We're running Solaris 10U8, with the latest ipfilter patch. We're having a problem where inbound connections that should be allowed by a stateful rule are being dropped.
For example:

Apr 12 16:31:53 kyle ipmon[117]: [ID 702911 local0.warning] 16:31:53.771244 e1000g0 @20:10 b 134.71.247.49,712 -> 134.71.247.14,2049 PR tcp len 20 60 -S IN

This blocked SYN packet shows it was blocked by rule 20:10:

@10 pass in quick proto tcp from 134.71.0.0/16 to any port = nfsd flags S/SA keep state group 20

This packet should have been passed by this rule, not blocked. I have an open SR with Sun, and based on a non-zero value for lost inbound state:

packet state(in): kept 1213044 lost 1317

they're saying the problem is caused by the state table filling up and advise increasing the size of the state table. We did so:

fr_statemax min 0x1 max 0x7fffffff current 72901
fr_statesize min 0x1 max 0x7fffffff current 104147

But we're still seeing the problem. I started logging the size of the state table every minute, and it would appear it's nowhere near full. The state table only had about 300 entries when the above packet was dropped. Sun wants me to keep increasing the size of the state table. This doesn't make much sense to me.
I started logging the number of lost inbound states in addition to the size of the state table:

04/12/10-16:37 227 in use lost 1312
04/12/10-16:38 225 in use lost 1312
04/12/10-16:39 261 in use lost 1312
04/12/10-16:40 264 in use lost 1312
04/12/10-16:41 286 in use lost 1313
04/12/10-16:42 274 in use lost 1313
04/12/10-16:43 177 in use lost 1313
04/12/10-16:44 272 in use lost 1313
04/12/10-16:45 270 in use lost 1313
04/12/10-16:46 242 in use lost 1314
04/12/10-16:47 335 in use lost 1314
04/12/10-16:48 363 in use lost 1314
04/12/10-16:49 308 in use lost 1314
04/12/10-16:50 296 in use lost 1314
04/12/10-16:51 307 in use lost 1314
04/12/10-16:52 255 in use lost 1314
04/12/10-16:53 264 in use lost 1314
04/12/10-16:54 254 in use lost 1314
04/12/10-16:55 285 in use lost 1314
04/12/10-16:56 274 in use lost 1314
04/12/10-16:57 209 in use lost 1314
04/12/10-16:58 324 in use lost 1315
04/12/10-16:59 292 in use lost 1315
04/12/10-17:00 212 in use lost 1315
04/12/10-17:01 279 in use lost 1315
04/12/10-17:02 249 in use lost 1316
04/12/10-17:03 256 in use lost 1316
04/12/10-17:04 275 in use lost 1316
04/12/10-17:05 205 in use lost 1316
04/12/10-17:06 158 in use lost 1316

Even with a number of states that's only a tiny fraction of the state table size, the lost count is increasing. The increase between 17:01 and 17:02 seems to be from this:

Apr 12 17:01:38 kyle ipmon[117]: [ID 702911 local0.warning] 17:01:38.365279 e1000g0 @20:11 b 134.71.247.42,52374 -> 134.71.247.14,80 PR tcp len 20 60 -S IN

which should have been passed:

@11 pass in quick proto tcp from 134.71.247.0/24 to any port = 80 flags S/SA keep state group 20

Any idea what's going on or how to fix it? Thanks...

-- 
Paul B. Henson | (909) 979-6361 | http://www.csupomona.edu/~henson/
Operating Systems and Network Analyst | [email protected]
California State Polytechnic University | Pomona CA 91768
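The correlation the poster does by hand (matching each increment of the "lost" counter to the ipmon block logged in that minute) can be automated. The script below is an added example, not part of the original post or of ipfilter; it parses the ipmon block lines and the per-minute "in use / lost" samples in the formats shown above, and for every interval where "lost" grew it lists the blocked packets ipmon logged in that window, so that blocks hitting a "pass ... keep state" rule show up next to the counter they inflated. The sample input is a constructed subset of the lines quoted in the post.

```python
import re

# ipmon block/pass line (syslog header is skipped by search) and the poster's
# per-minute "MM/DD/YY-HH:MM <n> in use lost <m>" sample line.
IPMON_RE = re.compile(
    r"(?P<ts>\d\d:\d\d:\d\d)\.\d+ (?P<ifname>\S+) @(?P<group>\d+):(?P<rule>\d+) "
    r"(?P<action>[bp]) (?P<src>\S+) -> (?P<dst>\S+) PR (?P<proto>\w+)"
)
STATE_RE = re.compile(r"^\d\d/\d\d/\d\d-(?P<ts>\d\d:\d\d) (?P<inuse>\d+) in use lost (?P<lost>\d+)")

def _secs(hhmm):
    """Convert HH:MM or HH:MM:SS to seconds since midnight."""
    p = [int(x) for x in hhmm.split(":")] + [0]
    return p[0] * 3600 + p[1] * 60 + p[2]

def parse_ipmon(lines):
    """Return only blocked-packet events (action 'b') with a numeric timestamp."""
    events = []
    for line in lines:
        m = IPMON_RE.search(line)
        if m and m["action"] == "b":
            events.append({"t": _secs(m["ts"]), "rule": f"{m['group']}:{m['rule']}",
                           "src": m["src"], "dst": m["dst"], "proto": m["proto"]})
    return events

def parse_state_log(lines):
    """Return (seconds, in_use, lost) samples in file order."""
    out = []
    for line in lines:
        m = STATE_RE.match(line)
        if m:
            out.append((_secs(m["ts"]), int(m["inuse"]), int(m["lost"])))
    return out

def correlate(events, samples):
    """For each sampling interval where 'lost' grew, collect the blocks logged in it."""
    findings = []
    for (t0, _, lost0), (t1, inuse1, lost1) in zip(samples, samples[1:]):
        if lost1 > lost0:
            hits = [e for e in events if t0 <= e["t"] < t1]
            findings.append({"window": (t0, t1), "lost_delta": lost1 - lost0,
                             "in_use": inuse1, "blocked": hits})
    return findings

# Constructed sample: the two ipmon lines and four state samples quoted in the post.
IPMON_SAMPLE = [
    "Apr 12 16:31:53 kyle ipmon[117]: [ID 702911 local0.warning] 16:31:53.771244 e1000g0 @20:10 b 134.71.247.49,712 -> 134.71.247.14,2049 PR tcp len 20 60 -S IN",
    "Apr 12 17:01:38 kyle ipmon[117]: [ID 702911 local0.warning] 17:01:38.365279 e1000g0 @20:11 b 134.71.247.42,52374 -> 134.71.247.14,80 PR tcp len 20 60 -S IN",
]
STATE_SAMPLE = ["04/12/10-17:00 212 in use lost 1315", "04/12/10-17:01 279 in use lost 1315",
                "04/12/10-17:02 249 in use lost 1316", "04/12/10-17:03 256 in use lost 1316"]

if __name__ == "__main__":
    for f in correlate(parse_ipmon(IPMON_SAMPLE), parse_state_log(STATE_SAMPLE)):
        print(f)
```

Feed it the full ipmon log and the whole minute-by-minute file; any interval whose "lost" delta exceeds the number of blocks found in it points at drops that ipmon did not log (or that fall outside the sampling granularity).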
