Date:      Sat, 3 Nov 2007 18:50:30 -0400 (EDT)
From:      Gardner Bell <gbell72@rogers.com>
To:        freebsd-ipfw@freebsd.org
Subject:   IPFW Problem
Message-ID:  <932971.53959.qm@web88014.mail.re2.yahoo.com>

I'm hoping some of you can help me out with the problem that I'm having,
as I'm not very good when it comes to networking.

I've recently configured 6.3-PRERELEASE with IPFW/NATD to act as my
LAN's firewall/router.  After I initially access certain http sites,
particularly Google Groups and Yahoo web mail, I'm noticing subsequent
attempts take > 2 mins to resolve the next link that I am interested in
reading.

This appears to be caused by rule 01000 as the counter increases each
time I access one of the above mentioned sites.

Short of removing this rule, is there any other way that I can fix this
issue?  Below is a listing of my present ruleset and a tcpdump of a
Windows XP machine trying to access a link on google groups.

regards,

Gardner

mx1# ipfw show
00100   76  11134 allow ip from 127.0.0.1 to 127.0.0.1 via lo0
00200    0      0 deny log logamount 10 ip from 127.0.0.1 to any
00300    0      0 deny log logamount 10 ip from any to 127.0.0.1
00400    0      0 deny log logamount 10 ip from any to any not verrevpath in
00500    0      0 deny log logamount 10 ip from any to any ipoptions ssrr,lsrr,rr,ts in
00600    0      0 deny ip from any to any frag
00700    0      0 allow icmp from any to any icmptypes 0,3,11,12
00800 1081 452405 divert 8668 ip from any to any via bge0
00900    0      0 check-state
01000   36  17682 deny tcp from any to any established
01100 2704 853904 allow ip from any to any via bge1 keep-state
01200  262  57586 allow tcp from any to any dst-port 80 keep-state
01300    0      0 allow tcp from any to any dst-port 443 keep-state
01400  102   7752 allow udp from me to any dst-port 123 keep-state
01500    0      0 allow tcp from me to any dst-port 53 setup keep-state
01600  169  30563 allow udp from me to any dst-port 53 keep-state
01700    0      0 allow tcp from any to any dst-port 1863 setup keep-state
01800    0      0 allow log logamount 10 udp from any to 255.255.255.255 dst-port 68 in via bge0
01900    0      0 allow tcp from x.x.x.x to x.x.x.x dst-port 22 keep-state
02000    0      0 deny log logamount 10 ip from any to any
65535    1    396 deny ip from any to any

131219 00:e0:81:2e:c1:aa > 00:13:5f:04:bd:05, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl  63, id 55490, offset 0, flags [DF], proto: TCP (6), length: 40, bad cksum 0 (->4d44)!) x.x.x.x.2471 > 64.233.179.99.80: ., cksum 0x2bf0 (correct), ack 26946 win 64330
046227 00:e0:81:2e:c1:aa > 00:13:5f:04:bd:05, ethertype IPv4 (0x0800), length 62: (tos 0x0, ttl  63, id 55493, offset 0, flags [DF], proto: TCP (6), length: 48, bad cksum 0 (->2a14)!) x.x.x.x.2474 > 72.14.207.99.80: S, cksum 0xf365 (correct), 2296693740:2296693740(0) win 65535 <mss 1460,nop,nop,sackOK>
007127 00:13:5f:04:bd:05 > 00:e0:81:2e:c1:aa, ethertype IPv4 (0x0800), length 62: (tos 0x0, ttl  56, id 48846, offset 0, flags [none], proto: TCP (6), length: 48) 72.14.207.99.80 > x.x.x.x.2474: S, cksum 0x8043 (correct), 2154814567:2154814567(0) ack 2296693741 win 5720 <mss 1430,nop,nop,sackOK>
000323 00:e0:81:2e:c1:aa > 00:13:5f:04:bd:05, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl  63, id 55494, offset 0, flags [DF], proto: TCP (6), length: 40, bad cksum 0 (->2a1b)!) x.x.x.x.2474 > 72.14.207.99.80: ., cksum 0xc341 (correct), ack 1 win 65535
000293 00:e0:81:2e:c1:aa > 00:13:5f:04:bd:05, ethertype IPv4 (0x0800), length 1155: (tos 0x0, ttl  63, id 55495, offset 0, flags [DF], proto: TCP (6), length: 1141, bad cksum 0 (->25cd)!) x.x.x.x.2474 > 72.14.207.99.80: P 1:1102(1101) ack 1 win 65535
015474 00:13:5f:04:bd:05 > 00:e0:81:2e:c1:aa, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl  56, id 48847, offset 0, flags [none], proto: TCP (6), length: 40) 72.14.207.99.80 > x.x.x.x.2474: ., cksum 0xa0d9 (correct), ack 1102 win 7707
000879 00:13:5f:04:bd:05 > 00:e0:81:2e:c1:aa, ethertype IPv4 (0x0800), length 383: (tos 0x0, ttl  56, id 48848, offset 0, flags [none], proto: TCP (6), length: 369) 72.14.207.99.80 > x.x.x.x.2474: P 1:330(329) ack 1102 win 7707
003365 00:13:5f:04:bd:05 > 00:e0:81:2e:c1:aa, ethertype IPv4 (0x0800), length 1484: (tos 0x0, ttl  54, id 5049, offset 0, flags [none], proto: TCP (6), length: 1470) 64.233.179.99.80 > x.x.x.x.2472: . 1:1431(1430) ack 944 win 6797
001463 00:13:5f:04:bd:05 > 00:e0:81:2e:c1:aa, ethertype IPv4 (0x0800), length 1484: (tos 0x0, ttl  54, id 5050, offset 0, flags [none], proto: TCP (6), length: 1470) 64.233.179.99.80 > x.x.x.x.2472: . 1431:2861(1430) ack 944 win 6797
000478 00:e0:81:2e:c1:aa > 00:13:5f:04:bd:05, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl  63, id 55498, offset 0, flags [DF], proto: TCP (6), length: 40, bad cksum 0 (->4d3c)!) x.x.x.x.2472 > 64.233.179.99.80: ., cksum 0xa354 (correct), ack 2861 win 65535
000694 00:13:5f:04:bd:05 > 00:e0:81:2e:c1:aa, ethertype IPv4 (0x0800), length 348: (tos 0x0, ttl  54, id 5051, offset 0, flags [none], proto: TCP (6), length: 334) 64.233.179.99.80 > x.x.x.x.2472: P 2861:3155(294) ack 944 win 6797
002086 00:e0:81:2e:c1:aa > 00:13:5f:04:bd:05, ethertype IPv4 (0x0800), length 841: (tos 0x0, ttl  63, id 55503, offset 0, flags [DF], proto: TCP (6), length: 827, bad cksum 0 (->4a24)!) x.x.x.x.2471 > 64.233.179.99.80: P 900:1687(787) ack 26946 win 64330
039910 00:13:5f:04:bd:05 > 00:e0:81:2e:c1:aa, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl  54, id 65197, offset 0, flags [none], proto: TCP (6), length: 40) 64.233.179.99.80 > x.x.x.x.2471: ., cksum 0xfff1 (correct), ack 1687 win 9270
081626 00:e0:81:2e:c1:aa > 00:13:5f:04:bd:05, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl  63, id 55504, offset 0, flags [DF], proto: TCP (6), length: 40, bad cksum 0 (->2a11)!) x.x.x.x.2474 > 72.14.207.99.80: ., cksum 0xbef4 (correct), ack 330 win 65206
006714 00:e0:81:2e:c1:aa > 00:13:5f:04:bd:05, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl  63, id 55505, offset 0, flags [DF], proto: TCP (6), length: 40, bad cksum 0 (->4d35)!) x.x.x.x.2472 > 64.233.179.99.80: ., cksum 0xa354 (correct), ack 3155 win 65241
023252 00:13:5f:04:bd:05 > 00:e0:81:2e:c1:aa, ethertype IPv4 (0x0800), length 1484: (tos 0x0, ttl  54, id 65198, offset 0, flags [none], proto: TCP (6), length: 1470) 64.233.179.99.80 > x.x.x.x.2471: . 26946:28376(1430) ack 1687 win 9270
001610 00:13:5f:04:bd:05 > 00:e0:81:2e:c1:aa, ethertype IPv4 (0x0800), length 1460: (tos 0x0, ttl  54, id 65199, offset 0, flags [none], proto: TCP (6), length: 1446) 64.233.179.99.80 > x.x.x.x.2471: P 28376:29782(1406) ack 1687 win 9270
000456 00:e0:81:2e:c1:aa > 00:13:5f:04:bd:05, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl  63, id 55506, offset 0, flags [DF], proto: TCP (6), length: 40, bad cksum 0 (->4d34)!) x.x.x.x.2471 > 64.233.179.99.80: ., cksum 0x1914 (correct), ack 29782 win 65535
000861 00:13:5f:04:bd:05 > 00:e0:81:2e:c1:aa, ethertype IPv4 (0x0800), length 1484: (tos 0x0, ttl  54, id 65200, offset 0, flags [none], proto: TCP (6), length: 1470) 64.233.179.99.80 > x.x.x.x.2471: . 29782:31212(1430) ack 1687 win 9270
036857 00:13:5f:04:bd:05 > 00:e0:81:2e:c1:aa, ethertype IPv4 (0x0800), length 116: (tos 0x0, ttl  54, id 65201, offset 0, flags [none], proto: TCP (6), length: 102) 64.233.179.99.80 > x.x.x.x.2471: P 31212:31274(62) ack 1687 win 9270
000164 00:e0:81:2e:c1:aa > 00:13:5f:04:bd:05, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl  63, id 55507, offset 0, flags [DF], proto: TCP (6), length: 40, bad cksum 0 (->4d33)!) x.x.x.x.2471 > 64.233.179.99.80: ., cksum 0x1340 (correct), ack 31274 win 65535
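The post pins the problem on rule 01000 by watching its counter climb across page loads. The following Python script, an added example and not code from the original post or from FreeBSD, does that comparison mechanically: it parses two `ipfw show` listings in the format shown above (joining rule bodies that a mail client wrapped onto a second line, as happened in the post) and reports every rule whose packet counter grew between the snapshots, so a deny rule that fires during a test stands out without reading 21 lines by eye. SNAP_BEFORE is the poster's listing; SNAP_AFTER is constructed for the example and is not real output from his router.

```python
"""Diff two `ipfw show` snapshots to see which rules matched traffic.

Added example, not code from the original post.  It parses the listing
format shown in the post (rule number, packets, bytes, body), joining rule
bodies that a mail client wrapped onto a continuation line, and reports
per-rule packet deltas so a deny rule that fires during a test stands out.
SNAP_BEFORE is the ruleset from the post; SNAP_AFTER is constructed here.
"""
import re

# e.g. "00100   76  11134 allow ip from 127.0.0.1 to 127.0.0.1 via lo0"
RULE_RE = re.compile(r"^(\d{5})\s+(\d+)\s+(\d+)\s+(.*)$")


def parse_ipfw_show(text):
    """Return {rule_number: (packets, bytes, body)}."""
    rules, current = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line.endswith("ipfw show"):  # blank line or the prompt
            continue
        m = RULE_RE.match(line)
        if m:  # a new rule line
            current = int(m.group(1))
            rules[current] = (int(m.group(2)), int(m.group(3)), m.group(4))
        elif current is not None:  # mail-wrapped remainder of the previous body
            pkts, byts, body = rules[current]
            rules[current] = (pkts, byts, body + " " + line)
    return rules


def counter_deltas(before, after):
    """Rules whose packet counter grew: sorted (rule, +pkts, +bytes, body)."""
    out = []
    for num, (p1, b1, body) in after.items():
        p0, b0, _ = before.get(num, (0, 0, body))  # a rule added later counts from 0
        if p1 > p0:
            out.append((num, p1 - p0, b1 - b0, body))
    return sorted(out)


# First snapshot: the listing from the post, including its wrapped lines.
SNAP_BEFORE = """\
mx1# ipfw show
00100   76  11134 allow ip from 127.0.0.1 to 127.0.0.1 via lo0
00200    0      0 deny log logamount 10 ip from 127.0.0.1 to any
00300    0      0 deny log logamount 10 ip from any to 127.0.0.1
00400    0      0 deny log logamount 10 ip from any to any not
verrevpath in
00500    0      0 deny log logamount 10 ip from any to any ipoptions
ssrr,lsrr,rr,ts in
00600    0      0 deny ip from any to any frag
00700    0      0 allow icmp from any to any icmptypes 0,3,11,12
00800 1081 452405 divert 8668 ip from any to any via bge0
00900    0      0 check-state
01000   36  17682 deny tcp from any to any established
01100 2704 853904 allow ip from any to any via bge1 keep-state
01200  262  57586 allow tcp from any to any dst-port 80 keep-state
01300    0      0 allow tcp from any to any dst-port 443 keep-state
01400  102   7752 allow udp from me to any dst-port 123 keep-state
01500    0      0 allow tcp from me to any dst-port 53 setup keep-state
01600  169  30563 allow udp from me to any dst-port 53 keep-state
01700    0      0 allow tcp from any to any dst-port 1863 setup
keep-state
01800    0      0 allow log logamount 10 udp from any to
255.255.255.255 dst-port 68 in via bge0
01900    0      0 allow tcp from x.x.x.x to x.x.x.x dst-port 22
keep-state
02000    0      0 deny log logamount 10 ip from any to any
65535    1    396 deny ip from any to any
"""

# Second snapshot (constructed, not real output): after loading one more page.
SNAP_AFTER = """\
mx1# ipfw show
00100   76  11134 allow ip from 127.0.0.1 to 127.0.0.1 via lo0
00200    0      0 deny log logamount 10 ip from 127.0.0.1 to any
00300    0      0 deny log logamount 10 ip from any to 127.0.0.1
00400    0      0 deny log logamount 10 ip from any to any not verrevpath in
00500    0      0 deny log logamount 10 ip from any to any ipoptions ssrr,lsrr,rr,ts in
00600    0      0 deny ip from any to any frag
00700    0      0 allow icmp from any to any icmptypes 0,3,11,12
00800 1120 470105 divert 8668 ip from any to any via bge0
00900    0      0 check-state
01000   41  20102 deny tcp from any to any established
01100 2760 871104 allow ip from any to any via bge1 keep-state
01200  270  60000 allow tcp from any to any dst-port 80 keep-state
01300    0      0 allow tcp from any to any dst-port 443 keep-state
01400  102   7752 allow udp from me to any dst-port 123 keep-state
01500    0      0 allow tcp from me to any dst-port 53 setup keep-state
01600  175  31631 allow udp from me to any dst-port 53 keep-state
01700    0      0 allow tcp from any to any dst-port 1863 setup keep-state
01800    0      0 allow log logamount 10 udp from any to 255.255.255.255 dst-port 68 in via bge0
01900    0      0 allow tcp from x.x.x.x to x.x.x.x dst-port 22 keep-state
02000    0      0 deny log logamount 10 ip from any to any
65535    1    396 deny ip from any to any
"""

if __name__ == "__main__":
    b, a = parse_ipfw_show(SNAP_BEFORE), parse_ipfw_show(SNAP_AFTER)
    for num, dp, db, body in counter_deltas(b, a):
        mark = "  <-- deny rule matched" if body.startswith("deny") else ""
        print(f"{num:05d} +{dp:4d} pkts +{db:6d} bytes  {body}{mark}")
```

In practice you would save `ipfw show` to a file, reproduce the slow page load, save it again and feed both files to the script; with the constructed second snapshot it flags rules 00800, 01000, 01100, 01200 and 01600, and marks 01000 as the deny rule that matched. The script only shows which counters moved; whether a hit on `deny tcp from any to any established` is expected depends on the state-creating rules that precede it, which is exactly the question the post asks the list.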