List: ipfilter
Subject: Maximum states, log failures
From: "Beers, James W." <beersj () moravian ! edu>
Date: 2003-02-18 20:45:27
I have been monitoring my new firewall and have been running through the
commands to check out performance. I rebooted the firewall and ran through
the commands this afternoon. Here is the output from uptime, ipfstat -s,
ipfstat, and ipnat -s.
3:19PM up 10 mins, 1 user, load averages: 0.01, 0.02, 0.00
IP states added:
17290 TCP
3592 UDP
305 ICMP
2222102 hits
34543 misses
44 maximum
0 no memory
4649 bkts in use
6230 active
3713 expired
11244 closed
IPv6 packets: in 0 out 0
input packets: blocked 15299 passed 1023810 nomatch 0 counted 0 short 0
output packets: blocked 45 passed 512370 nomatch 0 counted 0 short 0
input packets logged: blocked 13645 passed 27794
output packets logged: blocked 45 passed 7
packets logged: input 0 output 0
log failures: input 12667 output 24
fragment state(in): kept 0 lost 0
fragment state(out): kept 0 lost 0
packet state(in): kept 27750 lost 44
packet state(out): kept 7 lost 0
ICMP replies: 0 TCP RSTs sent: 13
Invalid source(in): 0
Result cache hits(in): 29 (out): 0
IN Pullups succeeded: 0 failed: 0
OUT Pullups succeeded: 0 failed: 0
Fastroute successes: 13 failures: 0
TCP cksum fails(in): 0 (out): 0
Packet log flags set: (0)
none
mapped in 387082 out 377191
added 38583 expired 24807
no memory 0 bad nat 12
inuse 13776
rules 119
wilds 0
I am concerned (confused) about the number of times maximum states have been
hit (in this case, 44) and the number of log failures that are occurring. I
have written to others whose machines are similarly configured and have a
similar number of users and type of data streams, and their output shows that
the maximum number of states has not been reached, nor do they have any log failures.
When it comes to logging, I log the first packet of every accepted
connection and I log all packets from blocked connections (with several
exceptions - I do not log NETBIOS packets, Kazaa/file sharing requests
outbound only). I am using "flags S keep state" on tcp connections and
"keep state" on udp connections. I do allow tcp/udp high ports, the
exceptions being some trojan ports and some file sharing ports.
What am I missing?
----------------------------------------------------------------------------
Relevant information:
OS: FreeBSD 4.5
Ipfilter:
ipf: IP Filter: v3.4.31 (336)
Kernel: IP Filter: v3.4.31
Running: yes
Log Flags: 0 = none set
Default: block all, Logging: available
Active list: 0
There are 205 active rules in ipf.rules.
256MB RAM, PIII 1.0 Ghz, fxp0 and fxp1 are set to 100 MB FD. I ran netstat
-ni and have no collisions or errors on output.
I have modified the following:
ip_fil.h:
#define IPLLOGSIZE 65536
ip_nat.h: (note that LARGE_NAT is not defined - I redefined the four options)
#undef LARGE_NAT /* define this if you're setting up a system to NAT
                  * LARGE numbers of networks/hosts - i.e. in the
                  * hundreds or thousands. In such a case, you should
                  * also change the RDR_SIZE and NAT_SIZE below to more
                  * appropriate sizes. The figures below were used for
                  * a setup with 1000-2000 networks to NAT.
                  */
#ifndef NAT_SIZE
# define NAT_SIZE 2047
#endif
#ifndef RDR_SIZE
# define RDR_SIZE 2047
#endif
#ifndef HOSTMAP_SIZE
# define HOSTMAP_SIZE 32767
#endif
#ifndef NAT_TABLE_SZ
# define NAT_TABLE_SZ 262143
#endif
ip_state.h:
#define IPSTATE_SIZE 104729
#define IPSTATE_MAX 73311 /* Maximum number of states held */
ip_state.c:
#define TCP_IDLE_TIMEOUT (2 * 3600)
#define TCP_MSL 60
fr_tcptimeout = 4 * TCP_MSL,
fr_tcpclosed = 60,
fr_tcphalfclosed = 2 * 2 * 75, /* 1 hour value is 300 */
fr_udptimeout = 90,
fr_icmptimeout = 35,
Output from vmstat -c 5 -w 5:
 procs      memory        page                    disks    faults        cpu
 r b w   avm    fre   flt re pi po fr sr da0 da1   in   sy  cs us sy id
 0 0 0  6232 217052     6  0  0  0  5  0   0   0 1416  566 126  0  3 97
 0 0 0  6232 217020     1  0  0  0  0  0   0   0 1330  425  98  0  2 98
 0 0 0  6232 216988     1  0  0  0  0  0   0   0 1422  454 104  0  2 98
 0 0 0  6232 216956     1  0  0  0  0  0   0   0 1547  416  96  0  3 97
 0 0 0  4444 216908     1  0  0  0  2  0   1   0 1421  499 114  0  2 98
Output from sysctl -a | grep ipf:
net.inet.ipf.fr_flags: 0
net.inet.ipf.fr_pass: 513
net.inet.ipf.fr_active: 0
net.inet.ipf.fr_tcpidletimeout: 7200
net.inet.ipf.fr_tcpclosewait: 120
net.inet.ipf.fr_tcplastack: 120
net.inet.ipf.fr_tcptimeout: 240
net.inet.ipf.fr_tcpclosed: 60
net.inet.ipf.fr_tcphalfclosed: 300
net.inet.ipf.fr_udptimeout: 90
net.inet.ipf.fr_udpacktimeout: 24
net.inet.ipf.fr_icmptimeout: 35
net.inet.ipf.fr_icmpacktimeout: 12
net.inet.ipf.fr_defnatage: 1200
net.inet.ipf.fr_ipfrttl: 120
net.inet.ipf.ipl_unreach: 13
net.inet.ipf.fr_running: 1
net.inet.ipf.fr_authsize: 32
net.inet.ipf.fr_authused: 0
net.inet.ipf.fr_defaultauthage: 600
net.inet.ipf.fr_chksrc: 0
net.inet.ipf.ippr_ftp_pasvonly: 0
net.inet.ipf.fr_minttl: 3
net.inet.ipf.fr_minttllog: 1
------------------------------------------------
-jwb
Jim Beers
Networking Team Leader
Moravian College
610-861-1449
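The counters Jim is asking about (the "maximum" state-table hits, the lost states and the log failures) are easy to lose in the wall of ipfstat output. As an added example, not code from the post or from the IPFilter project, the script below parses the two line shapes `ipfstat -s` and `ipfstat` print, then reports the state-table and log pressure. The sample text is the counter block from the post, embedded as constructed input so it runs offline; the compiled-in IPSTATE_MAX (73311 in the post) is passed in because ipfstat does not print it, and the 5% log-failure threshold is an assumed value, not anything IPFilter defines.

```python
"""Parse ipfstat counters and flag state-table and log pressure.

Added example, not code from the original post or from the IPFilter project.
IPFSTAT_SAMPLE is the counter block from the post, embedded as constructed
input so the script runs offline; the threshold in assess() is an assumption.
"""
import re

IPFSTAT_SAMPLE = """\
IP states added:
17290 TCP
3592 UDP
305 ICMP
2222102 hits
34543 misses
44 maximum
0 no memory
4649 bkts in use
6230 active
3713 expired
11244 closed
input packets: blocked 15299 passed 1023810 nomatch 0 counted 0 short 0
output packets: blocked 45 passed 512370 nomatch 0 counted 0 short 0
input packets logged: blocked 13645 passed 27794
output packets logged: blocked 45 passed 7
log failures: input 12667 output 24
packet state(in): kept 27750 lost 44
packet state(out): kept 7 lost 0
"""

COUNT_FIRST = re.compile(r"^(\d+) (.+)$")  # "44 maximum", "4649 bkts in use"


def parse_ipfstat(text):
    """Return {counter name: int} for the two line shapes ipfstat emits.

    State-block lines put the number first ("6230 active"). Packet lines put
    a label, a colon, then name/value pairs ("log failures: input 12667
    output 24"), stored as "log failures input" and "log failures output".
    Lines that fit neither shape are skipped.
    """
    counters = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.endswith(":"):
            continue  # blank, or a section header such as "IP states added:"
        m = COUNT_FIRST.match(line)
        if m:
            counters[m.group(2)] = int(m.group(1))
            continue
        if ":" in line:
            label, rest = line.split(":", 1)
            tokens = rest.split()
            for i in range(0, len(tokens) - 1, 2):  # name value name value ...
                if tokens[i + 1].isdigit():
                    counters[f"{label.strip()} {tokens[i]}"] = int(tokens[i + 1])
    return counters


def assess(counters, ipstate_max, log_fail_warn=0.05):
    """Summarise the counters the post worries about and list findings.

    ipstate_max is the compiled-in IPSTATE_MAX (73311 in the post); ipfstat
    does not print it, so the caller supplies it. log_fail_warn (assumed) is
    the share of failed log attempts above which a finding is raised.
    """
    logged = sum(v for k, v in counters.items()
                 if k.startswith(("input packets logged", "output packets logged")))
    failures = counters.get("log failures input", 0) + counters.get("log failures output", 0)
    attempts = failures + logged  # successes plus failures = log attempts
    hits = counters.get("maximum", 0)
    lost = counters.get("packet state(in) lost", 0) + counters.get("packet state(out) lost", 0)
    util = counters.get("active", 0) / ipstate_max
    ratio = failures / attempts if attempts else 0.0
    findings = []
    if hits:
        findings.append(f"state-table limit hit {hits} times, {lost} states lost, "
                        f"while only {util:.1%} of IPSTATE_MAX is active")
    if counters.get("no memory", 0):
        findings.append(f"{counters['no memory']} state allocations failed for lack of memory")
    if ratio > log_fail_warn:
        findings.append(f"{failures} of {attempts} log attempts failed ({ratio:.1%}), "
                        "consistent with the kernel log buffer (IPLLOGSIZE) being full")
    return {"state_limit_hits": hits, "states_lost": lost, "state_utilisation": util,
            "packets_logged": logged, "log_failures": failures,
            "log_fail_ratio": ratio, "findings": findings}


if __name__ == "__main__":
    for finding in assess(parse_ipfstat(IPFSTAT_SAMPLE), ipstate_max=73311)["findings"]:
        print("WARN:", finding)
```

On the posted numbers the script reports both conditions: the limit was hit 44 times (matching the 44 inbound states lost) while active states sit at about 8.5% of IPSTATE_MAX, and 12691 of 54182 log attempts failed, roughly 23%. Running it against `ipfstat -s; ipfstat` output captured a few minutes apart turns the one-off snapshot in the post into a rate, which is what tells you whether the log buffer is overflowing under steady load or only during bursts.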