On Tue, 6 Mar 2007, Carson Gaspar wrote:

Date: Tue, 06 Mar 2007 08:54:39 -0800
From: Carson Gaspar <[EMAIL PROTECTED]>
To: Jeff A. Earickson <[EMAIL PROTECTED]>
Cc: [email protected]
Subject: Re: insight on S10 ipfilter patch 125014-02?

Jeff A. Earickson wrote:
Darren,

If I change my port 25 rule from:

pass in  quick proto tcp from any to 137.146.28.72 port = 25 flags S keep state keep frags
pass out quick proto tcp from 137.146.28.72 to any port = 25 flags S keep state keep frags

to:

pass in  quick proto tcp from any to 137.146.28.72 port = 25
pass out quick proto tcp from 137.146.28.72 to any port = 25

Then all/most of my email traffic halts.  I am using Sun multipathing,

If you want stateless rules, then you need to allow reply packets, which you haven't done. Try the following (syntax from memory, so...):

pass out quick proto tcp from 137.146.28.72 to any port = 25
pass in quick proto tcp from any port = 25 to 137.146.28.72 port > 32767 flags A/A
pass in  quick proto tcp from any to 137.146.28.72 port = 25
pass out quick proto tcp from 137.146.28.72 port = 25 to any port > 1023 flags A/A

You'll note that the inbound rule is more restrictive with ports. You've said you're running Solaris, so the anonymous port range is 32768-65535 (unless you've changed it). The Internet has a much broader range of anonymous ports (but always >= 1024, in my experience). Personally, I'd get rid of the outbound ACK rule port restriction entirely, unless you have naughty users running things on your mail server...

--
Carson

Carson,

Thank you, thank you.  Your rules worked as-is and my delayed email started
moving.  I had been using my stateful rules for a long time with one wire
just fine.  With the addition of a second wire and IP-multipathing in an
active-passive failover mode, the wheels fell off.  I ran snoop on both
interfaces and I could see a split of traffic between the wires, so the
second wire wasn't as silent as I would have expected.  I figured that it
might have something to do with that, or kernel patch 118833-36, or mpathd
changes, or the ipfilter patch, or God knows what.

So how come mpathd and keep state don't play together? Is this a known issue?

Jeff Earickson
Colby College
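The point of Carson's four rules is that, once "keep state" is gone, every reply segment has to match a rule of its own: a SYN-ACK coming back from a remote MX has source port 25 and a destination port in the sending host's anonymous range, so Jeff's original stateless pair (which only ever looks at destination port 25) never matches it. The following is an added example, not code from the thread or from IP Filter itself: a small Python model of "pass ... quick" first-match semantics that evaluates both rule sets against constructed packets. The remote addresses, the anonymous port 40000 and the simplified treatment of "flags A/A" (only the ACK bit is inspected) are assumptions made for the illustration.

```python
"""Stateless IP Filter-style rule matching (added example, not from the thread).

Models first-match 'pass ... quick' rules with a default-block policy to show
why a stateless SMTP pair with no reply rules stalls mail, and why adding
'flags A/A' reply rules restores it.  Packets are constructed inline; nothing
here talks to a real kernel.
"""
from dataclasses import dataclass

MAIL_HOST = "137.146.28.72"  # the mail server address from the thread


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" or "out" relative to MAIL_HOST
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool
    ack: bool


@dataclass(frozen=True)
class Rule:
    direction: str
    src: str = "any"
    sport: tuple = None   # (op, value), e.g. ("=", 25) or (">", 32767); None = any
    dst: str = "any"
    dport: tuple = None
    flags: str = None     # "A/A" = ACK must be set, other bits ignored; None = any


def _port_ok(cond, port):
    if cond is None:
        return True
    op, val = cond
    return {"=": port == val, ">": port > val}[op]


def _flags_ok(flags, pkt):
    if flags is None:
        return True
    if flags == "A/A":  # simplified: only the ACK bit is examined (assumption)
        return pkt.ack
    raise ValueError(flags)


def matches(rule, pkt):
    return (rule.direction == pkt.direction
            and rule.src in ("any", pkt.src)
            and rule.dst in ("any", pkt.dst)
            and _port_ok(rule.sport, pkt.sport)
            and _port_ok(rule.dport, pkt.dport)
            and _flags_ok(rule.flags, pkt))


def passes(rules, pkt):
    """First matching 'pass ... quick' rule wins; anything unmatched is blocked."""
    return any(matches(r, pkt) for r in rules)


# Jeff's stateless pair: only destination port 25 is ever considered.
JEFF_STATELESS = [
    Rule("in", dst=MAIL_HOST, dport=("=", 25)),
    Rule("out", src=MAIL_HOST, dport=("=", 25)),
]

# Carson's stateless set: the same pair plus explicit ACK reply rules.
CARSON_STATELESS = [
    Rule("out", src=MAIL_HOST, dport=("=", 25)),
    Rule("in", sport=("=", 25), dst=MAIL_HOST, dport=(">", 32767), flags="A/A"),
    Rule("in", dst=MAIL_HOST, dport=("=", 25)),
    Rule("out", src=MAIL_HOST, sport=("=", 25), dport=(">", 1023), flags="A/A"),
]

# Constructed packets: one outbound delivery, one inbound delivery, one probe.
OUT_SYN = Packet("out", MAIL_HOST, 40000, "192.0.2.10", 25, syn=True, ack=False)
OUT_SYNACK = Packet("in", "192.0.2.10", 25, MAIL_HOST, 40000, syn=True, ack=True)
IN_SYN = Packet("in", "198.51.100.7", 52000, MAIL_HOST, 25, syn=True, ack=False)
IN_SYNACK = Packet("out", MAIL_HOST, 25, "198.51.100.7", 52000, syn=True, ack=True)
# An unsolicited SYN from source port 25 must still be blocked by the reply rule.
PROBE_FROM25 = Packet("in", "192.0.2.10", 25, MAIL_HOST, 40000, syn=True, ack=False)

SAMPLES = [("out_syn", OUT_SYN), ("out_synack", OUT_SYNACK), ("in_syn", IN_SYN),
           ("in_synack", IN_SYNACK), ("probe_from25", PROBE_FROM25)]


def verdicts(rules):
    """Map each sample packet name to True (passed) or False (blocked)."""
    return {name: passes(rules, pkt) for name, pkt in SAMPLES}


if __name__ == "__main__":
    for label, rules in (("Jeff", JEFF_STATELESS), ("Carson", CARSON_STATELESS)):
        print(label, verdicts(rules))
```

Under Jeff's pair both SYN-ACKs (the one returning from a remote MX and the one the mail server sends to an inbound client) are blocked, which is exactly the stall described above; under Carson's set they pass, while a bare SYN arriving from source port 25 is still rejected because it lacks the ACK bit.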
