Re: insight on S10 ipfilter patch 125014-02?



Old 03-06-2007
Jeff A. Earickson

On Tue, 6 Mar 2007, Carson Gaspar wrote:

> Date: Tue, 06 Mar 2007 08:54:39 -0800
> From: Carson Gaspar <carson@taltos.org>
> To: Jeff A. Earickson <jaearick@colby.edu>
> Cc: ipfilter@coombs.anu.edu.au
> Subject: Re: insight on S10 ipfilter patch 125014-02?
>
> Jeff A. Earickson wrote:
>> Darren,
>>
>> If I change my port 25 rule from:
>>
>> pass in quick proto tcp from any to 137.146.28.72 port = 25 flags S keep state keep frags
>> pass out quick proto tcp from 137.146.28.72 to any port = 25 flags S keep state keep frags
>>
>> to:
>>
>> pass in quick proto tcp from any to 137.146.28.72 port = 25
>> pass out quick proto tcp from 137.146.28.72 to any port = 25
>>
>> Then all/most of my email traffic halts. I am using Sun multipathing,

>
> If you want stateless rules, then you need to allow reply packets, which you
> haven't done. Try the following (syntax from memory, so...):
>
> pass out quick proto tcp from 137.146.28.72 to any port = 25
> pass in quick proto tcp from any port = 25 to 137.146.28.72 port > 32767 flags A/A
> pass in quick proto tcp from any to 137.146.28.72 port = 25
> pass out quick proto tcp from 137.146.28.72 port = 25 to any port > 1023 flags A/A
>
> You'll note that the inbound rule is more restrictive with ports. You've
> said you're running Solaris, so the anonymous port range is 32768-65535
> (unless you've changed it). The Internet has a much broader range of
> anonymous ports (but always >= 1024, in my experience). Personally, I'd get
> rid of the outbound ACK rule port restriction entirely, unless you have
> naughty users running things on your mail server...
>
> --
> Carson


Carson,

Thank you, thank you. Your rules worked as-is and my delayed email started
moving. I had been using my stateful rules for a long time with one wire
just fine. With the addition of a second wire and IP-multipathing in an
active-passive failover mode, the wheels fell off. I ran snoop on both
interfaces and I could see a split of traffic between the wires, so the
second wire wasn't as silent as I would have expected. I figured that it
might have something to do with that, or kernel patch 118833-36, or mpathd
changes, or the ipfilter patch, or God knows what.

So how come mpathd and keep state don't play together? Is this a known
issue?

Jeff Earickson
Colby College
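As an added illustration that is not part of the thread, the Python model below replays Carson's point: Jeff's stateless port-25-only pair has no rule for the reply segments, while the added ACK-only (flags A/A) rules admit them and still refuse a fresh SYN arriving from port 25. The matcher is a deliberate simplification of ipf (default deny, first matching quick rule wins), and the remote addresses and ephemeral ports are constructed.

```python
from collections import namedtuple

MAILHOST = "137.146.28.72"   # the mail host from the thread
# direction is "in"/"out"; flags is the set TCP flags, e.g. "S", "SA", "A"
Pkt = namedtuple("Pkt", "direction src sport dst dport flags")

def rule(direction, src=None, sport=None, dst=None, dport=None, flags=None):
    """One 'pass <dir> quick proto tcp' rule as a predicate (simplified ipf).
    sport/dport: an int for 'port = N', or ('>', N) for 'port > N'.
    flags="A/A" (mask A, match A) requires ACK set, so a bare SYN never matches."""
    def port_ok(want, have):
        if isinstance(want, tuple):
            return have > want[1]
        return want is None or have == want
    def match(p):
        if p.direction != direction:
            return False
        if (src and p.src != src) or (dst and p.dst != dst):
            return False
        if not (port_ok(sport, p.sport) and port_ok(dport, p.dport)):
            return False
        return flags != "A/A" or "A" in p.flags
    return match

def passes(ruleset, pkt):
    """Default deny; the first matching quick rule passes the packet."""
    return any(r(pkt) for r in ruleset)

# Jeff's stateless pair: only segments addressed *to* port 25, in either direction.
STATELESS_ONLY = [rule("in", dst=MAILHOST, dport=25),
                  rule("out", src=MAILHOST, dport=25)]

# Carson's set: the same two rules plus ACK-only rules for the reply segments,
# the inbound one limited to Solaris' anonymous port range (> 32767).
WITH_REPLIES = [rule("out", src=MAILHOST, dport=25),
                rule("in", sport=25, dst=MAILHOST, dport=(">", 32767), flags="A/A"),
                rule("in", dst=MAILHOST, dport=25),
                rule("out", src=MAILHOST, sport=25, dport=(">", 1023), flags="A/A")]

# Constructed SMTP traffic: an inbound delivery handshake, then an outbound delivery.
EXCHANGE = [Pkt("in", "192.0.2.10", 45000, MAILHOST, 25, "S"),
            Pkt("out", MAILHOST, 25, "192.0.2.10", 45000, "SA"),   # reply segment
            Pkt("in", "192.0.2.10", 45000, MAILHOST, 25, "A"),
            Pkt("out", MAILHOST, 40000, "198.51.100.5", 25, "S"),
            Pkt("in", "198.51.100.5", 25, MAILHOST, 40000, "SA")]  # reply segment

def evaluate(ruleset):
    """Per-packet verdicts for EXCHANGE under a ruleset."""
    return [passes(ruleset, p) for p in EXCHANGE]
```

With the port-25-only pair both reply segments (the 2nd and 5th) are dropped, which is the halted mail Jeff saw; with the reply rules every segment of both exchanges passes.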