Darren Reed wrote:
> Can you identify where these packets go?

All those I'm interested in are coming from the same machine: they are
cascaded proxies. The one I'm having trouble with is the outside proxy.
The inside proxy is the one from which all connections come, a few of
those are blocked.
However, the same problem happens with many other web sites.

> pfil stats show anything?

Where do I find those on Solaris? kstat doesn't show anything?

It's loaded, that's for sure:
# ifconfig e1000g0 modlist
0 arp
1 ip
2 pfil
3 e1000g


> ipfstat?

Nothing obvious to me:

# ipfstat
bad packets:            in 0    out 0
 IPv6 packets:          in 0 out 0
 input packets:         blocked 5108 passed 3627735 nomatch 165 counted 0 short 0
output packets:         blocked 7533 passed 3512062 nomatch 2196 counted 0 short 0
 input packets logged:  blocked 5108 passed 30
output packets logged:  blocked 7526 passed 0
 packets logged:        input 0 output 0
 log failures:          input 21 output 4
fragment state(in):     kept 0  lost 0  not fragmented 0
fragment state(out):    kept 0  lost 0  not fragmented 0
packet state(in):       kept 121296     lost 240
packet state(out):      kept 71694      lost 201
ICMP replies:   0       TCP RSTs sent:  0
Invalid source(in):     0
Result cache hits(in):  121481  (out):  116016
IN Pullups succeeded:   255     failed: 0
OUT Pullups succeeded:  2       failed: 0
Fastroute successes:    0       failures:       0
TCP cksum fails(in):    0       (out):  0
IPF Ticks:      7348
Packet log flags set: (0)
        none

# ipfstat -s
IP states added:
        184708 TCP
        9650 UDP
        0 ICMP
        6223439 hits
        1037384 misses
        311 maximum
        0 no memory
        1021 bkts in use
        1190 active
        9582 expired
        183586 closed
State logging enabled

State table bucket statistics:
        1021 in use
        17.80% bucket usage
        0 minimal length
        4 maximal length
        1.166 average length

> netstat?

Since it's a proxy, a few thousand TIME_WAIT, all from the same
originating IP.

# netstat -an | grep 3128 | grep -v TIME_WAIT | wc -l
      94
# netstat -an | grep 3128 | grep TIME_WAIT | wc -l
    3187

The packets blocked are incoming (SYN on an authorized port w/ a "flags
S keep state" rule), or outgoing, on the same rule, so the state
should allow the outgoing packet.

Only a small percentage of those packets are blocked, though, just
enough to get time-outs on Internet access and annoy users. They're all
coming from the same box, and allowed by the same rule, so why only a few?

Laurent
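Added example, not part of the original thread: the `ipfstat` output above carries two counters that are easy to miss in the wall of numbers, the "lost" figures on the `packet state(in/out)` lines (a `keep state` rule matched but no state entry resulted) and the non-zero `log failures`. The small shell function below, written for this page, reads saved `ipfstat` output on stdin and prints only those non-zero counters, so a quick `ipfstat | ipf_lost_states` on the box tells you whether state creation is failing while the proxy is being hammered. The embedded sample is constructed from the figures quoted in the mail; the function name and output format are this example's own, not anything `ipfstat` provides.

```shell
#!/bin/sh
# Added example: flag ipfstat counters that point at state-table trouble.
# Not from the original mail; IPFSTAT_SAMPLE is constructed from the
# numbers quoted in it so the script runs offline.

IPFSTAT_SAMPLE='bad packets:            in 0    out 0
packet state(in):       kept 121296     lost 240
packet state(out):      kept 71694      lost 201
 log failures:          input 21 output 4
IPF Ticks:      7348'

# Read ipfstat output on stdin; print "name value" for each non-zero
# "lost" state counter and each non-zero log-failure counter.
# Prints nothing when every such counter is zero.
ipf_lost_states() {
    awk '
        # "packet state(in):  kept N  lost M" -> report M when M > 0
        /packet state\((in|out)\)/ {
            dir = ($0 ~ /\(in\)/) ? "in" : "out"
            for (i = 1; i <= NF; i++)
                if ($i == "lost" && $(i + 1) + 0 > 0)
                    printf "state_lost_%s %s\n", dir, $(i + 1)
        }
        # "log failures:  input N output M" -> report each non-zero side
        /log failures:/ {
            for (i = 1; i <= NF; i++)
                if (($i == "input" || $i == "output") && $(i + 1) + 0 > 0)
                    printf "log_failures_%s %s\n", $i, $(i + 1)
        }
    '
}

# Stand-alone run against the constructed sample.
# On a live Solaris box: ipfstat | ipf_lost_states
printf '%s\n' "$IPFSTAT_SAMPLE" | ipf_lost_states
```

A non-zero `state_lost_*` line is the counter to watch while reproducing the problem: if it climbs in step with the blocked SYNs, the blocks come from state entries that were never created, not from the rule itself.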
