issue with IPF firewall state tables

Murray Taylor MTaylor at
Mon Nov 7 04:53:05 UTC 2011

Back Story:

Old Server (X32 system, probably FreeBSD 4.3-ish) 
New Server (Dual core, X64 with plenty of RAM) running 8.1-RELEASE

New Server was put in production last night as a core router, with 
the same rc.conf, firewall rule set and config from the old router 
that has been working for years.

At around 12 Lunchtime we had reports of no internet connectivity, 
I've jumped onto the router and seen that it is blocking a whole 
heap of internal to external DNS server traffic, along with other 
would-be allowed traffic.

I promptly flushed the firewall ruleset with "ipf -Fa", and noted 
that the rules did clear, but the issue still existed.
I re-loaded the rule set, no change.
Upon restart, the router began to behave itself again...

I have been using "ipfstat -ts | grep active" to get a count of 
state entries, and comparing to the 4013 default.

We are sitting on around ~2000 state entries. I am aware I can 
flush the state table, but until the router breaks itself again, 
I cannot clear it.

Does this sound like a full state table? Am I using the best 
method to check? Is there any form of notification that this 
is happening anywhere?

Murray Taylor
Bytecraft Systems
Special Projects Engineer

P: +61 3 8710 0600
D: +61 3 9238 5168
F: +61 3 9238 5140

 |_|0|_|        "Absence of evidence
 |_|_|0|        is not evidence of absence"
 |0|0|0|        Carl Sagan

More information about the freebsd-questions mailing list
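
The check described in the message (count the active state entries and compare them to the 4013 limit), written as a script that can run from cron. This is an added example, not part of the original post. It assumes the statistics appear as "<number> <label>" lines, that the "maximum" counter records state additions refused because the table was full, and a hypothetical 80% warning threshold; the sample input is constructed.

```shell
#!/bin/sh
# Added example: classify IPF state-table usage from `ipfstat -s` style text.
# Assumption: counters appear as "<number> <label>" lines, e.g. "2011 active".

STATE_LIMIT=4013   # state table limit quoted in the post
WARN_PCT=80        # hypothetical warning threshold (percent of limit)

# Reads statistics text on stdin.
# Prints "<status> active=N limit=L pct=P max_hits=M".
# Exit status: 0 OK, 1 WARN, 2 CRIT, 3 UNKNOWN.
check_state_table() {
    awk -v limit="${1:-$STATE_LIMIT}" -v warn="${2:-$WARN_PCT}" '
        # Exact two-field match so "0 maximum rule references" is ignored.
        NF == 2 && $2 == "active"  { active = $1; seen = 1 }
        # Assumed meaning: additions refused because the table was full.
        NF == 2 && $2 == "maximum" { maxhits = $1 }
        END {
            if (!seen) { print "UNKNOWN no active counter found"; exit 3 }
            pct = int(active * 100 / limit)
            status = "OK"; code = 0
            if (pct >= warn) { status = "WARN"; code = 1 }
            # A non-zero refusal counter matters even when the table has
            # drained again by the time someone looks at it.
            if (active >= limit || maxhits > 0) { status = "CRIT"; code = 2 }
            printf "%s active=%d limit=%d pct=%d max_hits=%d\n",
                   status, active, limit, pct, maxhits
            exit code
        }'
}

# Constructed sample input (not captured from a real router).
sample_stats() {
    printf '\t%s\n' '1520 hits' '310 misses' '0 maximum rule references' \
        '0 maximum' '0 no memory' '2011 active' '5120 expired'
}

# Demonstration on the constructed sample; on a live system use:
#   ipfstat -s | check_state_table
sample_stats | check_state_table
```
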