km wrote:
On 22/02, km wrote:
> On 21/02, Steve Clark wrote:
> > km wrote:
> > >Hi,
> > >
> > >I am seeing some behaviour I don't think I should on AIX with ipfilter
> > >4.1.13.
> > >
> > >All outgoing DNS requests are getting blocked and this is what ipmon shows:
> > >
> > >Feb 21 00:10:31 sebotp520-1 local0:warn|warning ipmon[254018]: 01:00:00.000000 en5 @0:3 b xxx.xxx.100.234,34002 -> xxx.xxx.166.18,53 PR udp len 20 73 OUT
> > >
> > ># ipfstat -nio
> > >@1 block out log all
> > >@2 pass out quick on en5 proto udp from any to any keep state keep frags
> > >@3 pass out quick on en5 proto udp from any to any port = domain keep state keep frags
> > >
> > >Why is it blocking on a pass rule, because of missing state?
> > >Allowing port 53 stateless lets the packets through.
> > >
> > >Looking at the ipfstat output shows a lot of state (out) lost packets. Should
> > >this really be? I don't see that at my fbsd/ipfilter at home.
> > >
> > >Some cut-n-paste info below.
> > >
> > >I will look into this deeper tomorrow evening but any pointers would be
> > >appreciated.
> > >
> > >-km
> > >
[snip]
> > >
> > I ran into the same problem with icmp on 4.13 using freebsd - had to
> > upgrade to 4.1.26
>
> Yep, something is definitely wrong. The server crashed hard today as
> well. Core dumped on floor :)
>
> I've gone over to pure stateless filtering now and will stress test it for a
> couple of days. I actually don't have a need for keeping state for this
> particular setup but it would be really nice to have a stable working
> ipfilter on AIX in the future.
>
> -km
I'm still getting kernel panics even without keeping state. Too bad, looks
like I will have to go with a dedicated firewall instead :(
Sorry that I can't help - I don't have any access to IBM hardware
that runs AIX.
Darren
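For anyone triaging the same symptom, the following is an added example (not code from the thread or from the ipfilter project): it parses ipmon lines in the layout km posted (time, interface, @group:rule, action letter, src,port -> dst,port, protocol, lengths, direction) and flags any packet logged as blocked (`b`) whose rule number resolves to a `pass` rule in the `ipfstat -nio` listing, which is exactly the oddity in km's report. The sample log lines and addresses are constructed, and the mapping of ipmon's `@0:3` to rule `@3` of the listing is assumed.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in ipmon's layout (addresses are placeholders):
# the blocked DNS query from the report plus a passed NTP packet for contrast.
IPMON_LINES = [
    "01:00:00.000000 en5 @0:3 b 10.0.100.234,34002 -> 10.0.166.18,53 PR udp len 20 73 OUT",
    "01:00:01.000000 en5 @0:2 p 10.0.100.234,34003 -> 10.0.166.18,123 PR udp len 20 76 OUT",
]

# Constructed copy of the `ipfstat -nio` rule list, keyed by rule number.
IPFSTAT_RULES = {
    1: "block out log all",
    2: "pass out quick on en5 proto udp from any to any keep state keep frags",
    3: "pass out quick on en5 proto udp from any to any port = domain keep state keep frags",
}

# time iface @group:rule action src,sport -> dst,dport PR proto len hlen plen DIR
IPMON_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<iface>\S+)\s+@(?P<group>\d+):(?P<rule>\d+)\s+(?P<action>[A-Za-z]+)\s+"
    r"(?P<src>[\w.:]+),(?P<sport>\d+)\s+->\s+(?P<dst>[\w.:]+),(?P<dport>\d+)\s+"
    r"PR\s+(?P<proto>\w+)\s+len\s+(?P<hlen>\d+)\s+(?P<plen>\d+)\s+(?P<dir>IN|OUT)"
)

@dataclass
class IpmonEvent:
    iface: str
    rule: int
    action: str      # 'b' = blocked, 'p' = passed
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    direction: str

def parse_ipmon(line):
    """Parse one ipmon line; return None for lines not in the expected layout."""
    m = IPMON_RE.match(line.strip())
    if not m:
        return None
    return IpmonEvent(m["iface"], int(m["rule"]), m["action"], m["src"], int(m["sport"]),
                      m["dst"], int(m["dport"]), m["proto"], m["dir"])

def find_anomalies(lines, rules):
    """Return (event, rule_text) for every block logged against a 'pass' rule."""
    hits = []
    for line in lines:
        ev = parse_ipmon(line)
        if ev is None:
            continue
        text = rules.get(ev.rule, "")
        if ev.action == "b" and text.startswith("pass"):
            hits.append((ev, text))
    return hits
```

Running `find_anomalies(IPMON_LINES, IPFSTAT_RULES)` on the sample returns only the port 53 packet, attributed to rule 3, the `keep state` pass rule; a stateless ruleset that behaves the same way is the quickest sign the problem is in state handling rather than in rule order.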