Hi Folks,
We have been running these particular pf firewalls since Xmas 2004 without problem except for the last month. During the last month we have been experiencing repeated failures where the running firewall would freeze with a kernel panic and need to be rebooted.
I am now using symon to monitor the machines and this shows no sudden increase
in the state table or anything else untoward. This probably means that
whatever happened happened so fast that it was all over before the reporting
interval :(
The machine is currently on 3.6 with all patches applied. We will move on to
3.7 asap.
What I have just established is that the latest failure coincided with the
start of an inbound scan (sample argus logs):
28 Jul 05 17:05:07 udp 218.92.13.149.32987 -> 130.216.39.121.1027 1 0 522 0 TIM
28 Jul 05 17:05:07 udp 218.92.13.149.32987 -> 130.216.58.204.1026 1 0 522 0 TIM
28 Jul 05 17:05:07 udp 218.92.13.149.32987 -> 130.216.39.122.1026 1 0 522 0 TIM
28 Jul 05 17:05:07 udp 218.92.13.149.32987 -> 130.216.58.204.1027 1 0 522 0 TIM
28 Jul 05 17:05:07 udp 218.92.13.149.32987 -> 130.216.58.205.1026 1 0 522 0 TIM
28 Jul 05 17:05:07 udp 218.92.13.149.32987 -> 130.216.58.114.1026 1 0 522 0 TIM
28 Jul 05 17:05:07 udp 218.92.13.149.32987 -> 130.216.58.114.1027 1 0 522 0 TIM
28 Jul 05 17:05:07 udp 218.92.13.149.32987 -> 130.216.66.65.1026 1 0 522 0 TIM
28 Jul 05 17:05:07 udp 218.92.13.149.32987 -> 130.216.46.80.1026 1 0 522 0 TIM
28 Jul 05 17:05:07 udp 218.92.13.149.32987 -> 130.216.46.125.1027 1 0 522 0 TIM
28 Jul 05 17:05:07 udp 218.92.13.149.32987 -> 130.216.46.126.1026 1 0 522 0 TIM
28 Jul 05 17:05:07 udp 218.92.13.149.32987 -> 130.216.66.65.1027 1 0 522 0 TIM
28 Jul 05 17:05:07 udp 218.92.13.149.32987 -> 130.216.46.126.1027 1 0 522 0 TIM
28 Jul 05 17:05:07 udp 218.92.13.149.32987 -> 130.216.46.127.1026 1 0 522 0 TIM
28 Jul 05 17:05:07 udp 218.92.13.149.32987 -> 130.216.46.81.1027 1 0 522 0 TIM
28 Jul 05 17:05:07 udp 218.92.13.149.32987 -> 130.216.67.4.1027 1 0 522 0 TIM
28 Jul 05 17:05:07 udp 218.92.13.149.32987 -> 130.216.67.20.1026 1 0 522 0 TIM
28 Jul 05 17:05:07 udp 218.92.13.149.32987 -> 130.216.46.96.1026 1 0 522 0 TIM
28 Jul 05 17:05:07 udp 218.92.13.149.32987 -> 130.216.67.20.1027 1 0 522 0 TIM
28 Jul 05 17:05:07 udp 218.92.13.149.32987 -> 130.216.46.142.1026 1 0 522 0 TIM
28 Jul 05 17:05:07 udp 218.92.13.149.32987 -> 130.216.46.142.1027 1 0 522 0 TIM
28 Jul 05 17:05:07 udp 218.92.13.149.32987 -> 130.216.46.143.1026 1 0 522 0 TIM
28 Jul 05 17:05:07 udp 218.92.13.149.32987 -> 130.216.46.97.1026 1 0 522 0 TIM
28 Jul 05 17:05:07 udp 218.92.13.149.32987 -> 130.216.46.156.1026 1 0 522 0 TIM
28 Jul 05 17:05:07 udp 218.92.13.149.32987 -> 130.216.46.143.1027 1 0 522 0 TIM
28 Jul 05 17:05:07 udp 218.92.13.149.32987 -> 130.216.46.156.1027 1 0 522 0 TIM
28 Jul 05 17:05:07 udp 218.92.13.149.32987 -> 130.216.66.96.1027 1 0 522 0 TIM
28 Jul 05 17:05:07 udp 218.92.13.149.32987 -> 130.216.46.157.1026 1 0 522 0 TIM
Most of these packets should have been dropped by the firewall and should not
have created state.
I am about to examine the argus logs from around the time of the previous
failures to see if this is just coincidence or not.
Any thoughts on what else we might do other than upgrade the OS (which we are
doing)?
Russell
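
Added example, not part of the original message: a Python script for the log review described above, which groups argus records by second and source address and reports sources that hit many distinct hosts in that second, so the same check can be run around each earlier failure time. The function name, the threshold, and the reading of the trailing columns as source packets, destination packets, source bytes, destination bytes and state are assumptions; the sample holds six of the quoted records, each joined onto one line, plus one constructed ordinary flow.

```python
import re
from collections import defaultdict

# One argus record per line: time, proto, src.port, direction, dst.port,
# then (assumed) src pkts, dst pkts, src bytes, dst bytes, state.
REC = re.compile(
    r"^(?P<ts>\d{2} \w{3} \d{2} \d{2}:\d{2}:\d{2})\s+(?P<proto>\w+)\s+"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+\S+\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+)\s+"
    r"(?P<spkts>\d+)\s+(?P<dpkts>\d+)\s+\d+\s+\d+\s+(?P<state>\w+)$"
)

# Six records from the post plus one constructed flow (192.0.2.10).
SAMPLE = """\
28 Jul 05 17:05:07 udp 218.92.13.149.32987 -> 130.216.39.121.1027 1 0 522 0 TIM
28 Jul 05 17:05:07 udp 218.92.13.149.32987 -> 130.216.58.204.1026 1 0 522 0 TIM
28 Jul 05 17:05:07 udp 218.92.13.149.32987 -> 130.216.39.122.1026 1 0 522 0 TIM
28 Jul 05 17:05:07 udp 218.92.13.149.32987 -> 130.216.58.204.1027 1 0 522 0 TIM
28 Jul 05 17:05:07 udp 218.92.13.149.32987 -> 130.216.58.205.1026 1 0 522 0 TIM
28 Jul 05 17:05:07 udp 218.92.13.149.32987 -> 130.216.58.114.1026 1 0 522 0 TIM
28 Jul 05 17:05:07 udp 192.0.2.10.40000 <-> 198.51.100.53.53 1 1 60 120 CON
"""

def scan_bursts(text, min_hosts=4):
    """Return {(second, source IP): stats} for sources that reached at
    least min_hosts distinct destination hosts within one second."""
    groups = defaultdict(
        lambda: {"hosts": set(), "ports": set(), "flows": 0, "unanswered": 0})
    for line in text.splitlines():
        m = REC.match(line.strip())
        if not m:
            continue  # header line or a record in another layout
        g = groups[(m["ts"], m["src"])]
        g["hosts"].add(m["dst"])
        g["ports"].add((m["proto"], int(m["dport"])))
        g["flows"] += 1
        if int(m["dpkts"]) == 0:  # nothing came back from the destination
            g["unanswered"] += 1
    return {k: g for k, g in groups.items() if len(g["hosts"]) >= min_hosts}

if __name__ == "__main__":
    for (ts, src), g in sorted(scan_bursts(SAMPLE).items()):
        print(ts, src, "hosts:", len(g["hosts"]), "flows:", g["flows"],
              "unanswered:", g["unanswered"], "ports:", sorted(g["ports"]))
```

Comparing the timestamps of the reported bursts with the times of the earlier panics shows whether the coincidence repeats.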