Date:      Sat, 20 Feb 1999 09:56:59 -0500
From:      Drew Derbyshire <software@kew.com>
To:        questions@freebsd.org
Cc:        edk@kew.com
Subject:   natd on 2.2.8 kills network performance
Message-ID:  <36CECD3B.A6AB4A6A@kew.com>

I've got to be missing something here ...

I've been running natd and firewall rules on my primary firewall (pandora)
since ~2.2.2; trying to repeat the success on two other systems (mash and
sonata), both at 2.2.8, just doesn't work cleanly, and I can't tell why.
The sessions through the natd interface seem to hang for tens of seconds,
during which time netstat shows a few characters queued for sending.  Sessions
through other interfaces are not affected, and the CPU is idle.

Various small configuration items:

   * Both pandora and mash have the wide-dhcp client on the natd interface.
     sonata doesn't.
   * pandora uses an EtherLink III
   * sonata uses an SMC EtherEZ
   * mash uses an Etherlink Fast XL
   * pandora was an upgrade install from the 2.2.7 CD-ROMs
   * sonata was upgraded from 2.2.7 to 2.2.8 via a makeworld in December
   * mash was a clean install from the 2.2.8 CD-ROMs.

pandora shows the divert socket active in netstat:

     diver      0      0  *.natd                 *.*

sonata and mash do not.

The sonata 2.2.8 system has these kernel options:

     options         IPFIREWALL              #firewall
     options         IPFIREWALL_VERBOSE      #print information about
     options         "IPFIREWALL_VERBOSE_LIMIT=100" #limit verbosity
     options         IPDIVERT                #divert sockets

And it has these rules (ed0 is the natd interface):

     01000 allow ip from any to any via lo0
     02000 deny ip from any to 127.0.0.0/8
     02100 divert 8668 ip from any to any via ed0
     02200 allow tcp from any to any in recv ed0
     02300 allow udp from any to any in recv ed0
     02400 allow ip from any to any in recv ed0
     02500 allow tcp from any to any out xmit ed0
     02600 allow udp from any to any out xmit ed0
     02700 allow ip from any to any out xmit ed0
     65000 allow ip from any to any
     65535 deny ip from any to any

natd is involved thusly:

     natd -n ed0

pandora, the working 2.2.7 system, has standard kernel options:

     options         IPFIREWALL              #firewall
     options         IPFIREWALL_VERBOSE      #print information about
     options         "IPFIREWALL_VERBOSE_LIMIT=200" #limit verbosity
     options         IPDIVERT                #divert sockets

and some reasonably tight rules:

     00100 allow ip from any to any via lo0
     00200 deny ip from any to 127.0.0.0/8
     00300 divert 8668 tcp from any to 24.128.94.182 1024-65535 recv ep0
     00400 divert 8668 tcp from not 24.128.94.182 1024-65535 to not 24.128.94.182 via ep0
     00500 divert 8668 tcp from any to 24.128.94.182 540 recv ep0
     00600 divert 8668 tcp from 192.168.205.1 540 to any via ep0
     00700 deny ip from 192.168.205.0/24 to any in recv ep0
     00800 deny ip from 192.168.0.0/16 to any in recv ep0
     00900 deny ip from 172.16.0.0/12 to any via ep0
     01000 deny ip from any to 172.16.0.0/12 via ep0
     01100 deny ip from 10.0.0.0/8 to any via ep0
     01200 deny ip from any to 10.0.0.0/8 via ep0
     01300 deny ip from any to 224.0.0.0/3
     10000 allow tcp from any to any via ed0
     10100 allow tcp from any to any established
         .
         .
         .

ep0 is the standard "public" interface.  natd itself is configured to run
thusly:

     natd -config /usr/local/etc/natd.conf -n ep0

     # /usr/local/etc/natd.conf
     redirect_port tcp 192.168.205.1:540 540
     dynamic yes

I did try -dynamic (and a configuration file with dynamic yes) on sonata, no
joy.

Suggestions?

--
Drew Derbyshire         UUPC/extended e-mail:  software@kew.com
                                   Telephone:  617-279-9812

 Bring back ROSCOE release 4.1!
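Added example, not part of the original post or of FreeBSD's own tooling: a small checker for ipfw rule listings of the kind quoted above. It parses each "NNNNN action ... from ... to ..." line (the format ipfw prints) and reports the two ordering mistakes that most often make natd look broken: a divert rule placed after an allow rule that already matches the same traffic on the same interface (packets never reach natd, so translation silently fails), and a catch-all "allow ip from any to any" that makes every later rule, including the final deny, unreachable. The rulesets embedded below are reconstructed from the post (pandora's is only the part shown there, and the "misordered" set is a constructed variant); the matching logic is a deliberate simplification of ipfw's first-match semantics.

```python
"""Ordering checks for ipfw(8)-style rule listings that carry natd divert rules.

Simplifications (documented assumptions): protocol "ip" covers every protocol,
"any" covers every address, and only via/recv/xmit, in/out and established are
interpreted; other rule options are ignored.
"""
from dataclasses import dataclass
from typing import List, Optional

OPTION_WORDS = {"in", "out", "via", "recv", "xmit", "established"}


@dataclass
class Rule:
    number: int
    action: str                 # allow | deny | divert
    divert_port: Optional[int]  # only for divert rules (natd listens on 8668)
    proto: str                  # ip | tcp | udp | ...
    src: str                    # address spec including any port list
    dst: str
    direction: Optional[str]    # in | out | None (both directions)
    iface: Optional[str]        # interface named by via/recv/xmit, if any
    established: bool = False


def parse_rule(line: str) -> Rule:
    """Parse one ipfw list line; raises ValueError on malformed input."""
    t = line.split()
    if len(t) < 6 or t[1] not in ("allow", "deny", "divert"):
        raise ValueError("not an ipfw rule: %r" % line)
    number, action, i = int(t[0]), t[1], 2
    port = None
    if action == "divert":          # divert rules carry the socket port next
        port = int(t[i]); i += 1
    proto = t[i]; i += 1
    if t[i] != "from":
        raise ValueError("expected 'from' in %r" % line)
    i += 1
    src = []
    while i < len(t) and t[i] != "to":
        src.append(t[i]); i += 1
    if i == len(t):
        raise ValueError("expected 'to' in %r" % line)
    i += 1
    dst = []
    while i < len(t) and t[i] not in OPTION_WORDS:
        dst.append(t[i]); i += 1
    direction = iface = None
    established = False
    while i < len(t):               # trailing options
        if t[i] in ("via", "recv", "xmit"):
            iface = t[i + 1]; i += 2
        elif t[i] in ("in", "out"):
            direction = t[i]; i += 1
        elif t[i] == "established":
            established = True; i += 1
        else:
            i += 1
    return Rule(number, action, port, proto, " ".join(src), " ".join(dst),
                direction, iface, established)


def parse_ruleset(text: str) -> List[Rule]:
    rules = [parse_rule(l) for l in text.splitlines() if l.strip()]
    return sorted(rules, key=lambda r: r.number)   # ipfw evaluates in number order


def _overlaps(allow: Rule, divert: Rule) -> bool:
    """True if the earlier allow rule matches (some of) what the divert rule would."""
    proto_ok = "ip" in (allow.proto, divert.proto) or allow.proto == divert.proto
    iface_ok = allow.iface is None or allow.iface == divert.iface
    addr_ok = allow.src == "any" and allow.dst == "any" and not allow.established
    return proto_ok and iface_ok and addr_ok


def check_ruleset(rules: List[Rule]) -> List[str]:
    """Return human-readable findings; an empty list means no ordering problem found."""
    findings = []
    for idx, rule in enumerate(rules):
        if rule.action == "divert":
            for earlier in rules[:idx]:
                if earlier.action == "allow" and _overlaps(earlier, rule):
                    findings.append(
                        "divert rule %05d never sees %s %s traffic: shadowed by allow rule %05d"
                        % (rule.number, earlier.direction or "all", earlier.proto, earlier.number))
        if (rule.action == "allow" and rule.proto == "ip" and rule.src == "any"
                and rule.dst == "any" and rule.iface is None
                and rule.direction is None and not rule.established):
            for later in rules[idx + 1:]:
                findings.append("rule %05d is unreachable: rule %05d allows everything first"
                                % (later.number, rule.number))
            break                   # nothing after a catch-all allow is evaluated
    return findings


# Constructed from the post (sonata's full listing, the visible part of pandora's).
SONATA_RULES = """
01000 allow ip from any to any via lo0
02000 deny ip from any to 127.0.0.0/8
02100 divert 8668 ip from any to any via ed0
02200 allow tcp from any to any in recv ed0
02300 allow udp from any to any in recv ed0
02400 allow ip from any to any in recv ed0
02500 allow tcp from any to any out xmit ed0
02600 allow udp from any to any out xmit ed0
02700 allow ip from any to any out xmit ed0
65000 allow ip from any to any
65535 deny ip from any to any
"""
PANDORA_RULES = """
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 divert 8668 tcp from any to 24.128.94.182 1024-65535 recv ep0
00400 divert 8668 tcp from not 24.128.94.182 1024-65535 to not 24.128.94.182 via ep0
00700 deny ip from 192.168.205.0/24 to any in recv ep0
01300 deny ip from any to 224.0.0.0/3
10000 allow tcp from any to any via ed0
10100 allow tcp from any to any established
"""
# Constructed variant: the divert rule has been moved below the allow rules.
MISORDERED_RULES = """
01000 allow ip from any to any via lo0
02200 allow tcp from any to any in recv ed0
02300 allow ip from any to any out xmit ed0
02400 divert 8668 ip from any to any via ed0
65535 deny ip from any to any
"""

if __name__ == "__main__":
    for name, text in (("sonata", SONATA_RULES), ("pandora", PANDORA_RULES),
                       ("misordered", MISORDERED_RULES)):
        print(name, check_ruleset(parse_ruleset(text)) or ["ok"])
```

On sonata's ruleset the checker finds nothing wrong with the divert placement (rule 02100 precedes the per-interface allows) but flags rule 65535 as unreachable behind 65000, which is worth fixing regardless of the hang; on the constructed misordered set it shows how a divert placed after the allows is bypassed for both inbound tcp and outbound ip.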
