List: ipfilter
Subject: Keep alive and "-AP" flag.
From: Per-Olov Sjöholm <news1 () posnet ! org>
Date: 2001-11-30 14:51:59
Hi!
I saw a question about an ftp problem earlier in this group. The person said he could not use the bandwidth in an efficient way. He was only able to use a couple of hundred kb/sec.
The answer I saw in this group was that he had "keep state" on ftp but not the "S/SA" flag set, and generated too many entries in the state table, which caused it to fill up...
I use, as can be seen below, the "S/SA" flag for ftp and I have no bandwidth problems. But I do have some problems with a couple of ftp sites that send keep-alive "-AP" to me, which is denied.
Any suggestions about what to do?
Is the only way to remove "S/SA" and just keep "keep state"? What about the state table then?
I have a filter like this...
iprb0 = EXTERNAL
elxl0 = INTERNAL
elx0 = DMZ
block in log quick all with ipopts #1#
block in log quick all with short #2#
block in log quick on elx0 all with frag #3#
block in log quick on iprb0 all with frag #3#
block in log quick proto tcp all flags PUF/0xff #4#
block in log quick on iprb0 all head 10 #5#
block in log quick from 0.0.0.0/8 to any group 10 #6#
block in log quick from 10.0.0.0/8 to any group 10 #6#
block in log quick from 127.0.0.0/8 to any group 10 #6#
block in log quick from 172.16.0.0/12 to any group 10 #6#
block in log quick from 192.168.0.0/16 to any group 10 #6#
block in log quick from 255.255.255.255/32 to any group 10 #6#
block in log quick from any to 192.168.0.255/32 group 10 #7#
block in log quick from any to 192.168.1.255/32 group 10 #7#
block in log quick from any to 192.168.0.0/32 group 10 #8#
block in log quick from any to 192.168.1.0/32 group 10 #8#
block in log quick from any to EXTERNAL-IP head 11 group 10 #9#
pass in quick proto icmp from any to any icmp-type echo keep state group 11 #10#
pass in quick proto icmp from any to any icmp-type timex keep state group 11 #10#
pass in quick proto icmp from any to any icmp-type unreach keep state group 11 #10#
pass in quick proto tcp from any to any port = 22 flags S/SA keep state keep frags group 11 #11#
pass in quick proto tcp from any to any port = 21 flags S/SA keep state keep frags group 11 #12#
pass in quick proto tcp from any to any port 60000 >< 60050 flags S/SA keep state keep frags group 11 #13#
block return-rst in log quick proto tcp all group 11 #14#
block return-icmp-as-dest(port-unr) in log quick proto udp all group 11 #15#
block out log quick on iprb0 all head 20 #16#
block out log quick from 192.168.0.0/24 to any head 21 group 20 #17#
block out log quick from EXTERNAL-IP to any head 22 group 20 #18#
pass out quick proto tcp all flags S/SA keep state keep frags group 21 #19#
pass out quick proto icmp all keep state group 21 #20#
pass out quick proto udp all keep state group 21 #20#
pass out quick proto udp from any to 192.71.180.46/32 port = 53 keep state group 22 #21#
pass out quick proto udp from any to 192.71.220.9/32 port = 53 keep state group 22 #21#
pass out quick proto udp from any to 212.181.54.2/32 port = 53 keep state group 22 #21#
pass out quick proto udp from any to 212.181.54.3/32 port = 53 keep state group 22 #21#
pass out quick proto udp from any to 130.149.17.21/32 port = 123 keep state group 22 #22#
pass out quick proto udp from any to 192.36.143.150/32 port = 123 keep state group 22 #22#
pass out quick proto udp from any to 204.34.198.41/32 port = 123 keep state group 22 #22#
pass out quick proto icmp all keep state group 22 #23#
pass out quick proto tcp from any to any port = 80 flags S/SA keep state keep frags group 22 #24#
pass out quick proto tcp from any to any port = 443 flags S/SA keep state keep frags group 22 #24#
pass out quick proto tcp from any to any port = 22 flags S/SA keep state keep frags group 22 #24#
pass out quick proto tcp all flags R/SPUFR group 22 #25#
block in log quick on elx0 all head 30 #26#
block in log quick all group 30 #27#
block out log quick on elx0 all head 40 #28#
block out log quick all group 40 #29#
block in log quick on elxl0 all head 50 #30#
pass in quick all group 50 #31#
block out log quick on elxl0 all head 60 #32#
pass out quick all group 60 #33#
Thanks in advance.
Regards, Per-Olov Sjöholm
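The following is an added example, not part of the original post and not code from the IPFilter project. It models the "flags X/Y" test IPFilter applies to TCP rules, where a packet matches when its flag bits selected by the mask Y equal the set X, and runs the poster's relevant inbound rules (#4, #12, #14) against constructed packets. It shows why an ACK+PSH keep-alive (ipmon's "-AP") cannot match "flags S/SA keep state" and falls through to the "block return-rst" rule, and what changes when the S/SA restriction is dropped. The rule lists, packet values and function names are constructed for this demonstration; only the explicit "X/Y" spelling used in the poster's rules is modelled.

```python
# Added example (not from the original post or from the IPFilter project):
# a minimal model of IPFilter's "flags X/Y" test for TCP rules.
# Only the explicit "X/Y" form used in the poster's rules is supported.
# Rule lists and packets below are constructed for the demonstration.

# TCP flag bits, keyed by the letters IPFilter uses in flag specifications.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}


def flags_to_bits(spec):
    """Convert a flag letter string such as 'SA', or a hex value such as
    '0xff', into a bitmask."""
    if spec.lower().startswith("0x"):
        return int(spec, 16)
    bits = 0
    for letter in spec:
        bits |= FLAG_BITS[letter]  # KeyError on an unknown flag letter
    return bits


def parse_flags(spec):
    """Split 'S/SA' into (wanted_bits, mask_bits). A packet matches when the
    flags selected by the mask equal the wanted set, so 'S/SA' means
    'SYN set and ACK clear; all other flags ignored'."""
    wanted, sep, mask = spec.partition("/")
    if not sep:
        raise ValueError("only the explicit X/Y form is modelled: %r" % spec)
    return flags_to_bits(wanted), flags_to_bits(mask)


def flags_match(spec, pkt_flags):
    """Apply the IPFilter flag test: (packet_flags & mask) == wanted."""
    wanted, mask = parse_flags(spec)
    return (pkt_flags & mask) == wanted


def first_match(rules, pkt_flags):
    """Return the action of the first 'quick' rule whose flag test matches an
    inbound TCP packet to port 21 (address/port matching is assumed to have
    already succeeded). A rule whose spec is None carries no 'flags' keyword
    and therefore matches every TCP packet."""
    for action, spec in rules:
        if spec is None or flags_match(spec, pkt_flags):
            return action
    return None


# Constructed ordering of the relevant rules from the post: #4, #12, #14.
STRICT_RULES = [
    ("block", "PUF/0xff"),          # #4: PSH+URG+FIN probe, no other flags
    ("pass keep state", "S/SA"),    # #12: ftp control channel, SYN only
    ("block return-rst", None),     # #14: catch-all for TCP in group 11
]

# The same rules with the S/SA restriction removed, as the poster considers.
RELAXED_RULES = [
    ("block", "PUF/0xff"),
    ("pass keep state", None),      # any TCP packet now creates state
    ("block return-rst", None),
]

# Constructed sample packets: the flag byte of the TCP header.
PACKETS = {
    "SYN (new connection)": FLAG_BITS["S"],
    "SYN+ACK": FLAG_BITS["S"] | FLAG_BITS["A"],
    "ACK+PSH (-AP keep-alive)": FLAG_BITS["A"] | FLAG_BITS["P"],
    "FIN+PSH+URG probe": FLAG_BITS["F"] | FLAG_BITS["P"] | FLAG_BITS["U"],
}

if __name__ == "__main__":
    for name, flags in PACKETS.items():
        print("%-26s strict: %-17s relaxed: %s" % (
            name, first_match(STRICT_RULES, flags),
            first_match(RELAXED_RULES, flags)))
```

Under the strict rules only a bare SYN creates a state entry; the "-AP" keep-alive matches neither #4 nor #12 and is answered by #14 with a RST. Under the relaxed rules that keep-alive is passed, but so is any other unsolicited ACK, and each one creates a state entry, which is the table-filling behaviour the earlier thread described. The trade-off the poster is asking about is therefore between dropping mid-stream packets whose state has already expired and letting every stray TCP segment occupy the state table.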