[prev in list] [next in list] [prev in thread] [next in thread] 

List:       ipfilter
Subject:    NAT table trouble
From:       Scott Augustus <scott () visgen ! com>
Date:       2001-11-30 15:13:55
[Download RAW message or body]

Greetings all,
I'm currently having a lot of difficulty with NAT tables filling up and 
causing serious slow downs.  Clearing/flushing the tables tends to help 
though sometimes for only very short periods of time (we're talking a 
matter of minutes!) before they need cleared again. Obviously this is 
not ideal as it drops connections for users.  I do have a number of 
VPN's using isakmpd that connect us to multiple offices.  Wondering if 
anyone might have some insight as to a potential cause or some nifty 
means to help me determine a cause (tcpdump etc.)?  Or, is it possible 
that a bum rule in ipf could cause this?

I don't have a whole heck of a lot happenning with my ipnat rules, just 
one subnet and a few port mappings.

Thx!

Scott

Here's some vitals in case they're needed:
OpenBSD 2.6 (I know, I *should* upgrade ;-)
IP Filter: v3.3.16

# The rules
pass out quick on lo0
pass in quick on lo0

block in quick proto tcp all with short

block in quick on fxp1 all with opt lsrr
block in quick on fxp1 all with opt ssrr
 
block in log quick on fxp1 proto icmp from any to any icmp-type redir
block in log quick on fxp1 proto tcp/udp all with short
block in log quick on fxp1 from any to any with ipopts
block return-rst in log quick on fxp1 proto tcp from any to any port = 
auth flags S/SA
block in quick on fxp1 proto tcp from any to any flags FUP
block in quick on fxp1 proto tcp all flags SF/SFRA
block in quick on fxp1 proto tcp all flags /SFRA
block in quick on fxp1 proto tcp all flags F/SFRA
block in quick on fxp1 proto tcp all flags U/SFRAU
block in quick on fxp1 proto tcp all flags P
block in log quick on fxp0 proto tcp all flags /
 
block in log quick on fxp1 from 10.0.0.0/8 to any
block in log quick on fxp1 from 172.16.0.0/12 to any
block in log quick on fxp1 from 192.168.0.0/16 to any
block in log quick on fxp1 from 127.0.0.0/8 to any
block in log quick on fxp1 from 0.0.0.0/32 to any
block in log quick on fxp1 from 255.255.255.255/32 to any
 
block out quick on fxp1 from any to 10.0.0.0/8
block out quick on fxp1 from any to 172.16.0.0/12
block out quick on fxp1 from any to 192.168.0.0/16
block out quick on fxp1 from any to 127.0.0.1/8
 
#  Block all incoming outgoing netbios traffic. Don't log this as it is
#  so common.
#
block in quick on fxp1 proto udp from any to any port = netbios-ns
block out quick on fxp1 proto udp from any to any port = netbios-ns

# psssing in ISAKMP traffic from the VPN-security gateways
pass in quick on fxp1 proto udp from any to any port = 500
 
# Passing in encrypted traffic from VPN-security gateways
pass in quick on fxp1 proto esp from any to any
 
block return-rst in log quick on fxp1 proto tcp from any to any flags S/SA
 
block in log quick on fxp1 from any to any
 
pass out        quick on fxp1 proto tcp  from any to any flags S keep state
pass out        quick on fxp1 proto udp  from any to any keep state
pass out        quick on fxp1 proto icmp from any to any keep state

[prev in list] [next in list] [prev in thread] [next in thread]