[CentOS] CentOs 4.X and APF firewall issues

Mon Sep 25 10:08:04 UTC 2006
Steph <stephanie.royle at lunarpages.com>

Hi Kennedy,

I'm glad you included the info on the high syn packets as I noticed this
coincided with the lockups.
I have replaced the apf with an earlier version and it's running perfectly
now, so all I can think is that perhaps there was something in this last
release that wasn't quite 100%.

The forum at RFX is not online anymore and I guess maybe an email would
result in no reply.
I really like the APF and I'm pleased we can continue to use it, if I have a
little more time I'll maybe look a little more deeply into the newer version
but for now I'm happy to have a working version.

Thanks for your reply.

Stephanie.

-----Original Message-----
From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On Behalf
Of hkclark at gmail.com
Sent: 25 September 2006 00:44
To: CentOS mailing list
Subject: Re: [CentOS] CentOs 4.X and APF firewall issues

On 9/21/06, Steph <stephanie.royle at lunarpages.com> wrote:
> Hi,
>
> We have 7 Dell 2850 servers with dual xeon 3 gig processors running the
> APF firewall version 0.9.6  http://rfxnetworks.com/apf.php
>
> They run fine for a day or two, then suddenly lock out all incoming
> connections, other than the backend IP, sometimes restarting the firewall
> resolves this, but occasionally we may have to leave it 10 mins or so
> before restarting where it will actually allow connections again.
>

Hi Stephanie,

I have had problems with apf, as noted in this thread about 5 months ago:
http://lists.centos.org/pipermail/centos/2006-May/064517.html

However, it would just lock out seemingly random connections for a
fairly short period, vs. the 10 min you are seeing.  I emailed
rfxnetworks, but never heard back. :-(  So, although I have
recommended APF numerous times on this list, I would now recommend
people probably consider another alternative.  I am currently "rolling
my own" iptables config... if people have a frontend package similar
to apf (but without these various "lock out" concerns), I would love
to hear any recommendations.

One thing I did find useful in troubleshooting the apf issues I had
was to use tcpdump.  I used a command such as:

nohup tcpdump -p -i any -s 0 -w out_file.enc 'tcp[tcpflags] & tcp-syn != 0 and (port 80 or port 443)' &

I was seeing multiple TCP SYN packets come in from the same client
(with the same src/dest port numbers) and no response from my CentOS
box.  You can view the out_file.enc in something like Ethereal (now
Wireshark).  Because it only captures the SYN packets, you can leave
this running without worrying about filling up your hard drive.

Also, I should probably mention that I was working with a CentOS 3 box.

Let me know if you learn anything else.

Regards,
Kennedy
_______________________________________________
CentOS mailing list
CentOS at centos.org
http://lists.centos.org/mailman/listinfo/centos
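As an added example (not part of Kennedy's post, and not APF code), the following Python script applies the check Kennedy describes to tcpdump's text output: it groups SYNs by the client's source/destination address and port, and reports flows that retransmitted SYNs without ever getting a SYN-ACK back from the server, which is the signature of a firewall silently dropping the connection. The sample lines, addresses and the modern "Flags [S]" output format are constructed; the parser assumes text produced by "tcpdump -nn -tt -r out_file.enc" from a capture made with the SYN filter above.

```python
import re
from collections import defaultdict

# Constructed sample of `tcpdump -nn -tt` text output (not a real capture).
# The capture filter in the post keeps every packet with SYN set, so both the
# client's SYNs ("S") and the server's SYN-ACKs ("S.") appear in the file.
SAMPLE_LINES = """\
1159142400.000000 IP 203.0.113.5.51234 > 198.51.100.10.80: Flags [S], seq 1, win 5840, length 0
1159142403.000000 IP 203.0.113.5.51234 > 198.51.100.10.80: Flags [S], seq 1, win 5840, length 0
1159142409.000000 IP 203.0.113.5.51234 > 198.51.100.10.80: Flags [S], seq 1, win 5840, length 0
1159142400.500000 IP 203.0.113.7.40000 > 198.51.100.10.443: Flags [S], seq 7, win 5840, length 0
1159142400.501000 IP 198.51.100.10.443 > 203.0.113.7.40000: Flags [S.], seq 9, ack 8, win 5792, length 0
1159142410.000000 IP 203.0.113.9.33000 > 198.51.100.10.80: Flags [S], seq 3, win 5840, length 0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)


def parse_syn_lines(text):
    """Yield (ts, src, sport, dst, dport, flags) for each line that parses."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (float(m["ts"]), m["src"], int(m["sport"]),
                   m["dst"], int(m["dport"]), m["flags"])


def unanswered_syns(text, min_syns=2):
    """Return {(src, sport, dst, dport): syn_count} for client flows that sent
    at least min_syns SYNs and never received a SYN-ACK from the server.
    Repeated SYNs on the same 4-tuple are the client's retransmissions."""
    syn_count = defaultdict(int)
    answered = set()
    for _ts, src, sport, dst, dport, flags in parse_syn_lines(text):
        if flags == "S":
            syn_count[(src, sport, dst, dport)] += 1
        elif flags == "S.":
            # A SYN-ACK travels server -> client; map it back to the client's tuple.
            answered.add((dst, dport, src, sport))
    return {k: n for k, n in syn_count.items()
            if n >= min_syns and k not in answered}


if __name__ == "__main__":
    for flow, n in unanswered_syns(SAMPLE_LINES).items():
        print("%s:%d -> %s:%d sent %d SYNs, no SYN-ACK seen" % (flow + (n,)))
```

On the sample data only the 203.0.113.5 flow is reported: three SYNs roughly 3 and 6 seconds apart (the kernel's retransmit backoff) with no reply, while the 203.0.113.7 flow was answered.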