On 28/02, Darren Reed wrote:
> km wrote:
> > On 22/02, km wrote:
> > > On 21/02, Steve Clark wrote:
> > > > km wrote:
> > > > > Hi,
> > > > >
> > > > > I am seeing some behaviour I don't think I should on AIX with ipfilter
> > > > > 4.1.13.
> > > > >
> > > > > All outgoing DNS requests are getting blocked and this is what ipmon shows:
> > > > >
> > > > > Feb 21 00:10:31 sebotp520-1 local0:warn|warning ipmon[254018]: 01:00:00.000000 en5 @0:3 b xxx.xxx.100.234,34002 -> xxx.xxx.166.18,53 PR udp len 20 73 OUT
> > > > >
> > > > > # ipfstat -nio
> > > > > @1 block out log all
> > > > > @2 pass out quick on en5 proto udp from any to any keep state keep frags
> > > > > @3 pass out quick on en5 proto udp from any to any port = domain keep state keep frags
> > > > >
> > > > > Why is it blocking on a pass rule, because of missing state?
> > > > > Allowing port 53 stateless lets the packets through.
> > > > >
> > > > > Looking at the ipfstat output shows a lot of state (out) lost packets. Should
> > > > > this really be, I don't see that at my fbsd/ipfilter at home?
> > > > >
> > > > > Some cut-n-paste info below.
> > > > >
> > > > > I will look into this deeper tomorrow evening but any pointers would be
> > > > > appreciated.
> > > > >
> > > > > -km
> > > > >
> > [snip]
> > > > >
> > > > I ran into the same problem with icmp on 4.13 using freebsd - had to
> > > > upgrade to 4.1.26
> > >
> > > Yep, something is definitely wrong. The server crashed hard today as
> > > well. Core dumped on floor :)
> > >
> > > I've gone over to pure stateless filtering now and will stress test it for a
> > > couple of days. I actually don't have a need for keeping state for this
> > > particular setup but it would be really nice to have a stable working
> > > ipfilter on AIX in the future.
> > >
> > > -km
> >
> > I'm still getting kernel panics even without keeping state. Too bad, looks
> > like I will have to go with a dedicated firewall instead :(
>
> Sorry that I can't help - I don't have any access to IBM hardware
> that runs AIX.
>
> Darren

I guess you would need physical access to a pSeries for that. I imagine firewall testing would be pretty hard otherwise. Serial access to a machine in a co-lo maybe? That shouldn't be impossible if you see ipfilter on AIX as a worthwhile cause. What makes it impossible for me to get you a real pSeries is that I'm located in Sweden, I guess the freight on one would be a killer. Otherwise I occasionally get the opportunity to take old P hardware that my customers no longer need, without disks of course. I wonder what it would take to make IBM donate a machine though.

-km
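The symptom km reports above, a packet logged as blocked ("b") by a rule that `ipfstat -nio` lists as `pass ... keep state`, is easy to spot mechanically. The following is an added example (not code from the thread or from ipfilter) that parses ipmon lines and the rule listing and reports every record whose logged action disagrees with the matched rule's action; the sample lines are constructed from the formats quoted in the thread, with placeholder addresses.

```python
import re

# Constructed sample input, modelled on the ipmon line and the "ipfstat -nio"
# listing quoted in the thread (addresses are placeholders).
IPMON_LINES = """\
Feb 21 00:10:31 sebotp520-1 local0:warn|warning ipmon[254018]: 01:00:00.000000 en5 @0:3 b 10.0.100.234,34002 -> 10.0.166.18,53 PR udp len 20 73 OUT
Feb 21 00:10:32 sebotp520-1 local0:warn|warning ipmon[254018]: 01:00:01.000000 en5 @0:1 b 10.0.100.234,40001 -> 10.0.166.18,80 PR tcp len 20 60 OUT
""".splitlines()

IPFSTAT_RULES = """\
@1 block out log all
@2 pass out quick on en5 proto udp from any to any keep state keep frags
@3 pass out quick on en5 proto udp from any to any port = domain keep state keep frags
""".splitlines()

# ipmon prints "@group:rule"; group 0 holds the ungrouped rules numbered by ipfstat.
IPMON_RE = re.compile(
    r"(?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) (?P<action>[A-Za-z]) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+) len (?P<hlen>\d+) (?P<plen>\d+) (?P<dir>IN|OUT)"
)
RULE_RE = re.compile(r"^@(?P<num>\d+) (?P<action>block|pass) (?P<rest>.*)$")
ACTION_NAMES = {"b": "block", "p": "pass"}  # other ipmon letters reported as-is

def parse_rules(lines):
    """Map rule number -> (action, rule text) from 'ipfstat -nio' output."""
    rules = {}
    for line in lines:
        m = RULE_RE.match(line.strip())
        if m:
            rules[int(m["num"])] = (m["action"], m["rest"])
    return rules

def parse_ipmon(line):
    """Return the fields of one ipmon packet record, or None if it is not one."""
    m = IPMON_RE.search(line)
    return m.groupdict() if m else None

def find_mismatches(ipmon_lines, rule_lines):
    """Records whose logged action differs from the matched rule's action.
    A block logged against a 'keep state' pass rule is the pattern to
    investigate: the rule matched but state could not be created/kept."""
    rules = parse_rules(rule_lines)
    out = []
    for line in ipmon_lines:
        rec = parse_ipmon(line)
        if not rec:
            continue
        rule_action, text = rules.get(int(rec["rule"]), ("?", "unknown rule"))
        logged = ACTION_NAMES.get(rec["action"], rec["action"])
        if logged != rule_action:
            out.append({"rule": int(rec["rule"]), "rule_action": rule_action,
                        "logged": logged, "stateful": "keep state" in text,
                        "dst": f'{rec["dst"]}:{rec["dport"]}/{rec["proto"]}'})
    return out
```

Run it against a real ipmon log and `ipfstat -nio` capture to see how many of the "state (out) lost" packets line up with blocks on stateful pass rules.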
