On 22/02, km wrote:
> On 21/02, Steve Clark wrote:
> > km wrote:
> > >Hi,
> > >
> > >I am seeing some behaviour I don't think I should on AIX with ipfilter
> > >4.1.13.
> > >
> > >All outgoing DNS requests are getting blocked and this is what ipmon shows:
> > >
> > >Feb 21 00:10:31 sebotp520-1 local0:warn|warning ipmon[254018]: 01:00:00.000000 en5 @0:3 b xxx.xxx.100.234,34002 -> xxx.xxx.166.18,53 PR udp len 20 73 OUT
> > >
> > ># ipfstat -nio
> > >@1 block out log all
> > >@2 pass out quick on en5 proto udp from any to any keep state keep frags
> > >@3 pass out quick on en5 proto udp from any to any port = domain keep state keep frags
> > >
> > >Why is it blocking on a pass rule, because of missing state?
> > >Allowing port 53 stateless lets the packets through.
> > >
> > >Looking at the ipfstat output shows a lot of state (out) lost packets. Should
> > >this really be, I don't see that at my fbsd/ipfilter at home?
> > >
> > >Some cut-n-paste info below.
> > >
> > >I will look into this deeper tomorrow evening but any pointers would be
> > >appreciated.
> > >
> > >-km
> > >
> > [snip]
> > >
> > I ran into the same problem with icmp on 4.13 using freebsd - had to
> > upgrade to 4.1.26
>
> Yep, something is definitely wrong. The server crashed hard today as
> well. Core dumped on floor :)
>
> I've gone over to pure stateless filtering now and will stress test it for a
> couple of days. I actually don't have a need for keeping state for this
> particular setup but it would be really nice to have a stable working
> ipfilter on AIX in the future.
>
> -km
I'm still getting kernel panics even without keeping state. Too bad, looks like I will have to go with a dedicated firewall instead :( -km
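The ipmon line and the `ipfstat -nio` listing quoted in the thread invite a mechanical consistency check: join each logged verdict to the rule number it names and flag any block that is logged against a pass rule, which is exactly the oddity the original poster noticed. The following is an added Python example, not code from the thread or from the ipfilter project. It assumes that ipmon's `@group:rule` index lines up with the `@n` numbers `ipfstat -nio` prints, and that the ipmon field order is the one seen in the quoted line (time, interface, rule, verdict letter, src,sport -> dst,dport, protocol, header and packet length, direction). The log lines and rule set embedded below are constructed from the formats quoted in the thread; the second log line is invented for contrast and did not appear in the original mail.

```python
"""Join ipmon log lines to the ipf rule they cite and flag verdict/rule contradictions.

Added example, not from the thread or from ipfilter.  Sample data is
constructed from the formats quoted in the thread (addresses keep the
thread's own xxx.xxx masking).
"""
import re
from typing import Dict, Optional

# ipmon layout assumed (from the quoted line):
#   ... ipmon[pid]: HH:MM:SS.ffffff iface @group:rule V src,sport -> dst,dport PR proto len hlen plen DIR
# Verdict letters handled: p = passed, b = blocked, S = short, n = no match, L = log only.
# TCP lines carry a flags field before DIR and are not covered by this regex.
IPMON_RE = re.compile(
    r"ipmon\[(?P<pid>\d+)\]:\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<iface>\S+)\s+@(?P<group>\d+):(?P<rule>\d+)\s+(?P<action>[pbSnL])\s+"
    r"(?P<src>[\w.]+)(?:,(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\w.]+)(?:,(?P<dport>\d+))?\s+"
    r"PR\s+(?P<proto>\w+)\s+len\s+(?P<hlen>\d+)\s+(?P<plen>\d+)\s+(?P<dir>IN|OUT)"
)

# `ipfstat -nio` prints one rule per line, numbered "@n".
RULE_RE = re.compile(r"^@(?P<num>\d+)\s+(?P<action>pass|block)\s+(?P<rest>.*)$")

# Constructed sample data.  Line 1 is the thread's own ipmon line (wrap removed);
# line 2 is invented: a UDP packet that falls through to the "block out log all" rule.
SAMPLE_LINES = [
    "Feb 21 00:10:31 sebotp520-1 local0:warn|warning ipmon[254018]: "
    "01:00:00.000000 en5 @0:3 b xxx.xxx.100.234,34002 -> xxx.xxx.166.18,53 "
    "PR udp len 20 73 OUT",
    "Feb 21 00:10:35 sebotp520-1 local0:warn|warning ipmon[254018]: "
    "01:00:04.000000 en0 @0:1 b xxx.xxx.100.234,45012 -> xxx.xxx.166.18,69 "
    "PR udp len 20 60 OUT",
]
SAMPLE_RULES = """\
@1 block out log all
@2 pass out quick on en5 proto udp from any to any keep state keep frags
@3 pass out quick on en5 proto udp from any to any port = domain keep state keep frags
"""


def parse_rules(ipfstat_output: str) -> Dict[int, dict]:
    """Index `ipfstat -nio` output by rule number."""
    rules: Dict[int, dict] = {}
    for line in ipfstat_output.splitlines():
        line = line.strip()
        m = RULE_RE.match(line)
        if not m:
            continue  # headers or blank lines
        num = int(m.group("num"))
        rules[num] = {
            "num": num,
            "action": m.group("action"),
            "text": line,
            "keep_state": "keep state" in line,
            "quick": " quick " in f" {line} ",
        }
    return rules


def parse_ipmon(line: str) -> Optional[dict]:
    """Extract the fields of one ipmon line, or None if it does not match."""
    m = IPMON_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    for key in ("pid", "group", "rule", "hlen", "plen"):
        ev[key] = int(ev[key])
    for key in ("sport", "dport"):
        ev[key] = int(ev[key]) if ev[key] is not None else None
    return ev


def explain(log_line: str, rules: Dict[int, dict]) -> Optional[dict]:
    """Join a log line to the rule it cites; set 'mismatch' when the logged
    verdict contradicts the rule's own action (block logged on a pass rule,
    or the reverse)."""
    ev = parse_ipmon(log_line)
    if ev is None:
        return None
    rule = rules.get(ev["rule"])
    verdict = {"p": "pass", "b": "block"}.get(ev["action"])
    mismatch = rule is not None and verdict is not None and verdict != rule["action"]
    return {
        "rule": ev["rule"],
        "group": ev["group"],
        "verdict": verdict or ev["action"],
        "rule_text": rule["text"] if rule else None,
        "keep_state": rule["keep_state"] if rule else None,
        "mismatch": mismatch,
        "dport": ev["dport"],
        "flow": f'{ev["proto"]} {ev["src"]},{ev["sport"]} -> {ev["dst"]},{ev["dport"]} '
                f'{ev["dir"]} on {ev["iface"]}',
    }


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for line in SAMPLE_LINES:
        result = explain(line, rules)
        flag = "VERDICT CONTRADICTS RULE" if result and result["mismatch"] else "ok"
        print(f'@{result["rule"]} {result["verdict"]:5} {result["flow"]}  [{flag}]')
```

Run against real data by replacing the two constructed samples with `ipmon -o` output and the current `ipfstat -nio` listing; any line reported with the contradiction flag is a candidate for the state-tracking problem the thread describes, as opposed to an ordinary hit on the catch-all block rule.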
