Date: Sat, 3 Nov 2007 18:50:30 -0400 (EDT) From: Gardner Bell <gbell72@rogers.com> To: freebsd-ipfw@freebsd.org Subject: IPFW Problem Message-ID: <932971.53959.qm@web88014.mail.re2.yahoo.com>
next in thread | raw e-mail | index | archive | help
I'm hoping some of you can help me out with the problem that I'm having as I'm not very good when it comes to networking.. I've recently configured 6.3-PRERELEASE with IPFW/NATD to act as my LAN's firewall/router. After I initially access certain http sites, particularly google groups and yahoo web mail I'm noticing subsequent attempts take > 2mins to resolve the next link that I am interested in reading. This appears to be caused by rule 01000 as the counter increases each time I access one of the above mentioned sites. Short of removing this rule, is there any other way that I can fix this issue? Below is a listing of my present ruleset and a tcpdump of a Windows XP machine trying to access a link on google groups. regards, Gardner mx1# ipfw show 00100 76 11134 allow ip from 127.0.0.1 to 127.0.0.1 via lo0 00200 0 0 deny log logamount 10 ip from 127.0.0.1 to any 00300 0 0 deny log logamount 10 ip from any to 127.0.0.1 00400 0 0 deny log logamount 10 ip from any to any not verrevpath in 00500 0 0 deny log logamount 10 ip from any to any ipoptions ssrr,lsrr,rr,ts in 00600 0 0 deny ip from any to any frag 00700 0 0 allow icmp from any to any icmptypes 0,3,11,12 00800 1081 452405 divert 8668 ip from any to any via bge0 00900 0 0 check-state 01000 36 17682 deny tcp from any to any established 01100 2704 853904 allow ip from any to any via bge1 keep-state 01200 262 57586 allow tcp from any to any dst-port 80 keep-state 01300 0 0 allow tcp from any to any dst-port 443 keep-state 01400 102 7752 allow udp from me to any dst-port 123 keep-state 01500 0 0 allow tcp from me to any dst-port 53 setup keep-state 01600 169 30563 allow udp from me to any dst-port 53 keep-state 01700 0 0 allow tcp from any to any dst-port 1863 setup keep-state 01800 0 0 allow log logamount 10 udp from any to 255.255.255.255 dst-port 68 in via bge0 01900 0 0 allow tcp from x.x.x.x to x.x.x.x dst-port 22 keep-state 02000 0 0 deny log logamount 10 ip from any to any 65535 1 396 deny ip from any to any 131219 00:e0:81:2e:c1:aa > 00:13:5f:04:bd:05, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 63, id 55490, offset 0, flags [DF], proto: TCP (6), length: 40, bad cksum 0 (->4d44)!) x.x.x.x.2471 > 64.233.179.99.80: ., cksum 0x2bf0 (correct), a ck 26946 win 64330 046227 00:e0:81:2e:c1:aa > 00:13:5f:04:bd:05, ethertype IPv4 (0x0800), length 62: (tos 0x0, ttl 63, id 55493, offset 0, flags [DF], proto: TCP (6), length: 48, bad cksum 0 (->2a14)!) x.x.x.x.2474 > 72.14.207.99.80: S, cksum 0xf365 (correct), 22 96693740:2296693740(0) win 65535 <mss 1460,nop,nop,sackOK> 007127 00:13:5f:04:bd:05 > 00:e0:81:2e:c1:aa, ethertype IPv4 (0x0800), length 62: (tos 0x0, ttl 56, id 48846, offset 0, flags [none], proto: TCP (6), length: 48) 72.14.207.99.80 > x.x.x.x.2474: S, cksum 0x8043 (correct), 2154814567:2154814567(0 ) ack 2296693741 win 5720 <mss 1430,nop,nop,sackOK> 000323 00:e0:81:2e:c1:aa > 00:13:5f:04:bd:05, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 63, id 55494, offset 0, flags [DF], proto: TCP (6), length: 40, bad cksum 0 (->2a1b)!) x.x.x.x.2474 > 72.14.207.99.80: ., cksum 0xc341 (correct), ac k 1 win 65535 000293 00:e0:81:2e:c1:aa > 00:13:5f:04:bd:05, ethertype IPv4 (0x0800), length 1155: (tos 0x0, ttl 63, id 55495, offset 0, fla gs [DF], proto: TCP (6), length: 1141, bad cksum 0 (->25cd)!) x.x.x.x.2474 > 72.14.207.99.80: P 1:1102(1101) ack 1 win 65535 015474 00:13:5f:04:bd:05 > 00:e0:81:2e:c1:aa, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 56, id 48847, offset 0, flags [none], proto: TCP (6), length: 40) 72.14.207.99.80 > x.x.x.x.2474: ., cksum 0xa0d9 (correct), ack 1102 win 7707 000879 00:13:5f:04:bd:05 > 00:e0:81:2e:c1:aa, ethertype IPv4 (0x0800), length 383: (tos 0x0, ttl 56, id 48848, offset 0, flag s [none], proto: TCP (6), length: 369) 72.14.207.99.80 > x.x.x.x.2474: P 1:330(329) ack 1102 win 7707 003365 00:13:5f:04:bd:05 > 00:e0:81:2e:c1:aa, ethertype IPv4 (0x0800), length 1484: (tos 0x0, ttl 54, id 5049, offset 0, flag s [none], proto: TCP (6), length: 1470) 64.233.179.99.80 > x.x.x.x.2472: . 1:1431(1430) ack 944 win 6797 001463 00:13:5f:04:bd:05 > 00:e0:81:2e:c1:aa, ethertype IPv4 (0x0800), length 1484: (tos 0x0, ttl 54, id 5050, offset 0, flag s [none], proto: TCP (6), length: 1470) 64.233.179.99.80 > x.x.x.x.2472: . 1431:2861(1430) ack 944 win 6797 000478 00:e0:81:2e:c1:aa > 00:13:5f:04:bd:05, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 63, id 55498, offset 0, flags [DF], proto: TCP (6), length: 40, bad cksum 0 (->4d3c)!) x.x.x.x.2472 > 64.233.179.99.80: ., cksum 0xa354 (correct), a ck 2861 win 65535 000694 00:13:5f:04:bd:05 > 00:e0:81:2e:c1:aa, ethertype IPv4 (0x0800), length 348: (tos 0x0, ttl 54, id 5051, offset 0, flags [none], proto: TCP (6), length: 334) 64.233.179.99.80 > x.x.x.x.2472: P 2861:3155(294) ack 944 win 6797 002086 00:e0:81:2e:c1:aa > 00:13:5f:04:bd:05, ethertype IPv4 (0x0800), length 841: (tos 0x0, ttl 63, id 55503, offset 0, flag s [DF], proto: TCP (6), length: 827, bad cksum 0 (->4a24)!) x.x.x.x.2471 > 64.233.179.99.80: P 900:1687(787) ack 26946 win 64330 039910 00:13:5f:04:bd:05 > 00:e0:81:2e:c1:aa, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 54, id 65197, offset 0, flags [none], proto: TCP (6), length: 40) 64.233.179.99.80 > x.x.x.x.2471: ., cksum 0xfff1 (correct), ack 1687 win 9270 081626 00:e0:81:2e:c1:aa > 00:13:5f:04:bd:05, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 63, id 55504, offset 0, flags [DF], proto: TCP (6), length: 40, bad cksum 0 (->2a11)!) x.x.x.x.2474 > 72.14.207.99.80: ., cksum 0xbef4 (correct), ac k 330 win 65206 006714 00:e0:81:2e:c1:aa > 00:13:5f:04:bd:05, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 63, id 55505, offset 0, flags [DF], proto: TCP (6), length: 40, bad cksum 0 (->4d35)!) x.x.x.x.2472 > 64.233.179.99.80: ., cksum 0xa354 (correct), a ck 3155 win 65241 023252 00:13:5f:04:bd:05 > 00:e0:81:2e:c1:aa, ethertype IPv4 (0x0800), length 1484: (tos 0x0, ttl 54, id 65198, offset 0, fla gs [none], proto: TCP (6), length: 1470) 64.233.179.99.80 > x.x.x.x.2471: . 26946:28376(1430) ack 1687 win 9270 001610 00:13:5f:04:bd:05 > 00:e0:81:2e:c1:aa, ethertype IPv4 (0x0800), length 1460: (tos 0x0, ttl 54, id 65199, offset 0, fla gs [none], proto: TCP (6), length: 1446) 64.233.179.99.80 > x.x.x.x.2471: P 28376:29782(1406) ack 1687 win 9270 000456 00:e0:81:2e:c1:aa > 00:13:5f:04:bd:05, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 63, id 55506, offset 0, flags [DF], proto: TCP (6), length: 40, bad cksum 0 (->4d34)!) x.x.x.x.2471 > 64.233.179.99.80: ., cksum 0x1914 (correct), a ck 29782 win 65535 000861 00:13:5f:04:bd:05 > 00:e0:81:2e:c1:aa, ethertype IPv4 (0x0800), length 1484: (tos 0x0, ttl 54, id 65200, offset 0, fla gs [none], proto: TCP (6), length: 1470) 64.233.179.99.80 > x.x.x.x.2471: . 29782:31212(1430) ack 1687 win 9270 036857 00:13:5f:04:bd:05 > 00:e0:81:2e:c1:aa, ethertype IPv4 (0x0800), length 116: (tos 0x0, ttl 54, id 65201, offset 0, flag s [none], proto: TCP (6), length: 102) 64.233.179.99.80 > x.x.x.x.2471: P 31212:31274(62) ack 1687 win 9270 000164 00:e0:81:2e:c1:aa > 00:13:5f:04:bd:05, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 63, id 55507, offset 0, flags [DF], proto: TCP (6), length: 40, bad cksum 0 (->4d33)!) x.x.x.x.2471 > 64.233.179.99.80: ., cksum 0x1340 (correct), a ck 31274 win 65535
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?932971.53959.qm>