ipf firewall, dropping connections
phantomcircuit
phantomcircuit at covertinferno.org
Mon Oct 26 11:08:14 UTC 2009
I'm guessing you have kernel tuning issues that have nothing to do with
the firewall.
http://www.freebsd.org/doc/en/books/handbook/configtuning-kernel-limits.html
cknipe at savage.za.org wrote:
>
> Hi,
>
> I'm running 7.2 with IPFilter - main purpose is for a news server.
>
> Many established connections are just dropped and closed, it seems to
> be random, all allow rules are being affected. Any insight would be
> appreciated. The machine is under heavy usage, averaging around 150
> to 200 connections per second.
>
> [root at news ~]# ipfstat
> bad packets: in 0 out 0
> IPv6 packets: in 0 out 0
> input packets: blocked 22570422 passed 488309778 nomatch
> 146719580 counted 0 short 0
> output packets: blocked 21885 passed 507034679 nomatch
> 160765161 counted 0 short 0
> input packets logged: blocked 22570422 passed 0
> output packets logged: blocked 0 passed 0
> packets logged: input 0 output 0
> log failures: input 12571655 output 0
> fragment state(in): kept 0 lost 0 not fragmented 0
> fragment state(out): kept 0 lost 0 not fragmented 0
> packet state(in): kept 14100 lost 2770255
> packet state(out): kept 22966740 lost 8078847
> ICMP replies: 0 TCP RSTs sent: 0
> Invalid source(in): 0
> Result cache hits(in): 17487490 (out): 21607481
> IN Pullups succeeded: 9 failed: 0
> OUT Pullups succeeded: 1092 failed: 0
> Fastroute successes: 0 failures: 0
> TCP cksum fails(in): 0 (out): 0
> IPF Ticks: 325071
> Packet log flags set: (0)
> none
>
> [root at wa-cpt-news ~]# cat /etc/ipf.rules
> ###############################################################################
>
> ### Globals
> ###############################################################################
>
> block in log quick all with frags   # TCP Fragments
> block in log quick all with short   # Short Fragments
> block in log quick all with ipopts  # Invalid IP Options
>
> ###############################################################################
>
> ### Loopback Interface
> ###############################################################################
>
> pass in quick on lo0 from any to 127.0.0.0/8
> pass out quick on lo0 from 127.0.0.0/8 to any
>
> ###############################################################################
>
> ## em0 - Public NIC
> ###############################################################################
>
> # em0 - Outbound Traffic
> pass out quick on em0 from a.a.a.a to any keep state
> pass out quick on em0 from a.a.a.21 to any keep state
> pass out quick on em0 from a.a.a.22 to any keep state
> pass out quick on em0 from x.x.x.23 to any keep state
> pass out quick on em0 from x.x.x.24 to any keep state
> pass out quick on em0 from x.x.x.59.30 to any keep state
>
> pass in quick on em0 from 196.220.59.0/27 to a.a.a.a # Internal Network Traffic
> pass in quick on em0 proto icmp from any to a.a.a.a keep state # ICMP
> pass in quick on em0 proto tcp from x.220.63.238/32 to a.a.a.a port = 22 flags S keep state # SSH (Office Only)
> pass in quick on em0 proto tcp from x.220.63.33/32 to a.a.a.a port = 22 flags S keep state # SSH (Office Only)
> pass in quick on em0 proto tcp from x.220.32.228/32 to a.a.a.a port = 22 flags S keep state # SSH (Office Only)
> pass in quick on em0 proto tcp from x.220.42.29/32 to a.a.a.a port = 22 flags S keep state # SSH (Office Only)
> pass in quick on em0 proto tcp from any port = 53 to a.a.a.a # DNS (Responses)
> pass in quick on em0 proto udp from any port = 53 to a.a.a.a # DNS (Responses)
> pass in quick on em0 proto tcp from x.220.63.238/32 to a.a.a.a port = 80 # HTTP (Office Only)
> pass in quick on em0 proto tcp from x.220.63.33/32 to a.a.a.a port = 80 # HTTP (Office Only)
> pass in quick on em0 proto tcp from x.220.32.228/32 to a.a.a.a port = 80 # HTTP (Office Only)
> pass in quick on em0 proto tcp from x.220.42.29/32 to a.a.a.a port = 80 # HTTP (Office Only)
> pass in quick on em0 proto tcp from x.185.0.0/16 to a.a.a.a port = 119 # NNTP
> pass in quick on em0 proto tcp from x.211.26.0/24 to a.a.a.a port = 119 # NNTP
> pass in quick on em0 proto tcp from x.220.32.0/19 to a.a.a.a port = 119 # NNTP
> pass in quick on em0 proto tcp from x.220.63.238/32 to a.a.a.a port = 119 # NNTP
> pass in quick on em0 proto tcp from x.220.32.228/32 to a.a.a.a port = 119 # NNTP
> pass in quick on em0 proto tcp from x.220.63.33/32 to a.a.a.a port = 119 # NNTP
> pass in quick on em0 proto tcp from x.220.42.29/32 to a.a.a.a port = 119 # NNTP
> pass in quick on em0 proto udp from x.220.59.143/32 to a.a.a.a port = 161 # SNMP
> pass in quick on em0 proto udp from x.220.63.47/32 to a.a.a.a port = 161 # SNTP
> pass in quick on em0 proto udp from x.25.1.1 port = 123 to a.a.a.a # NTP
> pass in quick on em0 proto udp from x.25.1.9 port = 123 to a.a.a.a # NTP
>
> block in log quick on em0 # Deny Everything Else
>
>
> Normally, I would have flags S keep state for my TCP connections, but
> I figured the state tables are running full and therefore removed them.
> With or without flags S keep state, it makes no difference; connections
> (new, as well as existing) are being dropped.
>
> [root at news ~]# sysctl net.inet.ipf
> net.inet.ipf.fr_minttl: 4
> net.inet.ipf.fr_chksrc: 0
> net.inet.ipf.fr_defaultauthage: 600
> net.inet.ipf.fr_authused: 0
> net.inet.ipf.fr_authsize: 32
> net.inet.ipf.ipf_hostmap_sz: 2047
> net.inet.ipf.ipf_rdrrules_sz: 127
> net.inet.ipf.ipf_natrules_sz: 127
> net.inet.ipf.ipf_nattable_sz: 2047
> net.inet.ipf.fr_statemax: 4013
> net.inet.ipf.fr_statesize: 5737
> net.inet.ipf.fr_running: 1
> net.inet.ipf.fr_ipfrttl: 120
> net.inet.ipf.fr_defnatage: 1200
> net.inet.ipf.fr_icmptimeout: 120
> net.inet.ipf.fr_udpacktimeout: 24
> net.inet.ipf.fr_udptimeout: 240
> net.inet.ipf.fr_tcpclosed: 60
> net.inet.ipf.fr_tcptimeout: 480
> net.inet.ipf.fr_tcplastack: 60
> net.inet.ipf.fr_tcpclosewait: 480
> net.inet.ipf.fr_tcphalfclosed: 14400
> net.inet.ipf.fr_tcpidletimeout: 864000
> net.inet.ipf.fr_active: 0
> net.inet.ipf.fr_pass: 134217730
> net.inet.ipf.fr_flags: 0
>
> [root at news ~]# sockstat -4|wc -l
> 1175
>
> Any help much appreciated.
>
> Regards,
> Chris.
>
>
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
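As an added triage helper (not code from either poster), the figures quoted above can be checked for state-table saturation mechanically: the `ipfstat` "packet state" counters, `fr_statemax` and the `sockstat` count are parsed and compared. Assumptions: `lost` is taken to count state entries ipf failed to add (which a full table produces), ipf timeouts are in half-second ticks, and the 5 % loss threshold is an arbitrary choice.

```python
import re

# Constructed sample input: the ipfstat and sysctl lines quoted in the thread above.
IPFSTAT_SAMPLE = """\
packet state(in): kept 14100 lost 2770255
packet state(out): kept 22966740 lost 8078847
"""
SYSCTL_SAMPLE = """\
net.inet.ipf.fr_statemax: 4013
net.inet.ipf.fr_statesize: 5737
net.inet.ipf.fr_tcpidletimeout: 864000
"""
OPEN_SOCKETS = 1175  # from `sockstat -4 | wc -l` in the thread


def parse_ipfstat_state(text):
    """Return {'in': (kept, lost), 'out': (kept, lost)} from ipfstat output."""
    pat = r"packet state\((in|out)\): kept (\d+) lost (\d+)"
    return {d: (int(k), int(l)) for d, k, l in re.findall(pat, text)}


def parse_ipf_sysctl(text):
    """Return {oid: int} for every net.inet.ipf.* line of sysctl output."""
    return {k: int(v) for k, v in re.findall(r"(net\.inet\.ipf\.\S+): (\d+)", text)}


def lost_ratio(kept, lost):
    """Fraction of state additions that failed; 0.0 when there was no traffic."""
    total = kept + lost
    return lost / total if total else 0.0


def assess_state_table(state, sysctl, open_sockets, loss_threshold=0.05):
    """Return a list of findings pointing at IPFilter state-table exhaustion.

    Assumption (not stated on the page): 'lost' counts state entries ipf could
    not add, which is what happens once fr_statemax is reached.
    """
    findings = []
    statemax = sysctl["net.inet.ipf.fr_statemax"]
    for direction, (kept, lost) in state.items():
        r = lost_ratio(kept, lost)
        if r > loss_threshold:
            findings.append(f"{direction}: {r:.1%} of state additions lost")
    if open_sockets >= statemax:
        findings.append(f"open sockets {open_sockets} >= fr_statemax {statemax}")
    # ipf timeouts are in half-second ticks (see 'IPF Ticks'), so halve to get seconds
    idle_s = sysctl["net.inet.ipf.fr_tcpidletimeout"] // 2
    if idle_s > 86400:
        findings.append(f"fr_tcpidletimeout keeps idle TCP state for {idle_s // 86400} days")
    return findings
```

Run against the quoted numbers it reports about 99.5 % of inbound state additions lost against a 4013-entry table, which is the condition to rule out before looking at generic kernel limits.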