[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: port blocking? oracle problem? Other?
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: port blocking? oracle problem? Other?
- From: Matt Simonsen <matt_(_at_)_careercast_(_dot_)_com>
- Date: Fri, 15 Feb 2002 21:07:32 -0800
- Cc: john abbott <john_(_dot_)_abbott_(_at_)_pca_(_dot_)_state_(_dot_)_mn_(_dot_)_us>
- Reply-to: matt_(_at_)_careercast_(_dot_)_com
The maximum tells you the state table is definatly filling - this is bad and
results in the packets being blocked.
I'd guess something is wrong in your rules, unless you are pushing a pretty
good deal of traffic through it - in which case you may need to recompile
with a higher max states setting.
But I would only do that after you are totally sure your rules are
perfect.... One thing to consider, you may be keeping state on packets that
are not the first of the session - IPF doesn't like this.
On Friday 15 February 2002 06:21 pm, john abbott wrote:
> Whoa, when I do a ipfstat -s, what I get is thousands and thousands of:
> 192.168.1.18 -> 184.108.40.206 ttl 844551 pass 0x1006 pr 6 state 4/4
> pkts 9 bytes 1820 80 -> 53747 f85dcf3f:5862bc8c
> pass out keep state
> pkt_flags & 2(b2) = b, pkt_options & ffffffff = 0
> pkt_security & ffff = 0, pkt_auth & ffff = 0
> interfaces: in fxp1[0xe084c23c] out fxp0[0xe084c63c]
> and similar. but if I grep it for maximum I get:
> webwall# ipfstat -s | grep maximum
> 108864 maximum
> This is a firewall that has been up for... oh, about an hour --and is
> blocking port 53 and 1521 again. I guess I will have to look at my rule
> set. I thought I had to maintain state for all outgoing packets to have
> it be quicker? Maybe this speed issue is not as important as the state
> On Fri, 2002-02-15 at 18:48, Matt Simonsen wrote:
> > On Friday 15 February 2002 04:36 pm, john abbott wrote:
> > > Is there anything I can do about this? More RAM, more HD more
> > > processor? I think I only maintain state on outgoing stuff. Is there
> > > a way I can tell if this is [about to] happening?
> > What do you get for ipfstat -s for "maximum"? if it's not 0, especially
> > if it's growing regulrly (ours is 6 on a firewall that's been up 3
> > months) then your state table is filling up.
> > Then it's determining why it's growing.... if the rules are correct (and
> > I suspect they may not be, especially the pass out tcp/udp keep state)
> > you'd need to recompile IPFilter with a higher max state option. Keeping
> > state incorrectly can also cause the table to fill up.
> > Matt