Date: Sat, 3 Nov 2007 18:50:30 -0400 (EDT)
From: Gardner Bell <gbell72@rogers.com>
To: freebsd-ipfw@freebsd.org
Subject: IPFW Problem
Message-ID: <932971.53959.qm@web88014.mail.re2.yahoo.com>
List-Id: IPFW Technical Discussions

I'm hoping some of you can help me out with the problem that I'm having, as I'm not very good when it comes to networking. I've recently configured 6.3-PRERELEASE with IPFW/NATD to act as my LAN's firewall/router.
After I initially access certain http sites, particularly Google Groups and Yahoo web mail, I'm noticing that subsequent attempts take > 2 mins to resolve the next link that I am interested in reading. This appears to be caused by rule 01000, as the counter increases each time I access one of the above-mentioned sites. Short of removing this rule, is there any other way that I can fix this issue? Below is a listing of my present ruleset and a tcpdump of a Windows XP machine trying to access a link on Google Groups.

regards,
Gardner

mx1# ipfw show
00100    76    11134 allow ip from 127.0.0.1 to 127.0.0.1 via lo0
00200     0        0 deny log logamount 10 ip from 127.0.0.1 to any
00300     0        0 deny log logamount 10 ip from any to 127.0.0.1
00400     0        0 deny log logamount 10 ip from any to any not verrevpath in
00500     0        0 deny log logamount 10 ip from any to any ipoptions ssrr,lsrr,rr,ts in
00600     0        0 deny ip from any to any frag
00700     0        0 allow icmp from any to any icmptypes 0,3,11,12
00800  1081   452405 divert 8668 ip from any to any via bge0
00900     0        0 check-state
01000    36    17682 deny tcp from any to any established
01100  2704   853904 allow ip from any to any via bge1 keep-state
01200   262    57586 allow tcp from any to any dst-port 80 keep-state
01300     0        0 allow tcp from any to any dst-port 443 keep-state
01400   102     7752 allow udp from me to any dst-port 123 keep-state
01500     0        0 allow tcp from me to any dst-port 53 setup keep-state
01600   169    30563 allow udp from me to any dst-port 53 keep-state
01700     0        0 allow tcp from any to any dst-port 1863 setup keep-state
01800     0        0 allow log logamount 10 udp from any to 255.255.255.255 dst-port 68 in via bge0
01900     0        0 allow tcp from x.x.x.x to x.x.x.x dst-port 22 keep-state
02000     0        0 deny log logamount 10 ip from any to any
65535     1      396 deny ip from any to any

131219 00:e0:81:2e:c1:aa > 00:13:5f:04:bd:05, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 63, id 55490, offset 0, flags [DF], proto: TCP (6), length: 40, bad cksum 0 (->4d44)!) x.x.x.x.2471 > 64.233.179.99.80: ., cksum 0x2bf0 (correct), ack 26946 win 64330
046227 00:e0:81:2e:c1:aa > 00:13:5f:04:bd:05, ethertype IPv4 (0x0800), length 62: (tos 0x0, ttl 63, id 55493, offset 0, flags [DF], proto: TCP (6), length: 48, bad cksum 0 (->2a14)!) x.x.x.x.2474 > 72.14.207.99.80: S, cksum 0xf365 (correct), 2296693740:2296693740(0) win 65535
007127 00:13:5f:04:bd:05 > 00:e0:81:2e:c1:aa, ethertype IPv4 (0x0800), length 62: (tos 0x0, ttl 56, id 48846, offset 0, flags [none], proto: TCP (6), length: 48) 72.14.207.99.80 > x.x.x.x.2474: S, cksum 0x8043 (correct), 2154814567:2154814567(0) ack 2296693741 win 5720
000323 00:e0:81:2e:c1:aa > 00:13:5f:04:bd:05, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 63, id 55494, offset 0, flags [DF], proto: TCP (6), length: 40, bad cksum 0 (->2a1b)!) x.x.x.x.2474 > 72.14.207.99.80: ., cksum 0xc341 (correct), ack 1 win 65535
000293 00:e0:81:2e:c1:aa > 00:13:5f:04:bd:05, ethertype IPv4 (0x0800), length 1155: (tos 0x0, ttl 63, id 55495, offset 0, flags [DF], proto: TCP (6), length: 1141, bad cksum 0 (->25cd)!) x.x.x.x.2474 > 72.14.207.99.80: P 1:1102(1101) ack 1 win 65535
015474 00:13:5f:04:bd:05 > 00:e0:81:2e:c1:aa, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 56, id 48847, offset 0, flags [none], proto: TCP (6), length: 40) 72.14.207.99.80 > x.x.x.x.2474: ., cksum 0xa0d9 (correct), ack 1102 win 7707
000879 00:13:5f:04:bd:05 > 00:e0:81:2e:c1:aa, ethertype IPv4 (0x0800), length 383: (tos 0x0, ttl 56, id 48848, offset 0, flags [none], proto: TCP (6), length: 369) 72.14.207.99.80 > x.x.x.x.2474: P 1:330(329) ack 1102 win 7707
003365 00:13:5f:04:bd:05 > 00:e0:81:2e:c1:aa, ethertype IPv4 (0x0800), length 1484: (tos 0x0, ttl 54, id 5049, offset 0, flags [none], proto: TCP (6), length: 1470) 64.233.179.99.80 > x.x.x.x.2472: . 1:1431(1430) ack 944 win 6797
001463 00:13:5f:04:bd:05 > 00:e0:81:2e:c1:aa, ethertype IPv4 (0x0800), length 1484: (tos 0x0, ttl 54, id 5050, offset 0, flags [none], proto: TCP (6), length: 1470) 64.233.179.99.80 > x.x.x.x.2472: . 1431:2861(1430) ack 944 win 6797
000478 00:e0:81:2e:c1:aa > 00:13:5f:04:bd:05, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 63, id 55498, offset 0, flags [DF], proto: TCP (6), length: 40, bad cksum 0 (->4d3c)!) x.x.x.x.2472 > 64.233.179.99.80: ., cksum 0xa354 (correct), ack 2861 win 65535
000694 00:13:5f:04:bd:05 > 00:e0:81:2e:c1:aa, ethertype IPv4 (0x0800), length 348: (tos 0x0, ttl 54, id 5051, offset 0, flags [none], proto: TCP (6), length: 334) 64.233.179.99.80 > x.x.x.x.2472: P 2861:3155(294) ack 944 win 6797
002086 00:e0:81:2e:c1:aa > 00:13:5f:04:bd:05, ethertype IPv4 (0x0800), length 841: (tos 0x0, ttl 63, id 55503, offset 0, flags [DF], proto: TCP (6), length: 827, bad cksum 0 (->4a24)!) x.x.x.x.2471 > 64.233.179.99.80: P 900:1687(787) ack 26946 win 64330
039910 00:13:5f:04:bd:05 > 00:e0:81:2e:c1:aa, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 54, id 65197, offset 0, flags [none], proto: TCP (6), length: 40) 64.233.179.99.80 > x.x.x.x.2471: ., cksum 0xfff1 (correct), ack 1687 win 9270
081626 00:e0:81:2e:c1:aa > 00:13:5f:04:bd:05, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 63, id 55504, offset 0, flags [DF], proto: TCP (6), length: 40, bad cksum 0 (->2a11)!) x.x.x.x.2474 > 72.14.207.99.80: ., cksum 0xbef4 (correct), ack 330 win 65206
006714 00:e0:81:2e:c1:aa > 00:13:5f:04:bd:05, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 63, id 55505, offset 0, flags [DF], proto: TCP (6), length: 40, bad cksum 0 (->4d35)!) x.x.x.x.2472 > 64.233.179.99.80: ., cksum 0xa354 (correct), ack 3155 win 65241
023252 00:13:5f:04:bd:05 > 00:e0:81:2e:c1:aa, ethertype IPv4 (0x0800), length 1484: (tos 0x0, ttl 54, id 65198, offset 0, flags [none], proto: TCP (6), length: 1470) 64.233.179.99.80 > x.x.x.x.2471: . 26946:28376(1430) ack 1687 win 9270
001610 00:13:5f:04:bd:05 > 00:e0:81:2e:c1:aa, ethertype IPv4 (0x0800), length 1460: (tos 0x0, ttl 54, id 65199, offset 0, flags [none], proto: TCP (6), length: 1446) 64.233.179.99.80 > x.x.x.x.2471: P 28376:29782(1406) ack 1687 win 9270
000456 00:e0:81:2e:c1:aa > 00:13:5f:04:bd:05, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 63, id 55506, offset 0, flags [DF], proto: TCP (6), length: 40, bad cksum 0 (->4d34)!) x.x.x.x.2471 > 64.233.179.99.80: ., cksum 0x1914 (correct), ack 29782 win 65535
000861 00:13:5f:04:bd:05 > 00:e0:81:2e:c1:aa, ethertype IPv4 (0x0800), length 1484: (tos 0x0, ttl 54, id 65200, offset 0, flags [none], proto: TCP (6), length: 1470) 64.233.179.99.80 > x.x.x.x.2471: . 29782:31212(1430) ack 1687 win 9270
036857 00:13:5f:04:bd:05 > 00:e0:81:2e:c1:aa, ethertype IPv4 (0x0800), length 116: (tos 0x0, ttl 54, id 65201, offset 0, flags [none], proto: TCP (6), length: 102) 64.233.179.99.80 > x.x.x.x.2471: P 31212:31274(62) ack 1687 win 9270
000164 00:e0:81:2e:c1:aa > 00:13:5f:04:bd:05, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 63, id 55507, offset 0, flags [DF], proto: TCP (6), length: 40, bad cksum 0 (->4d33)!) x.x.x.x.2471 > 64.233.179.99.80: ., cksum 0x1340 (correct), ack 31274 win 65535
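Added example (editor's illustration, not part of Gardner's post and not FreeBSD code). In ipfw, `established` matches any TCP segment with the ACK or RST bit set, and rule 01000 sits after `check-state` but before every `keep-state` rule. So any established segment that reaches the static rules without a matching dynamic entry is denied there; a common way for that to happen is a dynamic entry that has aged out while a persistent HTTP connection sat idle, which is what the model below assumes (the default idle lifetime for an established TCP entry, `net.inet.ip.fw.dyn_ack_lifetime`, is taken to be 300 s; check the live value with `sysctl net.inet.ip.fw.dyn_ack_lifetime` and inspect dynamic entries with `ipfw -d show`). The script walks constructed packets through a simplified model of rules 00900 to 02000; it omits the divert/natd rule, ICMP, UDP and the loopback rules, and the addresses, ports and times are constructed, not taken from the capture.

```python
"""Simplified walk of the ipfw ruleset from the post, with dynamic (keep-state) rules.

Models only 00900 check-state, 01000 deny established, 01100 allow via bge1
keep-state, 01200/01300 allow dst-port 80/443 keep-state and 02000 deny.
The divert/natd rule and all non-TCP rules are intentionally left out.
"""
from dataclasses import dataclass, field

# Assumption: FreeBSD default net.inet.ip.fw.dyn_ack_lifetime (seconds).
DYN_ACK_LIFETIME = 300


@dataclass(frozen=True)
class Packet:
    t: float           # arrival time in seconds (constructed)
    iface: str         # "bge1" = LAN side, "bge0" = WAN side
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset   # TCP flags, e.g. frozenset("S"), frozenset("PA")


@dataclass
class Firewall:
    states: dict = field(default_factory=dict)    # flow key -> last-seen time
    counters: dict = field(default_factory=dict)  # rule number -> hit count

    @staticmethod
    def flow_key(p):
        """Direction-independent 5-tuple, like a dynamic rule's lookup key."""
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (p.proto,) + (a + b if a <= b else b + a)

    def _hit(self, rule, action):
        self.counters[rule] = self.counters.get(rule, 0) + 1
        return rule, action

    def walk(self, p):
        key = self.flow_key(p)
        # 00900 check-state: a live dynamic entry short-circuits the walk.
        last = self.states.get(key)
        if last is not None and p.t - last <= DYN_ACK_LIFETIME:
            self.states[key] = p.t
            return self._hit(900, "allow")
        self.states.pop(key, None)   # idle too long: the entry has expired
        # 01000 deny tcp from any to any established (ACK or RST set).
        if p.proto == "tcp" and p.flags & {"A", "R"}:
            return self._hit(1000, "deny")
        # 01100 allow ip from any to any via bge1 keep-state.
        if p.iface == "bge1":
            self.states[key] = p.t
            return self._hit(1100, "allow")
        # 01200 / 01300 allow tcp from any to any dst-port 80 / 443 keep-state.
        if p.proto == "tcp" and p.dport in (80, 443):
            self.states[key] = p.t
            return self._hit(1200 if p.dport == 80 else 1300, "allow")
        # 02000 deny log ip from any to any.
        return self._hit(2000, "deny")


def replay_keepalive_scenario():
    """Constructed trace: a LAN host opens an HTTP connection, lets it idle past
    DYN_ACK_LIFETIME, then reuses it (persistent HTTP) before giving up and
    opening a fresh connection. Returns (per-packet verdicts, rule counters)."""
    fw = Firewall()
    lan, web = "192.0.2.10", "203.0.113.80"   # documentation-range addresses
    flow = dict(iface="bge1", proto="tcp", src=lan, sport=2474, dst=web, dport=80)
    trace = [
        Packet(t=0, flags=frozenset("S"), **flow),     # SYN: creates state at 01100
        Packet(t=1, flags=frozenset("A"), **flow),     # handshake ACK: 00900
        Packet(t=2, flags=frozenset("PA"), **flow),    # first GET: 00900
        Packet(t=400, flags=frozenset("PA"), **flow),  # next GET, state expired: 01000
        Packet(t=401, flags=frozenset("S"), **{**flow, "sport": 2475}),  # new conn: 01100
    ]
    return [(p.t, fw.walk(p)) for p in trace], fw.counters


if __name__ == "__main__":
    for t, (rule, action) in replay_keepalive_scenario()[0]:
        print(f"t={t:>4}s  rule {rule:05d}  {action}")
```

In the model the GET at t=400 is the one that bumps rule 01000: its dynamic entry is gone, the segment carries ACK, and nothing before 01100 will let it through. Two caveats a practitioner would want: the real walk also passes through the divert rule at 00800, so addresses seen by 00900 and later differ before and after natd, and rules 01200/01300 carry no interface or direction qualifier, so in this model a SYN arriving on bge0 for port 80 is allowed too; whether that reaches anything on the real box depends on natd's handling of untranslated inbound packets.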