Re: port blocking? oracle problem? Other?
Whoa, when I do a ipfstat -s, what I get is thousands and thousands of:
192.168.1.18 -> 64.75.36.46 ttl 844551 pass 0x1006 pr 6 state 4/4
pkts 9 bytes 1820 80 -> 53747 f85dcf3f:5862bc8c
32120:32850
pass out keep state
pkt_flags & 2(b2) = b, pkt_options & ffffffff = 0
pkt_security & ffff = 0, pkt_auth & ffff = 0
interfaces: in fxp1[0xe084c23c] out fxp0[0xe084c63c]
and similar. But if I grep it for maximum I get:
webwall# ipfstat -s | grep maximum
108864 maximum
webwall#
This is a firewall that has been up for... oh, about an hour --and is
blocking port 53 and 1521 again. I guess I will have to look at my rule
set. I thought I had to maintain state for all outgoing packets to have
it be quicker? Maybe this speed issue is not as important as the state
table?
--ja
On Fri, 2002-02-15 at 18:48, Matt Simonsen wrote:
> On Friday 15 February 2002 04:36 pm, john abbott wrote:
> > Is there anything I can do about this? More RAM, more HD more
> > processor? I think I only maintain state on outgoing stuff. Is there a
> > way I can tell if this is [about to] happening?
> >
>
> What do you get for ipfstat -s for "maximum"? if it's not 0, especially if
> it's growing regularly (ours is 6 on a firewall that's been up 3 months) then
> your state table is filling up.
>
> Then it's determining why it's growing.... if the rules are correct (and I
> suspect they may not be, especially the pass out tcp/udp keep state) you'd
> need to recompile IPFilter with a higher max state option. Keeping state
> incorrectly can also cause the table to fill up.
>
> Matt
--
******************************************************
John Abbott
Webmaster
Information Systems Office
Minnesota Pollution Control Agency
520 North Lafayette Road
St. Paul, Minnesota 55155-4194
Phone (tues) 651-296-7928 (M,W-F) 507 664 0613
Fax: 651-282-5446
Email: john.abbott@pca.state.mn.us
********************************************************
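As an added example (not part of the thread, and not IPFilter's own tooling), a small Python parser for ipfstat -s output in the layout quoted above: it counts the state entries, groups them by source host, protocol and source port so the rule or service that is creating them stands out, and reports the "maximum" counter Matt asks about. The SAMPLE text is constructed to match the quoted format; it is not a real capture.

```python
import re
from collections import Counter

# Constructed sample in the layout of the ipfstat -s output quoted in the
# message (three state entries plus the "maximum" summary line); not real data.
SAMPLE = """\
192.168.1.18 -> 64.75.36.46 ttl 844551 pass 0x1006 pr 6 state 4/4
pkts 9 bytes 1820 80 -> 53747 f85dcf3f:5862bc8c 32120:32850
pass out keep state
192.168.1.18 -> 10.9.8.7 ttl 844512 pass 0x1006 pr 6 state 4/4
pkts 12 bytes 2900 80 -> 40022 0a0b0c0d:01020304 32120:32850
pass out keep state
192.168.1.20 -> 10.1.1.1 ttl 120 pass 0x1006 pr 17 state 0/0
pkts 2 bytes 160 53 -> 1025 00000000:00000000 0:0
pass out keep state
108864 maximum
"""

# First line of each entry: src -> dst ttl N pass <flags> pr <proto> state a/b
HEADER = re.compile(r"^(\S+) -> (\S+) ttl (\d+) pass \S+ pr (\d+) state (\d+)/(\d+)$")
# Second line: pkts N bytes N sport -> dport ... (rest of the line is ignored)
PORTS = re.compile(r"^pkts (\d+) bytes (\d+) (\d+) -> (\d+)")
MAXIMUM = re.compile(r"^(\d+) maximum$")

def parse_ipfstat(text):
    """Return (entries, maximum): one dict per state entry plus the 'maximum' counter."""
    entries, maximum, cur = [], 0, None
    for line in text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:
            cur = {"src": m.group(1), "dst": m.group(2), "ttl": int(m.group(3)),
                   "proto": int(m.group(4)), "state": f"{m.group(5)}/{m.group(6)}"}
            entries.append(cur)
            continue
        m = PORTS.match(line)
        if m and cur is not None:
            cur.update(pkts=int(m.group(1)), sport=int(m.group(3)), dport=int(m.group(4)))
            continue
        m = MAXIMUM.match(line)
        if m:
            maximum = int(m.group(1))
    return entries, maximum

def state_report(text, top=5):
    """Group states by (src, proto, sport) so the rule/service filling the table is visible."""
    entries, maximum = parse_ipfstat(text)
    groups = Counter((e["src"], e["proto"], e.get("sport")) for e in entries)
    # Per the thread: a non-zero "maximum" means the state table has hit its limit.
    return {"entries": len(entries), "maximum": maximum,
            "table_overflowed": maximum > 0, "top": groups.most_common(top)}

if __name__ == "__main__":
    print(state_report(SAMPLE))
```

On a live box, feed it the real output (ipfstat -s) instead of SAMPLE; the "top" list then shows which host, protocol and port account for most of the entries.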