This is a discussion on "My Inheritance: Solaris 9, ipfilter 3.4.29 x 3 systems, crashes" within the IPFilter forums, part of the System Security and Security Related category.
On Mon, 31 Mar 2008, Rugen, Len wrote:
> I inherited a group of Solaris systems. They have been having some
> problems since before I was assimilated that I think I've tracked down
> to ipfilter.

I'm new to this list, and this is like the second submission I got in like several weeks. Is the volume of this list really that low, or are responses encouraged to reply straight to the original poster?

> The problem first described was the Veritas Vxsvc process would become
> unresponsive and unkillable until reboot. I finally discovered that
> this didn't happen until ipf rules were changed. The prior technique
> was ipfboot stop and ipfboot start. I changed this to ipfboot reload
> and it is much better. Before it died every time, if not immediately,
> after a few days, now it has just failed once after many changes.

This is not surprising, as a stop/start will probably dump your state table, leaving existing connections orphaned.

> It looks like ipf was downloaded and installed as a precompiled package.
> Any suggestions / opinions on upgrading ipfilter on these systems? I'm
> currently reviewing the rules and to me, they are UGLY. Could cleaner
> rules help? They have very few KEEP STATE, maybe 500 entries and no
> grouping. From ipfstat, particularly for the pass out rules, few if any
> have count other than 0.

I would think that no set of rules, no matter how ugly, should ever crash the firewall/kernel and cause what seems to be a data alignment error (i.e. accessing word values on non-word boundaries). This looks like a bug in IPF, and more knowledgeable people could probably guess which bug. I would hazard a guess that an upgrade to the latest IPF might be in order. But straightening out your rules is a good thing to do, regardless of whether it fixes your bug.

Joseph Tam <tam@math.ubc.ca>
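An added example, not code from the thread or from either poster: a small shell script that audits an ipf.conf for the pattern Len describes (pass rules with no "keep state", no grouping) and reloads rules through IPFilter's inactive rule set, so the state table is kept rather than dumped by a stop/start. It assumes a POSIX sh with awk and the standard ipf(1M) flags -n, -I, -Fa, -f and -s; the sample rules file is constructed for the audit.

```shell
#!/bin/sh
# Added example, not from the thread: audit an ipf.conf for the pattern Len
# describes (pass rules without "keep state", no groups) and reload rules via
# the inactive rule set so the state table survives the change.

# count_rules FILE KIND -> prints the number of rules of KIND in FILE.
# KIND: total | stateless (pass rules lacking "keep state") | grouped
count_rules() {
    awk -v kind="$2" '
        /^[ \t]*#/ { next }          # comment line
        /^[ \t]*$/ { next }          # blank line
        { total++ }
        /^[ \t]*pass/ && !/keep state/ { stateless++ }
        /(head|group) [0-9]+/ { grouped++ }
        END {
            if (kind == "total") print total + 0
            else if (kind == "stateless") print stateless + 0
            else print grouped + 0
        }' "$1"
}

# safe_reload FILE: syntax-check with -n (no kernel changes), load the new
# rules into the inactive set (-I, flushing only that set with -Fa), then
# swap sets (-s). ipf -Fa touches rules, not the state table, so established
# connections keep their state; the stop/start Len used is what Joseph
# says probably dumps it.
safe_reload() {
    ipf -n -f "$1" || { echo "syntax error in $1, not loading" >&2; return 1; }
    ipf -I -Fa -f "$1" && ipf -s
}

# write_sample FILE: a constructed rules file in the style Len describes,
# used here only so count_rules can be exercised offline.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample ipf.conf (not a real ruleset)
block in all
pass in quick on hme0 proto tcp from any to any port = 22 keep state
pass in quick on hme0 proto tcp from any to any port = 80
pass out quick on hme0 proto tcp from any to any port = 443
pass out quick on hme0 proto udp from any to any port = 53 keep state
pass out on hme0 all
EOF
}
```

Run the audit against the live file before a reload (count_rules /etc/ipf/ipf.conf stateless); a high stateless count is the first thing to clean up, whatever IPF version ends up installed.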