Date:      Sun, 4 Nov 2007 16:32:01 -0700 (MST)
From:      "Jason Lewis" <me@sharktooth.org>
To:        john.w.court@nokia.com
Cc:        freebsd-ipfw@freebsd.org, gbell72@rogers.com
Subject:   RE: IPFW Problem
Message-ID:  <14144.207.173.157.85.1194219121.squirrel@users.sharktooth.org>
In-Reply-To: <DBA4167E9E1EB44D8476A6F928BE52452B5379@siebe101.NOE.Nokia.com>
References:  <932971.53959.qm@web88014.mail.re2.yahoo.com> <DBA4167E9E1EB44D8476A6F928BE52452B5379@siebe101.NOE.Nokia.com>

Greg,

My guess would be to look at rule 00800.  I suspect that the network that
you are having problems with is on BGE0.  NAT and keep-state do not play
well with each other.

Jason

On Sun, November 4, 2007 4:14 pm, john.w.court@nokia.com wrote:
> Hmm, I may well be missing something very obvious but rule 01000 seems
> to be doing exactly what it says it will.  Are you sure you meant "deny"
> rather than "allow" on rule 01000? It seems very unfriendly to allow
> outgoing TCP connections and then the minute they are established deny
> any return traffic !! Usually the "established" test is there to detect
> valid incoming traffic associated with your own outgoing "safe"
> connections.
>
> Cheers
>
> John
>
> -----Original Message-----
> From: owner-freebsd-ipfw@freebsd.org
> [mailto:owner-freebsd-ipfw@freebsd.org] On Behalf Of ext Gardner Bell
> Sent: Sunday, November 04, 2007 8:51 AM
> To: freebsd-ipfw@freebsd.org
> Subject: IPFW Problem
>
> I'm hoping some of you can help me out with the problem that I'm having
> as I'm not very good when it comes to networking.
>
> I've recently configured 6.3-PRERELEASE with IPFW/NATD to act as my
> LAN's firewall/router.  After I initially access certain http sites,
> particularly google groups and yahoo web mail I'm noticing subsequent
> attempts take > 2mins to resolve the next link that I am interested in
> reading.
>
> This appears to be caused by rule 01000 as the counter increases each
> time I access one of the above mentioned sites.
>
> Short of removing this rule, is there any other way that I can fix this
> issue?  Below is a listing of my present ruleset and a tcpdump of a
> Windows XP machine trying to access a link on google groups.
>
> regards,
>
> Gardner
>
> mx1# ipfw show
> 00100   76  11134 allow ip from 127.0.0.1 to 127.0.0.1 via lo0
> 00200    0      0 deny log logamount 10 ip from 127.0.0.1 to any
> 00300    0      0 deny log logamount 10 ip from any to 127.0.0.1
> 00400    0      0 deny log logamount 10 ip from any to any not verrevpath in
> 00500    0      0 deny log logamount 10 ip from any to any ipoptions ssrr,lsrr,rr,ts in
> 00600    0      0 deny ip from any to any frag
> 00700    0      0 allow icmp from any to any icmptypes 0,3,11,12
> 00800 1081 452405 divert 8668 ip from any to any via bge0
> 00900    0      0 check-state
> 01000   36  17682 deny tcp from any to any established
> 01100 2704 853904 allow ip from any to any via bge1 keep-state
> 01200  262  57586 allow tcp from any to any dst-port 80 keep-state
> 01300    0      0 allow tcp from any to any dst-port 443 keep-state
> 01400  102   7752 allow udp from me to any dst-port 123 keep-state
> 01500    0      0 allow tcp from me to any dst-port 53 setup keep-state
> 01600  169  30563 allow udp from me to any dst-port 53 keep-state
> 01700    0      0 allow tcp from any to any dst-port 1863 setup keep-state
> 01800    0      0 allow log logamount 10 udp from any to 255.255.255.255 dst-port 68 in via bge0
> 01900    0      0 allow tcp from x.x.x.x to x.x.x.x dst-port 22 keep-state
> 02000    0      0 deny log logamount 10 ip from any to any
> 65535    1    396 deny ip from any to any
>
> 131219 00:e0:81:2e:c1:aa > 00:13:5f:04:bd:05, ethertype IPv4 (0x0800),
> length 54: (tos 0x0, ttl  63, id 55490, offset 0, flags  [DF], proto:
> TCP (6), length: 40, bad cksum 0 (->4d44)!) x.x.x.x.2471
>> 64.233.179.99.80: ., cksum 0x2bf0 (correct), a
> ck 26946 win 64330
> 046227 00:e0:81:2e:c1:aa > 00:13:5f:04:bd:05, ethertype IPv4 (0x0800),
> length 62: (tos 0x0, ttl  63, id 55493, offset 0, flags  [DF], proto:
> TCP (6), length: 48, bad cksum 0 (->2a14)!) x.x.x.x.2474
>> 72.14.207.99.80: S, cksum 0xf365 (correct), 22
> 96693740:2296693740(0) win 65535 <mss 1460,nop,nop,sackOK>
> 007127 00:13:5f:04:bd:05 > 00:e0:81:2e:c1:aa, ethertype IPv4 (0x0800),
> length 62: (tos 0x0, ttl  56, id 48846, offset 0, flags  [none], proto:
> TCP (6), length: 48) 72.14.207.99.80 > x.x.x.x.2474: S, cksum 0x8043
> (correct), 2154814567:2154814567(0
> ) ack 2296693741 win 5720 <mss 1430,nop,nop,sackOK>
> 000323 00:e0:81:2e:c1:aa > 00:13:5f:04:bd:05, ethertype IPv4 (0x0800),
> length 54: (tos 0x0, ttl  63, id 55494, offset 0, flags  [DF], proto:
> TCP (6), length: 40, bad cksum 0 (->2a1b)!) x.x.x.x.2474
>> 72.14.207.99.80: ., cksum 0xc341 (correct), ac
> k 1 win 65535
> 000293 00:e0:81:2e:c1:aa > 00:13:5f:04:bd:05, ethertype IPv4 (0x0800),
> length 1155: (tos 0x0, ttl  63, id 55495, offset 0, flags [DF], proto:
> TCP (6), length: 1141, bad cksum 0 (->25cd)!)
> x.x.x.x.2474 > 72.14.207.99.80: P 1:1102(1101) ack 1 win
> 65535
> 015474 00:13:5f:04:bd:05 > 00:e0:81:2e:c1:aa, ethertype IPv4 (0x0800),
> length 60: (tos 0x0, ttl  56, id 48847, offset 0, flags  [none], proto:
> TCP (6), length: 40) 72.14.207.99.80 > x.x.x.x.2474: ., cksum 0xa0d9
> (correct), ack 1102 win 7707
> 000879 00:13:5f:04:bd:05 > 00:e0:81:2e:c1:aa, ethertype IPv4 (0x0800),
> length 383: (tos 0x0, ttl  56, id 48848, offset 0, flags [none], proto:
> TCP (6), length: 369) 72.14.207.99.80 > x.x.x.x.2474:
> P 1:330(329) ack 1102 win 7707
> 003365 00:13:5f:04:bd:05 > 00:e0:81:2e:c1:aa, ethertype IPv4 (0x0800),
> length 1484: (tos 0x0, ttl  54, id 5049, offset 0, flags [none], proto:
> TCP (6), length: 1470) 64.233.179.99.80 >
> x.x.x.x.2472: . 1:1431(1430) ack 944 win 6797
> 001463 00:13:5f:04:bd:05 > 00:e0:81:2e:c1:aa, ethertype IPv4 (0x0800),
> length 1484: (tos 0x0, ttl  54, id 5050, offset 0, flags [none], proto:
> TCP (6), length: 1470) 64.233.179.99.80 >
> x.x.x.x.2472: . 1431:2861(1430) ack 944 win 6797
> 000478 00:e0:81:2e:c1:aa > 00:13:5f:04:bd:05, ethertype IPv4 (0x0800),
> length 54: (tos 0x0, ttl  63, id 55498, offset 0, flags  [DF], proto:
> TCP (6), length: 40, bad cksum 0 (->4d3c)!) x.x.x.x.2472
>> 64.233.179.99.80: ., cksum 0xa354 (correct), a
> ck 2861 win 65535
> 000694 00:13:5f:04:bd:05 > 00:e0:81:2e:c1:aa, ethertype IPv4 (0x0800),
> length 348: (tos 0x0, ttl  54, id 5051, offset 0, flags  [none], proto:
> TCP (6), length: 334) 64.233.179.99.80 > x.x.x.x.2472:
> P 2861:3155(294) ack 944 win 6797
> 002086 00:e0:81:2e:c1:aa > 00:13:5f:04:bd:05, ethertype IPv4 (0x0800),
> length 841: (tos 0x0, ttl  63, id 55503, offset 0, flags [DF], proto:
> TCP (6), length: 827, bad cksum 0 (->4a24)!)
> x.x.x.x.2471 > 64.233.179.99.80: P 900:1687(787) ack 26946 win 64330
> 039910 00:13:5f:04:bd:05 > 00:e0:81:2e:c1:aa, ethertype IPv4 (0x0800),
> length 60: (tos 0x0, ttl  54, id 65197, offset 0, flags  [none], proto:
> TCP (6), length: 40) 64.233.179.99.80 > x.x.x.x.2471:
> ., cksum 0xfff1 (correct), ack 1687 win 9270
> 081626 00:e0:81:2e:c1:aa > 00:13:5f:04:bd:05, ethertype IPv4 (0x0800),
> length 54: (tos 0x0, ttl  63, id 55504, offset 0, flags  [DF], proto:
> TCP (6), length: 40, bad cksum 0 (->2a11)!) x.x.x.x.2474
>> 72.14.207.99.80: ., cksum 0xbef4 (correct), ac
> k 330 win 65206
> 006714 00:e0:81:2e:c1:aa > 00:13:5f:04:bd:05, ethertype IPv4 (0x0800),
> length 54: (tos 0x0, ttl  63, id 55505, offset 0, flags  [DF], proto:
> TCP (6), length: 40, bad cksum 0 (->4d35)!) x.x.x.x.2472
>> 64.233.179.99.80: ., cksum 0xa354 (correct), a
> ck 3155 win 65241
> 023252 00:13:5f:04:bd:05 > 00:e0:81:2e:c1:aa, ethertype IPv4 (0x0800),
> length 1484: (tos 0x0, ttl  54, id 65198, offset 0, flags [none],
> proto: TCP (6), length: 1470) 64.233.179.99.80 >
> x.x.x.x.2471: . 26946:28376(1430) ack 1687 win 9270
> 001610 00:13:5f:04:bd:05 > 00:e0:81:2e:c1:aa, ethertype IPv4 (0x0800), length
> 1460: (tos 0x0, ttl  54, id 65199, offset 0, flags [none], proto: TCP
> (6), length: 1446) 64.233.179.99.80 >
> x.x.x.x.2471: P 28376:29782(1406) ack 1687 win 9270
> 000456 00:e0:81:2e:c1:aa > 00:13:5f:04:bd:05, ethertype IPv4 (0x0800),
> length 54: (tos 0x0, ttl  63, id 55506, offset 0, flags  [DF], proto:
> TCP (6), length: 40, bad cksum 0 (->4d34)!) x.x.x.x.2471
>> 64.233.179.99.80: ., cksum 0x1914 (correct), a
> ck 29782 win 65535
> 000861 00:13:5f:04:bd:05 > 00:e0:81:2e:c1:aa, ethertype IPv4 (0x0800),
> length 1484: (tos 0x0, ttl  54, id 65200, offset 0, flags [none],
> proto: TCP (6), length: 1470) 64.233.179.99.80 >
> x.x.x.x.2471: . 29782:31212(1430) ack 1687 win 9270
> 036857 00:13:5f:04:bd:05 > 00:e0:81:2e:c1:aa, ethertype IPv4 (0x0800),
> length 116: (tos 0x0, ttl  54, id 65201, offset 0, flags [none], proto:
> TCP (6), length: 102) 64.233.179.99.80 > x.x.x.x.2471:
> P 31212:31274(62) ack 1687 win 9270
> 000164 00:e0:81:2e:c1:aa > 00:13:5f:04:bd:05, ethertype IPv4 (0x0800),
> length 54: (tos 0x0, ttl  63, id 55507, offset 0, flags  [DF], proto:
> TCP (6), length: 40, bad cksum 0 (->4d33)!) x.x.x.x.2471
>> 64.233.179.99.80: ., cksum 0x1340 (correct), a
> ck 31274 win 65535
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
>
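Both replies turn on how ipfw walks this ruleset top to bottom: a packet is handled by the first rule that matches it, and check-state / keep-state only help while a dynamic rule for the flow exists. The Python model below is an added example, not code from the thread or from FreeBSD; it transcribes rules 00900 to 01300 and 02000 from the quoted `ipfw show` output and replays them against a constructed exchange. The LAN address 192.168.1.10, server 72.14.207.99:80, client port 2474, and the "idle past the dynamic-rule lifetime" step are constructed; the divert/NAT rule 00800 is not modelled, and each packet is evaluated once, on the interface it is first seen on.

```python
"""First-match packet-filter model in the style of ipfw(8), used to replay
the quoted ruleset against a constructed TCP exchange.

Rule numbers and actions are transcribed from the thread; the addresses,
ports and the idle-timeout step are constructed for this example.  The
divert/NAT rule 00800 is not modelled and each packet is evaluated once,
on the interface it is first seen on.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str          # "tcp", "udp", ...
    flags: frozenset    # TCP flags present, e.g. {"SYN"} or {"ACK", "PSH"}
    iface: str          # interface the packet is seen on: "bge0" or "bge1"

    def established(self) -> bool:
        # ipfw 'established': a TCP packet with the ACK or RST bit set
        return self.proto == "tcp" and bool(self.flags & {"ACK", "RST"})

    def flow(self) -> Tuple:
        # Direction-independent 5-tuple used as the dynamic-rule key
        a, b = (self.src, self.sport), (self.dst, self.dport)
        return (self.proto,) + (a + b if a <= b else b + a)


@dataclass
class Rule:
    num: int
    action: str                                     # "allow", "deny", "check-state"
    match: Callable[[Packet], bool] = lambda p: True
    keep_state: bool = False                        # allow + keep-state creates a dynamic rule


@dataclass
class Firewall:
    rules: List[Rule]
    dynamic: Set[Tuple] = field(default_factory=set)   # flows with a live dynamic rule

    def expire_dynamic(self) -> None:
        # Models the dynamic rules timing out on an idle connection (constructed step)
        self.dynamic.clear()

    def evaluate(self, p: Packet) -> Tuple[int, str]:
        """Walk the rules in order; return (rule number, verdict) of the first match."""
        for r in self.rules:
            # check-state, and the implicit check-state every keep-state rule performs,
            # accept a packet that belongs to an existing dynamic rule
            if (r.action == "check-state" or r.keep_state) and p.flow() in self.dynamic:
                return r.num, "allow"
            if r.action == "check-state" or not r.match(p):
                continue
            if r.action == "allow" and r.keep_state:
                self.dynamic.add(p.flow())      # keep-state: remember this flow
            return r.num, r.action
        return 65535, "deny"                    # default rule


def quoted_ruleset(deny_established: bool = True) -> Firewall:
    """Rules 00900-01300 and 02000 as quoted; 01000 is optional so its effect can be compared."""
    rules = [
        Rule(900, "check-state"),
        Rule(1000, "deny", lambda p: p.established()),
        Rule(1100, "allow", lambda p: p.iface == "bge1", keep_state=True),
        Rule(1200, "allow", lambda p: p.proto == "tcp" and p.dport == 80, keep_state=True),
        Rule(1300, "allow", lambda p: p.proto == "tcp" and p.dport == 443, keep_state=True),
        Rule(2000, "deny"),
    ]
    if not deny_established:
        rules = [r for r in rules if r.num != 1000]
    return Firewall(rules)


LAN, SRV = "192.168.1.10", "72.14.207.99"       # constructed addresses


def pkt(src, sport, dst, dport, flags, iface) -> Packet:
    return Packet(src, sport, dst, dport, "tcp", frozenset(flags), iface)


def replay(deny_established: bool = True) -> List[Tuple[int, str]]:
    """Replay a constructed HTTP connection and return the rule hit for each packet."""
    fw = quoted_ruleset(deny_established)
    trace = []
    # 1. client SYN enters on bge1: no state yet, and a bare SYN is not 'established'
    trace.append(fw.evaluate(pkt(LAN, 2474, SRV, 80, {"SYN"}, "bge1")))
    # 2. server SYN/ACK arrives on bge0: accepted by check-state at 00900
    trace.append(fw.evaluate(pkt(SRV, 80, LAN, 2474, {"SYN", "ACK"}, "bge0")))
    # 3. the connection idles until its dynamic rule is gone
    fw.expire_dynamic()
    # 4. client sends the next request on the same (still open) connection
    trace.append(fw.evaluate(pkt(LAN, 2474, SRV, 80, {"ACK", "PSH"}, "bge1")))
    return trace


if __name__ == "__main__":
    print("with 01000:   ", replay(True))
    print("without 01000:", replay(False))
```

With rule 01000 in place the fourth packet is denied by 01000, because it carries ACK, no dynamic rule exists any more, and 01000 sits before every keep-state rule that could otherwise re-admit it. With 01000 removed the same packet is matched by 01100 (`via bge1 keep-state`), which re-creates the dynamic rule. That is the ordering effect John's reply points at; the NAT interaction Jason mentions is outside what this model covers.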