I experienced some serious core dumps as well in the past on a random basis. The next one, I will send to IBM.
Miguel SANDERS
ArcelorMittal Gent
UNIX System Administrator | SAP Infrastructure Group
John Kennedylaan 51, B-9042 Gent
T +32 9 347 3538 | F +32 9 347 4901 | M +32 478 805 023
E [EMAIL PROTECTED]
www.arcelormittal.com/gent

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of km
Sent: Friday, 22 February 2008 1:07
To: [email protected]
Subject: Re: ipfilter AIX - blocking on pass out, keep state rule

On 21/02, Steve Clark wrote:
> km wrote:
> >Hi,
> >
> >I am seeing some behaviour I don't think I should on AIX with ipfilter
> >4.1.13.
> >
> >All outgoing DNS requests are getting blocked and this is what ipmon shows:
> >
> >Feb 21 00:10:31 sebotp520-1 local0:warn|warning ipmon[254018]: 01:00:00.000000 en5 @0:3 b xxx.xxx.100.234,34002 -> xxx.xxx.166.18,53 PR udp len 20 73 OUT
> >
> ># ipfstat -nio
> >@1 block out log all
> >@2 pass out quick on en5 proto udp from any to any keep state keep frags
> >@3 pass out quick on en5 proto udp from any to any port = domain keep state keep frags
> >
> >Why is it blocking on a pass rule, because of missing state?
> >Allowing port 53 stateless lets the packets through.
> >
> >Looking at the ipfstat output shows a lot of state (out) lost packets. Should
> >this really be, I don't see that at my fbsd/ipfilter at home?
> >
> >Some cut-n-paste info below.
> >
> >I will look into this deeper tomorrow evening but any pointers would
> >be appreciated.
> >
> >-km
> >
> >
> >
> ># ipf -V
> >ipf: IP Filter: v4.1.13 (480)
> >Kernel: IP Filter: v4.1.13
> >Running: yes
> >Log Flags: 0 = none set
> >Default: pass all, Logging: available
> >Active list: 0
> >Feature mask: 0x87
> >
> ># uname -a
> >AIX sebotp520-1 3 5 0008FAE6D700
> >
> ># oslevel -s
> >5300-06-03-0732
> >
> ># ipfstat -sl
> >...
> >sebotp520-1 -> xxx.xxx.166.18 pass 0x40004702 pr 17 state 0/0 bkt 85
> >    tag 0 ttl 24 32872 -> 53
> >    forward: pkts in 0 bytes in 0 pkts out 2 bytes out 125
> >    backward: pkts in 2 bytes in 125 pkts out 0 bytes out 0
> >    pass out quick keep frags keep state IPv4
> >    pkt_flags & 0(0) = 0, pkt_options & ffffffff = 0, ffffffff = 0
> >    pkt_security & ffff = 0, pkt_auth & ffff = 0
> >    is_flx 0 0x1 0x1 0
> >    interfaces: in -[],en5[en5] out en5[en5],-[]
> >    Sync status: not synchronized
> >...
> >
> ># ipfstat -s
> >IP states added:
> >    910 TCP
> >    1199 UDP
> >    8 ICMP
> >    17498769 hits
> >    9872 misses
> >    0 maximum
> >    0 no memory
> >    79 bkts in use
> >    1002 active
> >    0 expired
> >    11 closed
> >State logging enabled
> >
> >State table bucket statistics:
> >    79 in use
> >    62.20% bucket usage
> >    0 minimal length
> >    14 maximal length
> >    12.684 average length
> >
> ># ipfstat
> >bad packets:            in 0    out 0
> > input packets:         blocked 5435 passed 11500856 nomatch 0 counted 0 short 0
> >output packets:         blocked 5229 passed 6003187 nomatch 0 counted 0 short 0
> > input packets logged:  blocked 4946 passed 0
> >output packets logged:  blocked 5186 passed 0
> > packets logged:        input 0 output 0
> > log failures:          input 3705 output 4786
> >fragment state(in):     kept 0  lost 0  not fragmented 0
> >fragment state(out):    kept 0  lost 0  not fragmented 0
> >packet state(in):       kept 319        lost 592
> >packet state(out):      kept 798        lost 9589
> >ICMP replies:   0       TCP RSTs sent:  0
> >Invalid source(in):     0
> >Result cache hits(in):  1852    (out):  178
> >IN Pullups succeeded:   0       failed: 0
> >OUT Pullups succeeded:  0       failed: 0
> >Fastroute successes:    0       failures:       0
> >TCP cksum fails(in):    0 (out): 0
> >IPF Ticks:      0
> >Packet log flags set: (0)
> >    none
> >
> >
>
> I ran into the same problem with icmp on 4.13 using freebsd - had to
> upgrade to 4.1.26

Yep, something is definitely wrong. The server crashed hard today as well.
Core dumped on floor :)

I've gone over to pure stateless filtering now and will stress test it for a
couple of days. I actually don't have a need for keeping state for this
particular setup, but it would be really nice to have a stable working
ipfilter on AIX in the future.

-km
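A small triage script, added here as an example and not code from the thread or from the IPFilter project, that cross-checks the three pieces of evidence km posted: the ipmon line (which rule number fired and what it did), the rule list from `ipfstat -nio`, and the `packet state(in/out): kept N lost M` counters from plain `ipfstat`. It resolves the `@group:rule` reference in the log line against the rule list for the same direction, reports a logged block whose rule is actually a `pass` rule, and reports any direction where the `lost` state count exceeds the `kept` count. The sample lines are constructed from the output in the thread with the masked addresses replaced by documentation-range addresses; the regexes assume ipmon's default single-line format as shown above. Reading `lost` as "state-table insertion failed" is my interpretation of the counter name, and whether the kernel then drops a packet that matched a `keep state` pass rule should be confirmed against the `fr_check()` code in your own 4.1.x source tree.

```python
"""Cross-check ipmon log lines against the active IPFilter rule list and the
state counters from `ipfstat`, to explain a block logged on a pass rule.
Example code added to this thread, not IPFilter's own tooling."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Default single-line ipmon format as seen in the thread. Assumption: the
# syslog prefix before "ipmon[pid]:" varies, so matching is anchored on it.
IPMON_RE = re.compile(
    r"ipmon\[\d+\]:\s+\S+\s+(?P<ifname>\S+)\s+@(?P<group>\d+):(?P<rule>\d+)\s+"
    r"(?P<action>[bpSnL])\s+(?P<src>\S+?),(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\S+?),(?P<dport>\d+)\s+PR\s+(?P<proto>\S+)\s+len\s+\d+\s+\d+\s+"
    r"(?P<direction>IN|OUT)"
)
# One rule as printed by `ipfstat -nio`: "@3 pass out quick on en5 ...".
RULE_RE = re.compile(r"^@(?P<num>\d+)\s+(?P<verb>pass|block)\s+(?P<direction>in|out)\b(?P<rest>.*)$")
# State counters from plain `ipfstat`: "packet state(out): kept 798 lost 9589".
STATE_RE = re.compile(r"packet state\((?P<direction>in|out)\):\s+kept\s+(?P<kept>\d+)\s+lost\s+(?P<lost>\d+)")


@dataclass
class LogEvent:
    ifname: str
    rule: int        # rule number within the group; matches @N in ipfstat -nio
    action: str      # b=block p=pass S=short n=nomatch L=log-only
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    direction: str   # "in" or "out"


@dataclass
class Rule:
    num: int
    verb: str        # "pass" or "block"
    direction: str   # "in" or "out"
    keep_state: bool
    text: str


def parse_ipmon(lines: List[str]) -> List[LogEvent]:
    events = []
    for line in lines:
        m = IPMON_RE.search(line)
        if m:
            events.append(LogEvent(m["ifname"], int(m["rule"]), m["action"],
                                   m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                                   m["proto"], m["direction"].lower()))
    return events


def parse_rules(lines: List[str]) -> Dict[Tuple[str, int], Rule]:
    """Key rules by (direction, number): in and out lists are numbered separately."""
    rules = {}
    for line in lines:
        m = RULE_RE.match(line.strip())
        if m:
            r = Rule(int(m["num"]), m["verb"], m["direction"], "keep state" in m["rest"], line.strip())
            rules[(r.direction, r.num)] = r
    return rules


def parse_state_counters(lines: List[str]) -> Dict[str, Tuple[int, int]]:
    counters = {}
    for line in lines:
        m = STATE_RE.search(line)
        if m:
            counters[m["direction"]] = (int(m["kept"]), int(m["lost"]))
    return counters


def find_anomalies(events, rules, counters) -> List[str]:
    findings = []
    for ev in events:
        rule = rules.get((ev.direction, ev.rule))
        if rule is None:
            findings.append(f"@{ev.rule} {ev.direction}: rule not present in ipfstat -nio output")
            continue
        if ev.action == "b" and rule.verb == "pass":
            msg = (f"{ev.proto} {ev.src}:{ev.sport} -> {ev.dst}:{ev.dport} {ev.direction} on {ev.ifname}: "
                   f"blocked, but @{rule.num} is a pass rule ({rule.text})")
            if rule.keep_state:  # a keep-state pass rule: look at the state counters too
                kept, lost = counters.get(ev.direction, (0, 0))
                msg += f"; rule keeps state, state({ev.direction}) kept={kept} lost={lost}"
            findings.append(msg)
    for direction, (kept, lost) in sorted(counters.items()):
        if lost > kept:
            findings.append(f"state({direction}): lost {lost} > kept {kept}, state-table inserts are failing")
    return findings


# Constructed sample input modelled on the thread (masked addresses replaced
# with documentation ranges; counters copied from the posted ipfstat output).
SAMPLE_IPMON = [
    "Feb 21 00:10:31 sebotp520-1 local0:warn|warning ipmon[254018]: 01:00:00.000000 en5 @0:3 b "
    "192.0.2.234,34002 -> 198.51.100.18,53 PR udp len 20 73 OUT",
]
SAMPLE_RULES = [
    "@1 block out log all",
    "@2 pass out quick on en5 proto udp from any to any keep state keep frags",
    "@3 pass out quick on en5 proto udp from any to any port = domain keep state keep frags",
]
SAMPLE_IPFSTAT = ["packet state(in): kept 319 lost 592", "packet state(out): kept 798 lost 9589"]


def triage(ipmon=SAMPLE_IPMON, rules=SAMPLE_RULES, ipfstat=SAMPLE_IPFSTAT) -> List[str]:
    return find_anomalies(parse_ipmon(ipmon), parse_rules(rules), parse_state_counters(ipfstat))


if __name__ == "__main__":
    for finding in triage():
        print(finding)
```

On the thread's data this reports the blocked DNS query as having hit pass rule @3 (a keep-state rule) and flags both directions, since 592 of 911 inbound and 9589 of 10387 outbound state insertions were lost. Feed it real data with `ipmon -n` output, `ipfstat -nio` and `ipfstat` captured at the same time, because rule numbers shift whenever the ruleset is reloaded.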
