On Mon, 31 Mar 2008, Rugen, Len wrote:
> I inherited a group of Solaris systems. They have been having some problems since before I was assimilated that I think I've tracked down to ipfilter.
I'm new to this list, and this is like the second submission I got in like several weeks. Is the volume of this list really that low, or are responses encouraged to go straight to the original poster?
> The problem first described was the Veritas Vxsvc process would become unresponsive and unkillable until reboot. I finally discovered that this didn't happen until ipf rules were changed. The prior technique was ipfboot stop and ipfboot start. I changed this to ipfboot reload and it is much better. Before, it died every time, if not immediately then after a few days; now it has failed just once after many changes.
This is not surprising as a stop/start will probably dump your state table leaving existing connections orphaned.
> It looks like ipf was downloaded and installed as a precompiled package. Any suggestions / opinions on upgrading ipfilter on these systems? I'm currently reviewing the rules and to me, they are UGLY. Could cleaner rules help? They have very few KEEP STATE, maybe 500 entries and no grouping. From ipfstat, particularly for the pass out rules, few if any have a count other than 0.
I would think that no set of rules, no matter how ugly, should ever crash the firewall/kernel and cause what seems to be a data alignment error (i.e. accessing word values on non-word boundaries). This looks like a bug in IPF, and more knowledgeable people could probably guess which bug. I would hazard a guess that an upgrade to the latest IPF might be in order. But straightening out your rules is a good thing to do, regardless of whether it fixes your bug.

Joseph Tam <[EMAIL PROTECTED]>
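Added example, not part of the thread: a small Python audit over `ipfstat -hio`-style output (hit count first, then the rule text) that lists rules which have never matched and pass rules that lack `keep state`, the two things Len describes spotting by hand while reviewing ~500 rules. The sample output below is constructed for illustration, not taken from his systems.

```python
import re
from typing import NamedTuple

# Constructed sample in the shape of `ipfstat -hio` output: hit count, then the rule.
# Invented for this example; not output from any real host.
SAMPLE_IPFSTAT = """\
1523 pass in quick on hme0 proto tcp from any to 10.0.0.5/32 port = 22 keep state
0 pass in quick on hme0 proto tcp from any to 10.0.0.5/32 port = 23
0 pass out quick on hme0 proto udp from any to any port = 53
88 pass out quick on hme0 proto tcp from any to any keep state
0 block in log quick on hme0 from 192.168.0.0/16 to any
"""

class Rule(NamedTuple):
    hits: int
    action: str     # "pass" or "block"
    direction: str  # "in" or "out"
    text: str       # the rule as written, without the leading hit count

# Leading counter, then action and direction; anything else on the line is the rule body.
_LINE = re.compile(r"^\s*(\d+)\s+(pass|block)\s+(in|out)\b(.*)$")

def parse_ipfstat(output: str) -> list[Rule]:
    """Turn ipfstat -h style lines into Rule records; unrecognised lines are skipped."""
    rules = []
    for line in output.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        hits, action, direction, rest = m.groups()
        rules.append(Rule(int(hits), action, direction, f"{action} {direction}{rest}"))
    return rules

def unused_rules(rules: list[Rule]) -> list[Rule]:
    """Rules whose counter is still 0: candidates for removal or consolidation."""
    return [r for r in rules if r.hits == 0]

def stateless_pass_rules(rules: list[Rule]) -> list[Rule]:
    """pass rules without keep state, i.e. traffic allowed without a state entry."""
    return [r for r in rules if r.action == "pass" and "keep state" not in r.text]

if __name__ == "__main__":
    parsed = parse_ipfstat(SAMPLE_IPFSTAT)
    for r in unused_rules(parsed):
        print(f"never matched: {r.text}")
    for r in stateless_pass_rules(parsed):
        print(f"no keep state: {r.text}")
```

Feed it the real counters with `ipfstat -hio | python3 audit.py`-style redirection (reading stdin instead of the constant) before deciding which of the 500 rules to drop.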
