IPfilter

Re: ipfstat not clearing the state table - a similar problem?

To: "Simon A. Boggis" <s.a.boggis@qmul.ac.uk>, ipfilter@coombs.anu.edu.au, "Darren Reed" <darrenr@reed.wattle.id.au>
Subject: Re: ipfstat not clearing the state table - a similar problem?
From: "Corey Johnston" <coreyj@gmail.com>
Date: Mon, 18 Dec 2006 09:30:13 +1100
Delivered-to: sp-com-lists@consult.net
Delivered-to: ipfilter-list@securepoint.com
In-reply-to: <e2e114e10612171428x75977c8fk68eaac51ddec3970@mail.gmail.com>
References: <200608141903.k7EJ3AIa000853@firewall.reed.wattle.id.au> <457D59B3.6090505@reed.wattle.id.au> <457DFF26.10308@qmul.ac.uk> <457E048A.1000503@qmul.ac.uk> <e2e114e10612112004t645b1e29kaad3448d8da6b28b@mail.gmail.com> <457E7B89.5010906@reed.wattle.id.au> <45808871.2010603@qmul.ac.uk> <4580999B.2020302@reed.wattle.id.au> <45809D54.1010809@qmul.ac.uk> <e2e114e10612171428x75977c8fk68eaac51ddec3970@mail.gmail.com>
Sender: owner-ipfilter@coombs.anu.edu.au
I've installed the patched version of 4.1.15 on Solaris 10 (Sunfire X2100, 64-bit) and can now see the orphan entries listed in ipfstat -sl:

A few minutes after sending an HTTP request from the LAN to the internet via the IPFilter firewall, I've got 18 entries marked as active (ipfstat is), with all 18 showing up as ORPHANS, similar to the two below:

IP states added:
        18 TCP
        60 UDP
        1 ICMP
        103931 hits
        6321 misses
        0 maximum
        0 no memory
        0 bkts in use
        18 active
        61 expired
        0 closed
State logging enabled

State table bucket statistics:
        0 in use       
        0.00% bucket usage
        0 minimal length
        0 maximal length
        0.000 average length

ORPHAN internal-IP -> mirror.internode.on.net pass 0x40004702 pr 6 state 0/9 bkt 23637
        tag 0 ttl 18446744073709551457
        2196 -> 80 6682a77d:fec38eaa 65535<<0:6432<<0
        cmsk 0000 smsk 0000 isc 0 s0 6682a628/fec38980
        FWD:ISN inc 0 sumd 0
        REV:ISN inc 0 sumd 0
        forward: pkts in 5 bytes in 880 pkts out 6 bytes out 928
        backward: pkts in 4 bytes in 1501 pkts out 4 bytes out 1501
        pass out quick keep frags keep state    IPv4
        pkt_flags & 0(10000) = 1000,            pkt_options & ffffffff = 0, ffffffff = 0
        pkt_security & ffff = 0, pkt_auth & ffff = 0
        is_flx 0x1 0x1 0x1 0x1
        interfaces: in X[nge0],X[bge1] out X[bge1],X[nge0]
        Sync status: not synchronized

ORPHAN internal-IP -> mirror.internode.on.net pass 0x40004702 pr 6 state 0/6 bkt 27030
        tag 0 ttl 18446744073709551392
        2193 -> 80 49fa0505:fcde15eb 65535<<0:6432<<0
        cmsk 0000 smsk 0000 isc 0 s0 49fa03b0/fcde10c2
        FWD:ISN inc 0 sumd 0
        REV:ISN inc 0 sumd 0
        forward: pkts in 5 bytes in 880 pkts out 6 bytes out 928
        backward: pkts in 3 bytes in 1461 pkts out 3 bytes out 1461
        pass out quick keep frags keep state    IPv4
        pkt_flags & 0(10000) = 1000,            pkt_options & ffffffff = 0, ffffffff = 0
        pkt_security & ffff = 0, pkt_auth & ffff = 0
        is_flx 0x1 0x1 0x1 0x1
        interfaces: in X[nge0],X[bge1] out X[bge1],X[nge0]
        Sync status: not synchronized

and

[user@myfirewall]$ sudo ipfstat -sl |grep "\-\>" |grep pass |grep ORPHAN

ORPHAN internal-IP -> mirror.internode.on.net pass 0x40004702 pr 6 state 9/11 bkt 8174
ORPHAN internal-IP -> mirror.internode.on.net pass 0x40004702 pr 6 state 0/9 bkt 23637
ORPHAN internal-IP -> mirror.internode.on.net pass 0x40004702 pr 6 state 0/6 bkt 27030
ORPHAN internal-IP -> mirror.internode.on.net pass 0x40004702 pr 6 state 9/11 bkt 7632
ORPHAN internal-IP -> mirror.internode.on.net pass 0x40004702 pr 6 state 0/9 bkt 28048
ORPHAN internal-IP -> mirror.internode.on.net pass 0x40004702 pr 6 state 9/11 bkt 20848
ORPHAN internal-IP -> mirror.internode.on.net pass 0x40004702 pr 6 state 0/9 bkt 7048
ORPHAN internal-IP -> mirror.internode.on.net pass 0x40004702 pr 6 state 0/9 bkt 916
ORPHAN internal-IP -> mirror.internode.on.net pass 0x40004702 pr 6 state 0/9 bkt 5179
ORPHAN internal-IP -> mirror.internode.on.net pass 0x40004702 pr 6 state 9/11 bkt 23571
ORPHAN internal-IP -> mirror.internode.on.net pass 0x40004702 pr 6 state 9/11 bkt 26565
ORPHAN internal-IP -> mirror.internode.on.net pass 0x40004702 pr 6 state 0/9 bkt 15458
ORPHAN internal-IP -> mirror.internode.on.net pass 0x40004702 pr 6 state 9/11 bkt 9908
ORPHAN internal-IP -> mirror.internode.on.net pass 0x40004702 pr 6 state 0/9 bkt 26252
ORPHAN internal-IP -> mirror.internode.on.net pass 0x40004702 pr 6 state 0/9 bkt 24369
ORPHAN internal-IP -> mirror.internode.on.net pass 0x40004702 pr 6 state 0/9 bkt 9317
ORPHAN internal-IP -> mirror.internode.on.net pass 0x40004702 pr 6 state 0/5 bkt 141
ORPHAN internal-IP -> mirror.internode.on.net pass 0x40004702 pr 6 state 0/9 bkt 16717

Please let me know if you need any more help; I've moved this firewall out of production back into test so I can change it quickly now.
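Added example, not part of the thread and not ipfilter code: a small parser for the `ipfstat -sl` dump format shown above, so the ORPHAN entries can be counted and inspected without chaining greps. It reads the per-entry header (ORPHAN flag, endpoints, protocol, state pair, bucket), the `tag ... ttl ...` line, the port line and the forward counters. The ttl values quoted above, 18446744073709551457 and 18446744073709551392, are 2**64 - 159 and 2**64 - 224, i.e. negative expiry times printed as unsigned 64-bit numbers; the parser reinterprets them as signed so that expired-but-still-present entries stand out. The sample input embeds two entries from the message plus one constructed live entry (10.0.0.5 -> 203.0.113.10, ttl 864000) for contrast; the TCP state names are the IPF_TCPS_* values from ipfilter's ip_compat.h as I recall them and should be checked against the header of the version in use.

```python
"""Parse `ipfstat -sl` output and flag ORPHAN / wrapped-ttl state entries.

Added example for the thread above; not ipfilter's own code.
"""
import re
from collections import Counter

# TCP state numbers as ipfilter defines them (IPF_TCPS_* in ip_compat.h);
# verify against the header of the ipfilter version you run.
TCP_STATES = {
    0: "CLOSED", 1: "LISTEN", 2: "SYN_SENT", 3: "SYN_RECEIVED",
    4: "ESTABLISHED", 5: "CLOSE_WAIT", 6: "FIN_WAIT_1", 7: "CLOSING",
    8: "LAST_ACK", 9: "FIN_WAIT_2", 10: "TIME_WAIT", 11: "HALF_ESTAB",
}

HEADER_RE = re.compile(
    r"^(?P<orphan>ORPHAN\s+)?(?P<src>\S+) -> (?P<dst>\S+) pass (?P<flags>0x[0-9a-f]+) "
    r"pr (?P<proto>\d+) state (?P<fwd>\d+)/(?P<rev>\d+) bkt (?P<bkt>\d+)\s*$")
TTL_RE = re.compile(r"^\s*tag (?P<tag>\d+) ttl (?P<ttl>\d+)\s*$")
PORTS_RE = re.compile(r"^\s*(?P<sport>\d+) -> (?P<dport>\d+) ")
FWD_RE = re.compile(r"^\s*forward: pkts in (\d+) bytes in (\d+) pkts out (\d+) bytes out (\d+)")

# Constructed sample: the first two entries are copied from the message above,
# the third is an invented live entry so a non-orphan case is present.
SAMPLE = """\
IP states added:
        18 TCP
        18 active
State logging enabled

ORPHAN internal-IP -> mirror.internode.on.net pass 0x40004702 pr 6 state 0/9 bkt 23637
        tag 0 ttl 18446744073709551457
        2196 -> 80 6682a77d:fec38eaa 65535<<0:6432<<0
        forward: pkts in 5 bytes in 880 pkts out 6 bytes out 928
        backward: pkts in 4 bytes in 1501 pkts out 4 bytes out 1501
        pass out quick keep frags keep state    IPv4
        interfaces: in X[nge0],X[bge1] out X[bge1],X[nge0]
        Sync status: not synchronized

ORPHAN internal-IP -> mirror.internode.on.net pass 0x40004702 pr 6 state 0/6 bkt 27030
        tag 0 ttl 18446744073709551392
        2193 -> 80 49fa0505:fcde15eb 65535<<0:6432<<0
        forward: pkts in 5 bytes in 880 pkts out 6 bytes out 928

10.0.0.5 -> 203.0.113.10 pass 0x40004702 pr 6 state 4/4 bkt 1234
        tag 0 ttl 864000
        40112 -> 443 00000001:00000002 65535<<0:65535<<0
        forward: pkts in 12 bytes in 2200 pkts out 10 bytes out 1800
"""


def signed64(value):
    """Reinterpret an unsigned 64-bit decimal as the signed value ipfstat printed."""
    return value - (1 << 64) if value >= (1 << 63) else value


def parse_ipfstat_sl(text):
    """Return one dict per state entry found in `ipfstat -sl` output."""
    entries = []
    cur = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            fwd, rev = int(m.group("fwd")), int(m.group("rev"))
            cur = {
                "orphan": m.group("orphan") is not None,
                "src": m.group("src"), "dst": m.group("dst"),
                "proto": int(m.group("proto")), "state": f"{fwd}/{rev}",
                "bkt": int(m.group("bkt")), "ttl": None, "ttl_signed": None,
                "sport": None, "dport": None, "fwd_pkts_in": None,
            }
            if cur["proto"] == 6:  # only TCP carries the IPF_TCPS_* pair
                cur["state_names"] = (TCP_STATES.get(fwd), TCP_STATES.get(rev))
            entries.append(cur)
            continue
        if cur is None:  # still in the statistics preamble
            continue
        m = TTL_RE.match(line)
        if m:
            cur["ttl"] = int(m.group("ttl"))
            cur["ttl_signed"] = signed64(cur["ttl"])
            continue
        m = PORTS_RE.match(line)
        if m:
            cur["sport"], cur["dport"] = int(m.group("sport")), int(m.group("dport"))
            continue
        m = FWD_RE.match(line)
        if m:
            cur["fwd_pkts_in"] = int(m.group(1))
    return entries


def summarize(entries):
    """Counts worth checking first: orphans, entries already past expiry, state mix."""
    return {
        "total": len(entries),
        "orphans": sum(1 for e in entries if e["orphan"]),
        "negative_ttl": sum(1 for e in entries
                            if e["ttl_signed"] is not None and e["ttl_signed"] < 0),
        "by_state": Counter(e["state"] for e in entries),
    }


if __name__ == "__main__":
    parsed = parse_ipfstat_sl(SAMPLE)
    for e in parsed:
        print(("ORPHAN " if e["orphan"] else "       ") +
              f"{e['src']}:{e['sport']} -> {e['dst']}:{e['dport']} "
              f"state {e['state']} {e.get('state_names')} ttl {e['ttl_signed']}")
    print(summarize(parsed))
```

On a live box the same functions take `subprocess.run(["ipfstat", "-sl"], capture_output=True, text=True).stdout` in place of the sample; the interesting fields are `ttl_signed` (negative means the entry should already have been expired) and `bkt` against the "0 in use" bucket statistics, which together are what makes an entry an orphan.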
