[OpenAFS] Solaris 10 ipfilter vs. AFS
Eric Sturdivant
sturdiva@umd.edu
Thu, 20 Sep 2007 11:12:08 -0400 (EDT)
Is anyone using AFS (either client or server) on a Solaris 10 system with
ipfilter running that can share their rule sets?
I am seeing large numbers of blocked fragmented packets, which is killing
the performance.
My ruleset looks something like this:
pass out all keep state keep frags
block in log all
pass in log quick proto udp from any port 6999 >< 7010 to any port = afs3-callback keep state keep frags
pass in log quick proto udp from any to any port = afs3-fileserver keep state keep frags
pass in log quick proto udp from any to any port = afs3-volser keep state keep frags
pass in log quick proto udp from any to any port = afs3-errors keep state keep frags
pass in log quick proto udp from any to any port = afs3-bos keep state keep frags
pass in log quick proto udp from any to any port = afs3-update keep state keep frags
pass in log quick proto udp from any to any port = afs3-rmtsys keep state keep frags
And ipmon is showing blocked packets like this:
20/09/2007 10:41:00.390703 2x bge0 @0:14 b hecate.umd.edu[128.8.10.23] -> wrath.umd.edu[128.8.70.25] PR udp len 20 (1500) frag +-1480@1480 IN
--
Eric Sturdivant
University of Maryland
Office of Information Technology
Distributed Computing Services
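The ipmon line in the post shows a blocked packet with a non-zero fragment offset (frag ...@1480). A fragment with offset greater than zero carries no UDP header, so none of the port-based "pass in" rules can match it; ipfilter can only pass it via a fragment-table entry that the first fragment of the same datagram created. The script below, an added example that is not part of the post or of OpenAFS, parses ipmon output and counts blocked non-first fragments per source, destination and rule, weighting each line by its "Nx" repeat count. The field layout (the optional "Nx" count, the parentheses around the packet length, and "+" meaning the more-fragments bit in the frag flags) is an assumption generalized from the one line quoted in the post; the sample log below is constructed, with only its first line taken from the post.

```python
"""Summarize ipmon (ipfilter) log lines and flag blocked IP fragments."""
import re
from collections import Counter

# Assumed field layout, generalized from the single line quoted in the post:
#   date time [Nx] iface @group:rule action src -> dst PR proto
#   len hdrlen pktlen [frag flags len@offset] IN|OUT
# The repeat count, the parentheses and the frag field are optional.
IPMON_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+)\s+(?:(?P<count>\d+)x\s+)?(?P<iface>\S+)\s+"
    r"@(?P<group>\d+):(?P<rule>\d+)\s+(?P<action>\S)\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+PR\s+(?P<proto>\S+)\s+"
    r"len\s+(?P<hlen>\d+)\s+\(?(?P<plen>\d+)\)?"
    r"(?:\s+frag\s+(?P<fflags>[+-]*)(?P<flen>\d+)@(?P<foff>\d+))?"
    r"\s+(?P<dir>IN|OUT)\b"
)


def parse_ipmon_line(line):
    """Return a dict of fields for one ipmon line, or None if it does not match."""
    m = IPMON_RE.match(line.strip())
    if not m:
        return None
    r = m.groupdict()
    r["count"] = int(r["count"] or 1)          # "2x" -> 2; absent -> 1
    for k in ("group", "rule", "hlen", "plen"):
        r[k] = int(r[k])
    r["is_fragment"] = r["foff"] is not None
    r["frag_offset"] = int(r["foff"]) if r["foff"] is not None else 0
    r["frag_len"] = int(r["flen"]) if r["flen"] is not None else None
    r["more_fragments"] = "+" in (r["fflags"] or "")  # assumed: '+' = MF bit
    return r


def parse_ipmon(lines):
    """Parse an iterable of lines, silently skipping ones that do not match."""
    return [rec for rec in (parse_ipmon_line(l) for l in lines) if rec]


def blocked_nonfirst_fragments(records):
    """Blocked entries whose fragment offset is non-zero. Such fragments carry
    no UDP header, so a port-based rule can never match them; they can only
    pass through a fragment-table entry made by the datagram's first fragment."""
    return [r for r in records if r["action"] == "b" and r["frag_offset"] > 0]


def summarize(records):
    """Count blocked non-first fragments per (src, dst, rule), honouring 'Nx'."""
    counts = Counter()
    for r in blocked_nonfirst_fragments(records):
        counts[(r["src"], r["dst"], f"@{r['group']}:{r['rule']}")] += r["count"]
    return counts


# Constructed sample log. Line 1 is the line quoted in the post (rejoined);
# lines 2-4 are made up: a passed first fragment, an unfragmented packet,
# and another blocked trailing fragment of a later datagram.
SAMPLE_LOG = """\
20/09/2007 10:41:00.390703 2x bge0 @0:14 b hecate.umd.edu[128.8.10.23] -> wrath.umd.edu[128.8.70.25] PR udp len 20 (1500) frag +-1480@1480 IN
20/09/2007 10:41:00.390650 bge0 @0:3 p hecate.umd.edu[128.8.10.23],7001 -> wrath.umd.edu[128.8.70.25],7000 PR udp len 20 (1500) frag +1480@0 IN
20/09/2007 10:41:01.000001 bge0 @0:3 p hecate.umd.edu[128.8.10.23],7001 -> wrath.umd.edu[128.8.70.25],7000 PR udp len 20 84 IN
20/09/2007 10:41:02.000002 3x bge0 @0:14 b hecate.umd.edu[128.8.10.23] -> wrath.umd.edu[128.8.70.25] PR udp len 20 (1500) frag +-1480@2960 IN
""".splitlines()

if __name__ == "__main__":
    for (src, dst, rule), n in summarize(parse_ipmon(SAMPLE_LOG)).items():
        print(f"{n:4d} blocked non-first fragment(s) {src} -> {dst} by rule {rule}")
```

Feed it real ipmon output (for example, the lines ipmon writes to syslog) to see which hosts and which rule number account for the dropped fragments; a high count on a "block" rule for offset-greater-than-zero fragments, alongside passed first fragments from the same peer, points at fragment handling rather than at the port rules themselves.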