This is a discussion on Re: ipfilter AIX - blocking on pass out, keep state rule within the IPFilter forums, part of the System Security and Security Related category.

km wrote:
> On 22/02, km wrote:
> > On 21/02, Steve Clark wrote:
> > > km wrote:
> > > >Hi,
> > > >
> > > >I am seeing some behaviour I don't think I should on AIX with ipfilter
> > > >4.1.13.
> > > >
> > > >All outgoing DNS requests are getting blocked and this is what ipmon shows:
> > > >
> > > >Feb 21 00:10:31 sebotp520-1 local0:warn|warning ipmon[254018]: 01:00:
> > > >00.000000 en5 @0:3 b xxx.xxx.100.234,34002 -> xxx.xxx.166.18,53 PR udp len
> > > >20 73 OUT
> > > >
> > > ># ipfstat -nio
> > > >@1 block out log all
> > > >@2 pass out quick on en5 proto udp from any to any keep state keep frags
> > > >@3 pass out quick on en5 proto udp from any to any port = domain keep
> > > >state keep frags
> > > >
> > > >Why is it blocking on a pass rule, because of missing state?
> > > >Allowing port 53 stateless lets the packets through.
> > > >
> > > >Looking at the ipfstat output shows a lot of state (out) lost packets.
> > > >Should
> > > >this really be, I don't see that at my fbsd/ipfilter at home?
> > > >
> > > >Some cut-n-paste info below.
> > > >
> > > >I will look into this deeper tomorrow evening but any pointers would be
> > > >appreciated.
> > > >
> > > >-km
> > > >
> > > [snip]
> > >
> > > I ran into the same problem with icmp on 4.13 using freebsd - had to
> > > upgrade to 4.1.26
> >
> > Yep, something is definitely wrong. The server crashed hard today as
> > well. Core dumped on floor :)
> >
> > I've gone over to pure stateless filtering now and will stress test it for a
> > couple of days. I actually don't have a need for keeping state for this
> > particular setup but it would be really nice to have a stable working
> > ipfilter on AIX in the future.
> >
> > -km
>
> I'm still getting kernel panics even without keeping state. Too bad, looks
> like I will have to go with a dedicated firewall instead :(
>

Sorry that I can't help - I don't have any access to IBM hardware that runs AIX.

Darren
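The symptom km describes is an ipmon entry logged as blocked (`b`) but attributed to a `pass ... keep state` rule, which points at state creation failing rather than at the rule set. The following script is an added example, not code from the thread or from the IPFilter project: it parses the `ipfstat -nio` listing and ipmon lines in the formats quoted above and reports every blocked packet whose rule is actually a pass rule. The sample log and rule text are constructed from the thread's single line (with the wrapped timestamp rejoined), and the script assumes the `@group:rule` numbers ipmon prints correspond to the `@N` numbering of `ipfstat -nio` for group 0.

```python
import re

# Constructed ipmon sample modelled on the line quoted in the thread; the second
# and third lines are made up to show a block on a real block rule and a pass.
IPMON_LOG = """\
Feb 21 00:10:31 sebotp520-1 local0:warn|warning ipmon[254018]: 01:00:00.000000 en5 @0:3 b xxx.xxx.100.234,34002 -> xxx.xxx.166.18,53 PR udp len 20 73 OUT
Feb 21 00:10:32 sebotp520-1 local0:warn|warning ipmon[254018]: 01:00:01.000000 en5 @0:1 b xxx.xxx.100.234,40001 -> xxx.xxx.166.18,22 PR tcp len 20 60 OUT
Feb 21 00:10:33 sebotp520-1 local0:warn|warning ipmon[254018]: 01:00:02.000000 en5 @0:3 p xxx.xxx.100.234,34003 -> xxx.xxx.166.18,53 PR udp len 20 73 OUT
"""

# Constructed copy of the `ipfstat -nio` output from the thread.
IPFSTAT_RULES = """\
@1 block out log all
@2 pass out quick on en5 proto udp from any to any keep state keep frags
@3 pass out quick on en5 proto udp from any to any port = domain keep state keep frags
"""

# "@N pass|block <rest of rule>"
RULE_RE = re.compile(r"^@(\d+)\s+(pass|block)\b(.*)$")

# The ipmon fields we need: interface, @group:rule, action (b/p), src, dst, proto.
LOG_RE = re.compile(
    r"ipmon\[\d+\]:\s+\S+\s+(?P<ifname>\S+)\s+@(?P<group>\d+):(?P<rule>\d+)\s+"
    r"(?P<action>[bp])\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+PR\s+(?P<proto>\S+)"
)


def parse_rules(text):
    """Map rule number -> action, whether it keeps state, and the rule text."""
    rules = {}
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules[int(m.group(1))] = {
                "action": m.group(2),
                "keep_state": "keep state" in m.group(3),
                "text": line.strip(),
            }
    return rules


def parse_ipmon(text):
    """Extract the packet fields from each ipmon line; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            ev = m.groupdict()
            ev["group"] = int(ev["group"])
            ev["rule"] = int(ev["rule"])
            events.append(ev)
    return events


def find_blocks_on_pass_rules(log_text, rules_text):
    """Return ipmon events logged as blocked whose matching rule is a pass rule.

    A block attributed to a 'pass ... keep state' rule means the packet matched
    the rule but no state entry could be created (compare the 'state (out) lost'
    counter in ipfstat), which is the behaviour the thread is asking about.
    """
    rules = parse_rules(rules_text)
    hits = []
    for ev in parse_ipmon(log_text):
        rule = rules.get(ev["rule"])
        if ev["action"] == "b" and rule is not None and rule["action"] == "pass":
            hits.append({**ev, "rule_text": rule["text"], "keep_state": rule["keep_state"]})
    return hits


if __name__ == "__main__":
    for hit in find_blocks_on_pass_rules(IPMON_LOG, IPFSTAT_RULES):
        print(f"blocked on pass rule @{hit['rule']} ({'keep state' if hit['keep_state'] else 'stateless'}): "
              f"{hit['src']} -> {hit['dst']} {hit['proto']} on {hit['ifname']}")
```

Run against real output, feed `ipmon -n` lines and the current `ipfstat -nio` listing instead of the constructed samples; a steady stream of hits on a `keep state` rule, together with a rising "state (out) lost" count in `ipfstat`, separates a state-table problem from a rule-ordering mistake.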