'RE: return packets blocked - UDP with frags. help :)'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       ipfilter
Subject:    RE: return packets blocked - UDP with frags.   help :)
From:       "Olmsted, Brian" <Brian.Olmsted () allstream ! com>
Date:       2005-12-21 19:18:46
Message-ID: 90B9038D80988846AD139AA20BB9531E101E65 () TJ1EXB02 ! mtsallstream ! com
[Download RAW message or body]


Anybody have any insight into this and why I am seeing this constantly?


-----Original Message-----
From: Olmsted, Brian 
Sent: Friday, December 16, 2005 4:25 PM
To: ipfilter@coombs.anu.edu.au
Cc: Olmsted, Brian
Subject: return packets blocked - UDP with frags. help :)


Why are these return packets continuously blocked?


Dec 16 21:11:14 infov2 ipmon[149]: [ID 702911 local0.warning]
21:11:14.026689 qfe0 @101:49 b 10.207.7.5,111 -> 10.207.7.18,35957 PR
udp len 20 56 IN
Dec 16 21:11:44 infov2 ipmon[149]: [ID 702911 local0.warning]
21:11:44.036887 qfe0 @101:49 b 10.207.7.5,111 -> 10.207.7.18,35957 PR
udp len 20 56 IN


I'm trying to setup connectivity for NFS client (10.207.7.18) to talk to
NFS server (10.207.7.5).   This connection is to the portmapper on the
NFS server (port 111, udp).

RPC services on the NFS server...

root@infov2# rpcinfo -p 10.207.7.5 
   program vers proto   port  service
    100024    1   tcp   4047  status
    100024    1   udp   4047  status
    100011    1   udp   4049  rquotad
    100021    4   tcp   4045  nlockmgr
    100021    3   tcp   4045  nlockmgr
    100021    1   tcp   4045  nlockmgr
    100021    4   udp   4045  nlockmgr
    100021    3   udp   4045  nlockmgr
    100021    1   udp   4045  nlockmgr
    100005    3   tcp   4046  mountd
    100005    2   tcp   4046  mountd
    100005    1   tcp   4046  mountd
    100005    3   udp   4046  mountd
    100005    2   udp   4046  mountd
    100005    1   udp   4046  mountd
    100003    4   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100003    2   tcp   2049  nfs
    100003    3   udp   2049  nfs
    100003    2   udp   2049  nfs
    100000    2   tcp    111  rpcbind
    100000    2   udp    111  rpcbind
root@infov2#


Rules below...

Is there something with the whole UDP fragmented packets in the rules?

I'm not sure of the exact PROPER usage of "keep frags", "with frags" and
the whole "age x/y" statements.

Do I need to make my state table larger or increase my UDP timeouts
globally, etc?


root@infov2# ipfstat -i -o -h -n | egrep '10\.207\.7\.5'
1 @45 pass out quick on qfe0 proto tcp from 10.207.7.18/32 to
10.207.7.5/32 port = sunrpc flags S/FSRPAU keep state keep frags group
102
4 @46 pass out quick on qfe0 proto udp from 10.207.7.18/32 to
10.207.7.5/32 port = sunrpc keep state keep frags group 102
0 @47 pass out quick on qfe0 proto tcp from 10.207.7.18/32 to
10.207.7.5/32 port = nfsd flags S/FSRPAU keep state keep frags group 102
172 @48 pass out quick on qfe0 proto udp from 10.207.7.18/32 to
10.207.7.5/32 port = nfsd keep state keep frags group 102
0 @49 pass out quick on qfe0 proto tcp from 10.207.7.18/32 to
10.207.7.5/32 port 4044 >< 4048 flags S/FSRPAU keep state keep frags
group 102
2 @50 pass out quick on qfe0 proto udp from 10.207.7.18/32 to
10.207.7.5/32 port 4044 >< 4048 keep state keep frags group 102
4 @51 pass out quick on qfe0 proto udp from 10.207.7.18/32 to
10.207.7.5/32 port = 4049 keep state keep frags group 102
2982 @52 pass out quick on qfe0 proto udp from 10.207.7.18/32 to
10.207.7.5/32 with frag group 102
0 @36 pass in quick on qfe0 proto tcp from 10.207.7.5/32 to
10.207.7.18/32 port = sunrpc flags S/FSRPAU keep state keep frags group
101
0 @37 pass in quick on qfe0 proto udp from 10.207.7.5/32 to
10.207.7.18/32 port = sunrpc keep state keep frags group 101
0 @38 pass in quick on qfe0 proto tcp from 10.207.7.5/32 to
10.207.7.18/32 port = nfsd flags S/FSRPAU keep state keep frags group
101
0 @39 pass in quick on qfe0 proto udp from 10.207.7.5/32 to
10.207.7.18/32 port = nfsd keep state keep frags group 101
0 @40 pass in quick on qfe0 proto tcp from 10.207.7.5/32 to
10.207.7.18/32 port 4044 >< 4048 flags S/FSRPAU keep state keep frags
group 101
0 @41 pass in quick on qfe0 proto udp from 10.207.7.5/32 to
10.207.7.18/32 port 4044 >< 4048 keep state keep frags group 101
0 @42 pass in quick on qfe0 proto udp from 10.207.7.5/32 to
10.207.7.18/32 port = 4049 keep state keep frags group 101
211 @43 pass in quick on qfe0 proto udp from 10.207.7.5/32 to
10.207.7.18/32 with frag group 101
root@infov2#

[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic