ipfilterd udp

by foetz » Sat Jan 13, 2018 9:56 pm

for many years i've been running ipfilterd on my server-octane to give it a little extra protection and never had any issues. recently i changed my internet plan which included a new router. not a big change tho since it's almost the same. just a later model which runs the same software and is 95% identical. it's one of these dummy routers you're forced to use with certain providers. hardly any "real" network settings so not much to mess up :P
anyway everything is fine except for one thing: udp. ntp, dns ... no joy and nfs is like limited to 100mbit despite using my gbit card. but only if ipfilterd is running. if i turn it off everything works fine. i didn't change my rules in years and it worked fine with the old router and any other router i had before.
i had to change my lan ips tho but don't see how that could cause the trouble since everything else except for udp is fine and without ipfilterd that's fine as well.

now the big question is: did anyone encounter something similar? or has any idea why ipfilterd suddenly causes udp problems?


EDIT: this just got weirder. i tried with ipfilter (the 3rd party one) and guess what, same issue :P
ipfilter on = udp dead. just like with ipfilterd. and the same happened with another machine where i tried both, too.
and yet weirder, even with the firewalls off the nfs speed still sucks. i'm starting to think this is because of the ip change after all. any known issues with irix and 172.16.x.x ?

by dexter1 » Sun Jan 14, 2018 5:41 am

Suppose you want to run nfs services from within your home network to the octane, did you perform an attempt of directly connecting the octane to the nfs server omitting the router?
This way you can check three possible causes:
- if Gigabit speeds are attainable
- if ipfilter(d) causes havoc just because a new router was added
- if the subnet causes problems

I have never used 172.16.x.x so can't comment on that.

By any chance, what is the brand and model of your internet router? Since you live in Germany, i suppose FritzBox is used very often as router hardware.
I use a 7360v1 myself.
I might start ipfilterd on my challengeS and with maybe your (edited) config i can check if i experience the same behavior.

by vishnu » Sun Jan 14, 2018 9:50 am

Just guessing but it could be that one of your network related /etc/config/*.options files is messed up...

by foetz » Sun Jan 14, 2018 2:18 pm

dexter1 wrote: Suppose you want to run nfs services from within your home network to the octane

the other way around, the octane is the server.

dexter1 wrote: did you perform an attempt of directly connecting the octane to the nfs server omitting the router?

ah, i should have been a bit more detailed there.
nothing is connected to the router (indeed a fritzbox) directly. the router hooks up to my switch and that's where all machines are plugged in as well. just as i did with the previous router. i even use the same cable so hardware wise no change except for the router.

in fact after the same happened to the other sgi i tried i'm starting to think that the router might not be the problem after all but rather the new ip range. although i have no idea why :P
before i had 192.168.0.0/255.255.0.0 which i had to change to 172.16.0.0/255.255.0.0. shouldn't make a difference but, well, maybe it did.
to set the new ip i changed static-route.options, hosts, exports and the ips in my ipfilterd.conf. netif.options only works with hostnames and i kept the subnet mask so nothing else required. just to be on the safe side i tried to make the ip changes via sysmgr later but that made no difference.

dexter1 wrote: I might start ipfilterd on my challengeS and with maybe your (edited) config i can check if i experience the same behavior.

would be great if you wouldn't mind. just put your router and one of your sgis into the 172.16.0.0 net and fire up either ipfilterd or ipfilter. then run ntpdate or a bind9 or whatever else you have that's using udp.

vishnu wrote: Just guessing but it could be that one of your network related /etc/config/*.options files is messed up...

sure that was the first thing i checked but i didn't change anything in there except for the ips. same goes for the hosts file and exports. i don't use nis or similar stuff.

by vishnu » Sun Jan 14, 2018 3:46 pm

foetz wrote:
vishnu wrote: Just guessing but it could be that one of your network related /etc/config/*.options files is messed up...

sure that was the first thing i checked but i didn't change anything in there except for the ips. same goes for the hosts file and exports. i don't use nis or similar stuff.


You probably already did this but try grepping for 192 in the options files, see if one of them thinks you're still on the old network...?

by foetz » Sun Jan 14, 2018 4:03 pm

that's how i did it in the first place :-)

by rooprob » Sun Jan 14, 2018 5:47 pm

have you run tcpdump to confirm whether UDP traffic is passing the Gbit or built in 100Mbit interface on the Octane?

I realise that doesn’t explain the difference of running ipfilterd or not but it might track whether you have some comms passing either interface.

Are you running routing software? Routed for example?
You have discounted running in half duplex?

by foetz » Sun Jan 14, 2018 6:40 pm

rooprob wrote: have you run tcpdump to confirm whether UDP traffic is passing the Gbit or built in 100Mbit interface on the Octane?

not yet, i'm not so much concerned about the speed but udp working at all

rooprob wrote: I realise that doesn’t explain the difference of running ipfilterd or not but it might track whether you have some comms passing either interface.

yeah good point. time for some tcpdumping

rooprob wrote: Are you running routing software? Routed for example?

none

rooprob wrote: You have discounted running in half duplex?

ifconfig attests both nics full duplex


EDIT: actually irix doesn't have tcpdump but i'll try something else

by mgtremaine » Tue Jan 16, 2018 6:33 am

Isn't it snoop or sniff? Something like that, it's been a while. But yes, packet tracing is the tool to reach for to see if the packets are going somewhere they should not be.

-Mike

by foetz » Tue Jan 16, 2018 3:35 pm

okay so i took netsnoop for a ride and the results were, well, not too helpful :P
unless i did it wrong. i ran:

netsnoop -e any udp

then i fired up ntpdate which is one of the troublesomes. netsnoop showed the traffic that the dns query caused because i used pool.ntp.org. what it didn't show however was anything related to ntp itself but since it worked there must be some ntp traffic. odd.
next i activated ipfilter, started netsnoop again and ran ntpdate again. this time i got the same dns traffic and nothing else. but this time, as expected, ntpdate didn't work.

so i'm not sure what to make of that. it made the whole case even weirder :D

by markh » Wed Jan 17, 2018 11:31 am

You can change the ip address of the fritzbox to one in your original range. You may have to enable the advanced mode in the gui, though. That should let you use the original range of ip addresses you had.

I have a fritzbox as well and my network is in the 192.168.0.x range.

by foetz » Wed Jan 17, 2018 12:01 pm

markh wrote: You can change the ip address of the fritzbox to one in your original range

no i can't. exactly that's the problem. it doesn't let me if the mask is 255.255.0.0. this worked with the older model but not the one i have now.
meanwhile i reported that to avm, they confirmed the issue and are looking into it.

by foetz » Thu Jan 18, 2018 5:05 am

i exchanged a couple of mails with avm and the result was a bit curious. according to them the issue can have 2 reasons:
1. a specific ds-lite configuration of the isp.
2. the docsis standard would require 192.168.100 to be available for the isp's support personnel.

the first point wasn't the case because i don't have ds-lite. the second point made no sense either because the older model i had used that standard as well but there using the full 192.168.0.0 range was no problem and i didn't change the isp either.
so i asked them how that's possible. the poor reply: they had no info in that regard and it wouldn't matter anyway because my support query was about the current model. lol.

bottom line is if you wanna use more than just the last block of the 192.168. net don't get an avm. i could of course not help myself and had to tell them that restricting the most popular private ip range like that is not a good idea at all.


in the meantime i wrote a ruleset for ipfilter that does work with dns and ntp. but i still have no idea why my good ol' ipfilterd rules suddenly stopped working after the ip change.

by mgtremaine » Thu Jan 18, 2018 4:06 pm

Sounds like you got it figured out but I just wanted to point out that "Snoop" the original should be on your workstation in IRIX... Here is the man page, you get each and every packet...

http://nixdoc.net/man-pages/irix/man1/snoop.1.html

-Mike

by foetz » Thu Jan 18, 2018 5:48 pm

mgtremaine wrote: Sounds like you got it figured out

no. as i said, i still have no idea why the ipfilterd rules suddenly stopped working.

mgtremaine wrote: I just wanted to point out that "Snoop" the original should be on your workstation in IRIX

yeah i have snoop, too. netsnoop was okay tho but it's always good to have options :-)

