From: john.w.court@nokia.com
To: freebsd-ipfw@freebsd.org
Date: Mon, 5 Nov 2007 07:14:54 +0800
Subject: RE: IPFW Problem
In-Reply-To: <932971.53959.qm@web88014.mail.re2.yahoo.com>
List-Id: IPFW Technical Discussions (freebsd-ipfw@freebsd.org)

Hmm, I may well be missing something very obvious, but rule 01000 seems to be doing exactly what it says it will. Are you sure you meant "deny" rather than "allow" on rule 01000? It seems very unfriendly to allow outgoing TCP connections and then, the minute they are established, deny any return traffic!! Usually the "established" test is there to detect valid incoming traffic associated with your own outgoing "safe" connections.

Cheers
John

-----Original Message-----
From: owner-freebsd-ipfw@freebsd.org [mailto:owner-freebsd-ipfw@freebsd.org] On Behalf Of ext Gardner Bell
Sent: Sunday, November 04, 2007 8:51 AM
To: freebsd-ipfw@freebsd.org
Subject: IPFW Problem

I'm hoping some of you can help me out with the problem that I'm having, as I'm not very good when it comes to networking. I've recently configured 6.3-PRERELEASE with IPFW/NATD to act as my LAN's firewall/router. After I initially access certain http sites, particularly google groups and yahoo web mail, I'm noticing subsequent attempts take > 2 mins to resolve the next link that I am interested in reading.

This appears to be caused by rule 01000, as the counter increases each time I access one of the above mentioned sites. Short of removing this rule, is there any other way that I can fix this issue? Below is a listing of my present ruleset and a tcpdump of a Windows XP machine trying to access a link on google groups.
regards,
Gardner

mx1# ipfw show
00100    76   11134 allow ip from 127.0.0.1 to 127.0.0.1 via lo0
00200     0       0 deny log logamount 10 ip from 127.0.0.1 to any
00300     0       0 deny log logamount 10 ip from any to 127.0.0.1
00400     0       0 deny log logamount 10 ip from any to any not verrevpath in
00500     0       0 deny log logamount 10 ip from any to any ipoptions ssrr,lsrr,rr,ts in
00600     0       0 deny ip from any to any frag
00700     0       0 allow icmp from any to any icmptypes 0,3,11,12
00800  1081  452405 divert 8668 ip from any to any via bge0
00900     0       0 check-state
01000    36   17682 deny tcp from any to any established
01100  2704  853904 allow ip from any to any via bge1 keep-state
01200   262   57586 allow tcp from any to any dst-port 80 keep-state
01300     0       0 allow tcp from any to any dst-port 443 keep-state
01400   102    7752 allow udp from me to any dst-port 123 keep-state
01500     0       0 allow tcp from me to any dst-port 53 setup keep-state
01600   169   30563 allow udp from me to any dst-port 53 keep-state
01700     0       0 allow tcp from any to any dst-port 1863 setup keep-state
01800     0       0 allow log logamount 10 udp from any to 255.255.255.255 dst-port 68 in via bge0
01900     0       0 allow tcp from x.x.x.x to x.x.x.x dst-port 22 keep-state
02000     0       0 deny log logamount 10 ip from any to any
65535     1     396 deny ip from any to any

131219 00:e0:81:2e:c1:aa > 00:13:5f:04:bd:05, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 63, id 55490, offset 0, flags [DF], proto: TCP (6), length: 40, bad cksum 0 (->4d44)!)
    x.x.x.x.2471 > 64.233.179.99.80: ., cksum 0x2bf0 (correct), ack 26946 win 64330
046227 00:e0:81:2e:c1:aa > 00:13:5f:04:bd:05, ethertype IPv4 (0x0800), length 62: (tos 0x0, ttl 63, id 55493, offset 0, flags [DF], proto: TCP (6), length: 48, bad cksum 0 (->2a14)!)
    x.x.x.x.2474 > 72.14.207.99.80: S, cksum 0xf365 (correct), 2296693740:2296693740(0) win 65535
007127 00:13:5f:04:bd:05 > 00:e0:81:2e:c1:aa, ethertype IPv4 (0x0800), length 62: (tos 0x0, ttl 56, id 48846, offset 0, flags [none], proto: TCP (6), length: 48)
    72.14.207.99.80 > x.x.x.x.2474: S, cksum 0x8043 (correct), 2154814567:2154814567(0) ack 2296693741 win 5720
000323 00:e0:81:2e:c1:aa > 00:13:5f:04:bd:05, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 63, id 55494, offset 0, flags [DF], proto: TCP (6), length: 40, bad cksum 0 (->2a1b)!)
    x.x.x.x.2474 > 72.14.207.99.80: ., cksum 0xc341 (correct), ack 1 win 65535
000293 00:e0:81:2e:c1:aa > 00:13:5f:04:bd:05, ethertype IPv4 (0x0800), length 1155: (tos 0x0, ttl 63, id 55495, offset 0, flags [DF], proto: TCP (6), length: 1141, bad cksum 0 (->25cd)!)
    x.x.x.x.2474 > 72.14.207.99.80: P 1:1102(1101) ack 1 win 65535
015474 00:13:5f:04:bd:05 > 00:e0:81:2e:c1:aa, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 56, id 48847, offset 0, flags [none], proto: TCP (6), length: 40)
    72.14.207.99.80 > x.x.x.x.2474: ., cksum 0xa0d9 (correct), ack 1102 win 7707
000879 00:13:5f:04:bd:05 > 00:e0:81:2e:c1:aa, ethertype IPv4 (0x0800), length 383: (tos 0x0, ttl 56, id 48848, offset 0, flags [none], proto: TCP (6), length: 369)
    72.14.207.99.80 > x.x.x.x.2474: P 1:330(329) ack 1102 win 7707
003365 00:13:5f:04:bd:05 > 00:e0:81:2e:c1:aa, ethertype IPv4 (0x0800), length 1484: (tos 0x0, ttl 54, id 5049, offset 0, flags [none], proto: TCP (6), length: 1470)
    64.233.179.99.80 > x.x.x.x.2472: . 1:1431(1430) ack 944 win 6797
001463 00:13:5f:04:bd:05 > 00:e0:81:2e:c1:aa, ethertype IPv4 (0x0800), length 1484: (tos 0x0, ttl 54, id 5050, offset 0, flags [none], proto: TCP (6), length: 1470)
    64.233.179.99.80 > x.x.x.x.2472: . 1431:2861(1430) ack 944 win 6797
000478 00:e0:81:2e:c1:aa > 00:13:5f:04:bd:05, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 63, id 55498, offset 0, flags [DF], proto: TCP (6), length: 40, bad cksum 0 (->4d3c)!)
    x.x.x.x.2472 > 64.233.179.99.80: ., cksum 0xa354 (correct), ack 2861 win 65535
000694 00:13:5f:04:bd:05 > 00:e0:81:2e:c1:aa, ethertype IPv4 (0x0800), length 348: (tos 0x0, ttl 54, id 5051, offset 0, flags [none], proto: TCP (6), length: 334)
    64.233.179.99.80 > x.x.x.x.2472: P 2861:3155(294) ack 944 win 6797
002086 00:e0:81:2e:c1:aa > 00:13:5f:04:bd:05, ethertype IPv4 (0x0800), length 841: (tos 0x0, ttl 63, id 55503, offset 0, flags [DF], proto: TCP (6), length: 827, bad cksum 0 (->4a24)!)
    x.x.x.x.2471 > 64.233.179.99.80: P 900:1687(787) ack 26946 win 64330
039910 00:13:5f:04:bd:05 > 00:e0:81:2e:c1:aa, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 54, id 65197, offset 0, flags [none], proto: TCP (6), length: 40)
    64.233.179.99.80 > x.x.x.x.2471: ., cksum 0xfff1 (correct), ack 1687 win 9270
081626 00:e0:81:2e:c1:aa > 00:13:5f:04:bd:05, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 63, id 55504, offset 0, flags [DF], proto: TCP (6), length: 40, bad cksum 0 (->2a11)!)
    x.x.x.x.2474 > 72.14.207.99.80: ., cksum 0xbef4 (correct), ack 330 win 65206
006714 00:e0:81:2e:c1:aa > 00:13:5f:04:bd:05, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 63, id 55505, offset 0, flags [DF], proto: TCP (6), length: 40, bad cksum 0 (->4d35)!)
    x.x.x.x.2472 > 64.233.179.99.80: ., cksum 0xa354 (correct), ack 3155 win 65241
023252 00:13:5f:04:bd:05 > 00:e0:81:2e:c1:aa, ethertype IPv4 (0x0800), length 1484: (tos 0x0, ttl 54, id 65198, offset 0, flags [none], proto: TCP (6), length: 1470)
    64.233.179.99.80 > x.x.x.x.2471: . 26946:28376(1430) ack 1687 win 9270
001610 00:13:5f:04:bd:05 > 00:e0:81:2e:c1:aa, ethertype IPv4 (0x0800), length 1460: (tos 0x0, ttl 54, id 65199, offset 0, flags [none], proto: TCP (6), length: 1446)
    64.233.179.99.80 > x.x.x.x.2471: P 28376:29782(1406) ack 1687 win 9270
000456 00:e0:81:2e:c1:aa > 00:13:5f:04:bd:05, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 63, id 55506, offset 0, flags [DF], proto: TCP (6), length: 40, bad cksum 0 (->4d34)!)
    x.x.x.x.2471 > 64.233.179.99.80: ., cksum 0x1914 (correct), ack 29782 win 65535
000861 00:13:5f:04:bd:05 > 00:e0:81:2e:c1:aa, ethertype IPv4 (0x0800), length 1484: (tos 0x0, ttl 54, id 65200, offset 0, flags [none], proto: TCP (6), length: 1470)
    64.233.179.99.80 > x.x.x.x.2471: . 29782:31212(1430) ack 1687 win 9270
036857 00:13:5f:04:bd:05 > 00:e0:81:2e:c1:aa, ethertype IPv4 (0x0800), length 116: (tos 0x0, ttl 54, id 65201, offset 0, flags [none], proto: TCP (6), length: 102)
    64.233.179.99.80 > x.x.x.x.2471: P 31212:31274(62) ack 1687 win 9270
000164 00:e0:81:2e:c1:aa > 00:13:5f:04:bd:05, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 63, id 55507, offset 0, flags [DF], proto: TCP (6), length: 40, bad cksum 0 (->4d33)!)
    x.x.x.x.2471 > 64.233.179.99.80: ., cksum 0x1340 (correct), ack 31274 win 65535

_______________________________________________
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
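The following is an added illustration, not code from either poster or from FreeBSD: a toy first-match model of the TCP-relevant subset of Gardner's ruleset (check-state at 00900, rule 01000, rule 01200 with keep-state, and the final deny), used to show what John's reply describes. "established" is modelled as ipfw(8) defines it (ACK or RST bit set), and keep-state/check-state as a bidirectional 4-tuple table. The LAN address 192.168.1.10 is assumed (the archive shows it as x.x.x.x); 72.14.207.99 is the server from the posted tcpdump. The model deliberately omits the NAT divert rule, the "via bge0/bge1" interface matches and the fact that a forwarded packet is evaluated once per interface, so it does not claim to reproduce why rule 01000's counter increments in Gardner's setup; the "state expired" case is an assumed scenario that simply shows which rule catches a mid-stream packet once no dynamic rule matches it.

```python
"""Toy first-match model of the ipfw rules discussed in the thread (added example)."""
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]   # TCP flag letters as tcpdump prints them: S, A, P, R, F


def established(p: Packet) -> bool:
    # ipfw(8): "established" matches TCP packets that have the RST or ACK bit set
    return bool(p.flags & {"A", "R"})


# (rule number, action, match predicate or None for check-state, keep-state?)
Rule = Tuple[int, str, Optional[Callable[[Packet], bool]], bool]


def ruleset(rule_1000_action: str) -> List[Rule]:
    """TCP subset of the posted rules; rule 01000 is 'deny' as posted, 'allow' as John suggests."""
    return [
        (900, "check-state", None, False),
        (1000, rule_1000_action, established, False),
        (1200, "allow", lambda p: p.dport == 80, True),
        (2000, "deny", lambda p: True, False),
    ]


class Firewall:
    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        # dynamic rules created by keep-state, keyed on the 4-tuple in either direction
        self.dyn: Set[FrozenSet[Tuple[str, int]]] = set()

    @staticmethod
    def key(p: Packet) -> FrozenSet[Tuple[str, int]]:
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def evaluate(self, p: Packet) -> Tuple[int, str]:
        """Return (rule number that decided the packet, action); first match wins."""
        for num, action, match, keep_state in self.rules:
            if action == "check-state":
                if self.key(p) in self.dyn:   # dynamic rule matched: accepted at check-state
                    return num, "allow"
                continue
            if match(p):
                if keep_state:
                    self.dyn.add(self.key(p))
                return num, action
        return 65535, "deny"                  # implicit default rule


LAN = "192.168.1.10"   # assumed; the archive shows the LAN host as x.x.x.x
WEB = "72.14.207.99"   # the Google host from the posted tcpdump


def trace(rule_1000_action: str, state_expired: bool = False) -> List[Tuple[int, str]]:
    """Evaluate the three-way handshake seen in the tcpdump, then one mid-stream
    data packet.  With state_expired=True the dynamic rule is dropped before the
    data packet (assumed scenario: the keep-state entry has timed out)."""
    fw = Firewall(ruleset(rule_1000_action))
    handshake = [
        Packet(LAN, 2474, WEB, 80, frozenset("S")),    # SYN
        Packet(WEB, 80, LAN, 2474, frozenset("SA")),   # SYN/ACK
        Packet(LAN, 2474, WEB, 80, frozenset("A")),    # ACK
    ]
    results = [fw.evaluate(p) for p in handshake]
    if state_expired:
        fw.dyn.clear()
    # data segment, like "P 1:1102(1101) ack 1" in the capture
    results.append(fw.evaluate(Packet(LAN, 2474, WEB, 80, frozenset("PA"))))
    return results


if __name__ == "__main__":
    for action in ("deny", "allow"):
        for expired in (False, True):
            print(f"rule 01000 = {action:5s} state_expired={expired!s:5s} ->",
                  trace(action, expired))
```

Running the script prints four traces. While a dynamic rule exists, every packet after the SYN is accepted at 00900 and rule 01000 is never reached, whichever action it carries; once no dynamic rule matches, the first non-SYN packet is decided by rule 01000, which denies it as posted and passes it with John's suggested "allow".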