From owner-freebsd-questions  Sat Feb 20  6:57: 7 1999
Delivered-To: freebsd-questions@freebsd.org
Received: from kendra.ne.mediaone.net (kendra.ne.mediaone.net [24.128.94.182])
	by hub.freebsd.org (Postfix) with ESMTP id E8F9910E6B
	for ; Sat, 20 Feb 1999 06:57:03 -0800 (PST)
	(envelope-from software@kew.com)
Received: from sonata.hh.kew.com (root@sonata-dmz.hh.kew.com [192.168.205.1])
	by kendra.ne.mediaone.net (8.9.1/8.9.1) with ESMTP id JAA22526;
	Sat, 20 Feb 1999 09:57:02 -0500 (EST)
Received: from kew.com (minerva.hh.kew.com [192.168.203.144])
	by sonata.hh.kew.com (8.9.1/8.9.1) with ESMTP id JAA08055;
	Sat, 20 Feb 1999 09:57:00 -0500 (EST)
Message-ID: <36CECD3B.A6AB4A6A@kew.com>
Date: Sat, 20 Feb 1999 09:56:59 -0500
From: Drew Derbyshire
Organization: Kendra Electronic Wonderworks, Stoneham, MA 02180 (http://www.kew.com)
X-Mailer: Mozilla 4.5 [en] (WinNT; U)
X-Accept-Language: en
MIME-Version: 1.0
To: questions@freebsd.org
Cc: edk@kew.com
Subject: natd on 2.2.8 kills network performance
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

I've got to be missing something here ...

I've been running natd and firewall rules on my primary firewall (pandora)
since ~ 2.2.2; trying to repeat the success on two other systems (mash and
sonata), both at 2.2.8, just doesn't work cleanly, and I can't tell why.

The sessions through the natd interface seem to hang for tens of seconds,
during which time netstat shows a few characters queued for sending.
Sessions through other interfaces are not affected, and the CPU is idle.

Various small configuration items:

* Both pandora and mash have the wide-dhcp client on the natd interface.
  sonata doesn't.
* pandora uses an EtherLink III
* sonata uses an SMC EtherEZ
* mash uses an Etherlink Fast XL
* pandora was an upgrade install from the 2.2.7 CD-ROMs
* sonata was upgraded from 2.2.7 to 2.2.8 via a make world in December
* mash was a clean install from the 2.2.8 CD-ROMs.

pandora shows the divert socket active in netstat:

    diver      0      0  *.natd                 *.*

sonata and mash do not.

The sonata 2.2.8 system has these kernel options:

options         IPFIREWALL                      #firewall
options         IPFIREWALL_VERBOSE              #print information about
options         "IPFIREWALL_VERBOSE_LIMIT=100"  #limit verbosity
options         IPDIVERT                        #divert sockets

And it has these rules (ed0 is the natd interface):

01000 allow ip from any to any via lo0
02000 deny ip from any to 127.0.0.0/8
02100 divert 8668 ip from any to any via ed0
02200 allow tcp from any to any in recv ed0
02300 allow udp from any to any in recv ed0
02400 allow ip from any to any in recv ed0
02500 allow tcp from any to any out xmit ed0
02600 allow udp from any to any out xmit ed0
02700 allow ip from any to any out xmit ed0
65000 allow ip from any to any
65535 deny ip from any to any

natd is involved thusly:

natd -n ed0

pandora, the working 2.2.7 system, has standard kernel options:

options         IPFIREWALL                      #firewall
options         IPFIREWALL_VERBOSE              #print information about
options         "IPFIREWALL_VERBOSE_LIMIT=200"  #limit verbosity
options         IPDIVERT                        #divert sockets

and some reasonably tight rules:

00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 divert 8668 tcp from any to 24.128.94.182 1024-65535 recv ep0
00400 divert 8668 tcp from not 24.128.94.182 1024-65535 to not 24.128.94.182 via ep0
00500 divert 8668 tcp from any to 24.128.94.182 540 recv ep0
00600 divert 8668 tcp from 192.168.205.1 540 to any via ep0
00700 deny ip from 192.168.205.0/24 to any in recv ep0
00800 deny ip from 192.168.0.0/16 to any in recv ep0
00900 deny ip from 172.16.0.0/12 to any via ep0
01000 deny ip from any to 172.16.0.0/12 via ep0
01100 deny ip from 10.0.0.0/8 to any via ep0
01200 deny ip from any to 10.0.0.0/8 via ep0
01300 deny ip from any to 224.0.0.0/3
10000 allow tcp from any to any via ed0
10100 allow tcp from any to any established
. . .

ep0 is the standard "public" interface. natd itself is configured to run
thusly:

natd -config /usr/local/etc/natd.conf -n ep0

# /usr/local/etc/natd.conf
redirect_port tcp 192.168.205.1:540 540
dynamic yes

I did try -dynamic (and a configuration file with dynamic yes) on sonata,
no joy.

Suggestions?

-- 
Drew Derbyshire                UUPC/extended e-mail: software@kew.com
                               Telephone: 617-279-9812

Bring back ROSCOE release 4.1!

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
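The post sets a permissive rule set (sonata, where everything is diverted to natd and everything in and out of ed0 is allowed) beside a tighter one (pandora, which diverts only selected TCP traffic and denies RFC 1918 sources on the public interface). The following is an added example, not part of the original message and not a FreeBSD or natd tool: it parses both listings exactly as they appear in the post and reports the three properties they differ on, so the same check can be run against any `ipfw list` output. It assumes the interface roles the post gives (ed0 is the public/natd interface on sonata, ep0 on pandora), understands only the subset of ipfw(8) syntax the post uses, and stops pandora's listing where the post's ". . ." does.

```python
"""Audit an 'ipfw list' listing for what the post's two rule sets differ on:
RFC 1918 anti-spoofing on the public interface, the scope of the divert-to-natd
rule, and unrestricted inbound allows. Added example, not from the original
post: it parses only the ipfw(8) syntax subset the post uses, and the listings
are the post's rules reproduced as constructed sample input (pandora's is
truncated in the post and stops at the same place here)."""
import ipaddress
import re
from collections import namedtuple
from typing import List, Tuple

SONATA_RULES = """\
01000 allow ip from any to any via lo0
02000 deny ip from any to 127.0.0.0/8
02100 divert 8668 ip from any to any via ed0
02200 allow tcp from any to any in recv ed0
02300 allow udp from any to any in recv ed0
02400 allow ip from any to any in recv ed0
02500 allow tcp from any to any out xmit ed0
02600 allow udp from any to any out xmit ed0
02700 allow ip from any to any out xmit ed0
65000 allow ip from any to any
65535 deny ip from any to any
"""
PANDORA_RULES = """\
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 divert 8668 tcp from any to 24.128.94.182 1024-65535 recv ep0
00400 divert 8668 tcp from not 24.128.94.182 1024-65535 to not 24.128.94.182 via ep0
00500 divert 8668 tcp from any to 24.128.94.182 540 recv ep0
00600 divert 8668 tcp from 192.168.205.1 540 to any via ep0
00700 deny ip from 192.168.205.0/24 to any in recv ep0
00800 deny ip from 192.168.0.0/16 to any in recv ep0
00900 deny ip from 172.16.0.0/12 to any via ep0
01000 deny ip from any to 172.16.0.0/12 via ep0
01100 deny ip from 10.0.0.0/8 to any via ep0
01200 deny ip from any to 10.0.0.0/8 via ep0
01300 deny ip from any to 224.0.0.0/3
10000 allow tcp from any to any via ed0
10100 allow tcp from any to any established
"""
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
_RULE_RE = re.compile(
    r"^(?P<num>\d+)\s+(?P<action>allow|accept|pass|deny|drop|divert|tee|count)"
    r"(?:\s+(?P<arg>\d+))?\s+(?P<proto>\S+)\s+from\s+(?P<snot>not\s+)?(?P<src>\S+)"
    r"(?:\s+(?P<sports>[\d,-]+))?\s+to\s+(?P<dnot>not\s+)?(?P<dst>\S+)"
    r"(?:\s+(?P<dports>[\d,-]+))?(?P<rest>.*)$")
# direction is "in", "out" or None; iface is the name after via/recv/xmit, or None
Rule = namedtuple("Rule", "number action divert_port proto src src_not src_ports "
                          "dst dst_not dst_ports direction iface")

def parse_rule(line: str) -> Rule:
    m = _RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised rule: {line!r}")
    direction = iface = None
    tokens = m["rest"].split()          # e.g. ["in", "recv", "ed0"] or ["established"]
    while tokens:
        tok = tokens.pop(0)
        if tok in ("in", "out"):
            direction = tok
        elif tok in ("via", "recv", "xmit"):
            iface = tokens.pop(0)
    return Rule(int(m["num"]), m["action"], int(m["arg"]) if m["arg"] else None,
                m["proto"], m["src"], bool(m["snot"]), m["sports"],
                m["dst"], bool(m["dnot"]), m["dports"], direction, iface)

def parse_listing(text: str) -> List[Rule]:
    return [parse_rule(l) for l in text.splitlines() if l.strip()]

def _covers(addr: str, net) -> bool:
    """Does a host or CIDR address field contain all of net? 'any' is excluded:
    a 'deny ip from any to X' rule is not an anti-spoofing rule."""
    return addr != "any" and ipaddress.ip_network(addr, strict=False).supernet_of(net)

def missing_antispoof(rules: List[Rule], public_if: str) -> List[str]:
    """RFC 1918 source blocks that no deny rule on public_if (inbound or via)
    covers, the way pandora's rules 00800-01100 do."""
    return [str(net) for net in RFC1918 if not any(
        r.action in ("deny", "drop") and r.iface == public_if and r.direction != "out"
        and not r.src_not and _covers(r.src, net) for r in rules)]

def divert_scope(rules: List[Rule]) -> List[Tuple[int, int, str]]:
    """(rule number, natd port, scope) per divert rule; 'all traffic' is ip any->any."""
    return [(r.number, r.divert_port, "all traffic" if r.proto == "ip"
             and r.src == r.dst == "any" and not (r.src_ports or r.dst_ports
             or r.src_not or r.dst_not) else "selective")
            for r in rules if r.action == "divert"]

def unrestricted_inbound(rules: List[Rule], public_if: str) -> List[int]:
    """Allow rules admitting any->any, no port restriction, inbound on public_if."""
    return [r.number for r in rules if r.action in ("allow", "accept", "pass")
            and r.iface == public_if and r.direction != "out"
            and r.src == r.dst == "any" and not (r.src_ports or r.dst_ports)]

if __name__ == "__main__":
    for host, text, pub in (("sonata", SONATA_RULES, "ed0"), ("pandora", PANDORA_RULES, "ep0")):
        rules = parse_listing(text)
        print(host, "missing anti-spoof denies:", missing_antispoof(rules, pub))
        print(host, "divert rules:", divert_scope(rules))
        print(host, "unrestricted inbound allows:", unrestricted_inbound(rules, pub))
```

Run as-is, sonata reports all three RFC 1918 blocks without a deny on ed0, one divert rule that catches all traffic, and three allow rules (02200, 02300, 02400) that admit any inbound packet on ed0; pandora reports no missing anti-spoof denies and four selective divert rules. Whether the broad form is acceptable depends on what else the gateway runs and on whether the divert rule is meant to cover all traffic, which is a configuration choice, not a defect; the script only makes the difference between the two rule sets explicit. To audit a live box, feed it `ipfw list` output and the name of the public interface.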