This is a discussion on ipfilter AIX - blocking on pass out, keep state rule within the IPFilter forums, part of the System Security and Security Related category.
Hi,
I am seeing some behaviour I don't think I should on AIX with ipfilter 4.1.13. All outgoing DNS requests are getting blocked and this is what ipmon shows:

    Feb 21 00:10:31 sebotp520-1 local0:warn|warning ipmon[254018]: 01:00: 00.000000 en5 @0:3 b xxx.xxx.100.234,34002 -> xxx.xxx.166.18,53 PR udp len 20 73 OUT

    # ipfstat -nio
    @1 block out log all
    @2 pass out quick on en5 proto udp from any to any keep state keep frags
    @3 pass out quick on en5 proto udp from any to any port = domain keep state keep frags

Why is it blocking on a pass rule, because of missing state? Allowing port 53 stateless lets the packets through. Looking at the ipfstat output shows a lot of state (out) lost packets. Should this really be, I don't see that at my fbsd/ipfilter at home?

Some cut-n-paste info below. I will look into this deeper tomorrow evening but any pointers would be appreciated.

-km

    # ipf -V
    ipf: IP Filter: v4.1.13 (480)
    Kernel: IP Filter: v4.1.13
    Running: yes
    Log Flags: 0 = none set
    Default: pass all, Logging: available
    Active list: 0
    Feature mask: 0x87

    # uname -a
    AIX sebotp520-1 3 5 0008FAE6D700

    # oslevel -s
    5300-06-03-0732

    # ipfstat -sl
    ....
    sebotp520-1 -> xxx.xxx.166.18 pass 0x40004702 pr 17 state 0/0 bkt 85 tag 0 ttl 24
            32872 -> 53
            forward: pkts in 0 bytes in 0 pkts out 2 bytes out 125
            backward: pkts in 2 bytes in 125 pkts out 0 bytes out 0
            pass out quick keep frags keep state IPv4
            pkt_flags & 0(0) = 0, pkt_options & ffffffff = 0, ffffffff = 0
            pkt_security & ffff = 0, pkt_auth & ffff = 0
            is_flx 0 0x1 0x1 0
            interfaces: in -[],en5[en5] out en5[en5],-[]
            Sync status: not synchronized
    ....
    # ipfstat -s
    IP states added:
            910 TCP
            1199 UDP
            8 ICMP
            17498769 hits
            9872 misses
            0 maximum
            0 no memory
            79 bkts in use
            1002 active
            0 expired
            11 closed
    State logging enabled

    State table bucket statistics:
            79 in use
            62.20% bucket usage
            0 minimal length
            14 maximal length
            12.684 average length

    # ipfstat
    bad packets:            in 0    out 0
    input packets:          blocked 5435 passed 11500856 nomatch 0 counted 0 short 0
    output packets:         blocked 5229 passed 6003187 nomatch 0 counted 0 short 0
    input packets logged:   blocked 4946 passed 0
    output packets logged:  blocked 5186 passed 0
    packets logged:         input 0 output 0
    log failures:           input 3705 output 4786
    fragment state(in):     kept 0  lost 0  not fragmented 0
    fragment state(out):    kept 0  lost 0  not fragmented 0
    packet state(in):       kept 319        lost 592
    packet state(out):      kept 798        lost 9589
    ICMP replies:   0       TCP RSTs sent:  0
    Invalid source(in):     0
    Result cache hits(in):  1852    (out):  178
    IN Pullups succeeded:   0       failed: 0
    OUT Pullups succeeded:  0       failed: 0
    Fastroute successes:    0       failures:       0
    TCP cksum fails(in):    0       (out):  0
    IPF Ticks:      0
    Packet log flags set: (0)
            none
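As an added example (not from the original post and not part of IPFilter), here is a small Python helper that reads the three outputs quoted in the post and flags the symptom directly. In IPFilter 4.x a `pass ... keep state` rule only passes a packet if a state entry can be added; when the add fails, the kernel counts it under `packet state(out): ... lost` and turns the verdict into a block, which ipmon then logs against the pass rule's own number, exactly the `@0:3 b` line above. The line layouts (ipmon `@group:rule` plus action letter, the `@N` prefix of `ipfstat -nio`, the `packet state(out): kept N lost M` counter) are taken from the quoted output; the sample data is constructed (the second ipmon line is invented so there is a normal block to contrast with), and the address pattern accepts the masked `xxx` octets.

```python
"""Correlate ipmon block entries with the ipfstat rule list and state counters.

Added example for this thread, not IPFilter code and not the poster's setup.
Sample data below is constructed: the first ipmon line is the one quoted in
the post (masked addresses kept), the second is an invented block under the
real block rule @1 that must NOT be flagged.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample input (see module docstring).
SAMPLE_IPMON = """\
Feb 21 00:10:31 sebotp520-1 local0:warn|warning ipmon[254018]: 01:00:00.000000 en5 @0:3 b xxx.xxx.100.234,34002 -> xxx.xxx.166.18,53 PR udp len 20 73 OUT
Feb 21 00:10:32 sebotp520-1 local0:warn|warning ipmon[254018]: 01:00:00.000000 en5 @0:1 b xxx.xxx.100.234,40000 -> xxx.xxx.166.18,25 PR tcp len 20 60 OUT
"""

SAMPLE_RULES = """\
@1 block out log all
@2 pass out quick on en5 proto udp from any to any keep state keep frags
@3 pass out quick on en5 proto udp from any to any port = domain keep state keep frags
"""

SAMPLE_STATS = """\
packet state(in): kept 319 lost 592
packet state(out): kept 798 lost 9589
"""

# ipmon payload: interface, @group:rule, action letter (b=blocked, p=passed,
# S=short, n=nomatch, L=log only), endpoints, protocol, direction.  Octets are
# matched as [\w.] so the masked "xxx" addresses from the post still parse.
IPMON_RE = re.compile(
    r"ipmon\[\d+\]:.*?(?P<iface>\S+)\s+@(?P<group>\d+):(?P<rule>\d+)\s+"
    r"(?P<action>[A-Za-z])\s+"
    r"(?P<src>[\w.]+),(?P<sport>\d+)\s+->\s+(?P<dst>[\w.]+),(?P<dport>\d+)\s+"
    r"PR\s+(?P<proto>\w+).*?\b(?P<direction>IN|OUT)\b"
)
RULE_RE = re.compile(r"@(\d+)\s+(.*\S)")  # "@N rule text" lines from ipfstat -nio
STATE_RE = re.compile(r"packet state\((in|out)\):\s+kept\s+(\d+)\s+lost\s+(\d+)")


def parse_rules(text: str) -> Dict[int, str]:
    """Map rule number -> rule text from 'ipfstat -nio' output."""
    rules: Dict[int, str] = {}
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules[int(m.group(1))] = m.group(2)
    return rules


def parse_ipmon(text: str) -> List[dict]:
    """One dict per parseable ipmon line; anything else is skipped."""
    events = []
    for line in text.splitlines():
        m = IPMON_RE.search(line)
        if m:
            ev = m.groupdict()
            for key in ("group", "rule", "sport", "dport"):
                ev[key] = int(ev[key])
            events.append(ev)
    return events


def find_pass_rule_blocks(events: List[dict], rules: Dict[int, str]) -> List[Tuple[dict, str]]:
    """Blocked packets whose logged rule is a 'pass' rule.

    That combination means the rule matched but its state entry could not be
    added (the 'lost' counter), so the pass was demoted to a block.
    """
    hits = []
    for ev in events:
        text = rules.get(ev["rule"], "")
        if ev["action"] == "b" and text.startswith("pass"):
            hits.append((ev, text))
    return hits


def parse_state_counters(text: str) -> Dict[str, Tuple[int, int]]:
    """{'in': (kept, lost), 'out': (kept, lost)} from plain 'ipfstat' output."""
    return {m.group(1): (int(m.group(2)), int(m.group(3))) for m in STATE_RE.finditer(text)}


def state_loss_ratio(counters: Dict[str, Tuple[int, int]], direction: str) -> float:
    """Fraction of state-add attempts that failed in the given direction."""
    kept, lost = counters[direction]
    total = kept + lost
    return lost / total if total else 0.0


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for ev, text in find_pass_rule_blocks(parse_ipmon(SAMPLE_IPMON), rules):
        print(f"blocked under pass rule @{ev['rule']}: {ev['src']},{ev['sport']} -> "
              f"{ev['dst']},{ev['dport']} {ev['proto']} {ev['direction']}  [{text}]")
    counters = parse_state_counters(SAMPLE_STATS)
    print(f"packet state(out) lost ratio: {state_loss_ratio(counters, 'out'):.1%}")
```

Run as a script it prints the one flagged entry (rule @3, the DNS packet) and the out-direction loss ratio, which for the post's counters is 9589/(798+9589), roughly 92%. That ratio is the number to watch after any rule change, because the ipmon line on its own does not distinguish a state-add failure from an ordinary block.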