Date: Sun, 4 Nov 2007 16:32:01 -0700 (MST)
From: "Jason Lewis" <me@sharktooth.org>
To: john.w.court@nokia.com
Cc: freebsd-ipfw@freebsd.org, gbell72@rogers.com
Subject: RE: IPFW Problem
Message-ID: <14144.207.173.157.85.1194219121.squirrel@users.sharktooth.org>
In-Reply-To: <DBA4167E9E1EB44D8476A6F928BE52452B5379@siebe101.NOE.Nokia.com>
References: <932971.53959.qm@web88014.mail.re2.yahoo.com> <DBA4167E9E1EB44D8476A6F928BE52452B5379@siebe101.NOE.Nokia.com>
Greg,

My guess would be to look at rule 00800. I suspect that the network that you are having problems with is on BGE0. NAT and keep-state do not play well with each other.

Jason

On Sun, November 4, 2007 4:14 pm, john.w.court@nokia.com wrote:
> Hmm, I may well be missing something very obvious but rule 01000 seems
> to be doing exactly what it says it will. Are you sure you meant "deny"
> rather than "allow" on rule 01000 ? It seems very unfriendly to allow
> outgoing TCP connections and then the minute they are established deny
> any return traffic !! Usually the "established" test is there to detect
> valid incoming traffic associated with your own outgoing "safe"
> connections.
>
> Cheers
>
> John
>
> -----Original Message-----
> From: owner-freebsd-ipfw@freebsd.org
> [mailto:owner-freebsd-ipfw@freebsd.org] On Behalf Of ext Gardner Bell
> Sent: Sunday, November 04, 2007 8:51 AM
> To: freebsd-ipfw@freebsd.org
> Subject: IPFW Problem
>
> I'm hoping some of you can help me out with the problem that I'm having
> as I'm not very good when it comes to networking..
>
> I've recently configured 6.3-PRERELEASE with IPFW/NATD to act as my
> LAN's firewall/router. After I initially access certain http sites,
> particularly google groups and yahoo web mail I'm noticing subsequent
> attempts take > 2 mins to resolve the next link that I am interested in
> reading.
>
> This appears to be caused by rule 01000 as the counter increases each
> time I access one of the above mentioned sites.
>
> Short of removing this rule, is there any other way that I can fix this
> issue? Below is a listing of my present ruleset and a tcpdump of a
> Windows XP machine trying to access a link on google groups.
>
> regards,
>
> Gardner
>
> mx1# ipfw show
> 00100    76   11134 allow ip from 127.0.0.1 to 127.0.0.1 via lo0
> 00200     0       0 deny log logamount 10 ip from 127.0.0.1 to any
> 00300     0       0 deny log logamount 10 ip from any to 127.0.0.1
> 00400     0       0 deny log logamount 10 ip from any to any not verrevpath in
> 00500     0       0 deny log logamount 10 ip from any to any ipoptions ssrr,lsrr,rr,ts in
> 00600     0       0 deny ip from any to any frag
> 00700     0       0 allow icmp from any to any icmptypes 0,3,11,12
> 00800  1081  452405 divert 8668 ip from any to any via bge0
> 00900     0       0 check-state
> 01000    36   17682 deny tcp from any to any established
> 01100  2704  853904 allow ip from any to any via bge1 keep-state
> 01200   262   57586 allow tcp from any to any dst-port 80 keep-state
> 01300     0       0 allow tcp from any to any dst-port 443 keep-state
> 01400   102    7752 allow udp from me to any dst-port 123 keep-state
> 01500     0       0 allow tcp from me to any dst-port 53 setup keep-state
> 01600   169   30563 allow udp from me to any dst-port 53 keep-state
> 01700     0       0 allow tcp from any to any dst-port 1863 setup keep-state
> 01800     0       0 allow log logamount 10 udp from any to 255.255.255.255 dst-port 68 in via bge0
> 01900     0       0 allow tcp from x.x.x.x to x.x.x.x dst-port 22 keep-state
> 02000     0       0 deny log logamount 10 ip from any to any
> 65535     1     396 deny ip from any to any
>
> 131219 00:e0:81:2e:c1:aa > 00:13:5f:04:bd:05, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 63, id 55490, offset 0, flags [DF], proto: TCP (6), length: 40, bad cksum 0 (->4d44)!) x.x.x.x.2471 > 64.233.179.99.80: ., cksum 0x2bf0 (correct), ack 26946 win 64330
> 046227 00:e0:81:2e:c1:aa > 00:13:5f:04:bd:05, ethertype IPv4 (0x0800), length 62: (tos 0x0, ttl 63, id 55493, offset 0, flags [DF], proto: TCP (6), length: 48, bad cksum 0 (->2a14)!) x.x.x.x.2474 > 72.14.207.99.80: S, cksum 0xf365 (correct), 2296693740:2296693740(0) win 65535 <mss 1460,nop,nop,sackOK>
> 007127 00:13:5f:04:bd:05 > 00:e0:81:2e:c1:aa, ethertype IPv4 (0x0800), length 62: (tos 0x0, ttl 56, id 48846, offset 0, flags [none], proto: TCP (6), length: 48) 72.14.207.99.80 > x.x.x.x.2474: S, cksum 0x8043 (correct), 2154814567:2154814567(0) ack 2296693741 win 5720 <mss 1430,nop,nop,sackOK>
> 000323 00:e0:81:2e:c1:aa > 00:13:5f:04:bd:05, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 63, id 55494, offset 0, flags [DF], proto: TCP (6), length: 40, bad cksum 0 (->2a1b)!) x.x.x.x.2474 > 72.14.207.99.80: ., cksum 0xc341 (correct), ack 1 win 65535
> 000293 00:e0:81:2e:c1:aa > 00:13:5f:04:bd:05, ethertype IPv4 (0x0800), length 1155: (tos 0x0, ttl 63, id 55495, offset 0, flags [DF], proto: TCP (6), length: 1141, bad cksum 0 (->25cd)!) x.x.x.x.2474 > 72.14.207.99.80: P 1:1102(1101) ack 1 win 65535
> 015474 00:13:5f:04:bd:05 > 00:e0:81:2e:c1:aa, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 56, id 48847, offset 0, flags [none], proto: TCP (6), length: 40) 72.14.207.99.80 > x.x.x.x.2474: ., cksum 0xa0d9 (correct), ack 1102 win 7707
> 000879 00:13:5f:04:bd:05 > 00:e0:81:2e:c1:aa, ethertype IPv4 (0x0800), length 383: (tos 0x0, ttl 56, id 48848, offset 0, flags [none], proto: TCP (6), length: 369) 72.14.207.99.80 > x.x.x.x.2474: P 1:330(329) ack 1102 win 7707
> 003365 00:13:5f:04:bd:05 > 00:e0:81:2e:c1:aa, ethertype IPv4 (0x0800), length 1484: (tos 0x0, ttl 54, id 5049, offset 0, flags [none], proto: TCP (6), length: 1470) 64.233.179.99.80 > x.x.x.x.2472: . 1:1431(1430) ack 944 win 6797
> 001463 00:13:5f:04:bd:05 > 00:e0:81:2e:c1:aa, ethertype IPv4 (0x0800), length 1484: (tos 0x0, ttl 54, id 5050, offset 0, flags [none], proto: TCP (6), length: 1470) 64.233.179.99.80 > x.x.x.x.2472: . 1431:2861(1430) ack 944 win 6797
> 000478 00:e0:81:2e:c1:aa > 00:13:5f:04:bd:05, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 63, id 55498, offset 0, flags [DF], proto: TCP (6), length: 40, bad cksum 0 (->4d3c)!) x.x.x.x.2472 > 64.233.179.99.80: ., cksum 0xa354 (correct), ack 2861 win 65535
> 000694 00:13:5f:04:bd:05 > 00:e0:81:2e:c1:aa, ethertype IPv4 (0x0800), length 348: (tos 0x0, ttl 54, id 5051, offset 0, flags [none], proto: TCP (6), length: 334) 64.233.179.99.80 > x.x.x.x.2472: P 2861:3155(294) ack 944 win 6797
> 002086 00:e0:81:2e:c1:aa > 00:13:5f:04:bd:05, ethertype IPv4 (0x0800), length 841: (tos 0x0, ttl 63, id 55503, offset 0, flags [DF], proto: TCP (6), length: 827, bad cksum 0 (->4a24)!) x.x.x.x.2471 > 64.233.179.99.80: P 900:1687(787) ack 26946 win 64330
> 039910 00:13:5f:04:bd:05 > 00:e0:81:2e:c1:aa, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 54, id 65197, offset 0, flags [none], proto: TCP (6), length: 40) 64.233.179.99.80 > x.x.x.x.2471: ., cksum 0xfff1 (correct), ack 1687 win 9270
> 081626 00:e0:81:2e:c1:aa > 00:13:5f:04:bd:05, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 63, id 55504, offset 0, flags [DF], proto: TCP (6), length: 40, bad cksum 0 (->2a11)!) x.x.x.x.2474 > 72.14.207.99.80: ., cksum 0xbef4 (correct), ack 330 win 65206
> 006714 00:e0:81:2e:c1:aa > 00:13:5f:04:bd:05, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 63, id 55505, offset 0, flags [DF], proto: TCP (6), length: 40, bad cksum 0 (->4d35)!) x.x.x.x.2472 > 64.233.179.99.80: ., cksum 0xa354 (correct), ack 3155 win 65241
> 023252 00:13:5f:04:bd:05 > 00:e0:81:2e:c1:aa, ethertype IPv4 (0x0800), length 1484: (tos 0x0, ttl 54, id 65198, offset 0, flags [none], proto: TCP (6), length: 1470) 64.233.179.99.80 > x.x.x.x.2471: . 26946:28376(1430) ack 1687 win 9270
> 001610 00:13:5f:04:bd:05 > 00:e0:81:2e:c1:aa, ethertype IPv4 (0x0800), length 1460: (tos 0x0, ttl 54, id 65199, offset 0, flags [none], proto: TCP (6), length: 1446) 64.233.179.99.80 > x.x.x.x.2471: P 28376:29782(1406) ack 1687 win 9270
> 000456 00:e0:81:2e:c1:aa > 00:13:5f:04:bd:05, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 63, id 55506, offset 0, flags [DF], proto: TCP (6), length: 40, bad cksum 0 (->4d34)!) x.x.x.x.2471 > 64.233.179.99.80: ., cksum 0x1914 (correct), ack 29782 win 65535
> 000861 00:13:5f:04:bd:05 > 00:e0:81:2e:c1:aa, ethertype IPv4 (0x0800), length 1484: (tos 0x0, ttl 54, id 65200, offset 0, flags [none], proto: TCP (6), length: 1470) 64.233.179.99.80 > x.x.x.x.2471: . 29782:31212(1430) ack 1687 win 9270
> 036857 00:13:5f:04:bd:05 > 00:e0:81:2e:c1:aa, ethertype IPv4 (0x0800), length 116: (tos 0x0, ttl 54, id 65201, offset 0, flags [none], proto: TCP (6), length: 102) 64.233.179.99.80 > x.x.x.x.2471: P 31212:31274(62) ack 1687 win 9270
> 000164 00:e0:81:2e:c1:aa > 00:13:5f:04:bd:05, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 63, id 55507, offset 0, flags [DF], proto: TCP (6), length: 40, bad cksum 0 (->4d33)!) x.x.x.x.2471 > 64.233.179.99.80: ., cksum 0x1340 (correct), ack 31274 win 65535
>
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
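An added illustration of the two points made in the thread, not part of any message above and not ipfw's own code: a small Python model of ipfw's first-match evaluation loaded with rules 00800 through 01300, 01700 and 02000 from Gardner's ruleset. It assumes constructed placeholder addresses (192.168.1.10 for the XP client, 198.51.100.1 for the firewall's bge0 address that the post shows as x.x.x.x) and a minimal stand-in for natd that rewrites the source address on bge0 and reverses it on the way back. The walk follows the port 2474 SYN from the capture through its inbound pass on bge1 and its outbound pass on bge0, then the SYN/ACK reply, and finally a mid-connection ACK for which no dynamic rule exists any more, with rule 01000's action left as a parameter so John's "deny versus allow" question can be tried directly.

```python
"""Toy first-match model of the ipfw ruleset posted in the thread (added example).

Models only the matchers that ruleset uses: interface, direction, proto,
dst-port, 'setup' (SYN without ACK), 'established' (ACK or RST set, per
ipfw(8)), check-state / keep-state over a dynamic 5-tuple table, and a
divert step standing in for natd. All addresses are constructed placeholders.
"""
from dataclasses import dataclass, replace
from typing import Optional

LAN_IF, WAN_IF = "bge1", "bge0"
PUBLIC_IP = "198.51.100.1"   # constructed: the box's bge0 address (x.x.x.x on the page)
LAN_HOST = "192.168.1.10"    # constructed: the Windows XP client behind bge1


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset          # subset of {"SYN", "ACK", "RST"}
    iface: str
    direction: str            # "in" or "out"

    @property
    def established(self):    # ipfw(8): matches TCP packets with RST or ACK set
        return bool(self.flags & {"ACK", "RST"})

    @property
    def setup(self):          # ipfw(8): SYN set but no ACK
        return "SYN" in self.flags and "ACK" not in self.flags


def flow_key(p):
    """Dynamic rules match either direction of the same 5-tuple."""
    return (p.proto, frozenset({(p.src, p.sport), (p.dst, p.dport)}))


@dataclass(frozen=True)
class Rule:
    num: int
    action: str               # allow | deny | divert | check-state
    proto: str = "ip"
    dport: Optional[int] = None
    iface: Optional[str] = None   # 'via <iface>': either direction
    established: bool = False
    setup: bool = False
    keep_state: bool = False

    def matches(self, p):
        return ((self.proto == "ip" or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport)
                and (self.iface is None or self.iface == p.iface)
                and (not self.established or p.established)
                and (not self.setup or p.setup))


class Firewall:
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.num)
        self.dyn = set()      # live dynamic rules, keyed by flow_key
        self.nat = {}         # natd stand-in: public port -> (lan ip, lan port)

    def divert(self, p):
        """natd stand-in: rewrite the source on the way out, reverse it on the way in."""
        if p.direction == "out" and p.src != PUBLIC_IP:
            self.nat[p.sport] = (p.src, p.sport)
            return replace(p, src=PUBLIC_IP)
        if p.direction == "in" and p.dst == PUBLIC_IP and p.dport in self.nat:
            lan_ip, lan_port = self.nat[p.dport]
            return replace(p, dst=lan_ip, dport=lan_port)
        return p

    def evaluate(self, p):
        """Return (verdict, rule number) of the first terminating rule."""
        for r in self.rules:
            if r.action == "check-state":
                if flow_key(p) in self.dyn:   # every keep-state rule here is 'allow'
                    return ("allow", r.num)
                continue
            if not r.matches(p):
                continue
            if r.action == "divert":
                p = self.divert(p)            # natd re-injects at the next rule
                continue
            if r.keep_state:
                self.dyn.add(flow_key(p))
            return (r.action, r.num)
        return ("deny", 65535)


def ruleset(rule_1000_action="deny"):
    """Rules 00800-01300, 01700 and 02000 from the post; 01000's action is a parameter."""
    return Firewall([
        Rule(800, "divert", iface=WAN_IF),
        Rule(900, "check-state"),
        Rule(1000, rule_1000_action, proto="tcp", established=True),
        Rule(1100, "allow", iface=LAN_IF, keep_state=True),
        Rule(1200, "allow", proto="tcp", dport=80, keep_state=True),
        Rule(1300, "allow", proto="tcp", dport=443, keep_state=True),
        Rule(1700, "allow", proto="tcp", dport=1863, setup=True, keep_state=True),
        Rule(2000, "deny"),
    ])


def trace_http_connection(rule_1000_action="deny"):
    """Walk the port 2474 SYN from the capture through the box, then a later ACK
    for which no dynamic rule is left (the toy clears the table; ipfw ages them out)."""
    fw = ruleset(rule_1000_action)
    syn = Packet("tcp", LAN_HOST, 2474, "72.14.207.99", 80, frozenset({"SYN"}), LAN_IF, "in")
    out = {"syn_in_bge1": fw.evaluate(syn)}                          # 01100 keys state on the LAN address
    out["syn_out_bge0"] = fw.evaluate(replace(syn, iface=WAN_IF, direction="out"))
    out["dyn_entries"] = len(fw.dyn)                                 # post-NAT key missed, 01200 added a second
    synack = Packet("tcp", "72.14.207.99", 80, PUBLIC_IP, 2474, frozenset({"SYN", "ACK"}), WAN_IF, "in")
    out["synack_in_bge0"] = fw.evaluate(synack)                      # de-NATed first, then check-state hits
    fw.dyn.clear()
    ack = Packet("tcp", LAN_HOST, 2474, "72.14.207.99", 80, frozenset({"ACK"}), LAN_IF, "in")
    out["ack_after_expiry"] = fw.evaluate(ack)                       # no state left: rule 01000 decides
    return out


if __name__ == "__main__":
    for action in ("deny", "allow"):
        print(action, trace_http_connection(action))
```

The outbound pass shows Jason's point: because the divert rule sits in front of check-state, the packet that reaches rule 00900 already carries the translated source address, the entry rule 01100 created on the inbound pass does not match it, and rule 01200 creates a second entry. The last step shows John's reading of rule 01000: any TCP packet with ACK set that finds no live dynamic entry is terminated there, which is the only way its counter can climb, and with the action changed to allow the same packet passes at 01000 instead.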