Subject: Re: Problems with stateful filtering in 4.1.22
To: None <current-users@netbsd.org>
From: Martti Kuparinen <martti.kuparinen@iki.fi>
List: current-users
Date: 05/23/2007 09:29:33
FYI: I just sent this to the ipfilter list

I'm still having problems with stateful filtering, even with 4.1.22 :-(

Martti


-------- Original Message --------
Darren Reed wrote:

> I think the first thing to try is to also record the state log data...so look
> at adding "-a" to the ipmon command line.  This will help you determine if
> the packets above are just arriving "late" or if they're not being matched up
> correctly.

Still the same problems with the latest NetBSD 4.0_BETA2 with IPF 4.1.22. And this
is very easy to trigger...


p130:~> date | mail -s TEST my-netbsd-address-here

ROOT p130:~> ipfstat -t
Source IP             Destination IP         ST   PR   #pkts    #bytes       ttl
xxx.xxx.xxx.130,65163 204.152.190.11,25     A/7  tcp       7       493      3:58

ROOT p130:~> ipfstat -s
IP states added:
         40 TCP
         3563 UDP
         0 ICMP
         30072 hits
         400935 misses
         0 bucket full
         0 maximum rule references
         0 maximum
         0 no memory
         6 bkts in use
         6 active
         3562 expired
         35 closed
State logging enabled

State table bucket statistics:
         6 in use
         0.10% bucket usage
         0 minimal length
         1 maximal length
         1.000 average length

TCP Entries per state
      0     1     2     3     4     5     6     7     8     9    10    11
      0     0     0     0     0     0     0     0     0     0     5     0


p130:~> tail -f /var/log/messages | grep 'ipmon.*smtp'
May 23 09:19:11 p130 ipmon[3816]: 09:19:11.488025 STATE:NEW p130.mydomain.com[xxx.xxx.xxx.130],65163 -> mail.netbsd.org[204.152.190.11],smtp PR tcp
May 23 09:19:14 p130 ipmon[3816]: 09:19:14.357273 bnx0 @0:37 b mail.netbsd.org[204.152.190.11],smtp -> p130.mydomain.com[xxx.xxx.xxx.130],65163 PR tcp len 20 52 -A IN
May 23 09:19:16 p130 ipmon[3816]: 09:19:16.361533 bnx0 @0:37 b mail.netbsd.org[204.152.190.11],smtp -> p130.mydomain.com[xxx.xxx.xxx.130],65163 PR tcp len 20 52 -A IN
May 23 09:19:19 p130 ipmon[3816]: 09:19:19.373691 bnx0 @0:37 b mail.netbsd.org[204.152.190.11],smtp -> p130.mydomain.com[xxx.xxx.xxx.130],65163 PR tcp len 20 52 -A IN
May 23 09:19:25 p130 ipmon[3816]: 09:19:25.398174 bnx0 @0:37 b mail.netbsd.org[204.152.190.11],smtp -> p130.mydomain.com[xxx.xxx.xxx.130],65163 PR tcp len 20 52 -A IN
May 23 09:19:38 p130 ipmon[3816]: 09:19:37.447426 bnx0 @0:37 b mail.netbsd.org[204.152.190.11],smtp -> p130.mydomain.com[xxx.xxx.xxx.130],65163 PR tcp len 20 52 -A IN
May 23 09:21:20 p130 ipmon[3816]: 09:21:20.078742 STATE:CLOSE p130.mydomain.com[xxx.xxx.xxx.130],65163 -> mail.netbsd.org[204.152.190.11],smtp PR tcp Forward: Pkts in 0 Bytes in 0 Pkts out 13 Bytes out 805 Backward: Pkts in 8 Bytes in 702 Pkts out 0 Bytes out 0


> Check the changes to the timeouts in ip_state.c

I'll do that later.

Martti
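
The "late or not matched?" check from the quoted advice can be automated over `ipmon -a` output. The following is an added example, not part of the original message or of IPFilter: it assumes each log entry sits on one line in the name-resolved `host[ip],port` layout shown above and that the log covers a single day; the function name `classify` and the sample addresses are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample in the ipmon -a syslog layout shown in the post
# (hostnames and documentation-range addresses are made up).
SAMPLE = """\
May 23 09:19:11 fw ipmon[3816]: 09:19:11.488025 STATE:NEW a.example[192.0.2.130],65163 -> b.example[198.51.100.11],smtp PR tcp
May 23 09:19:14 fw ipmon[3816]: 09:19:14.357273 bnx0 @0:37 b b.example[198.51.100.11],smtp -> a.example[192.0.2.130],65163 PR tcp len 20 52 -A IN
May 23 09:19:16 fw ipmon[3816]: 09:19:16.361533 bnx0 @0:37 b b.example[198.51.100.11],smtp -> a.example[192.0.2.130],65163 PR tcp len 20 52 -A IN
May 23 09:21:20 fw ipmon[3816]: 09:21:20.078742 STATE:CLOSE a.example[192.0.2.130],65163 -> b.example[198.51.100.11],smtp PR tcp Forward: Pkts in 0 Bytes in 0 Pkts out 13 Bytes out 805 Backward: Pkts in 8 Bytes in 702 Pkts out 0 Bytes out 0
May 23 09:21:25 fw ipmon[3816]: 09:21:25.100000 bnx0 @0:37 b b.example[198.51.100.11],smtp -> a.example[192.0.2.130],65163 PR tcp len 20 52 -A IN
"""

# Either a state event ("STATE:NEW") or a packet entry ("bnx0 @0:37 b"),
# followed by source and destination endpoints and the protocol.
LINE = re.compile(
    r"ipmon\[\d+\]: (?P<ts>\d\d:\d\d:\d\d\.\d+) "
    r"(?:STATE:(?P<ev>\w+)|\S+ @\d+:\d+ (?P<act>\w)) "
    r"\S*\[(?P<sip>[^\]]+)\],(?P<sp>\S+) -> \S*\[(?P<dip>[^\]]+)\],(?P<dp>\S+) "
    r"PR (?P<pr>\w+)")

def classify(log):
    """Return (timestamp, verdict, seconds since last state event) per blocked packet."""
    state, results = {}, []   # flow -> ("NEW" | "CLOSE", time of that event)
    for line in log.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%H:%M:%S.%f")
        # Direction-independent key: replies have source and destination swapped.
        flow = (frozenset({(m["sip"], m["sp"]), (m["dip"], m["dp"])}), m["pr"])
        if m["ev"] in ("NEW", "CLOSE"):
            state[flow] = (m["ev"], ts)
        elif m["act"] == "b":   # "b" marks a blocked packet
            ev, since = state.get(flow, (None, ts))
            verdict = {"NEW": "blocked-while-state-active",
                       "CLOSE": "late-after-close"}.get(ev, "no-state-seen")
            results.append((m["ts"], verdict, round((ts - since).total_seconds(), 1)))
    return results

if __name__ == "__main__":
    for row in classify(SAMPLE):
        print(*row)
```

In the log posted above, all five blocked ACKs fall between STATE:NEW and STATE:CLOSE, which is the first of the two verdicts.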