Re: Problems with stateful filtering in 4.1.22

Tue, 22 May 2007 23:32:45 -0700 

Darren Reed wrote:


I think the first thing to try is to also record the state log data...so look
 at adding "-a" to the ipmon command line.  This will help you determine if
the packets above are just arriving "late" or if they're not being matched up
correctly.



Still same problems with the latest NetBSD 4.0_BETA2 with IPF 4.1.22. And this 
is very easy to trigger...



p130:~> date | mail -s TEST my-netbsd-address-here

ROOT p130:~> ipfstat -t
Source IP             Destination IP         ST   PR   #pkts    #bytes       ttl
xxx.xxx.xxx.130,65163 204.152.190.11,25     A/7  tcp       7       493      3:58

ROOT p130:~> ipfstat -s
IP states added:
        40 TCP
        3563 UDP
        0 ICMP
        30072 hits
        400935 misses
        0 bucket full
        0 maximum rule references
        0 maximum
        0 no memory
        6 bkts in use
        6 active
        3562 expired
        35 closed
State logging enabled

State table bucket statistics:
        6 in use
        0.10% bucket usage
        0 minimal length
        1 maximal length
        1.000 average length

TCP Entries per state
     0     1     2     3     4     5     6     7     8     9    10    11
     0     0     0     0     0     0     0     0     0     0     5     0


p130:~> tail -f /var/log/messages | grep 'ipmon.*smtp'

May 23 09:19:11 p130 ipmon[3816]: 09:19:11.488025 STATE:NEW 
p130.mydomain.com[xxx.xxx.xxx.130],65163 -> mail.netbsd.org[204.152.190.11],smtp 
PR tcp
May 23 09:19:14 p130 ipmon[3816]: 09:19:14.357273 bnx0 @0:37 b 
mail.netbsd.org[204.152.190.11],smtp -> p130.mydomain.com[xxx.xxx.xxx.130],65163 
PR tcp len 20 52 -A IN
May 23 09:19:16 p130 ipmon[3816]: 09:19:16.361533 bnx0 @0:37 b 
mail.netbsd.org[204.152.190.11],smtp -> p130.mydomain.com[xxx.xxx.xxx.130],65163 
PR tcp len 20 52 -A IN
May 23 09:19:19 p130 ipmon[3816]: 09:19:19.373691 bnx0 @0:37 b 
mail.netbsd.org[204.152.190.11],smtp -> p130.mydomain.com[xxx.xxx.xxx.130],65163 
PR tcp len 20 52 -A IN
May 23 09:19:25 p130 ipmon[3816]: 09:19:25.398174 bnx0 @0:37 b 
mail.netbsd.org[204.152.190.11],smtp -> p130.mydomain.com[xxx.xxx.xxx.130],65163 
PR tcp len 20 52 -A IN
May 23 09:19:38 p130 ipmon[3816]: 09:19:37.447426 bnx0 @0:37 b 
mail.netbsd.org[204.152.190.11],smtp -> p130.mydomain.com[xxx.xxx.xxx.130],65163 
PR tcp len 20 52 -A IN
May 23 09:21:20 p130 ipmon[3816]: 09:21:20.078742 STATE:CLOSE 
p130.mydomain.com[xxx.xxx.xxx.130],65163 -> mail.netbsd.org[204.152.190.11],smtp 
PR tcp Forward: Pkts in 0 Bytes in 0 Pkts out 13 Bytes out 805 Backward: Pkts in 
8 Bytes in 702 Pkts out 0 Bytes out 0



> Check the changes to the timeouts in ip_state.c

I'll do that later.

Martti






















					Reply via email to