Hi Kennedy,
I'm glad you included the info on the high SYN packets, as I noticed this coincided with the lockups. I have replaced the APF with an earlier version and it's running perfectly now, so all I can think is that perhaps there was something in this last release that wasn't quite 100%.
The forum at RFX is not online anymore, and I guess maybe an email would result in no reply. I really like the APF and I'm pleased we can continue to use it; if I have a little more time I'll maybe look a little more deeply into the newer version, but for now I'm happy to have a working version.
Thanks for your reply.
Stephanie.
-----Original Message-----
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of hkclark@gmail.com
Sent: 25 September 2006 00:44
To: CentOS mailing list
Subject: Re: [CentOS] CentOs 4.X and APF firewall issues
On 9/21/06, Steph stephanie.royle@lunarpages.com wrote:
Hi,
We have 7 Dell 2850 servers with dual Xeon 3 gig processors running the APF firewall version 0.9.6 http://rfxnetworks.com/apf.php
They run fine for a day or two, then suddenly lock out all incoming connections, other than the backend IP. Sometimes restarting the firewall resolves this, but occasionally we may have to leave it 10 mins or so before restarting, where it will actually allow connections again.
Hi Stephanie,
I have had problems with apf, as noted in this thread about 5 months ago: http://lists.centos.org/pipermail/centos/2006-May/064517.html
However, it would just lock out seemingly random connections for a fairly short period, vs. the 10 min you are seeing. I emailed rfxnetworks, but never heard back. :-( So, although I have recommended APF numerous times on this list, I would now recommend people probably consider another alternative. I am currently "rolling my own" iptables config... if people have a frontend package similar to apf (but without these various "lock out" concerns), I would love to hear any recommendations.
One thing I found useful in troubleshooting the apf issues I had was to use tcpdump. I used a command such as:
nohup tcpdump -p -i any -s 0 -w out_file.enc 'tcp[tcpflags] & tcp-syn != 0 and (port 80 or port 443)' &
I was seeing multiple TCP SYN packets come in from the same client (with the same src/dest port numbers) and no response from my CentOS box. You can view the out_file.enc in something like Ethereal (now Wireshark). Because it only captures the SYN packets, you can leave this running without worrying about filling up your hard drive.
Also, I should probably mention that I was working with a CentOS 3 box.
Let me know if you learn anything else.
Regards,
Kennedy
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
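Kennedy's tcpdump capture above is meant to be opened in Ethereal/Wireshark and eyeballed for the pattern he describes: repeated SYNs from the same client and source port with no SYN-ACK coming back from the CentOS box. The following script is an added example, not part of the thread or of APF, that automates that check over the text form of a capture (what `tcpdump -nn -r out_file.enc` prints). It assumes the classic single-interface `tcpdump -nn` line layout (no `In`/`Out` direction column, which `-i any` adds on newer versions), and the sample lines are constructed for the demonstration.

```python
import re
from collections import defaultdict

# Constructed sample in `tcpdump -nn` text format (not from the original thread).
# Flow A: three SYNs from 192.0.2.10:51234, never answered -> the "lockout" symptom.
# Flow B: one SYN from 198.51.100.7:40000 answered by a SYN-ACK -> healthy.
SAMPLE_LINES = """\
10:00:00.000100 IP 192.0.2.10.51234 > 203.0.113.5.80: Flags [S], seq 100, win 65535, length 0
10:00:01.000400 IP 198.51.100.7.40000 > 203.0.113.5.443: Flags [S], seq 200, win 29200, length 0
10:00:01.000500 IP 203.0.113.5.443 > 198.51.100.7.40000: Flags [S.], seq 300, ack 201, win 65535, length 0
10:00:03.000200 IP 192.0.2.10.51234 > 203.0.113.5.80: Flags [S], seq 100, win 65535, length 0
10:00:09.000300 IP 192.0.2.10.51234 > 203.0.113.5.80: Flags [S], seq 100, win 65535, length 0
"""

# Matches "<ts> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], ..." for IPv4 TCP lines.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)


def parse_tcp_lines(text):
    """Yield (src, sport, dst, dport, flags) for each parseable TCP line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"])


def find_unanswered_syns(text, min_syns=2):
    """Return [((src, sport, dst, dport), syn_count), ...] for client flows that sent
    at least `min_syns` SYNs and never received a SYN-ACK for that exact 4-tuple.

    A pure "S" flag set is a client SYN; "S." is the server's SYN-ACK, which we key
    on the reversed 4-tuple so it pairs with the SYN that it answers."""
    syn_counts = defaultdict(int)
    answered = set()
    for src, sport, dst, dport, flags in parse_tcp_lines(text):
        if flags == "S":
            syn_counts[(src, sport, dst, dport)] += 1
        elif flags == "S.":
            # Reverse direction: the SYN-ACK's destination is the original client.
            answered.add((dst, dport, src, sport))
    suspicious = [
        (flow, n) for flow, n in syn_counts.items()
        if n >= min_syns and flow not in answered
    ]
    # Worst offenders (most retransmitted SYNs) first.
    return sorted(suspicious, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for (src, sport, dst, dport), n in find_unanswered_syns(SAMPLE_LINES):
        print(f"{src}:{sport} -> {dst}:{dport}: {n} SYNs, no SYN-ACK seen")
```

Run it against a real capture with `tcpdump -nn -r out_file.enc | python3 this_script.py`-style piping by replacing `SAMPLE_LINES` with `sys.stdin.read()`. Because the original filter only recorded SYNs, a SYN-ACK will never appear in such a file; to use the pairing logic the capture filter would have to admit `tcp[tcpflags] & (tcp-syn|tcp-ack) == (tcp-syn|tcp-ack)` as well, which is still a tiny fraction of traffic. A flow that shows 3 or more SYNs at the usual 1 s, 3 s, 9 s retransmission spacing with nothing coming back is the signature Kennedy describes, and counting those per minute gives a simple gauge of when the firewall starts dropping.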