RE: Dropped Packets - Help please!
This is a discussion on RE: Dropped Packets - Help please! within the IPFilter forums, part of the System Security and Security Related category; We've got a few servers where we see similar behaviour (running 3.4.31 on solaris 9) Feb 1 ...
|
|||||||
| FAQ | Members List | Calendar | Search | Today's Posts | Mark Forums Read |
02-01-2006
|
|||
|
|||
RE: Dropped Packets - Help please!
We've got a few servers where we see similar behaviour (running 3.4.31 on solaris 9)
Feb 1 14:25:03 ns1.ht ipmon[92]: [ID 702911 local0.warning] 14:25:03.523152 hme0 @0:24 b xxx.xxx.xxx.248,35931 -> yyy.yyy.yyy.50,8443 PR tcp len 20 52 -AF IN Feb 1 14:25:05 ns1.ht ipmon[92]: [ID 702911 local0.warning] 14:25:05.562480 hme0 @0:24 b xxx.xxx.xxx.248,35931 -> yyy.yyy.yyy.50,8443 PR tcp len 20 191 -AFP IN Feb 1 14:25:12 ns1.ht ipmon[92]: [ID 702911 local0.warning] 14:25:12.602694 hme0 @0:24 b xxx.xxx.xxx.248,35931 -> yyy.yyy.yyy.50,8443 PR tcp len 20 191 -AFP IN Feb 1 14:25:26 ns1.ht ipmon[92]: [ID 702911 local0.warning] 14:25:26.685533 hme0 @0:24 b xxx.xxx.xxx.248,35931 -> yyy.yyy.yyy.50,8443 PR tcp len 20 191 -AFP IN Feb 1 14:25:54 ns1.ht ipmon[92]: [ID 702911 local0.warning] 14:25:54.842143 hme0 @0:24 b xxx.xxx.xxx.248,35931 -> yyy.yyy.yyy.50,8443 PR tcp len 20 191 -AFP IN Feb 1 14:25:58 ns1.ht ipmon[92]: [ID 702911 local0.warning] 14:25:58.584418 hme0 @0:24 b xxx.xxx.xxx.248,35931 -> yyy.yyy.yyy.50,8443 PR tcp len 20 40 -R IN Feb 1 14:26:36 ns1.ht ipmon[92]: [ID 702911 local0.warning] 14:26:36.705447 hme0 @0:24 b 211.126.199.141,35642 -> 64.59.168.50,49153 PR udp len 20 38 IN and with pass in quick proto tcp from xxx.xxx.xxx.0/23 to any port = 8443 flags S keep state keep frags in the rules file. state table stats on said box: IP states added: 20323 TCP 19414788 UDP 0 ICMP 45920495 hits 39668302 misses 237297 maximum 0 no memory 2930 bkts in use 4013 active 19411029 expired 20069 closed IP states added: 20323 TCP 19414788 UDP 0 ICMP 45920495 hits 39668302 misses 237297 maximum 0 no memory 2930 bkts in use 4013 active 19411029 expired 20069 closed thanks in advance, -----Original Message----- From: owner-ipfilter@coombs.anu.edu.au [mailto:owner-ipfilter@coombs.anu.edu.au]On Behalf Of Jim Sandoz Sent: January 27, 2006 8:37 AM To: Barb, Duane Cc: ipfilter@coombs.anu.edu.au Subject: Re: Dropped Packets - Help please! Barb, Duane wrote: > I'm getting dropped packets: > > [ID 702911 local0.warning] 08:45:14.146313 bge0 @0:2 b x.x.x.x,30404 -> > x.x.x.x,443 PR tcp len 20 40 -AR IN duane, this is a blocked packet, not a dropped packet. it is arriving at your external interface and being blocked. note, the line above indicates that the ACK+RST flags are set. my best guess is that this tuple was once in the state table, but the connection is already torn down, (i.e., ipf's state table has deleted the entry), and this packet is thus bouncing off of the firewall and being logged as a blocked packet. in other words, it is a packet not associated with a current state entry, and also not one that initiates a state entry by the following rule (since the flags don't match up): > pass in quick on bge0 proto tcp from any to x.y.z.122/32 port = 443 > flags S keep state keep frags and therefore it is blocked. seeing the above log entry, assuming you are not having other issues, is no cause for alarm. more than likely it is due to the interaction of the web server/client connection keepalive mechanisms and ipf's state table expiry times. jim 
|
Linear Mode
