issue with IPF firewall state tables
Back Story:
Old Server (X32 system, probably FreeBSD 4.3-ish)
New Server (dual core, X64 with plenty of RAM) running 8.1-RELEASE
New Server was put in production last night as a core router, with
the same rc.conf, firewall rule set and config from the old router
that has been working for years.
At around 12, lunchtime, we had reports of no internet connectivity.
I jumped onto the router and saw that it was blocking a whole
heap of internal-to-external DNS server traffic, along with other
would-be allowed traffic.
I promptly flushed the firewall ruleset with "ipf -Fa", and noted
that the rules did clear - issue still existing.
I reloaded the rule set, no change.
Upon restart, the router began to behave itself again...
I have been using "ipfstat -ts | grep active" to get a count of
state entries, and comparing it to the 4013 default.
We are sitting on around ~2000 state entries. I am aware I can
flush the state table, but until the router breaks itself again,
I cannot clear it.
Does this sound like a full state table? Am I using the best
method to check? Is there any form of notification that this
is happening anywhere?
-- 
Murray Taylor
Bytecraft Systems
Special Projects Engineer
P: +61 3 8710 0600
D: +61 3 9238 5168
F: +61 3 9238 5140
  |_|0|_| "Absence of evidence
  |_|_|0| is not evidence of absence"
  |0|0|0| Carl Sagan

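One way to turn the manual `ipfstat` check above into the notification the post asks for is a small cron-driven script that parses the counters and warns before the table fills. The script below is an added example, not the poster's script and not part of ipfilter's own tooling. It assumes that `ipfstat -s` prints its counters as `<number> <label>` lines under `IP states added:`, that the limit is the 4013 default the post mentions (pass your own value if you have raised it), and that the `maximum` counter counts attempts to add a state while the table was already full, so a non-zero value means the table has overflowed; the sample output embedded in it is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the original post): parse the counters printed by
# `ipfstat -s` and report how full the IPF state table is.
#
# Assumptions (not stated in the post):
#  - counter lines look like "<number> <label>", one per line, as ipfstat -s
#    prints them under "IP states added:";
#  - the limit defaults to 4013, the default the post mentions;
#  - the "maximum" counter counts attempts to add a state while the table
#    was already full, so a non-zero value means the table has overflowed.

# Constructed sample of `ipfstat -s` output so the script runs offline.
SAMPLE_STATS='IP states added:
    150000 TCP
    42000 UDP
    300 ICMP
    9000000 hits
    250000 misses
    0 maximum
    0 no memory
    0 max bucket
    3890 active
    190000 expired
    1200 closed'

# ipf_counter LABEL STATS -> prints the value of the counter named LABEL.
# Labels may contain spaces ("no memory"), so everything after the number
# is treated as the label; leading tabs/spaces are stripped by read.
ipf_counter() {
    printf '%s\n' "$2" | while IFS="$(printf ' \t')" read -r value label; do
        if [ "$label" = "$1" ]; then
            printf '%s\n' "$value"
            break
        fi
    done
}

# ipf_state_check STATS [LIMIT] [WARN_PCT]
# Prints one status line and returns 0 (OK), 1 (WARN) or 2 (FULL).
ipf_state_check() {
    stats=$1
    limit=${2:-4013}
    warn_pct=${3:-80}
    active=$(ipf_counter active "$stats")
    hit_max=$(ipf_counter maximum "$stats")
    active=${active:-0}
    hit_max=${hit_max:-0}
    used_pct=$(( active * 100 / limit ))

    if [ "$hit_max" -gt 0 ]; then
        printf 'FULL active=%s limit=%s table-full-events=%s\n' \
            "$active" "$limit" "$hit_max"
        return 2
    fi
    if [ "$used_pct" -ge "$warn_pct" ]; then
        printf 'WARN active=%s limit=%s used=%s%%\n' "$active" "$limit" "$used_pct"
        return 1
    fi
    printf 'OK active=%s limit=%s used=%s%%\n' "$active" "$limit" "$used_pct"
    return 0
}

# Demonstration on the constructed sample; on a real router replace
# "$SAMPLE_STATS" with "$(ipfstat -s)" and run this from cron, piping the
# output to logger(1) or mail(1) so a WARN/FULL line reaches someone.
ipf_state_check "$SAMPLE_STATS" 4013 80 || true
```

Run it from cron every few minutes with `ipf_state_check "$(ipfstat -s)" 4013 80 | logger -t ipfstate` and you get a syslog line before the table is full rather than after users lose DNS. The `maximum` counter is the more useful signal than the raw `active` count, because an `active` value well under the limit (as in the ~2000 above) can still coexist with a short burst that hit the ceiling and was dropped. If the table really does fill, the state limit is a tunable on the 4.1.x ipfilter that 8.x ships (`ipf -T fr_statemax=<n>`, with `fr_statesize` for the hash size); treat raising it as an assumption to verify against `ipf -T list` on your own box.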
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"