IPF: Apparent packet duplication logged by IPF

2004-01-05 Thread bsd
Hi all. 

I am having a strange situation with IPF.  I am trying to log all passed 
packets (the log is passed to a third-party stats program for graphical 
analysis). 

The problem is that I see many packets apparently being duplicated in the 
ipmon.log.  The packet enters the firewall from the internal interface OK, 
but it appears to be transmitted out to the internet twice.  Conversely, 
there are often multiple inbound packets from the internet which become just 
one on the internal interface. 

See these two examples (beware of line-wrap):
1) Internet to LAN
09:30:00.508378 2x ed1 @0:21 P 196.35.72.139,443 -> 192.168.0.180,1277 PR tcp len 20 296 -AP K-S IN
09:30:00.509446 hdlc5 @0:21 P 196.35.72.139,443 -> 192.168.0.180,1277 PR tcp len 20 296 -AP K-S OUT

2) LAN to internet (168.209.221.66 is my NAT address)
09:30:00.616102 hdlc5 @0:21 P 192.168.0.180,1277 -> 196.35.72.139,443 PR tcp len 20 40 -A K-S IN
09:30:00.616188 ed1 @0:21 P 168.209.221.66,1277 -> 196.35.72.139,443 PR tcp len 20 40 -A K-S OUT
09:30:00.616275 ed1 @0:21 P 168.209.221.66,1277 -> 196.35.72.139,443 PR tcp len 20 40 -A K-S OUT

I don't believe the packets are ACTUALLY being resent twice, because the 
stats I have under MRTG indicate matching traffic volumes on the 
corresponding interfaces.  I suspect the issue has something to do with how 
IPF and IPMON log the packets.  But I'm not sure. 

Any help in understanding/fixing this would be greatly appreciated. 

Regards,
Patrick O'Reilly. 
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
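For anyone feeding ipmon output into a stats program the way the post above describes, the following parser is an added example (it is not from the thread, and not part of ipfilter). It reads the log format quoted above, honours the `Nx` prefix that ipmon prints when it collapses identical consecutive records into one line, flags records that look duplicated (same interface, direction and 5-tuple within a few milliseconds), and shows how per-interface byte totals change when such near-identical records are counted once. The de-duplication window is an assumed heuristic for cleaning up the stats feed, not an explanation of why the duplicates appear; the sample log is constructed from the two snippets in the post.

```python
import re
from collections import defaultdict

# Constructed sample: the two snippets from the post, with wrapped lines joined.
SAMPLE_LOG = """\
09:30:00.508378 2x ed1 @0:21 P 196.35.72.139,443 -> 192.168.0.180,1277 PR tcp len 20 296 -AP K-S IN
09:30:00.509446 hdlc5 @0:21 P 196.35.72.139,443 -> 192.168.0.180,1277 PR tcp len 20 296 -AP K-S OUT
09:30:00.616102 hdlc5 @0:21 P 192.168.0.180,1277 -> 196.35.72.139,443 PR tcp len 20 40 -A K-S IN
09:30:00.616188 ed1 @0:21 P 168.209.221.66,1277 -> 196.35.72.139,443 PR tcp len 20 40 -A K-S OUT
09:30:00.616275 ed1 @0:21 P 168.209.221.66,1277 -> 196.35.72.139,443 PR tcp len 20 40 -A K-S OUT
"""

# One ipmon "pass" record for TCP/UDP. Only the fields present in the post are parsed.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?:(?P<repeat>\d+)x\s+)?"                 # "Nx": ipmon's count of identical consecutive records
    r"(?P<iface>\S+)\s+@(?P<group>\d+):(?P<rule>\d+)\s+"
    r"(?P<action>[PBSLn])\s+"                   # P=pass, B=block, S=short, L=log, n=nomatch
    r"(?P<src>[\d.]+),(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+),(?P<dport>\d+)\s+"
    r"PR\s+(?P<proto>\w+)\s+len\s+(?P<hlen>\d+)\s+(?P<plen>\d+)"
    r"(?:\s+(?P<flags>-\S+))?"                  # TCP flags, e.g. -AP
    r"(?:\s+(?P<state>K-S))?"                   # keep-state marker
    r"\s+(?P<dir>IN|OUT)\s*$"
)


def parse_line(line):
    """Return a dict for one ipmon record, or None if the line is not in this format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    r = m.groupdict()
    h, mnt, s = r["ts"].split(":")
    r["t"] = int(h) * 3600 + int(mnt) * 60 + float(s)   # seconds since midnight
    r["repeat"] = int(r["repeat"]) if r["repeat"] else 1
    for k in ("sport", "dport", "hlen", "plen"):
        r[k] = int(r[k])
    return r


def parse_log(text):
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def flow_key(r):
    """Interface, direction and 5-tuple plus packet length: what a true duplicate would share."""
    return (r["iface"], r["dir"], r["proto"], r["src"], r["sport"], r["dst"], r["dport"], r["plen"])


def find_apparent_duplicates(records, window=0.01):
    """Flag flow keys logged more than once (counting Nx repeats) within `window` seconds."""
    by_key = defaultdict(list)
    for r in records:
        by_key[flow_key(r)].append(r)
    dups = []
    for key, rs in by_key.items():
        rs.sort(key=lambda r: r["t"])
        total = sum(r["repeat"] for r in rs if r["t"] - rs[0]["t"] <= window)
        if total > 1:
            dups.append((key, total))
    return dups


def byte_totals(records, dedupe_window=None):
    """Bytes per (iface, dir). With dedupe_window set, a record that repeats an
    identical flow key within the window is counted once (assumed stats workaround)."""
    totals = defaultdict(int)
    last_seen = {}
    for r in sorted(records, key=lambda r: r["t"]):
        key = flow_key(r)
        if dedupe_window is None:
            totals[(r["iface"], r["dir"])] += r["plen"] * r["repeat"]
            continue
        prev = last_seen.get(key)
        if prev is not None and r["t"] - prev <= dedupe_window:
            continue                                    # treat as the same packet logged again
        last_seen[key] = r["t"]
        totals[(r["iface"], r["dir"])] += r["plen"]
    return dict(totals)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for key, n in find_apparent_duplicates(recs):
        print("apparent duplicate x%d: %s" % (n, key))
    print("raw totals:    ", byte_totals(recs))
    print("deduped totals:", byte_totals(recs, dedupe_window=0.01))
```

On the sample, the raw totals show ed1 carrying twice the bytes of hdlc5 in each direction, which is exactly the mismatch the post describes; with the window applied the two interfaces agree, in line with the MRTG counters the post cites. The window should stay small (a few milliseconds), otherwise genuine TCP retransmissions of the same segment would be collapsed too.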


Re: Apparent packet duplication logged by IPF

2004-01-05 Thread Patrick O'Reilly
Thanks.

I am a little apprehensive about publishing my entire firewall ruleset on a
public list, as you can surely understand.  Especially since I am still
learning, and will probably show everyone some glaring holes which have not
yet closed...

Anyway, the entire ruleset does not have a single log directive:
---
root fox:~# ipfstat -nioh | grep log
root fox:~#
---
I have enabled global logging of accepted packets by 'ipf -l pass'.  Also,
as you can see in the extract I sent all the packets being logged are from
my rule #21, so I think that rules out duplication due to multiple rule
matches.  Rule 21 is for HTTPS traffic, and it does Keep State, as can be
seen in the log entries too.

As for nat, the only rule I have which affects 192.168.0.180 is this:
---
map ed1   from 192.168.0.0/16 to any -> 168.209.221.66/32
---
The result of this NAT rule can be seen in snip (2) included with my
original mail.

If this is not enough info I'll email you direct with more...

Thanks for your response.

Patrick.



- Original Message -
From: fbsd_user [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, January 05, 2004 3:40 PM
Subject: RE: Apparent packet duplication logged by IPF


 Kind of like asking someone to work in the dark.  You need to post
 your rules for both ipf & ipnat so people can compare the log
 results to the actual rules.

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of
 [EMAIL PROTECTED]
 Sent: Monday, January 05, 2004 3:00 AM
 To: FreeBSD Question List
 Subject: IPF: Apparent packet duplication logged by IPF