From: Jeroen Scheerder on 14 Jan 2010 14:20

Somewhere early December my trusty Netra X1, running Solaris 10, vanished. Unable to go on location, somebody powercycled it for me and sanity was restored. However, exactly one day later it repeated. Since it's configured by DHCP with a lease time of 1 day, I naturally suspected that. So I ran DHCP in debug mode, with a screen session containing a tcpdump writing all UDP 67, 68 packets to a file. This showed valid DHCP lease extensions and a valid renewal. Yet all communications ceased, without anything showing for it in /var/adm/messages.

Then I had some local help, with access to systems allowed to ping it; the system, while offering no service at all, still responded to ICMP requests. Some further experiments confirmed that these ICMP replies were even transgressing layer 2 boundaries. So apparently there remained a valid IP stack, with working routing, but not much else.

This system has been running for years, with ipfilter in place. Every powercycle restored sanity for a day, but after 24 hrs things were sure to go haywire, with no evidence why whatsoever to be found. I had no reason to suspect it, but without anything close to a clue I just wanted to throw things out of the loop, and see if somehow sanity would be restored. Well, since disabling the ipfilter service the system has stayed functional. For the first 24 hours after booting that means unchanged functionality; with ipfilter active, everything runs as it should. Obviously, a few moments later this means a world of change.

And I'm at a loss as to why this is. I don't know why this started early December (although Solaris updates were applied not long before), and I don't have sufficient diagnostics. I think I would know more if I had been able to access the system in its known bad state, but having been able to access it only in the normal state after the ensuing powercycle, that has been impossible.
So the only thing I think I've seen so far is that

* a DHCP lease of 24 hrs
* ipfilter active

results in total loss of IP functionality exactly 24 hrs after booting.

Perhaps anyone has ideas to share?
From: Oscar del Rio on 14 Jan 2010 15:12

Jeroen Scheerder wrote:
> So the only thing I think I've seen so far is that
> * a DHCP lease of 24 hrs
> * ipfilter active
> results in total loss of IP functionality exactly 24 hrs after booting.
>
> Perhaps anyone has ideas to share?

Check the ipfilter logs for any blocked packets? IIRC, by default ipfilter (ipmon actually) logs to the syslog LOCAL0 facility and you have to configure syslog.conf accordingly.
From: Jeroen Scheerder on 14 Jan 2010 15:34

Oscar del Rio <delrio(a)mie.utoronto.ca> wrote:
> > So the only thing I think I've seen so far is that
> > * a DHCP lease of 24 hrs
> > * ipfilter active
> > results in total loss of IP functionality exactly 24 hrs after booting.
> >
> > Perhaps anyone has ideas to share?
>
> Check the ipfilter logs for any blocked packets? IIRC, by default
> ipfilter (ipmon actually) logs to the syslog LOCAL0 facility and you have to
> configure syslog.conf accordingly.

I have logging set up, do get ipmon logs in /var/log/local0 for ipf rules with the 'log' attribute set, and no, it doesn't start blocking everything suddenly after 24 hrs. There are no other ipmon messages.
From: hume.spamfilter on 14 Jan 2010 18:43

Jeroen Scheerder <js(a)xs4all.nl> wrote:
> I have logging set up, do get ipmon logs in /var/log/local0 for ipf
> rules with the 'log' attribute set, and no, it doesn't start blocking
> everything suddenly after 24 hrs. There are no other ipmon messages.

What do your rules look like?

-- 
Brandon Hume - hume -> BOFH.Ca, http://WWW.BOFH.Ca/
From: Jeroen Scheerder on 15 Jan 2010 15:42

<hume.spamfilter(a)bofh.ca> wrote:
> Jeroen Scheerder <js(a)xs4all.nl> wrote:
> > I have logging set up, do get ipmon logs in /var/log/local0 for ipf
> > rules with the 'log' attribute set, and no, it doesn't start blocking
> > everything suddenly after 24 hrs. There are no other ipmon messages.
>
> What do your rules look like?

Well, they've been working just fine for many moons without alteration, and still do the first 24 hrs after a reboot. But since you ask (sanitized):

$ cat /etc/ipf/ipf.conf
block in log quick all with short
block in log all with ipopts
#
pass in quick on lo0 all
pass out quick on lo0 all
#
pass in quick proto icmp from any to any icmp-type 3 code 4
pass out quick proto icmp from any to any icmp-type 3 code 4
#
block in on hme0 all
#
pass out quick on hme0 proto icmp all keep state
pass out quick on hme0 proto tcp/udp from any to any keep state
#
# SSH, SMTP, HTTP, HTTPS, submission, IMAPS
pass in quick on hme0 proto tcp from any to any port = 22 keep state
pass in quick on hme0 proto tcp from any to any port = 25 keep state
pass in quick on hme0 proto tcp from any to any port = 80 keep state
pass in quick on hme0 proto tcp from any to any port = 443 keep state
pass in quick on hme0 proto tcp from any to any port = 587 keep state
pass in quick on hme0 proto tcp from any to any port = 993 keep state
#
pass in log quick on hme0 proto tcp from A.B.C.D to any port = 1022 keep state
#
pass in log quick on hme0 proto tcp from any to any port = 5001 keep state
#
pass in quick on hme0 proto icmp from E.F.G.H to any
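An added example (my own Python, not from the thread or from the ipfilter project) that models the quoted ruleset's "quick"/last-match semantics and a toy state table, so one can walk an outbound DHCP renewal and its reply through the rules and see exactly which rule an inbound UDP/68 packet on hme0 hits once no state entry covers it. Packet fields, the "client"/"server" addresses and the trimmed rule list are constructed; real ipf matches on many more fields and times state entries out, which this toy does not do.

```python
import re  # added example: toy ipfilter rule evaluator for the ipf.conf quoted above
# Constructed copy of the quoted rules, trimmed to the ones a DHCP or SSH packet can touch.
RULES = """
block in log quick all with short
block in log all with ipopts
pass in quick on lo0 all
pass in quick proto icmp from any to any icmp-type 3 code 4
block in on hme0 all
pass out quick on hme0 proto icmp all keep state
pass out quick on hme0 proto tcp/udp from any to any keep state
pass in quick on hme0 proto tcp from any to any port = 22 keep state
"""
def parse(text):
    """Reduce each rule line to the fields this toy evaluator understands."""
    rules = []
    for line in text.strip().splitlines():
        w, port = line.split(), re.search(r"port = (\d+)", line)
        rules.append({
            "text": line, "action": w[0], "dir": w[1], "quick": "quick" in w,
            "iface": w[w.index("on") + 1] if "on" in w else None,
            "proto": w[w.index("proto") + 1].split("/") if "proto" in w else None,
            "dport": int(port.group(1)) if port else None,
            "flag": w[w.index("with") + 1] if "with" in w else None,
            "icmp": (w[w.index("icmp-type") + 1], w[w.index("code") + 1]) if "icmp-type" in w else None,
            "keep": "keep" in w})
    return rules

def matches(r, p):
    return (r["dir"] == p["dir"] and r["iface"] in (None, p["iface"])
            and (r["proto"] is None or p["proto"] in r["proto"])
            and r["dport"] in (None, p.get("dport"))
            and (r["flag"] is None or r["flag"] in p.get("flags", ()))
            and (r["icmp"] is None or r["icmp"] == p.get("icmp")))

def evaluate(rules, p, state):
    """ipf semantics: state table first, then the last matching rule wins unless it is 'quick'."""
    if (p["iface"], p["proto"], p["src"], p["dst"]) in state:
        return "pass", "state table"
    verdict, why = "pass", "no rule matched (ipf default)"
    for r in rules:
        if matches(r, p):
            verdict, why = r["action"], r["text"]
            if r["action"] == "pass" and r["keep"]:  # 'keep state' lets the reverse flow back in
                state.add((p["iface"], p["proto"], p["dst"], p["src"]))
            if r["quick"]:
                break
    return verdict, why
# Constructed DHCP renewal pair: the request goes out and creates state; the reply rides on it.
# A reply with no matching state entry falls through to 'block in on hme0 all'.
REQ = {"dir": "out", "iface": "hme0", "proto": "udp", "src": "client", "dst": "server", "dport": 67}
REPLY = {"dir": "in", "iface": "hme0", "proto": "udp", "src": "server", "dst": "client", "dport": 68}
```

Running evaluate on REPLY with an empty state set reports the blocking rule, which is exactly the kind of rule that leaves no ipmon trace because it carries no 'log' attribute.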