For some reason ipfilter is blocking inbound fragmented ip packets (the packets are larger than the interface's MTU) that are encapsulating UDP segments. The connection works, so I know ipfilter is letting some traffic through, it is just a lot slower than it should be.
Rules that allow the traffic:
Code:
pass in quick proto udp from pool/12 to any keep state
pass in quick proto tcp from pool/12 to any keep state
Rule ipmon reports as blocking the traffic (bottom line in ipf.conf):
Code:
block in log all
Sample log entries (hostname and IPs substituted for security reasons):
Code:
Dec 9 12:31:54 hostname ipmon[14093]: [ID 123456 site.warning] 12:31:54.543987 skge0 @0:39 b 127.0.0.1 -> 127.0.0.2 PR udp len 20 (1500) (frag 12001:1480@1480+-) IN
Dec 9 12:31:54 hostname ipmon[14093]: [ID 123456 site.warning] 12:31:54.544011 skge0 @0:39 b 127.0.0.1 -> 127.0.0.2 PR udp len 20 (1500) (frag 12001:1480@2960+-) IN
I should also add that when I turn ipfilter off, the connections performance improves drastically. In the listening services log, I see a lot of NACKs sent back to the sender with the firewall on, but hardly any with it off.
Any ideas?
Last edited by ilikecows; 12-12-2010 at 11:46 PM..
Reason: Added info
Well, as I recall, IP fragments have no tcp or udp header, just the 20 byte ip header that says it is a UDP or TCP fragment, so no port number to filter on. Maybe you uncovered a bug. Your packet sizes bear this out.
IP Fragmentation is not a very robust way to deal with big data, and many apps manage the packet size within the MTU to avoid it. This may be why such a defect was not previously found. Either that, or some timer on how long to wait for reassembly in the filtering process is set too low. Unlike tcp segmentation, a lost packet cost you 100% of the application block, not on average 50% max., and you still have the 65K limit waiting for you if you do not have an app level fragmenter that integrates with smart retransmission.
I was able to solve the problem but I don't understand why or how the fix works. Removing the keep state keyword seems to allow the IP fragments through.
Last edited by ilikecows; 12-16-2010 at 04:36 AM..
Reason: spelling/grammar
Well, you cannot filter fragments unless you keep state, assuming the header fragment survives and arrives first. I guess if you wanted to be nice, you would store fragments for a while or until they are validated by a header fragment, and hold header fragments for a while, but state and storage makes the firewall vulnerable.
Can you make the UDP apps use smaller packets?
I always thought they messed up in http, making it tcp based, at least until http1.1 persistent connections with compression. I thought it might be nice to add a UDP flavored brother. A small graphic file GET would be one packet out, one back, no extra for SYN or FIN or ACK. DNS makes great use of UDP, one socket for an app that, for every packet in, sends one packet out, no fork, threads, poll, select, listen, accept or such.
I'm on OmniOS.
I have set a linux zone(lx zone) wich use 10.2.0.0/24 network.
The other network,connected to internet is 192.168.0.0/24
The network interface of 10.2.0.0/24 is bge1
The network interface of 192.168.0.0/24 is bge0
I know is more easy to use the same network but i prefer to... (1 Reply)
among the below socket programming api's, please let me know which are blocking and non-blocking.
socket
accept
bind
listen
write
read
close (2 Replies)
I have a .xml file that looks something like this :
<measInfo>
.........
string1
.........
</measInfo>
<measInfo>
......
string2
........
</measInfo>
I want to extract only the 'chunk of file' from '<measInfo>' to '</measInfo>' containing string1 (or a certain string that I... (13 Replies)
Howdy
My goal is to block locally the applications on a Solaris 10 server to access specific port on a remote machine. All attempts to access the <remote ip>:<remote port> should be rejected with ICMP port unreachable or with TCP RST.
I tried with the following:
block... (2 Replies)
Hi everybody,
I'm running on Solaris 10 X86 (update 1009).
I would like to make NAT's rule. I explain you.
On Solaris, I configure the principal interface e1000g0 with IP : 192.168.0.33
I created the first logical interface like that :
ifconfig e1000g0 addif 192.168.0.40 netmask... (0 Replies)
Dears,
i am a new user for using ipfilter in solaris 10
and i have some question about this:
by using ipfilter
for example
1- i want specific MAC address able to access hotmail only
2- also i want to make 10MB for this MAC address is a max download per day
3- i am asking about using MAC... (0 Replies)
Hello,
| am trying to setup ipfilter on solaris express snv_91 but I don't seem to have the following file available.
/etc/ipf/pfil.ap
Is this an older way of configuring the interface?, I have all the packages installed.
Thanks, (1 Reply)
how can I create a rule that will allow my machine to FTP to itself, but not allow other machines to FTP to it.. I know this sounds weird but this how they want it so they can test some application functionality that uses ftp. (2 Replies)
When discussing inodes and data blocks, I know Solaris creates these data blocks with a total size of 8192b, divided into eight 1024b "fragments." It stores data in "contiguous" fragments and solaris doesn't allow a file to use portions of two different fragments. If the file size permits, then the... (4 Replies)
12-13-2010
