Operating Systems Solaris ipfilter blocking ip fragments Post 302479745 by ilikecows on Sunday 12th of December 2010 09:34:08 PM
ipfilter blocking ip fragments

For some reason ipfilter is blocking inbound fragmented ip packets (the packets are larger than the interface's MTU) that are encapsulating UDP segments. The connection works, so I know ipfilter is letting some traffic through, it is just a lot slower than it should be.

Rules that allow the traffic:
Code:
pass in quick proto udp from pool/12 to any keep state
pass in quick proto tcp from pool/12 to any keep state

Rule ipmon reports as blocking the traffic (bottom line in ipf.conf):
Code:
block in log all

Sample log entries (hostname and IPs substituted for security reasons):
Code:
Dec   9 12:31:54 hostname ipmon[14093]: [ID 123456 site.warning] 12:31:54.543987 skge0 @0:39 b 127.0.0.1 -> 127.0.0.2 PR udp len 20 (1500) (frag 12001:1480@1480+-) IN
Dec   9 12:31:54 hostname ipmon[14093]: [ID 123456 site.warning] 12:31:54.544011 skge0 @0:39 b 127.0.0.1 -> 127.0.0.2 PR udp len 20 (1500) (frag 12001:1480@2960+-) IN

I should also add that when I turn ipfilter off, the connection's performance improves drastically. In the listening service's log, I see a lot of NACKs sent back to the sender with the firewall on, but hardly any with it off.

Any ideas?

Last edited by ilikecows; 12-12-2010 at 11:46 PM. Reason: Added info
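To see what ipmon is reporting without reading raw lines, here is an added Python example (not code from the thread, from IPFilter, or from the poster) that parses ipmon log lines in the format quoted above and counts blocked packets per rule and fragment class. The field order follows the two quoted lines; the reading of the fragment flags ('+' more fragments, '-' don't fragment) and the two constructed sample lines for a passed datagram and a passed first fragment are assumptions, not taken from the thread.

```python
"""Parse ipmon log lines and summarise which rule blocks which fragments.

Added example, not code from the forum thread or from IPFilter. The field
layout follows the two log lines quoted in the thread; the reading of the
fragment flags ('+' = more fragments, '-' = don't fragment) is an assumption
about ipmon's output format, as are the constructed sample lines below.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

IPMON_RE = re.compile(r"""
    ^(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<syslog_time>\d\d:\d\d:\d\d)\s+
    (?P<host>\S+)\s+ipmon\[(?P<pid>\d+)\]:\s+
    (?:\[ID\s+\d+\s+[\w.]+\]\s+)?                 # Solaris syslog message-ID tag (optional)
    (?P<time>\d\d:\d\d:\d\d\.\d+)\s+
    (?P<iface>\S+)\s+
    @(?P<group>\d+):(?P<rule>\d+)\s+              # the rule that matched, as @group:rule
    (?P<action>\S+)\s+                            # 'b' blocked, 'p' passed
    (?P<src>[\d.]+)(?:,(?P<sport>\d+))?\s+->\s+
    (?P<dst>[\d.]+)(?:,(?P<dport>\d+))?\s+
    PR\s+(?P<proto>\w+)\s+
    len\s+(?P<hlen>\d+)\s+\((?P<total>\d+)\)      # IP header length, then total length
    (?:\s+\(frag\s+(?P<frag_id>\d+):(?P<frag_len>\d+)@(?P<frag_off>\d+)(?P<frag_flags>[+-]*)\))?
    \s+(?P<dir>IN|OUT)\b
""", re.VERBOSE)


@dataclass
class IpmonEntry:
    iface: str
    group: int
    rule: int
    action: str                 # ipmon's one-letter code: 'b' blocked, 'p' passed
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    proto: str
    hlen: int                   # IP header length in bytes
    total_len: int              # total IP packet length in bytes
    direction: str
    frag_id: Optional[int] = None
    frag_len: Optional[int] = None
    frag_off: Optional[int] = None   # fragment offset in bytes; 0 = first fragment
    frag_flags: str = ""

    @property
    def is_first_fragment(self) -> bool:
        return self.frag_id is not None and self.frag_off == 0

    @property
    def more_fragments(self) -> bool:
        return "+" in self.frag_flags   # assumption: '+' means the MF bit is set

    def classify(self) -> str:
        """Only a whole datagram or a first fragment carries the UDP/TCP header (ports)."""
        if self.frag_id is None:
            return "unfragmented"
        return "first-fragment" if self.is_first_fragment else "nonfirst-fragment"


def parse_ipmon_line(line: str) -> Optional[IpmonEntry]:
    """Return the parsed entry, or None if the line is not an ipmon packet log line."""
    m = IPMON_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    g = m.groupdict()

    def opt_int(key: str) -> Optional[int]:
        return int(g[key]) if g[key] is not None else None

    return IpmonEntry(
        iface=g["iface"], group=int(g["group"]), rule=int(g["rule"]), action=g["action"],
        src=g["src"], sport=opt_int("sport"), dst=g["dst"], dport=opt_int("dport"),
        proto=g["proto"], hlen=int(g["hlen"]), total_len=int(g["total"]), direction=g["dir"],
        frag_id=opt_int("frag_id"), frag_len=opt_int("frag_len"), frag_off=opt_int("frag_off"),
        frag_flags=g["frag_flags"] or "",
    )


def summarize_blocks(lines: List[str]) -> Counter:
    """Count blocked packets per (rule, protocol, fragment class)."""
    counts: Counter = Counter()
    for line in lines:
        e = parse_ipmon_line(line)
        if e is not None and e.action == "b":
            counts[(f"@{e.group}:{e.rule}", e.proto, e.classify())] += 1
    return counts


SAMPLE_LOG = [
    # The two lines quoted in the thread (hostname and addresses already substituted there).
    "Dec   9 12:31:54 hostname ipmon[14093]: [ID 123456 site.warning] 12:31:54.543987 skge0 @0:39 b 127.0.0.1 -> 127.0.0.2 PR udp len 20 (1500) (frag 12001:1480@1480+-) IN",
    "Dec   9 12:31:54 hostname ipmon[14093]: [ID 123456 site.warning] 12:31:54.544011 skge0 @0:39 b 127.0.0.1 -> 127.0.0.2 PR udp len 20 (1500) (frag 12001:1480@2960+-) IN",
    # Constructed lines, not from the thread: a passed unfragmented datagram with ports,
    # and a passed first fragment (offset 0), the one fragment that carries the UDP header.
    "Dec   9 12:31:54 hostname ipmon[14093]: [ID 123456 site.warning] 12:31:54.543900 skge0 @0:1 p 127.0.0.1,5000 -> 127.0.0.2,5001 PR udp len 20 (100) IN",
    "Dec   9 12:31:54 hostname ipmon[14093]: [ID 123456 site.warning] 12:31:54.543950 skge0 @0:1 p 127.0.0.1,5000 -> 127.0.0.2,5001 PR udp len 20 (1500) (frag 12001:1480@0+) IN",
]

if __name__ == "__main__":
    for (rule, proto, frag_class), n in sorted(summarize_blocks(SAMPLE_LOG).items()):
        print(f"{rule} blocked {n} {proto} packet(s): {frag_class}")
```

Both quoted lines have a non-zero fragment offset (1480 and 2960 bytes), so they are non-first fragments: the UDP header, and with it the ports that a state entry is keyed on, travels only in the first fragment. Grouping the blocks by fragment class, as the summary does, shows at a glance whether the catch-all rule is only ever catching those trailing fragments rather than whole datagrams.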
FILTER BACKENDS(7)          Miscellaneous Information Manual          FILTER BACKENDS(7)

NAME
       filter_backends - output drivers for the filtergen packet filter compiler

INTRODUCTION
       This document describes the status and feature-set of the currently available filtergen backends.

IPTABLES
       Most development is done first against the iptables driver. It supports reject, masquerading, transparent proxying, logging (with text) and sub-groups, all of which should work fine (though the latter has only recently been fixed).

IPCHAINS
       The ipchains driver supports all of the above features, too. Its state model is much weaker though, of course. The forwarding support should work OK, though it is not possible to support "local"-only packets.

IPFILTER
       The ipfilter backend is incomplete. It supports accept, drop, reject and logging, but not masq, transproxy or sub-groups. It should be easy for someone with knowledge of ipfilter to add support for the other features. Options for OpenBSD "pf" features and syntax would be nice, too. It has received no testing; I don't even know if the generated filters are syntactically correct.

CISCO
       The cisco driver is in roughly the same sort of state as the ipfilter one. Additionally, because of the limitations of IOS ACLs, it supports only a limited set of features. It cannot support reject or transparent proxying, and may not be able to support masquerading either. An option for reflexive (stateful) ACLs would be very useful. I understand that Cisco PIX firewalls use a variant of this syntax -- it would be very nice to support them too.

SEE ALSO
       filtergen(8), filter_syntax(5)

January 7, 2004                                                       FILTER BACKENDS(7)