On 21/02, Steve Clark wrote:
> km wrote:
> > Hi,
> >
> > I am seeing some behaviour I don't think I should on AIX with ipfilter
> > 4.1.13.
> >
> > All outgoing DNS requests are getting blocked and this is what ipmon shows:
> >
> > Feb 21 00:10:31 sebotp520-1 local0:warn|warning ipmon[254018]: 01:00:00.000000 en5 @0:3 b xxx.xxx.100.234,34002 -> xxx.xxx.166.18,53 PR udp len 20 73 OUT
> >
> > # ipfstat -nio
> > @1 block out log all
> > @2 pass out quick on en5 proto udp from any to any keep state keep frags
> > @3 pass out quick on en5 proto udp from any to any port = domain keep state keep frags
> >
> > Why is it blocking on a pass rule, because of missing state?
> > Allowing port 53 stateless lets the packets through.
> >
> > Looking at the ipfstat output shows a lot of state (out) lost packets. Should
> > this really be, I don't see that at my fbsd/ipfilter at home?
> >
> > Some cut-n-paste info below.
> >
> > I will look into this deeper tomorrow evening but any pointers would be
> > appreciated.
> >
> > -km
> >
> >
> > # ipf -V
> > ipf: IP Filter: v4.1.13 (480)
> > Kernel: IP Filter: v4.1.13
> > Running: yes
> > Log Flags: 0 = none set
> > Default: pass all, Logging: available
> > Active list: 0
> > Feature mask: 0x87
> >
> > # uname -a
> > AIX sebotp520-1 3 5 0008FAE6D700
> >
> > # oslevel -s
> > 5300-06-03-0732
> >
> > # ipfstat -sl
> > ...
> > sebotp520-1 -> xxx.xxx.166.18 pass 0x40004702 pr 17 state 0/0 bkt 85
> >         tag 0 ttl 24 32872 -> 53
> >         forward: pkts in 0 bytes in 0 pkts out 2 bytes out 125
> >         backward: pkts in 2 bytes in 125 pkts out 0 bytes out 0
> >         pass out quick keep frags keep state IPv4
> >         pkt_flags & 0(0) = 0, pkt_options & ffffffff = 0,
> >         ffffffff = 0
> >         pkt_security & ffff = 0, pkt_auth & ffff = 0
> >         is_flx 0 0x1 0x1 0
> >         interfaces: in -[],en5[en5] out en5[en5],-[]
> >         Sync status: not synchronized
> > ...
> >
> > # ipfstat -s
> > IP states added:
> >         910 TCP
> >         1199 UDP
> >         8 ICMP
> >         17498769 hits
> >         9872 misses
> >         0 maximum
> >         0 no memory
> >         79 bkts in use
> >         1002 active
> >         0 expired
> >         11 closed
> > State logging enabled
> >
> > State table bucket statistics:
> >         79 in use
> >         62.20% bucket usage
> >         0 minimal length
> >         14 maximal length
> >         12.684 average length
> >
> > # ipfstat
> > bad packets:            in 0    out 0
> >  input packets:         blocked 5435 passed 11500856 nomatch 0 counted 0 short 0
> > output packets:         blocked 5229 passed 6003187 nomatch 0 counted 0 short 0
> >  input packets logged:  blocked 4946 passed 0
> > output packets logged:  blocked 5186 passed 0
> >  packets logged:        input 0 output 0
> >  log failures:          input 3705 output 4786
> > fragment state(in):     kept 0  lost 0  not fragmented 0
> > fragment state(out):    kept 0  lost 0  not fragmented 0
> > packet state(in):       kept 319        lost 592
> > packet state(out):      kept 798        lost 9589
> > ICMP replies:   0       TCP RSTs sent:  0
> > Invalid source(in):     0
> > Result cache hits(in):  1852    (out):  178
> > IN Pullups succeeded:   0       failed: 0
> > OUT Pullups succeeded:  0       failed: 0
> > Fastroute successes:    0       failures:       0
> > TCP cksum fails(in):    0       (out):  0
> > IPF Ticks:      0
> > Packet log flags set: (0)
> >         none
> >
>
> I ran into the same problem with icmp on 4.13 using freebsd - had to
> upgrade to 4.1.26
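The symptom km describes above, a packet logged as blocked (`b`) under a rule that `ipfstat -nio` lists as `pass ... keep state`, together with the large `packet state(out): ... lost` counter, can be checked mechanically rather than by eye. The following is an added example, not code from this thread or from the IPFilter project: it parses ipmon packet lines of the shape quoted above, the `ipfstat -nio` ruleset and the `packet state` counters, reports every block attributed to a pass rule, and computes the ratio of lost to attempted outbound states. It assumes ipmon's `@group:rule` refers to the rule numbering that `ipfstat -nio` prints for group 0; the second ipmon line and the NTP port in it are constructed to show a block that is not anomalous because rule @1 really is a block rule.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input, modelled on the lines quoted in the thread
# (addresses masked with xxx as in the post). The second line is invented:
# a block under @1, which is a genuine block rule, so it must not be flagged.
SAMPLE_IPMON = """\
Feb 21 00:10:31 sebotp520-1 local0:warn|warning ipmon[254018]: 01:00:00.000000 en5 @0:3 b xxx.xxx.100.234,34002 -> xxx.xxx.166.18,53 PR udp len 20 73 OUT
Feb 21 00:10:32 sebotp520-1 local0:warn|warning ipmon[254018]: 01:00:00.000000 en5 @0:1 b xxx.xxx.100.234,40001 -> xxx.xxx.166.18,123 PR udp len 20 76 OUT
"""

# Ruleset exactly as `ipfstat -nio` printed it in the thread.
SAMPLE_RULES = """\
@1 block out log all
@2 pass out quick on en5 proto udp from any to any keep state keep frags
@3 pass out quick on en5 proto udp from any to any port = domain keep state keep frags
"""

# The two state counters from the thread's `ipfstat` output.
SAMPLE_IPFSTAT = """\
packet state(in): kept 319 lost 592
packet state(out): kept 798 lost 9589
"""

IPMON_RE = re.compile(
    r"ipmon\[\d+\]:\s+(?P<ts>\S+)\s+(?P<ifname>\S+)\s+"
    r"@(?P<group>\d+):(?P<rule>\d+)\s+(?P<action>\S+)\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+PR\s+(?P<proto>\S+)\s+"
    r"len\s+(?P<hlen>\d+)\s+(?P<plen>\d+)\s+(?P<direction>IN|OUT)"
)
RULE_RE = re.compile(r"@(?P<num>\d+)\s+(?P<verb>pass|block)\s+(?P<dir>in|out)\b(?P<rest>.*)")
STATE_RE = re.compile(r"packet state\((?P<dir>in|out)\):\s+kept\s+(?P<kept>\d+)\s+lost\s+(?P<lost>\d+)")


@dataclass
class IpmonEvent:
    ifname: str
    group: int
    rule: int
    action: str              # ipmon action letter: 'b' blocked, 'p' passed
    src: str
    sport: Optional[int]     # None for protocols without ports (e.g. ICMP)
    dst: str
    dport: Optional[int]
    proto: str
    direction: str


@dataclass
class Rule:
    number: int
    verb: str                # 'pass' or 'block'
    direction: str
    keep_state: bool
    text: str


def _endpoint(s: str):
    """Split ipmon's 'host,port' form; ICMP entries carry no port."""
    if "," in s:
        host, port = s.rsplit(",", 1)
        return host, int(port)
    return s, None


def parse_ipmon(text: str):
    events = []
    for line in text.splitlines():
        m = IPMON_RE.search(line)
        if not m:
            continue   # not a packet line (state/NAT log entries look different)
        src, sport = _endpoint(m["src"])
        dst, dport = _endpoint(m["dst"])
        events.append(IpmonEvent(m["ifname"], int(m["group"]), int(m["rule"]), m["action"],
                                 src, sport, dst, dport, m["proto"], m["direction"]))
    return events


def parse_rules(text: str):
    """Map rule number -> Rule; assumes the listing is group 0, as ipmon's @0:N implies."""
    rules = {}
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            n = int(m["num"])
            rules[n] = Rule(n, m["verb"], m["dir"], "keep state" in m["rest"], line.strip())
    return rules


def find_blocks_on_pass_rules(events, rules):
    """Blocked packets whose logged rule is a pass rule: the symptom in the thread."""
    return [(e, rules[e.rule]) for e in events
            if e.action == "b" and e.rule in rules and rules[e.rule].verb == "pass"]


def parse_state_loss(text: str):
    return {m["dir"]: (int(m["kept"]), int(m["lost"])) for m in STATE_RE.finditer(text)}


def state_loss_ratio(loss, direction: str) -> float:
    """lost / (kept + lost): fraction of state-creation attempts that failed."""
    kept, lost = loss[direction]
    return lost / (kept + lost) if kept + lost else 0.0


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for ev, rule in find_blocks_on_pass_rules(parse_ipmon(SAMPLE_IPMON), rules):
        print(f"{ev.proto} {ev.src}:{ev.sport} -> {ev.dst}:{ev.dport} {ev.direction} "
              f"blocked under pass rule @{rule.number} (keep state={rule.keep_state})")
    loss = parse_state_loss(SAMPLE_IPFSTAT)
    print(f"out-state loss ratio: {state_loss_ratio(loss, 'out'):.1%}")
```

Run against the thread's numbers it flags the port 53 packet blocked under @3 and reports an outbound state loss of roughly 92% (9589 of 10387 attempts), which is the figure km is asking whether to expect; a healthy state table should show that ratio near zero.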
Yep, something is definitely wrong. The server crashed hard today as well. Core dumped on floor :) I've gone over to pure stateless filtering now and will stress test it for a couple of days. I actually don't have a need for keeping state for this particular setup but it would be really nice to have a stable working ipfilter on AIX in the future.

-km
