[prev in list] [next in list] [prev in thread] [next in thread] 

List:       ipfilter
Subject:    Re: ipfilter AIX - blocking on pass out, keep state rule
From:       km <km () grogg ! org>
Date:       2008-03-03 22:54:59
Message-ID: 20080303225459.GA30532 () hp ! pi ! se
[Download RAW message or body]

On 28/02, Darren Reed wrote:
> km wrote:
> >On 22/02, km wrote:
> >> On 21/02, Steve Clark wrote:
> >> > km wrote:
> >> > >Hi,
> >> > >
> >> > >I am seeing some behaviour I dont think I should on AIX with ipfilter 
> >> > >4.1.13.
> >> > >
> >> > >All outgoing DNS requests are getting blocked and this is what ipmon 
> >shows:
> >> > >
> >> > >Feb 21 00:10:31 sebotp520-1 local0:warn|warning ipmon[254018]: 01:00: 
> >> > >00.000000 en5 @0:3 b xxx.xxx.100.234,34002 -> xxx.xxx.166.18,53 PR 
> >udp len > > >20 73 OUT
> >> > >
> >> > ># ipfstat -nio
> >> > >@1 block out log all
> >> > >@2 pass out quick on en5 proto udp from any to any keep state keep 
> >frags
> >> > >@3 pass out quick on en5 proto udp from any to any port = domain keep
> >> > >state keep frags
> >> > >
> >> > >Why is it blocking on a pass rule, because of missing state?
> >> > >Allowing port 53 stateless lets the packets through.
> >> > >
> >> > >Looking at the ipfstat output shows alot of state (out) lost packets. 
> >> > >Should
> >> > >this really be, I dont see that at my fbsd/ipfilfter at home?
> >> > >
> >> > >Some cut-n-paste info below.
> >> > >
> >> > >I will look into this deeper tomorrow evening but any pointers would 
> >be
> >> > >appreciated.
> >> > >
> >> > >-km
> >> > >
> >[snip]
> >> > >
> >> > I ran into the same problem with icmp on 4.13 using freebsd - had to 
> >> > upgrade to 4.1.26
> >> 
> >> Yep, something is definitely wrong. The server crashed hard today as
> >> well. Core dumped on floor :)
> >> 
> >> I've gone over to pure stateless filtering now and will stress test it 
> >for a
> >> couple of days. I actually dont have a need for keeping state for this
> >> particular setup but it would be really nice to have a stable working
> >> ipfilter on AIX in the future.
> >> 
> >> -km
> >
> >I'm still getting kernel panics even without keeping state. Too bad, looks
> >like I will have to go with a dedicated firewall instead :(
> >  
> 
> Sorry that I can't help - I don't have any access to IBM hardware
> that runs AIX.
> 
> Darren

I guess you would need physical access to a pSeries for that. I imagine
firewall testing would be pretty hard otherwise. Serial access to a machine
in a co-lo maybe? That shouldnt be impossible if you see ipfilter on AIX
a worthwile cause.

What makes it impossible for me to get you a real pSeries is that im located
in Sweden, I guess the freight on one would be a killer. Otherwise I
occasionally get the opportunity to take old P hardware that my customers
no longer need, without disks ofcourse.

I wonder what it would take to make IBM donate a machine though.

-km

[prev in list] [next in list] [prev in thread] [next in thread]