> mtu 1500 index 2
     inet 68.16.185.30 netmask fffffff0 broadcast 68.16.185.43
     ether 8:0:20:f9:c5:44
qfe0: flags=1100843<UP,BROADCAST,RUNNING,MULTICAST,ROUTER,IPv4> mtu 1500 index 3
     inet 192.168.200.108 netmask ffffff00 broadcast 192.168.200.255
     ether 8:0:20:f9:c5:44
qfe2: flags=1100803<UP,BROADCAST,MULTICAST,ROUTER,IPv4> mtu 1500 index 4
     inet 192.168.201.8 netmask ffffff00 broadcast 192.168.201.255
     ether 8:0:20:f9:c5:44
lo0: flags=2002000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv6,VIRTUAL> mtu 8252 index 1
     inet6 ::1/128
hme0: flags=2100801<UP,MULTICAST,ROUTER,IPv6> mtu 1500 index 2
     inet6 fe80::a00:20ff:fef9:c544/10
     ether 8:0:20:f9:c5:44
qfe0: flags=2100841<UP,RUNNING,MULTICAST,ROUTER,IPv6> mtu 1500 index 3
     inet6 fe80::a00:20ff:fef9:c544/10
     ether 8:0:20:f9:c5:44
qfe2: flags=2100801<UP,MULTICAST,ROUTER,IPv6> mtu 1500 index 4
     inet6 fe80::a00:20ff:fef9:c544/10
     ether 8:0:20:f9:c5:44

# netstat -rn

Routing Table: IPv4
  Destination           Gateway           Flags  Ref   Use   Interface
-------------------- -------------------- ----- ----- ------ ---------
68.16.185.28         68.16.185.30          U         1      0  hme0
192.168.200.0        192.168.200.108       U         1    618  qfe0
192.168.201.0        192.168.201.8         U         1      0  qfe2
192.168.202.0        192.168.200.59        UG        1      0
192.168.204.0        192.168.201.169       UG        1      0
172.16.0.0           192.168.200.59        UG        1      7
224.0.0.0            68.16.185.130         U         1      0  hme0
default              68.16.185.128         UG        1      0
127.0.0.1            127.0.0.1             UH        4     77  lo0

Routing Table: IPv6
  Destination/Mask            Gateway                   Flags Ref   Use   If
--------------------------- --------------------------- ----- --- ------ -----
fe80::/10                   fe80::a00:20ff:fef9:c544    U       1      0 hme0
fe80::/10                   fe80::a00:20ff:fef9:c544    U       1      0 qfe0
fe80::/10                   fe80::a00:20ff:fef9:c544    U       1      0 qfe2
ff00::/8                    fe80::a00:20ff:fef9:c544    U       1      0 hme0
::1                         ::1                         UH      1     14 lo0



# netstat -i
Name  Mtu  Net/Dest      Address         Ipkts  Ierrs Opkts  Oerrs Collis Queue
lo0   8232 loopback      localhost       209    0     209    0     0      0
hme0  1500 Osiris        Osiris          0      0     0      0     0      0
qfe0  1500 192.168.200.0 192.168.200.108 265242 0     9572   0     0      0
qfe2  1500 192.168.201.0 192.168.201.8   0      0     0      0     0      0

Name  Mtu  Net/Dest                    Address                  Ipkts  Ierrs Opkts  Oerrs Collis
lo0   8252 localhost                   localhost                209    0     209    0     0
hme0  1500 fe80::a00:20ff:fef9:c544/10 fe80::a00:20ff:fef9:c544 0      0     0      0     0
qfe0  1500 fe80::a00:20ff:fef9:c544/10 fe80::a00:20ff:fef9:c544 265252 0     9583   0     0
qfe2  1500 fe80::a00:20ff:fef9:c544/10 fe80::a00:20ff:fef9:c544 0      0     0      0     0

# netstat -s -P ip

IPv4    ipForwarding        =     1     ipDefaultTTL        =   255
     ipInReceives        =  6594     ipInHdrErrors       =     0
     ipInAddrErrors      =     0     ipInCksumErrs       =     0
     ipForwDatagrams     =     0     ipForwProhibits     =     0
     ipInUnknownProtos   =     0     ipInDiscards        =     0
     ipInDelivers        =  6679     ipOutRequests       = 13135
     ipOutDiscards       =     0     ipOutNoRoutes       =     6
     ipReasmTimeout      =    60     ipReasmReqds        =     0
     ipReasmOKs          =     0     ipReasmFails        =     0
     ipReasmDuplicates   =     0     ipReasmPartDups     =     0
     ipFragOKs           =     0     ipFragFails         =     0
     ipFragCreates       =     0     ipRoutingDiscards   =     0
     tcpInErrs           =     0     udpNoPorts          =    17
     udpInCksumErrs      =     0     udpInOverflows      =     0
     rawipInOverflows    =     0     ipsecInSucceeded    =     0
     ipsecInFailed       =     0     ipInIPv6            =     0
     ipOutIPv6           =     0     ipOutSwitchIPv6     =     0

# ipf -V
ipf: IP Filter: v4.0.3 (592)
Kernel: IP Filter: v4.0.3
Running: yes
Log Flags: 0 = none set
Default: pass all, Logging: available
Active list: 1

# ipfstat
bad packets:            in 0    out 0
IPv6 packets:          in 0 out 18
input packets:         blocked 0 passed 6618 nomatch 0 counted 0 short 0
output packets:        blocked 6508 passed 6677 nomatch 9 counted 0 short 0



input packets logged:  blocked 0 passed 0
output packets logged:  blocked 6508 passed 0
packets logged:        input 6618 output 13167
log failures:          input 0 output 0
fragment state(in):     kept 0  lost 0
fragment state(out):    kept 0  lost 0
packet state(in):       kept 0  lost 0
packet state(out):      kept 0  lost 0
ICMP replies:   0       TCP RSTs sent:  0
Invalid source(in):     0
Result cache hits(in):  0       (out):  9
IN Pullups succeeded:   0       failed: 0
OUT Pullups succeeded:  32      failed: 0
Fastroute successes:    0       failures:       0
TCP cksum fails(in):    0       (out):  0
IPF Ticks:      834285
Packet log flags set: (0)
     none

# ipfstat -io
log level local7.debug out on qfe0 all
log level local7.debug out on qfe2 all
log level local7.debug out on hme0 all
block out log quick on hme0 from any to 192.168.0.0/16
block out log quick on hme0 from any to 172.16.0.0/12
block out log quick on hme0 from any to 10.0.0.0/8
block out log quick on hme0 from any to 127.0.0.0/8
block out log quick on hme0 from any to 0.0.0.0/8
block out log quick on hme0 from any to 169.254.0.0/16
block out log quick on hme0 from any to 192.0.2.0/24
block out log quick on hme0 from any to 204.152.64.0/23
block out log quick on hme0 from any to 224.0.0.0/3
pass out quick on qfe0 all
pass out quick on qfe2 all
pass out quick on lo0 all
pass out quick on hme0 proto tcp from 172.16.0.0/16 port = smtp to any port = smtp keep state
pass out quick on hme0 proto tcp from 172.16.0.0/16 port = domain to any port = domain keep state
pass out quick on hme0 proto udp from 172.16.0.0/16 port = domain to any port = domain
pass out quick on hme0 proto tcp/udp from 192.168.200.0/24 port = ntp to any port = ntp
pass out quick on hme0 proto tcp from 172.16.0.0/12 to any keep state
pass out quick on hme0 proto udp from 172.16.0.0/12 to any
pass out quick on hme0 proto icmp from 172.16.0.0/12 to any keep state
log level local7.debug in on qfe0 all
log level local7.debug in on qfe2 all
log level local7.debug in on hme0 all
block in all
block in log quick on hme0 from 192.168.0.0/16 to any
block in log quick on hme0 from 172.16.0.0/12 to any
block in log quick on hme0 from 10.0.0.0/8 to any
block in log quick on hme0 from 127.0.0.0/8 to any
block in log quick on hme0 from 0.0.0.0/8 to any
block in log quick on hme0 from 169.254.0.0/16 to any
block in log quick on hme0 from 192.0.2.0/24 to any
block in log quick on hme0 from 204.152.64.0/23 to any
block in log quick on hme0 from 224.0.0.0/3 to any
block in quick on hme0 proto tcp from any port = 113 to any
block in log quick from any to any with short
block in log quick on hme0 from any to 68.16.185.28/27
block in log quick on hme0 proto icmp from any to any
block in log quick on hme0 proto tcp from any to any port = telnet
block in log quick on hme0 proto tcp/udp from any to any port = sunrpc
block in log quick on hme0 proto tcp from any to any port = login
block in log quick on hme0 proto tcp/udp from any to any port = 514
block in log quick on hme0 proto tcp from any to any port = printer
block in log quick on hme0 proto tcp from any to any port = 1214
block in log quick on hme0 proto tcp/udp from any to any port = nfsd
block in log quick on hme0 proto tcp from any to any port = 4661
block in log quick on hme0 proto tcp from any to any port = 4662
block in log quick on hme0 proto udp from any to any port = 4665
block in log quick on hme0 proto tcp from any to any port = 5190
block in log quick on hme0 proto udp from any to any port = 4000
block in log quick on hme0 proto tcp from any to any port = 6000
block in log quick on hme0 proto udp from any to any port = 8998
pass in quick on qfe0 from any to any
pass in quick on qfe2 from any to any
pass in quick on lo0 all
pass in quick on hme0 proto tcp from any port = smtp to 68.16.185.34/32 port = smtp keep state
pass in quick on hme0 proto udp from any port = domain to 68.16.185.34/32 port = domain keep state
pass in quick on hme0 proto udp from any port = domain to 68.16.185.34/32 port = domain
pass in quick on hme0 proto tcp from any port = ntp to 68.16.185.34/32 port = ntp keep state

# ipnat -slv
mapped  in      0       out     0
added   0       expired 0
no memory       0       bad nat 0
inuse   0
rules   44
wilds   0
table ffffffff7ffffba0 list 30002026340
List of active MAP/Redirect filters:
map hme0 192.168.200.40/32 -> 68.16.185.33/32
map hme0 68.16.185.133/32 -> 192.168.200.40/32
map hme0 192.168.200.59/32 -> 68.16.185.34/32
map hme0 68.16.185.134/32 -> 192.168.200.59/32


List of active sessions:

List of active host mappings:

