Re: ipfilter problems

From: Flemming Laugaard (none@flemming.laugaard--uni-c.dk.lh.bsd-dk.dk)
Date: Fri 20 Apr 2007 - 12:16:32 CEST


To: bsd-dk@bsd-dk.dk


> Hi list,
>
> I have a firewall at a customer's site, which is a FreeBSD 6.2-STABLE.
>
> It keeps "stopping" letting traffic in/out after a few days of
> normal operation.
> When it "stops", the log looks like this:
> ------- cut ----------
> Apr 4 17:15:04 dk-server ipmon[380]: 17:15:04.437901 xl0 @0:153 b
> 158.222.94.229,46712 -> 10.0.0.52,2999 PR tcp len 20 40 -AR IN NAT
> Apr 4 17:15:04 dk-server ipmon[380]: 17:15:04.508066 xl0 @0:153 b
> 24.218.96.10,443 -> 10.0.0.52,2996 PR tcp len 20 64 -AS IN NAT
> Apr 4 17:15:04 dk-server ipmon[380]: 17:15:04.661514 xl0 @0:153 b
> 24.218.96.10,443 -> 10.0.0.52,2996 PR tcp len 20 52 -A IN NAT
> Apr 4 17:15:04 dk-server ipmon[380]: 17:15:04.666647 xl0 @0:153 b
> 75.67.83.9,54266 -> 10.0.0.52,3000 PR tcp len 20 64 -AS IN NAT
> Apr 4 17:15:04 dk-server ipmon[380]: 17:15:04.877866 xl0 @0:153 b
> 82.165.134.179,80 -> 10.0.0.52,2997 PR tcp len 20 44 -AS IN NAT
> Apr 4 17:15:05 dk-server ipmon[380]: 17:15:05.535455 xl0 @0:153 b
> 71.226.83.208,45632 -> 10.0.0.52,2998 PR tcp len 20 64 -AS IN NAT
> Apr 4 17:15:05 dk-server ipmon[380]: 17:15:05.614232 xl0 @0:153 b
> 71.226.83.208,45632 -> 10.0.0.52,2998 PR tcp len 20 52 -A IN NAT
> Apr 4 17:15:05 dk-server ipmon[380]: 17:15:05.777022 xl0 @0:153 b
> 72.19.110.220,28828 -> 10.0.0.52,3001 PR tcp len 20 64 -AS IN NAT
> Apr 4 17:15:06 dk-server ipmon[380]: 17:15:06.210838 xl0 @0:153 b
> 65.189.183.69,23263 -> 10.0.0.52,3005 PR tcp len 20 64 -AS IN NAT
> ------- cut ----------
>
> LAN = 10.0.0.0/24
> Everything is allowed outbound.
>
> If I then run
> /etc/rc.d/ipfilter restart
> /etc/rc.d/ipnat restart
> and my script that sets up the rules, everything is perfect again for
> another variable length of time. It can be anywhere from 4-5 hours to 5-6 days.
>
> In the failure state it also blocks traffic that is allowed according to the
> rule set, even when it is not supposed to be NAT'ed.
>
> I'm a bit out of ideas, since I have built at least 10 firewalls from the
> same "recipe", and this is the only one I have problems with.
> I have already tried upgrading both kernel and userland, but it didn't
> help.
>
> --
> Best regards,
>
>
> Henrik Woffinden
>
>

Hi Henrik

It sounds like ipf is running out of resources. I have run into that myself;
the solution was to adjust IPSTATE_MAX and IPSTATE_SIZE.

Have you looked at http://www.phildev.net/ipf/IPFsolaris.html?
See here:

*
* ipf: adjust the default tcp timeouts downward so that
* idle (dead) and half closed states get killed off quicker.
set ipf:fr_tcpidletimeout = 172800
set ipf:fr_tcphalfclosed = 7200
*
* ipf: adjust the state table sizes so we have enough buckets.
* IPSTATE_MAX (=fr_statemax) should be ~70% of IPSTATE_SIZE
* IPSTATE_SIZE (=fr_statesize) has to be a prime number
set ipf:fr_statemax = 7000
set ipf:fr_statesize = 10009
*
* ipf: adjust the NAT table sizes so we have enough buckets.
* generally you have fewer than 127 rules in ipnat.conf
* so no need to waste memory for more.
set ipf:ipf_nattable_sz = 10009
set ipf:ipf_natrules_sz = 127
set ipf:ipf_rdrrules_sz = 127
*
* note that the timers run "2 ticks to a second", so
* for example, written below is the following:
* set ipf:fr_tcpidletimeout = 172800
* this sets the tcp idle connection timeout to
* (172800/2) / 3600 = 24 hours.

Regards,
 Flemming
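Two things from this thread are worth automating, shown here as an added example (my own Python, not code from the mail, from phildev.net or from ipfilter itself): a parser for the ipmon(8) lines quoted above that separates "orphaned replies" (blocked inbound TCP segments carrying ACK, i.e. return traffic ipf has lost state for) from ordinary blocked SYNs, plus a check of the state-table sizing rules in the quoted snippet. The log sample, the 60-75% tolerance band around the "~70%" rule and all function names are my own constructions.

```python
import re

# Constructed sample in ipmon(8) syslog format, modelled on the lines quoted above
# (one entry per line; the archive wrapped each over two). Last line: a plain SYN.
SAMPLE_LOG = """\
Apr  4 17:15:04 dk-server ipmon[380]: 17:15:04.508066 xl0 @0:153 b 24.218.96.10,443 -> 10.0.0.52,2996 PR tcp len 20 64 -AS IN NAT
Apr  4 17:15:04 dk-server ipmon[380]: 17:15:04.661514 xl0 @0:153 b 24.218.96.10,443 -> 10.0.0.52,2996 PR tcp len 20 52 -A IN NAT
Apr  4 17:15:05 dk-server ipmon[380]: 17:15:05.777022 xl0 @0:153 b 72.19.110.220,28828 -> 10.0.0.52,3001 PR tcp len 20 64 -AS IN NAT
Apr  4 17:15:07 dk-server ipmon[380]: 17:15:07.100000 xl0 @0:153 b 203.0.113.9,55555 -> 10.0.0.52,22 PR tcp len 20 60 -S IN
"""

IPMON_RE = re.compile(
    r"ipmon\[\d+\]: \S+ (?P<ifname>\S+) @(?P<rule>\S+) (?P<action>\S) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+) len \d+ \d+ (?:(?P<flags>-[A-Z]+) )?(?P<dir>IN|OUT)"
)

def parse_ipmon(line):
    """Split one ipmon line into its fields; None if the line is not one."""
    m = IPMON_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["flags"] = rec["flags"] or ""          # UDP/ICMP entries carry no flags
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def is_orphaned_reply(rec):
    """Blocked inbound TCP with ACK set claims to belong to an existing
    connection (the -AS / -A replies from port 443 above); hitting the block
    rule means ipf no longer holds state for it. A bare -S is just a new SYN."""
    return (rec["action"] == "b" and rec["dir"] == "IN"
            and rec["proto"] == "tcp" and "A" in rec["flags"])

def orphan_stats(log_text):
    """Return (orphaned replies, all blocked inbound entries) for a log."""
    recs = [r for r in map(parse_ipmon, log_text.splitlines())
            if r and r["action"] == "b" and r["dir"] == "IN"]
    return sum(map(is_orphaned_reply, recs)), len(recs)

def is_prime(n):
    return n >= 2 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def check_state_sizing(statemax, statesize):
    """Rules from the snippet: fr_statesize prime, fr_statemax ~70% of it."""
    return is_prime(statesize) and 0.6 <= statemax / statesize <= 0.75

def timeout_hours(ticks):
    """ipf timers run 2 ticks to the second: 172800 ticks -> 24 hours."""
    return ticks / 2 / 3600
```

A high orphan share in the blocked-inbound count, as in the quoted log where every blocked packet is a reply on an established session, is the pattern to alert on before clients notice the outage.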



This archive was generated by hypermail 2b30 : Mon 30 Apr 2007 - 23:00:02 CEST