Hey there,
I have a couple of Solaris 8 boxes running IP Filter v3.4.20. Two days
ago both boxes suddenly stopped responding to traffic and only began
forwarding traffic again when ipfilter was restarted.
The ipf.conf files had not been modified and matched the output of
ipfstat -nih and ipfstat -noh when logging into the boxes via a
console port. It also appeared that no one had logged into the boxes at
the time this happened (approx. 11pm). For all intents and purposes, ipf
spontaneously started ignoring every rule after rule 3.
Has anyone else experienced this? I found it especially strange that
this happened simultaneously on two boxes while a third, also running
ipf (same version), was unaffected.
I've been through the changelogs up to the latest 3.4.x version and can
see no reference to a fix for this.
system based goodness and logs.
PS: I know the ruleset contains a number of redundant rules - we are
busy refining these at the moment :-)
[EMAIL PROTECTED]:/opt/ipf/bin# uname -a
SunOS sf1663 5.8 Generic_117350-31 sun4u sparc SUNW,Sun-Fire-V490
Output of ipfstat -noh and -nih (taken at the time of the incident):
[EMAIL PROTECTED]:/export/home/t922181# more ipfstat.out
0 @1 pass out quick on lo0 from any to any
677231 @2 block out log level local0.notice from any to any
0 @3 pass out quick on ce0 proto udp from 222.x.x.x/32 to any keep state keep frags
1716 @4 pass out quick on ce1 proto udp from 222.x.x.x/32 to any keep state keep frags
2 @5 pass out quick proto icmp from any to any keep state
11 @6 pass out quick on ce2 proto tcp/udp from any to any keep state keep frags
675502 @7 pass out quick on ce4 proto tcp/udp from any to any keep state keep frags
[EMAIL PROTECTED]:/export/home/t922181# cat ipfstat.in
0 @1 pass in quick on lo0 from any to any
0 @2 pass in quick on ce4 from 10.111.70.210/32 to 10.111.125.14/32
104476 @3 block in log level local0.notice from any to any
29 @4 pass in quick on ce4 proto tcp from any to 10.111.125.14/32 port = 22 flags S/FSRPAU keep state
0 @5 pass in quick on ce4 proto tcp from 10.111.70.0/24 to 10.111.125.14/32 port = 22 flags S/FSRPAU keep state
0 @6 pass in quick on ce2 proto tcp from any to any port = 22 flags S/FSRPAU keep state
0 @7 pass in quick on ce4 proto tcp from 192.168.143.0/24 to 10.111.125.14/32 port = 22 flags S/FSRPAU keep state
3 @8 pass in quick on ce4 proto tcp from 10.111.70.0/24 to 10.111.125.14/32 port = 80 flags S/FSRPAU keep state
1 @9 pass in quick on ce4 proto tcp from 10.111.70.0/24 to 10.111.125.14/32 port = 6100 flags S/FSRPAU keep state
1716 @10 pass in quick on ce0 proto udp from any to 222.x.x.x/32 port = 1645 keep state keep frags
0 @11 pass in quick on ce0 proto udp from any to 222.x.x.x/32 port = 1646 keep state keep frags
0 @12 pass in quick on ce4 proto udp from 10.111.64.215/32 to 10.111.125.14/32 port = 161 keep state keep frags
0 @13 pass in quick on ce4 proto udp from 10.111.64.217/32 to 10.111.125.14/32 port = 161 keep state keep frags
0 @14 pass in quick on ce4 proto udp from 146.x.x.x/32 to 10.111.125.14/32 port = 161 keep state keep frags
0 @15 pass in quick on ce4 proto udp from 192.168.0.17/32 to 10.111.125.14/32 port = 161 keep state keep frags
20418 @16 pass in quick on ce4 proto udp from 10.111.125.25/32 to 10.111.125.14/32 port = 161 keep state keep frags
0 @17 pass in quick on ce4 proto udp from 10.111.125.5/32 to 10.111.125.14/32 port = 161 keep state keep frags
0 @18 pass in quick on ce4 proto tcp from 192.168.143.0/24 to 10.111.125.14/32 port = 1521 flags S/FSRPAU keep state
12 @19 pass in quick on ce2 proto tcp from any to 222.x.x.x/32 port = 1521 flags S/FSRPAU keep state
0 @20 pass in quick on ce4 proto tcp from 146.x.x.x/32 to 10.111.125.14/32 port = 6389 flags S/FSRPAU keep state
0 @21 pass in quick on ce4 proto tcp from 146.x.x.x/32 to 10.111.125.14/32 port = 6389 flags S/FSRPAU keep state
12910 @22 pass in quick on ce4 proto tcp from 10.111.125.30/32 to 10.111.125.14/32 port = 6389 flags S/FSRPAU keep state
12898 @23 pass in quick on ce4 proto tcp from 10.111.125.31/32 to 10.111.125.14/32 port = 6389 flags S/FSRPAU keep state
0 @24 pass in quick on ce4 proto tcp from 192.168.143.166/32 to 10.111.125.14/32 port = 1827 flags S/FSRPAU keep state
5320 @25 pass in quick on ce4 proto tcp from 146.x.x.x/32 to 10.111.125.14/32 port = 10555 flags S/FSRPAU keep state
5318 @26 pass in quick on ce4 proto tcp from 146.x.x.x/32 to 10.111.125.14/32 port = 5798 flags S/FSRPAU keep state
11 @27 pass in quick on ce4 proto tcp from 146.x.x.x/32 to 10.111.125.14/32 port = 10555 flags S/FSRPAU keep state
0 @28 pass in quick on ce4 proto tcp from 146.x.x.x/32 to 10.111.125.14/32 port = 5798 flags S/FSRPAU keep state
0 @29 pass in quick on ce4 proto tcp from 146.x.x.x/32 to 10.111.125.14/32 port = 4105 flags S/FSRPAU keep state
0 @30 pass in quick on ce4 proto tcp from 146.x.x.x/32 to 10.111.125.14/32 port = 9990 flags S/FSRPAU keep state
0 @31 pass in quick on ce4 proto tcp from 146.x.x.x/32 to 10.111.125.14/32 port = 9991 flags S/FSRPAU keep state
0 @32 pass in quick on ce4 proto tcp from 146.x.x.x/32 to 10.111.125.14/32 port = 7774 flags S/FSRPAU keep state
0 @33 pass in quick on ce4 proto udp from 146.x.x.x/32 to 10.111.125.14/32 port = 4104 keep state keep frags
0 @34 pass in quick on ce4 proto udp from 146.x.x.x/32 to 10.111.125.14/32 port = 6665 keep state keep frags
0 @35 pass in quick on ce4 proto tcp from 192.x.x.x/32 to 10.111.125.14/32 port = 3742 keep state keep frags
0 @36 pass in quick proto icmp from any to any icmp-type echorep
0 @37 pass in quick proto icmp from any to any icmp-type unreach
2 @38 pass in quick proto icmp from any to any icmp-type echo
0 @39 pass in quick proto icmp from any to any icmp-type timex
0 @40 pass in quick on ce4 proto tcp/udp from any to any port = ntp keep state
0 @41 block in on ce0 proto tcp/udp from any to any port = ntp
0 @42 block in on ce1 proto tcp/udp from any to any port = ntp
0 @43 block in on ce2 proto tcp/udp from any to any port = ntp
0 @44 block in on lo0 proto tcp/udp from any to any port = ntp
And the log entries showing rule 3 being hit. (There are more of
these, but this shows packets arriving in on interface ce4 that should
match input rule 4 but appear to be captured by rule 3 instead.)
May 16 19:33:36 sf1663 ipmon[24840]: [ID 702911 local0.notice] 19:33:35.508436 ce4 @0:3 b 10.111.64.157,46461 -> 10.111.125.14,22 PR tcp len 20 40 -AF IN
May 16 19:34:36 sf1663 ipmon[24840]: [ID 702911 local0.notice] 19:34:35.512041 ce4 @0:3 b 10.111.64.157,46461 -> 10.111.125.14,22 PR tcp len 20 40 -AF IN
May 16 21:45:03 sf1663 ipmon[24840]: [ID 702911 local0.notice] 21:45:02.304607 ce4 @0:3 b 10.111.64.157,46488 -> 10.111.125.14,22 PR tcp len 20 40 -A IN
May 16 21:45:06 sf1663 ipmon[24840]: [ID 702911 local0.notice] 21:45:05.674580 ce4 @0:3 b 10.111.64.157,46488 -> 10.111.125.14,22 PR tcp len 20 40 -A IN
May 16 21:45:13 sf1663 ipmon[24840]: [ID 702911 local0.notice] 21:45:12.424512 ce4 @0:3 b 10.111.64.157,46488 -> 10.111.125.14,22 PR tcp len 20 40 -A IN
May 16 21:45:25 sf1663 ipmon[24840]: [ID 702911 local0.notice] 21:45:25.210058 ce4 @0:3 b 10.111.64.157,46488 -> 10.111.125.14,22 PR tcp len 20 40 -AF IN
May 16 21:45:26 sf1663 ipmon[24840]: [ID 702911 local0.notice] 21:45:25.924389 ce4 @0:3 b 10.111.64.157,46488 -> 10.111.125.14,22 PR tcp len 20 40 -A IN
May 16 21:45:29 sf1663 ipmon[24840]: [ID 702911 local0.notice] 21:45:28.570870 ce4 @0:3 b 10.111.64.157,46488 -> 10.111.125.14,22 PR tcp len 20 40 -AF IN
May 16 21:45:36 sf1663 ipmon[24840]: [ID 702911 local0.notice] 21:45:35.321240 ce4 @0:3 b 10.111.64.157,46488 -> 10.111.125.14,22 PR tcp len 20 40 -AF IN
May 16 21:45:49 sf1663 ipmon[24840]: [ID 702911 local0.notice] 21:45:48.822391 ce4 @0:3 b 10.111.64.157,46488 -> 10.111.125.14,22 PR tcp len 20 40 -AF IN
May 16 21:45:53 sf1663 ipmon[24840]: [ID 702911 local0.notice] 21:45:52.924464 ce4 @0:3 b 10.111.64.157,46488 -> 10.111.125.14,22 PR tcp len 20 40 -A IN
May 16 21:46:16 sf1663 ipmon[24840]: [ID 702911 local0.notice] 21:46:15.823839 ce4 @0:3 b 10.111.64.157,46488 -> 10.111.125.14,22 PR tcp len 20 40 -AF IN
May 16 21:47:10 sf1663 ipmon[24840]: [ID 702911 local0.notice] 21:47:09.827254 ce4 @0:3 b 10.111.64.157,46488 -> 10.111.125.14,22 PR tcp len 20 40 -AF IN
May 16 21:47:47 sf1663 ipmon[24840]: [ID 702911 local0.notice] 21:47:46.924356 ce4 @0:3 b 10.111.64.157,46488 -> 10.111.125.14,22 PR tcp len 20 40 -A IN
May 16 21:48:10 sf1663 ipmon[24840]: [ID 702911 local0.notice] 21:48:09.830665 ce4 @0:3 b 10.111.64.157,46488 -> 10.111.125.14,22 PR tcp len 20 40 -AF IN
May 16 21:49:10 sf1663 ipmon[24840]: [ID 702911 local0.notice] 21:49:09.834383 ce4 @0:3 b 10.111.64.157,46488 -> 10.111.125.14,22 PR tcp len 20 40 -AF IN
May 16 21:50:10 sf1663 ipmon[24840]: [ID 702911 local0.notice] 21:50:09.837934 ce4 @0:3 b 10.111.64.157,46488 -> 10.111.125.14,22 PR tcp len 20 40 -AF IN
May 16 21:51:10 sf1663 ipmon[24840]: [ID 702911 local0.notice] 21:51:09.841502 ce4 @0:3 b 10.111.64.157,46488 -> 10.111.125.14,22 PR tcp len 20 40 -AF IN
May 16 21:52:10 sf1663 ipmon[24840]: [ID 702911 local0.notice] 21:52:09.845085 ce4 @0:3 b 10.111.64.157,46488 -> 10.111.125.14,22 PR tcp len 20 40 -AF IN
May 16 21:53:10 sf1663 ipmon[24840]: [ID 702911 local0.notice] 21:53:09.848907 ce4 @0:3 b 10.111.64.157,46488 -> 10.111.125.14,22 PR tcp len 20 40 -AF IN
Any help on this would be appreciated :-)
Thanks,
--
Steve.
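One check worth running over those ipmon lines before reading them as "rule 4 was skipped". This is an added example by the editor, not code from the original post or from the IP Filter project. Every blocked packet quoted above carries -A or -AF in its flag field, never a bare -S. The input rules @4 through @9 are written with flags S/FSRPAU, so only a SYN-only segment can match them; a segment with ACK or FIN set can be passed only by an existing state-table entry, and a drop of such a segment at the catch-all block rule @3 is consistent with a missing or expired state entry rather than with the static rules being ignored. The script parses ipmon syslog records, separates drops that a SYN-only rule could ever have matched from drops that depended on the state table, and groups them per flow with first and last timestamps. Three sample lines are copied from the post; the two marked constructed are invented for contrast (a SYN to a port no rule covers, and a UDP packet with no flag field). The class names state-miss, rule-miss and non-tcp are my own labels.

```python
import re
from collections import Counter, defaultdict

# ipmon(8) record body, as it appears after the syslog prefix:
#   HH:MM:SS.usec iface @group:rule action src,sport -> dst,dport PR proto len hlen plen [-FLAGS] IN|OUT
# The flag field is only present for TCP; the regex makes it optional.
IPMON_RE = re.compile(
    r"(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<ifc>\S+)\s+@(?P<group>\d+):(?P<rule>\d+)\s+"
    r"(?P<action>[A-Za-z])\s+(?P<src>[\d.]+),(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+),(?P<dport>\d+)\s+"
    r"PR\s+(?P<proto>\w+)\s+len\s+(?P<hlen>\d+)\s+(?P<plen>\d+)"
    r"(?:\s+-(?P<flags>[A-Z]*))?\s+(?P<dir>IN|OUT)"
)

# Sample input: first three lines copied from the post, last two constructed for contrast.
SAMPLE_LOG = [
    "May 16 19:33:36 sf1663 ipmon[24840]: [ID 702911 local0.notice] 19:33:35.508436 ce4 @0:3 b 10.111.64.157,46461 -> 10.111.125.14,22 PR tcp len 20 40 -AF IN",
    "May 16 21:45:03 sf1663 ipmon[24840]: [ID 702911 local0.notice] 21:45:02.304607 ce4 @0:3 b 10.111.64.157,46488 -> 10.111.125.14,22 PR tcp len 20 40 -A IN",
    "May 16 21:45:25 sf1663 ipmon[24840]: [ID 702911 local0.notice] 21:45:25.210058 ce4 @0:3 b 10.111.64.157,46488 -> 10.111.125.14,22 PR tcp len 20 40 -AF IN",
    # constructed: a fresh SYN to a port no pass rule covers, a genuine rule miss
    "May 16 21:50:00 sf1663 ipmon[24840]: [ID 702911 local0.notice] 21:49:59.000000 ce4 @0:3 b 10.111.70.9,40001 -> 10.111.125.14,23 PR tcp len 20 60 -S IN",
    # constructed: UDP record, no flag field at all
    "May 16 21:50:01 sf1663 ipmon[24840]: [ID 702911 local0.notice] 21:50:00.500000 ce4 @0:3 b 10.111.64.215,1030 -> 10.111.125.14,162 PR udp len 20 80 IN",
]


def parse_ipmon(line):
    """Parse one syslog line carrying an ipmon record; return a dict, or None if it is not one."""
    m = IPMON_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["flags"] = rec["flags"] or ""  # non-TCP records have no flag field
    for key in ("group", "rule", "sport", "dport", "hlen", "plen"):
        rec[key] = int(rec[key])
    return rec


def classify(rec):
    """Could a rule written 'flags S/FSRPAU keep state' ever have matched this packet?

    rule-miss : TCP SYN without ACK; the static rules were consulted and none passed it.
    state-miss: TCP segment with ACK/FIN/RST set; only a state-table entry could have
                passed it, so the drop implicates the state table, not the rule order.
    non-tcp   : no flag field, so no SYN-only rule is involved.
    """
    if rec["proto"] != "tcp":
        return "non-tcp"
    flags = rec["flags"]
    if "S" in flags and "A" not in flags:
        return "rule-miss"
    return "state-miss"


def summarize(lines):
    """Count blocked records per class and aggregate them per 4-tuple flow."""
    classes = Counter()
    flows = defaultdict(lambda: {"count": 0, "first": None, "last": None, "flags": set()})
    for line in lines:
        rec = parse_ipmon(line)
        if rec is None or rec["action"] != "b":  # only blocked packets are of interest
            continue
        classes[classify(rec)] += 1
        flow = flows[(rec["src"], rec["sport"], rec["dst"], rec["dport"])]
        flow["count"] += 1
        flow["first"] = flow["first"] or rec["ts"]
        flow["last"] = rec["ts"]
        flow["flags"].add(rec["flags"])
    return classes, dict(flows)


if __name__ == "__main__":
    classes, flows = summarize(SAMPLE_LOG)
    print(dict(classes))
    for key, flow in flows.items():
        print(key, flow["count"], flow["first"], flow["last"], sorted(flow["flags"]))
```

On the affected box, feed the ipmon log file (or /var/adm/messages, if local0.notice goes there) to summarize(). If state-miss dominates, as it does for the lines quoted in the post, the next thing to compare between the two affected boxes and the unaffected third is the state-table statistics from ipfstat -s at the time of the incident, rather than the rule list, which ipfstat -nih already showed to be intact.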