On Fri, Jan 06, 2006 at 04:05:14PM +0200, Giorgos Keramidas wrote:
> On 2006-01-06 00:17, Jacob S <[EMAIL PROTECTED]> wrote:
> > Hello list,
> >
> > I'm having a problem setting up ipf on a FreeBSD server and can't
> > figure out where I'm going wrong. I copied my ipf.rules file from
> > another server I have where ipf is working great. But after I
> > customized the rules to this server it is filling /var/log/messages
> > with lines like the following:
> >
> > Jan 4 15:15:21 pikeman ipmon[222]: 15:15:21.465822 2x em0 @0:33 b 198.32.64.12,53 -> 65.19.150.68,62097 PR udp len 20 314 IN
> > Jan 4 15:15:21 pikeman ipmon[222]: 15:15:21.492578 em0 @0:33 b 216.200.145.35,25 -> 65.19.150.68,57210 PR tcp len 20 60 -AS IN
> > Jan 4 15:15:21 pikeman ipmon[222]: 15:15:21.505821 em0 @0:33 b 205.188.156.249,25 -> 65.19.150.68,57209 PR tcp len 20 48 -AS IN
<snip>
> The blocked packets fall through the chain of rules and end up in rule
> 0:33 (0 = incoming, 33 = block in log first quick on em0 all).
>
> > The lines scroll by faster than I can read them, if I tail the logfile.
> > The blocked packets in this case are coming from standard ports to
> > non-standard ports. Doing a reverse lookup on the IPs, it would seem
> > that my server has initiated the transfer and the other servers are
> > simply replying. (I deduce that from the blocked IPs because they belong
> > to hostnames that I would not expect to be flooding my server. Namely,
> > the first IP is for l.root-servers.net.)
>
> This seems to be an issue with the timeout of rule states. What do you
> see if you run...
>
> $ sysctl -a | fgrep ipf.
>
> it should be something like:
>
> net.inet.ipf.fr_minttl: 4
> net.inet.ipf.fr_chksrc: 0
> net.inet.ipf.fr_defaultauthage: 600
> net.inet.ipf.fr_authused: 0
> net.inet.ipf.fr_authsize: 32
> net.inet.ipf.ipf_hostmap_sz: 2047
> net.inet.ipf.ipf_rdrrules_sz: 127
> net.inet.ipf.ipf_natrules_sz: 127
> net.inet.ipf.ipf_nattable_sz: 2047
> net.inet.ipf.fr_statemax: 4013
> net.inet.ipf.fr_statesize: 5737
> net.inet.ipf.fr_running: 1
> net.inet.ipf.fr_ipfrttl: 120
> net.inet.ipf.fr_defnatage: 1200
> net.inet.ipf.fr_icmptimeout: 120
> net.inet.ipf.fr_udpacktimeout: 24
> net.inet.ipf.fr_udptimeout: 240
> net.inet.ipf.fr_tcpclosed: 120
> net.inet.ipf.fr_tcptimeout: 480
> net.inet.ipf.fr_tcplastack: 480
> net.inet.ipf.fr_tcpclosewait: 480
> net.inet.ipf.fr_tcphalfclosed: 14400
> net.inet.ipf.fr_tcpidletimeout: 864000
> net.inet.ipf.fr_active: 0
> net.inet.ipf.fr_pass: 134217730
> net.inet.ipf.fr_flags: 0

sysctl -a | fgrep ipf shows this on the problem server:

net.inet.ipf.fr_flags: 0
net.inet.ipf.fr_pass: 514
net.inet.ipf.fr_active: 0
net.inet.ipf.fr_tcpidletimeout: 864000
net.inet.ipf.fr_tcpclosewait: 480
net.inet.ipf.fr_tcplastack: 480
net.inet.ipf.fr_tcptimeout: 480
net.inet.ipf.fr_tcpclosed: 120
net.inet.ipf.fr_tcphalfclosed: 14400
net.inet.ipf.fr_udptimeout: 240
net.inet.ipf.fr_udpacktimeout: 24
net.inet.ipf.fr_icmptimeout: 120
net.inet.ipf.fr_icmpacktimeout: 12
net.inet.ipf.fr_defnatage: 1200
net.inet.ipf.fr_ipfrttl: 120
net.inet.ipf.ipl_unreach: 13
net.inet.ipf.fr_running: 1
net.inet.ipf.fr_authsize: 32
net.inet.ipf.fr_authused: 0
net.inet.ipf.fr_defaultauthage: 600
net.inet.ipf.fr_chksrc: 0
net.inet.ipf.ippr_ftp_pasvonly: 0
net.inet.ipf.fr_minttl: 3
net.inet.ipf.fr_minttllog: 1
net.link.ether.ipfw: 0

Incidentally, the server I copied my ipf.rules file from has an identical
output from sysctl -a | fgrep ipf.

Any more thoughts or tips?

Thanks,
Jacob
--
GnuPG Key: 1024D/16377135
Random .signature #19:
Computers are like air conditioners -- they stop working properly if you open Windows
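A small triage script for the ipmon lines quoted above, added here as an example and not part of the thread: it parses that log format and applies the reasoning in the reply (well-known source port, ephemeral destination port, TCP SYN+ACK) to count how many blocks on each rule are probably replies to connections the host itself opened, which is the symptom of missing or expired state entries. The sample input re-types the three lines from the post as constructed data; the split between well-known and ephemeral ports at 1024 is an assumption.

```python
import re
from collections import Counter

# Constructed sample: the three ipmon lines from the post (first one carries a "2x" repeat count).
SAMPLE_LOG = """\
Jan  4 15:15:21 pikeman ipmon[222]: 15:15:21.465822 2x em0 @0:33 b 198.32.64.12,53 -> 65.19.150.68,62097 PR udp len 20 314 IN
Jan  4 15:15:21 pikeman ipmon[222]: 15:15:21.492578 em0 @0:33 b 216.200.145.35,25 -> 65.19.150.68,57210 PR tcp len 20 60 -AS IN
Jan  4 15:15:21 pikeman ipmon[222]: 15:15:21.505821 em0 @0:33 b 205.188.156.249,25 -> 65.19.150.68,57209 PR tcp len 20 48 -AS IN
"""

# Fields after the syslog prefix: timestamp, optional "Nx" repeat count, interface,
# @group:rule, action (b/p), src,port -> dst,port, PR proto, len hdr total, [-flags], direction.
IPMON_RE = re.compile(
    r"ipmon\[\d+\]: (?P<stamp>[\d:.]+) (?:(?P<count>\d+)x )?(?P<iface>\S+) "
    r"@(?P<group>\d+):(?P<rule>\d+) (?P<action>[bp]) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+) len (?P<hlen>\d+) (?P<plen>\d+)"
    r"(?: (?P<flags>-\S+))? (?P<dir>IN|OUT)$"
)

EPHEMERAL_START = 1024  # assumption: ports below this are "standard" service ports


def parse_ipmon(line):
    """Return a dict of fields for one ipmon log line, or None if it is not an ipmon line."""
    m = IPMON_RE.search(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["count"] = int(rec["count"] or 1)          # "2x" means the line was seen twice
    for k in ("group", "rule", "sport", "dport", "hlen", "plen"):
        rec[k] = int(rec[k])
    rec["flags"] = rec["flags"] or ""              # udp/icmp lines carry no flag field
    return rec


def looks_like_orphaned_reply(rec):
    """Blocked inbound packet from a service port to an ephemeral local port: probably the
    answer to a connection this host opened, for which no state entry matched."""
    if rec["action"] != "b" or rec["dir"] != "IN":
        return False
    if rec["sport"] >= EPHEMERAL_START or rec["dport"] < EPHEMERAL_START:
        return False
    if rec["proto"] == "tcp":                      # -AS = SYN+ACK, i.e. reply to our SYN
        return "A" in rec["flags"] and "S" in rec["flags"]
    return True


def summarize(log_text):
    """Per-rule totals of blocked packets and of those that look like orphaned replies."""
    blocked, orphaned = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_ipmon(line)
        if rec is None:
            continue
        key = f"@{rec['group']}:{rec['rule']}"
        blocked[key] += rec["count"]
        if looks_like_orphaned_reply(rec):
            orphaned[key] += rec["count"]
    return {"blocked_per_rule": dict(blocked), "orphaned_replies": dict(orphaned)}
```

Run it over `/var/log/messages` instead of the sample: a rule whose orphaned count is close to its blocked count points at state timeouts or a missing `keep state` on the outbound rules rather than at hostile traffic.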