'RE: Second question.. "age" parameter?'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       ipfilter
Subject:    RE: Second question.. "age" parameter?
From:       "Olmsted, Brian" <Brian.Olmsted () allstream ! com>
Date:       2005-12-15 20:27:05
Message-ID: F0A5661C0654E141B2BA417705F2B27817DD5024 () TOREX006 ! att-intra ! com
[Download RAW message or body]



Seems there is a parsing issue with age x/y as it doesn't take the rule
unless the tokens age #/# are at the end of the rule (testing with ipf
4.1buffalo - prior to 4.1.10)

Example:

pass out quick on qfe0 proto udp from 10.207.7.18/32 to 10.207.7.5/32
port = 111 keep state  keep frags  group 102  age 14400/14400

but putting "age ..." between "state" and "keep" doesn't work as per
EBNF notation on the man page.  Also, the man page seems to indicate the
state-ops should be surrounded by parentheses "("



     keep = "keep" "state" [ "(" state-options ")" ] | "keep" "frags" .
     state-options = state-opts [ "," state-options ] .

     state-opts = "age" decnumber [ "/" decnumber ] | "strict" |
                  "no-icmp-err" | "limit" decnumber | "newisn" | "sync"
.


Anyway, it doesn't solve my problem with return packets being dropped
for connections to the RPC portmapper on our NFS server....

Dec 15 20:24:59 infov2 ipmon[149]: [ID 702911 local0.warning]
20:24:59.015232 qfe0 @101:49 b 10.207.7.5,111 -> 10.207.7.18,35313 PR
udp len 20 56 IN
Dec 15 20:25:14 infov2 ipmon[149]: [ID 702911 local0.warning]
20:25:14.020352 qfe0 @101:49 b 10.207.7.5,111 -> 10.207.7.18,35313 PR
udp len 20 56 IN
Dec 15 20:25:44 infov2 ipmon[149]: [ID 702911 local0.warning]
20:25:44.030306 qfe0 @101:49 b 10.207.7.5,111 -> 10.207.7.18,35313 PR
udp len 20 56 IN
Dec 15 20:25:59 infov2 ipmon[149]: [ID 702911 local0.warning]
20:25:59.021292 qfe0 @101:49 b 10.207.7.5,111 -> 10.207.7.18,35314 PR
udp len 20 56 IN
Dec 15 20:26:14 infov2 ipmon[149]: [ID 702911 local0.warning]
20:26:14.030226 qfe0 @101:49 b 10.207.7.5,111 -> 10.207.7.18,35314 PR
udp len 20 56 IN






-----Original Message-----
From: Darren Reed [mailto:darrenr@reed.wattle.id.au] 
Sent: Saturday, December 03, 2005 1:28 AM
To: Olmsted, Brian
Cc: ipfilter@coombs.anu.edu.au
Subject: Re: Second question.. "age" parameter?

> 
> Is that in seconds, milli-seconds, ticks, etc?

Good followup.  IPFilter "ticks".
2 ticks = 1 second.

Darren

> -----Original Message-----
> From: Darren Reed [mailto:avalon@caligula.anu.edu.au] 
> Sent: Thursday, December 01, 2005 1:01 AM
> To: ipfilter@rfnj.org
> Cc: Olmsted, Brian; Darren Reed; IPFilter
> Subject: Re: Second question.. "age" parameter?
> 
> > What do the numbers themselves stand for?  "age x/y" carries what
> meaning
> > for x and for y?
> 
> x = timeout set by packets going "forward" (i.e. initiating packets)
> y = timeout set by reply packets
> 
> Darren
> 
> 

[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic