Ipf problem

Jacob S stormspotter at 6Texans.net
Tue Jan 10 12:07:06 PST 2006


On Fri, Jan 06, 2006 at 04:05:14PM +0200, Giorgos Keramidas wrote:
> On 2006-01-06 00:17, Jacob S <stormspotter at 6Texans.net> wrote:
> > Hello list,
> >
> > I'm having a problem setting up ipf on a FreeBSD server and can't
> > figure out where I'm going wrong. I copied my ipf.rules file from
> > another server I have where ipf is working great. But after I
> > customized the rules to this server it is filling /var/log/messages
> > with lines like the following:
> >
> > Jan  4 15:15:21 pikeman ipmon[222]: 15:15:21.465822 2x em0 @0:33 b 198.32.64.12,53 -> 65.19.150.68,62097 PR udp len 20 314 IN
> > Jan  4 15:15:21 pikeman ipmon[222]: 15:15:21.492578 em0 @0:33 b 216.200.145.35,25 -> 65.19.150.68,57210 PR tcp len 20 60 -AS IN
> > Jan  4 15:15:21 pikeman ipmon[222]: 15:15:21.505821 em0 @0:33 b 205.188.156.249,25 -> 65.19.150.68,57209 PR tcp len 20 48 -AS IN

<snip>

> The blocked packets fall through the chain of rules and end up in rule
> 0:33 (0 = incoming, 33 = block in log first quick on em0 all).
> 
> > The lines scroll by faster than I can read them, if I tail the logfile.
> > The blocked packets in this case are coming from standard ports to
> > non-standard ports. Doing a reverse lookup on the ips, it would seem
> > that my server has initiated the transfer and the other servers are
> > simply replying. (I deduce that from the blocked ips because they belong
> > to hostnames that I would not expect to be flooding my server. Namely,
> > the first ip is for l.root-servers.net.)
> 
> This seems to be an issue with the timeout of rule states.  What do you
> see if you run...
> 
>     $ sysctl -a | fgrep ipf.
> 
> it should be something like:
> 
>     net.inet.ipf.fr_minttl: 4
>     net.inet.ipf.fr_chksrc: 0
>     net.inet.ipf.fr_defaultauthage: 600
>     net.inet.ipf.fr_authused: 0
>     net.inet.ipf.fr_authsize: 32
>     net.inet.ipf.ipf_hostmap_sz: 2047
>     net.inet.ipf.ipf_rdrrules_sz: 127
>     net.inet.ipf.ipf_natrules_sz: 127
>     net.inet.ipf.ipf_nattable_sz: 2047
>     net.inet.ipf.fr_statemax: 4013
>     net.inet.ipf.fr_statesize: 5737
>     net.inet.ipf.fr_running: 1
>     net.inet.ipf.fr_ipfrttl: 120
>     net.inet.ipf.fr_defnatage: 1200
>     net.inet.ipf.fr_icmptimeout: 120
>     net.inet.ipf.fr_udpacktimeout: 24
>     net.inet.ipf.fr_udptimeout: 240
>     net.inet.ipf.fr_tcpclosed: 120
>     net.inet.ipf.fr_tcptimeout: 480
>     net.inet.ipf.fr_tcplastack: 480
>     net.inet.ipf.fr_tcpclosewait: 480
>     net.inet.ipf.fr_tcphalfclosed: 14400
>     net.inet.ipf.fr_tcpidletimeout: 864000
>     net.inet.ipf.fr_active: 0
>     net.inet.ipf.fr_pass: 134217730
>     net.inet.ipf.fr_flags: 0

sysctl -a | fgrep ipf shows this on the problem server:

net.inet.ipf.fr_flags: 0
net.inet.ipf.fr_pass: 514
net.inet.ipf.fr_active: 0
net.inet.ipf.fr_tcpidletimeout: 864000
net.inet.ipf.fr_tcpclosewait: 480
net.inet.ipf.fr_tcplastack: 480
net.inet.ipf.fr_tcptimeout: 480
net.inet.ipf.fr_tcpclosed: 120
net.inet.ipf.fr_tcphalfclosed: 14400
net.inet.ipf.fr_udptimeout: 240
net.inet.ipf.fr_udpacktimeout: 24
net.inet.ipf.fr_icmptimeout: 120
net.inet.ipf.fr_icmpacktimeout: 12
net.inet.ipf.fr_defnatage: 1200
net.inet.ipf.fr_ipfrttl: 120
net.inet.ipf.ipl_unreach: 13
net.inet.ipf.fr_running: 1
net.inet.ipf.fr_authsize: 32
net.inet.ipf.fr_authused: 0
net.inet.ipf.fr_defaultauthage: 600
net.inet.ipf.fr_chksrc: 0
net.inet.ipf.ippr_ftp_pasvonly: 0
net.inet.ipf.fr_minttl: 3
net.inet.ipf.fr_minttllog: 1
net.link.ether.ipfw: 0

Incidentally, the server I copied my ipf.rules file from has an
identical output from sysctl -a | fgrep ipf.

Any more thoughts or tips?

Thanks,
Jacob

-- 
GnuPG Key: 1024D/16377135

Random .signature #19:
Computers are like air conditioners -- they stop working properly if you
open Windows
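As an added example (not from the thread or from the ipfilter project), a small parser for ipmon(8) lines in the shape quoted above that separates blocked inbound packets that look like replies to connections the host itself opened (the expired-state symptom Giorgos describes) from genuinely unsolicited inbound packets. The log lines, hostnames and addresses below are constructed samples, and the well-known/ephemeral port split is a heuristic assumption.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed ipmon(8) output in the format seen in the thread (sample values,
# not the poster's real log). The "2x" token is ipmon's repeat count.
SAMPLE_LOG = """\
Jan  4 15:15:21 pikeman ipmon[222]: 15:15:21.465822 2x em0 @0:33 b 198.32.64.12,53 -> 65.19.150.68,62097 PR udp len 20 314 IN
Jan  4 15:15:21 pikeman ipmon[222]: 15:15:21.492578 em0 @0:33 b 216.200.145.35,25 -> 65.19.150.68,57210 PR tcp len 20 60 -AS IN
Jan  4 15:15:21 pikeman ipmon[222]: 15:15:21.505821 em0 @0:33 b 205.188.156.249,25 -> 65.19.150.68,57209 PR tcp len 20 48 -AS IN
Jan  4 15:15:22 pikeman ipmon[222]: 15:15:22.101010 em0 @0:33 b 10.0.0.5,4444 -> 65.19.150.68,22 PR tcp len 20 60 -S IN
"""

LINE_RE = re.compile(
    r"ipmon\[\d+\]: (?P<ts>\S+) (?:(?P<count>\d+)x )?(?P<ifname>\S+) "
    r"@(?P<group>\d+):(?P<rule>\d+) (?P<action>[bp]) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+) len \d+ \d+(?: (?P<flags>-\S+))? (?P<dir>IN|OUT)"
)

@dataclass
class Block:
    rule: str; action: str; src: str; sport: int; dst: str; dport: int
    proto: str; flags: str; direction: str; count: int

def parse_ipmon(text: str) -> List[Block]:
    """Parse packet-log lines; lines in another ipmon shape (NAT, state) are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        out.append(Block(m["group"] + ":" + m["rule"], m["action"], m["src"],
                         int(m["sport"]), m["dst"], int(m["dport"]), m["proto"],
                         m["flags"] or "", m["dir"], int(m["count"] or 1)))
    return out

def looks_like_reply(b: Block) -> bool:
    """Heuristic (assumption): inbound, from a well-known service port to an
    ephemeral port; for TCP the ACK bit must be set, so a bare SYN does not count."""
    if b.direction != "IN" or b.sport >= 1024 or b.dport < 1024:
        return False
    return "A" in b.flags if b.proto == "tcp" else True

def summarize(text: str) -> Dict[str, int]:
    """Count blocked packets (weighted by repeat count) by category."""
    counts = {"likely_reply": 0, "unsolicited": 0}
    for b in parse_ipmon(text):
        if b.action != "b":
            continue
        counts["likely_reply" if looks_like_reply(b) else "unsolicited"] += b.count
    return counts
```

A large likely_reply share for a block rule such as @0:33 is the signature of return traffic that no longer matches a state entry, which is what to check before touching the fr_*timeout sysctls.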