issue with IPF firewall state tables
Murray Taylor
MTaylor at bytecraft.com.au
Mon Nov 7 04:53:05 UTC 2011
Back Story:
Old Server (X32 system, probably FreeBSD 4.3-ish)
New Server (Dual core, X64 with plenty of RAM) running 8.1-RELEASE
New Server was put in production last night as a core router, with
the same rc.conf, firewall rule set and config from the old router
that has been working for years.
At around 12 lunchtime we had reports of no internet connectivity.
I jumped onto the router and saw that it was blocking a whole
heap of internal-to-external DNS server traffic, along with other
would-be allowed traffic.
I promptly flushed the firewall ruleset with "ipf -Fa", and noted
that the rules did clear - the issue still existed.
I re-loaded the rule set, no change.
Upon restart, the router began to behave itself again...
I have been using "ipfstat -ts | grep active" to get a count of
state entries, and comparing to the 4013 default.
We are sitting on around 2000 state entries. I am aware I can
flush the state table, but until the router breaks itself again,
I cannot clear it.
Does this sound like a full state table? Am I using the best
method to check? Is there any form of notification that this
is happening anywhere?
--
Murray Taylor
Bytecraft Systems
Special Projects Engineer
P: +61 3 8710 0600
D: +61 3 9238 5168
F: +61 3 9238 5140
|_|0|_| "Absence of evidence
|_|_|0| is not evidence of absence"
|0|0|0| Carl Sagan
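The check described in the post (counting "active" entries in ipfstat output and comparing them against the 4013 default) can be turned into a threshold alert that logs to syslog. This is an added example, not from the original post or from IPFilter: it assumes the "active" line of `ipfstat -s` carries the live state count, assumes a ceiling of 4013 unless STATE_MAX is set, and feeds a constructed sample of ipfstat output instead of running the command.

```shell
#!/bin/sh
# Added example: estimate IPF state-table utilisation from `ipfstat -s`
# output and log a warning when it approaches the configured maximum.
# Assumptions (not from the original post): the "active" line holds the
# number of live state entries, and the ceiling is 4013 unless overridden.

STATE_MAX="${STATE_MAX:-4013}"   # default state-table size on the poster's box
WARN_PCT="${WARN_PCT:-80}"       # warn once utilisation reaches 80%

# Constructed sample of `ipfstat -s` output; in production use the output
# of `ipfstat -s 2>/dev/null` instead.
SAMPLE_STATS='IP states added:
	2000 TCP
	150 UDP
	12 ICMP
	3412 hits
	120 misses
	1900 bkts in use
	2162 active
	1040 expired
	530 closed'

# active_states: print the count on the first line containing "active"
active_states() {
    printf '%s\n' "$1" | awk '/active/ { print $1; exit }'
}

# state_pct: integer percentage of $1 entries relative to the ceiling $2
state_pct() {
    echo $(( $1 * 100 / $2 ))
}

# check_state_table: return 0 while below WARN_PCT, 1 once at or over it
check_state_table() {
    active=$(active_states "$1")
    pct=$(state_pct "$active" "$STATE_MAX")
    if [ "$pct" -ge "$WARN_PCT" ]; then
        msg="ipf state table ${pct}% full (${active}/${STATE_MAX} entries)"
        # syslog is the notification channel; fall back to stderr if logger is absent
        logger -p daemon.warning -t ipf-state "$msg" 2>/dev/null || echo "$msg" >&2
        return 1
    fi
    return 0
}

check_state_table "$SAMPLE_STATS"
```

Run it from cron every minute with the live `ipfstat -s` output substituted for SAMPLE_STATS, and the syslog line appears before the table fills rather than after connectivity is lost.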
More information about the freebsd-questions mailing list