
List:       ipfilter
Subject:    Problem w/ (at least) DNS name resolution
From:       "Michael T. Davis" <DAVISM () ecr6 ! ohio-state ! edu>
Date:       2011-08-04 16:41:40
Message-ID: 4747_1312476461_4E3ACD2C_4747_8022_1_01O4GA0GU8L49EMITM () ecr6 ! ohio-state ! edu

	After an extended period of time running a system under OpenBSD 2.8
and IPF v3.3.18, I now have a computer running NetBSD 5.1 release with
IPF v4.1.29.  It was great to just take my existing ruleset and drop it on
the "new" system, and it "just worked."  I am seeing a couple annoying issues,
though, which may be related.

	First, SSH connections to systems behind the firewall from outside
the LAN get dropped every two or three hours.  This is particularly the case
for SSH connections to the firewall, itself.  The only clue I get that I can
shortly expect a dropped connection to the firewall is that ipmon (-Dnps)
will sometimes log an entry for some form of traffic we're tracking wherein
the IP addresses are not resolved to host names.  If I attempt to reconnect
to the firewall right away, it seems to take longer than usual to establish
the connection, and any logged firewall traffic continues to lack host name
references.  Then in a couple minutes, the SSH connection is dropped again.
After another SSH connection to the firewall, it seems to operate normally for
a few hours, until the next such incident.

	What might be related is that we have a set of rules in place to
statefully maintain connections to our DNS servers, which sit upstream from
our LAN.  Despite this, the firewall will periodically log blocked UDP
packets to the DNS servers.  Is there a parameter I should consider adjusting
to increase the time UDP packets are considered part of an established
connection?  Perhaps the issue is potentially with all UDP packets "timing
out" too soon, and we're only seeing a problem with name resolution, since the
process is so tied up with Internet communications in general.

	FWIW, the system is configured as a firewall with two Intel NICs
plumbed to a bridge (no NAT or explicit IPv6).  An IP address is bound to the
"internal" NIC.

	I would welcome any guidance in tracking down these issues, and I'm
happy to provide more details, if necessary.

Regards,
Mike
-- 
         Michael T. Davis  (Mike)        | Manager for Networking, Admin.
    E-mail: davism@ecr6.ohio-state.edu   | & Research Computing: CBE/MSE
 -or- davism+@osu.edu, davis.157@osu.edu |   The Ohio State University
 http://www.ecr6.ohio-state.edu/~davism/ |   197 Watts, (614) 292-6928
              ** E-mail is the best way to contact me **
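A way to check the correlation Mike describes (ipmon entries that show bare IP addresses instead of host names turning up around blocked UDP/53 packets to the upstream resolvers) over saved ipmon output. This is an added example written for this page, not code from the poster or from the IPFilter project. The log lines, host names, addresses, interface names and resolver addresses are constructed, and the ipmon field layout it parses is assumed from ipmon's documented output format (time, interface, @group:rule, action, src,port -> dst,port, PR proto, len, optional flags, IN/OUT).

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample of "ipmon -D -n -p -s" output as it lands in syslog.
# Everything here is made up for the example (documentation addresses,
# example host names); it is not the original poster's log.
SAMPLE_LOG = """\
Aug  4 09:12:01 fw ipmon[512]: 09:12:01.113459 wm0 @0:14 p ns1.example.edu,53 -> host1.example.edu,52314 PR udp len 20 112 IN
Aug  4 11:40:22 fw ipmon[512]: 11:40:22.571002 wm1 @0:3 b 10.1.2.3,41005 -> 192.0.2.10,53 PR udp len 20 64 OUT
Aug  4 11:40:25 fw ipmon[512]: 11:40:25.009811 wm1 @0:3 b 10.1.2.3,41006 -> 192.0.2.11,53 PR udp len 20 64 OUT
Aug  4 11:41:03 fw ipmon[512]: 11:41:03.330174 wm0 @0:9 p 203.0.113.7,50112 -> 10.1.2.1,22 PR tcp len 20 52 -A IN
Aug  4 14:05:10 fw ipmon[512]: 14:05:10.007316 wm0 @0:9 p client.example.org,50990 -> fw.example.edu,22 PR tcp len 20 60 -S IN
"""

# Upstream DNS servers the ruleset keeps state for (assumed values).
DNS_SERVERS = {"192.0.2.10", "192.0.2.11"}

# Field layout assumed from ipmon's documented format:
#   HH:MM:SS.usec iface @group:rule action src,sport -> dst,dport PR proto len hlen len [flags] IN|OUT
IPMON_RE = re.compile(
    r"ipmon\[\d+\]: (?P<time>\d\d:\d\d:\d\d)\.\d+ (?P<iface>\S+) @(?P<rule>\S+) "
    r"(?P<action>\S+) (?P<src>\S+),(?P<sport>\S+) -> (?P<dst>\S+),(?P<dport>\S+) "
    r"PR (?P<proto>\S+) len \d+ \d+(?: \S+)* (?P<dir>IN|OUT)\s*$"
)


def parse_ipmon_line(line):
    """Return a dict of fields for one ipmon entry, or None for any other line."""
    m = IPMON_RE.search(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["time"], "%H:%M:%S")
    return e


def is_ip_literal(name):
    """True when ipmon printed a bare address, i.e. -n could not resolve it."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def analyze(log_text, dns_servers, window_s=120):
    """Summarise blocked DNS queries and unresolved entries, and pair them up.

    A blocked UDP/53 packet to one of dns_servers is "correlated" when some
    other entry with an unresolved endpoint is logged within window_s after it.
    """
    events = [e for e in map(parse_ipmon_line, log_text.splitlines()) if e]
    blocked_dns = [e for e in events
                   if e["action"] == "b" and e["proto"] == "udp"
                   and e["dport"] == "53" and e["dst"] in dns_servers]
    unresolved = [e for e in events
                  if is_ip_literal(e["src"]) or is_ip_literal(e["dst"])]
    correlated = []
    for b in blocked_dns:
        for u in unresolved:
            if u is b or u["dport"] == "53":
                continue  # skip the DNS probes themselves
            delta = (u["ts"] - b["ts"]).total_seconds()
            if 0 < delta <= window_s:
                correlated.append((b["time"], u["time"]))
                break
    return {
        "entries": len(events),
        "blocked_dns": [e["time"] for e in blocked_dns],
        "unresolved": [e["time"] for e in unresolved],
        "correlated": correlated,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG, DNS_SERVERS).items():
        print(f"{key}: {value}")
```

Run it against a real ipmon syslog file instead of SAMPLE_LOG to see whether the unresolved-name entries cluster after blocked queries to the resolvers; if they do, the next thing to look at is the UDP state timeouts, which in IPF 4.1 are tunables visible with `ipf -T list`.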