dhcpagent + ipfilter := delayed loss of IP functionality?
in [Solaris]
|
From: Jeroen Scheerder on 17 Jan 2010 07:48 Jeroen Scheerder <js(a)xs4all.nl> wrote: > It seems to be happen in lockstep with DHCP renewal (but not DHCP > extensions). > > I've added a few 'log' statements, added explicit allows for UDP 67 and > 68, added 'flags S' to my incoming TCP rules and enabled ipfilter again. > > The result of this experiment is: loss of functionality after a while. > Post-mortem will no doubt show nothing in /var/adm/messages nor > /var/log/*, except that the system kept on running until powercycled. I'm even more stunned. As expected, things broke down. Then, after a powercycle I see traffic getting dropped: Jan 17 11:09:13 [..] hme0 @0:7 b A.B.C.D,54353 -> P.Q.R.S,22 PR tcp len 20 48 -S IN Yet the matching rule is: 0 @7 pass in quick on hme0 proto tcp from any to any port = ssh flags S/FSRPAU keep state This is not right. I'm keeping ipfilter off for now.
From: Richard B. Gilbert on 17 Jan 2010 08:42 HankVC wrote: > In article <z6ednQhHgJC3QczWnZ2dnUVZ_gidnZ2d(a)giganews.com>, > Richard B. Gilbert <rgilbert88(a)comcast.net> wrote: >> Do you really NEED ipfilter? My router, by default, will not allow any >> incoming packet to pass unless it is a response to outgoing traffic. >> It's simple, relatively cheap, and it works! (LinkSys BEFR81) >> > And tell me how I am going to run a mail server and an apache server > that expect unsolicited incoming traffic. And a consumer-grade > Linksys router to boot. > > You're not talking about enterprise systems with this sort of thing. > We aren't doing "Windows or Mac" here. > "Windows or Mac" have nothing to do with it. And you're right, you can't run a mail server through a simplistic router/firewall that protects a home network. OTOH, if IPFILTER is not letting the good guys through, it's either configured incorrectly or, perhaps, not well suited to the job.
From: Jeroen Scheerder on 17 Jan 2010 08:58 Jeroen Scheerder <js(a)xs4all.nl> wrote: > I'm even more stunned. As expected, things broke down. Then, after a > powercycle I see traffic getting dropped: [...] A more closer look of the logs, while an (allowed) constant ping is going, shows: - a constant flow of (allowed) icmp traffic - then some (allowed) DHCP traffic (a successful DHCP renewal) - a constant flow of the same icmp requests, now blocked I'm getting curious as to what changed surrounding dhcpagent, ipfilter and/or the network stack early Dec '09.
From: Canuck57 on 17 Jan 2010 10:33 On 16/01/2010 11:37 AM, Jeroen Scheerder wrote: > Canuck57<Canuck57(a)nospam.com> wrote: > >> Could be the DHCP network. Did they change the lease times? Add more >> PCs to cause it to recycle IPs? If the DHCP server is chanign the IP, >> some rules will fail. > > Nope, that's not it. And my dhcpagent debug logs show operational DHCP. See if it occurs just about when the lease expires. >> My big question here is why not give it a fixed IP? > > That's a decistion of those running the network, who want to be free to > renumber or subnet differently at any point in time, without notice - at > which point anything on it should retain functionality without > administrative action (which would be quite hard anyway, for after a > network change there will be no access until reconfiguration). Not very smart on their part. DHCP has issues this way. And if you change a NIC the IP will change. Not very bright.
From: Martin Paul on 18 Jan 2010 06:33
Jeroen Scheerder wrote: > Well, since disabling the ipfilter service the system has stayed > functional. For the first 24 hours after booting that means unchanged > functionality; with ipfilter active, everything runs as it should. > Obviously, a few moments later this means a world of change. > > And I'm at a loss as to why this is. I don't know why this started > early december (although Solaris updates were applied not long before), Without reading the rest of the thread, I'm pretty sure that you got bitten by the faulty ipfilter patch 141506-05. I helped a colleague with that issue a few weeks ago and reported the problem to Sun, which caused the patch to be retracted. See: http://sunsolve.sun.com/search/document.do?assetkey=1-66-274710 Solaris 10 IP Filter (ipfilter(5)) Patches (WITHDRAWN) May Cause a Memory Leak for Systems With IPF's Stateful Filtering Configured I you have 141506-05 installed ("showrev -p | grep 141506"), remove it with "patchrm 141506-05", reboot, and you're set. hth, Martin. -- SysAdmin | Institute of Scientific Computing, University of Vienna PCA | Analyze, download and install patches for Solaris | http://www.par.univie.ac.at/solaris/pca/ |