return packets blocked - UDP with frags. help :)
This is a discussion on return packets blocked - UDP with frags. help :) within the IPFilter forums, part of the System Security and Security Related category; Why are these return packets continuously blocked? Dec 16 21:11:14 infov2 ipmon[149]: [ID 702911 local0.warning] 21:...
|
|||||||
| FAQ | Members List | Calendar | Search | Today's Posts | Mark Forums Read |
12-16-2005
|
|||
|
|||
return packets blocked - UDP with frags. help :)
Why are these return packets continuously blocked? Dec 16 21:11:14 infov2 ipmon[149]: [ID 702911 local0.warning] 21:11:14.026689 qfe0 @101:49 b 10.207.7.5,111 -> 10.207.7.18,35957 PR udp len 20 56 IN Dec 16 21:11:44 infov2 ipmon[149]: [ID 702911 local0.warning] 21:11:44.036887 qfe0 @101:49 b 10.207.7.5,111 -> 10.207.7.18,35957 PR udp len 20 56 IN I'm trying to setup connectivity for NFS client (10.207.7.18) to talk to NFS server (10.207.7.5). This connection is to the portmapper on the NFS server (port 111, udp). RPC services on the NFS server... root@infov2# rpcinfo -p 10.207.7.5 program vers proto port service 100024 1 tcp 4047 status 100024 1 udp 4047 status 100011 1 udp 4049 rquotad 100021 4 tcp 4045 nlockmgr 100021 3 tcp 4045 nlockmgr 100021 1 tcp 4045 nlockmgr 100021 4 udp 4045 nlockmgr 100021 3 udp 4045 nlockmgr 100021 1 udp 4045 nlockmgr 100005 3 tcp 4046 mountd 100005 2 tcp 4046 mountd 100005 1 tcp 4046 mountd 100005 3 udp 4046 mountd 100005 2 udp 4046 mountd 100005 1 udp 4046 mountd 100003 4 tcp 2049 nfs 100003 3 tcp 2049 nfs 100003 2 tcp 2049 nfs 100003 3 udp 2049 nfs 100003 2 udp 2049 nfs 100000 2 tcp 111 rpcbind 100000 2 udp 111 rpcbind root@infov2# Rules below... Is there something with the whole UDP fragmented packets in the rules? I'm not sure of the exact PROPER usage of "keep frags", "with frags" and the whole "age x/y" statements. Do I need to make my state table larger or increase my UDP timeouts globally, etc? root@infov2# ipfstat -i -o -h -n | egrep '10\.207\.7\.5' 1 @45 pass out quick on qfe0 proto tcp from 10.207.7.18/32 to 10.207.7.5/32 port = sunrpc flags S/FSRPAU keep state keep frags group 102 4 @46 pass out quick on qfe0 proto udp from 10.207.7.18/32 to 10.207.7.5/32 port = sunrpc keep state keep frags group 102 0 @47 pass out quick on qfe0 proto tcp from 10.207.7.18/32 to 10.207.7.5/32 port = nfsd flags S/FSRPAU keep state keep frags group 102 172 @48 pass out quick on qfe0 proto udp from 10.207.7.18/32 to 10.207.7.5/32 port = nfsd keep state keep frags group 102 0 @49 pass out quick on qfe0 proto tcp from 10.207.7.18/32 to 10.207.7.5/32 port 4044 >< 4048 flags S/FSRPAU keep state keep frags group 102 2 @50 pass out quick on qfe0 proto udp from 10.207.7.18/32 to 10.207.7.5/32 port 4044 >< 4048 keep state keep frags group 102 4 @51 pass out quick on qfe0 proto udp from 10.207.7.18/32 to 10.207.7.5/32 port = 4049 keep state keep frags group 102 2982 @52 pass out quick on qfe0 proto udp from 10.207.7.18/32 to 10.207.7.5/32 with frag group 102 0 @36 pass in quick on qfe0 proto tcp from 10.207.7.5/32 to 10.207.7.18/32 port = sunrpc flags S/FSRPAU keep state keep frags group 101 0 @37 pass in quick on qfe0 proto udp from 10.207.7.5/32 to 10.207.7.18/32 port = sunrpc keep state keep frags group 101 0 @38 pass in quick on qfe0 proto tcp from 10.207.7.5/32 to 10.207.7.18/32 port = nfsd flags S/FSRPAU keep state keep frags group 101 0 @39 pass in quick on qfe0 proto udp from 10.207.7.5/32 to 10.207.7.18/32 port = nfsd keep state keep frags group 101 0 @40 pass in quick on qfe0 proto tcp from 10.207.7.5/32 to 10.207.7.18/32 port 4044 >< 4048 flags S/FSRPAU keep state keep frags group 101 0 @41 pass in quick on qfe0 proto udp from 10.207.7.5/32 to 10.207.7.18/32 port 4044 >< 4048 keep state keep frags group 101 0 @42 pass in quick on qfe0 proto udp from 10.207.7.5/32 to 10.207.7.18/32 port = 4049 keep state keep frags group 101 211 @43 pass in quick on qfe0 proto udp from 10.207.7.5/32 to 10.207.7.18/32 with frag group 101 root@infov2# 
|
Linear Mode
