A firewall I run for a client (FreeBSD (p23) + ipfilter 3.4.33pre2) was dying several times a day, each time without any output at all, and it left me looking bad in front of the client. I could not find where the problem lay.
A few days ago I saw on the ipfilter mailing list that someone had run into the same situation as me. The post reads as follows:
Using FreeBSD 4.9-STABLE + ipfilter 3.4.33pre2
If I have ipf rules like:
block return-icmp (port-unr) in log quick on xl0 proto udp from any to any port = 111
attempts to connect to that port cause the system to freeze instantly, no crash dumps, no errors etc.
The same happens using
block return-icmp-as-dest ........
I haven't seen anything like this in recent archives.
What can I do to further debug this?
A simple test reproduces it.
Let the firewall be A and a workstation be B.
Put a rule like this at the top of your ipf.conf:
block return-icmp-as-dest in quick on fxp0 proto udp from any to any port = 53
Here fxp0 is the interface you want to test; adjust it to your own setup.
Then, on computer B, set the DNS server to the IP address of firewall A, run nslookup on B, and look up a few random domain names. After a few queries you will see firewall A freeze and crash without printing any information at all. Scary. Even if your ipf.conf does not contain this rule, the problem can still show up in unusual circumstances. I tried 3.4.33pre1 through pre3 and they all have this bug; 3.4.32 and 3.4.31 are said not to have the problem. A patch has been released; I tried it and it works. I attach the patch below. It has been accepted into ipfilter, so you can use it with confidence.
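The rule used in this test makes ipfilter answer every blocked DNS query with an ICMP unreachable, and the code that builds that reply has to quote the original IP header inside it. The block below is an added illustration of that quoting and of the byte-order rule it must respect; it is not ipfilter code and not the patch that follows. The struct layouts `ipv4_hdr` and `icmp_unreach` are local stand-ins for `ip_t`/`icmp_t`, the sample UDP datagram is constructed, and the assumption taken from FreeBSD 4.x is that the kernel holds `ip_len` and `ip_off` of a received packet in host byte order while the wire format is network order.

```c
/* Added example, not ipfilter code: the byte-order discipline a return-icmp
 * reply needs. The kernel keeps the original packet's ip_len/ip_off in host
 * order; the copy quoted inside the ICMP port-unreachable must be network
 * order, and the kernel's copy must be host order again before it is reused. */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct ipv4_hdr {                /* local stand-in for ip_t (assumption) */
    uint8_t  ip_vhl, ip_tos;     /* version << 4 | header words; TOS */
    uint16_t ip_len, ip_id;      /* ip_len: host order in kernel, network on wire */
    uint16_t ip_off;             /* same convention as ip_len */
    uint8_t  ip_ttl, ip_p;
    uint16_t ip_sum;
    uint32_t ip_src, ip_dst;
};

struct icmp_unreach {            /* local stand-in for icmp_t (assumption) */
    uint8_t  icmp_type, icmp_code;  /* 3, 3: destination/port unreachable */
    uint16_t icmp_cksum;
    uint32_t icmp_unused;           /* must be zero */
    struct ipv4_hdr icmp_ip;        /* quoted original header, network order */
    uint8_t  icmp_data[8];          /* first 8 bytes of the original payload */
};

/* RFC 1071 one's-complement checksum, returned in network order. */
static uint16_t in_cksum(const void *buf, size_t len)
{
    const uint8_t *p = buf;
    uint32_t sum = 0;
    for (; len >= 2; p += 2, len -= 2)
        sum += (uint32_t)(p[0] << 8 | p[1]);
    if (len)
        sum += (uint32_t)(p[0] << 8);
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return htons((uint16_t)~sum);
}

/* Patched sequence: swap, copy, restore, all before the reply is sent. */
void quote_header_patched(struct ipv4_hdr *oip, struct ipv4_hdr *dst)
{
    uint16_t slen = oip->ip_len, soff = oip->ip_off;
    oip->ip_len = htons(oip->ip_len);
    oip->ip_off = htons(oip->ip_off);
    memcpy(dst, oip, sizeof *dst);
    oip->ip_len = slen;  /* caller's header is host order again */
    oip->ip_off = soff;
}

/* Build a port-unreachable for the blocked datagram; returns its length. */
size_t build_port_unreach(struct ipv4_hdr *oip, const uint8_t *payload,
                          size_t plen, struct icmp_unreach *reply)
{
    memset(reply, 0, sizeof *reply);
    reply->icmp_type = 3;
    reply->icmp_code = 3;
    quote_header_patched(oip, &reply->icmp_ip);
    memcpy(reply->icmp_data, payload, plen < 8 ? plen : 8);
    reply->icmp_cksum = in_cksum(reply, sizeof *reply);
    return sizeof *reply;
}

/* Constructed sample: a 40-byte UDP datagram to port 53 with DF set, with
 * ip_len/ip_off in host order as the kernel holds them. */
struct ipv4_hdr sample_header(void)
{
    struct ipv4_hdr h;
    memset(&h, 0, sizeof h);
    h.ip_vhl = 0x45; h.ip_len = 40; h.ip_id = 0x1234; h.ip_off = 0x4000;
    h.ip_ttl = 64; h.ip_p = 17;
    h.ip_src = htonl(0xc0000201);  /* 192.0.2.1 */
    h.ip_dst = htonl(0xc0000235);  /* 192.0.2.53 */
    return h;
}

/* ip_len a later consumer of the original packet reads: 40 with the patched
 * sequence, htons(40) (10240 on little-endian) with the pre-patch ordering. */
uint16_t ip_len_seen_after(int patched)
{
    struct ipv4_hdr h = sample_header(), quoted;
    if (patched) {
        quote_header_patched(&h, &quoted);
    } else {               /* old order: swap, copy, restore only after the send */
        h.ip_len = htons(h.ip_len);
        h.ip_off = htons(h.ip_off);
        memcpy(&quoted, &h, sizeof quoted);
    }
    return h.ip_len;
}

int main(void)
{
    struct ipv4_hdr h = sample_header();
    uint8_t udp[8] = {0x9c, 0x40, 0x00, 0x35, 0x00, 0x14, 0, 0}; /* sport 40000, dport 53 */
    struct icmp_unreach r;
    size_t n = build_port_unreach(&h, udp, sizeof udp, &r);
    printf("icmp %zu bytes, quoted ip_len 0x%04x, caller ip_len %u, cksum ok %d\n",
           n, (unsigned)r.icmp_ip.ip_len, (unsigned)h.ip_len, in_cksum(&r, sizeof r) == 0);
    return 0;
}
```

The value worth looking at is `ip_len_seen_after(0)`: it is what every later consumer of the original packet reads when the restore happens only after the send, which is exactly the ordering the patch below removes. On a big-endian host `htons` is the identity and the difference disappears, so this kind of bug only surfaces on little-endian machines like the i386 boxes in the reports above.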
Index: ip_fil.c
===================================================================
RCS file: /home/cvs/firewall/firewall/usrlocal/ipfilter34/ipfilter3433/ip_fil.c,v
retrieving revision 1.3
diff -u -r1.3 ip_fil.c
--- ip_fil.c	17 Dec 2003 12:33:56 -0000	1.3
+++ ip_fil.c	22 Dec 2003 11:23:28 -0000
@ @ -1285,7 +1285,7 @ @
frn.fin_ifp = fin-> fin_ifp;
frn.fin_v = fin-> fin_v;
frn.fin_out = fin-> fin_out;
- Frn.fin_mp = fin-> fin_mp;
+ Frn.fin_mp = mp;
ip = mtod (m, ip_t *);
hlen = sizeof (* ip);
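Review bot: `frn.fin_mp = mp;` points the copied fin at a local `mp` instead of the caller's `fin->fin_mp`, but the hunk does not show where `mp` is declared or assigned. Add a line of context or a comment making clear that `mp` refers to the reply's own mbuf (the `ip = mtod(m, ip_t *);` that follows suggests it is `&m`), so that a free or replacement of `*frn.fin_mp` during the send cannot reach the original packet through `fin->fin_mp`.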
@ @ -1465,7 +1465,13 @ @
# Endif
if (avail) (
+ Slen = oip-> ip_len;
+ Oip-> ip_len = htons (oip-> ip_len);
+ Soff = oip-> ip_off;
+ Oip-> ip_off = htons (oip-> ip_off);
bcopy ((char *) oip, (char *) & icmp-> icmp_ip, MIN (ohlen, avail));
+ Oip-> ip_len = slen;
+ Oip-> ip_off = soff;
avail -= MIN (ohlen, avail);
)
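Review bot: `slen` and `soff` are assigned here with no declaration in view, and the hunk at -1486 removes the only other assignments to them; confirm their declarations are not under a `#ifdef` that this unconditional `if (avail)` block can be compiled without, or the build breaks. The swap-copy-restore around the `bcopy` is the right shape: it assumes `oip->ip_len` and `oip->ip_off` are in host order on entry, and a one-line comment stating that invariant next to `slen = oip->ip_len;` would save the next reader from re-deriving it.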
@ @ -1486,10 +1492,6 @ @
) Else
# Endif
(
- Slen = oip-> ip_len;
- Oip-> ip_len = htons (oip-> ip_len);
- Soff = oip-> ip_off;
- Oip-> ip_off = htons (ip-> ip_off);
ip-> ip_src.s_addr = dst4.s_addr;
ip-> ip_dst.s_addr = oip-> ip_src.s_addr;
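Review bot: the removed line `oip->ip_off = htons(ip->ip_off);` read the fragment offset from `ip` (the reply header) rather than from `oip`, so the old code quoted the wrong header's `ip_off`; the replacement at -1465 uses `oip->ip_off`. That is a correctness fix in its own right and deserves a sentence in the commit message rather than being folded into a reordering.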
@ @ -1509,13 +1511,7 @ @
fin-> fin_hlen = hlen;
err = send_ip (oip, fin, & m);
fin-> fin_hlen = shlen;
- # Ifdef USE_INET6
- If (fin-> fin_v == 4)
- # Endif
- (
- Oip-> ip_len = slen;
- Oip-> ip_off = soff;
-)
+
return err;
)
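Review bot: with the restore moved before the `bcopy`, `send_ip(oip, fin, &m)` now runs with `oip->ip_len`/`ip_off` back in host order, whereas before it ran with them swapped; confirm nothing between the `bcopy` and `send_ip` read the swapped values. The removed restore was guarded by `#ifdef USE_INET6` / `if (fin->fin_v == 4)`, but the new swap at -1465 carries no such guard; state (or check) that the `if (avail)` block only runs for an IPv4 `oip`. Drop the stray empty `+` line after `fin->fin_hlen = shlen;`, which adds a blank line for no reason.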