Date:      Wed, 7 Nov 2001 13:28:53 -0500
From:      GuRU <guru@nubisci.net>
To:        freebsd-security@freebsd.org
Subject:   problems with clients behind ipf/ipnat firewall
Message-ID:  <20011107132853.B7624@nubisci.net>

Hello folks,
I'm having some problems with my firewall setup and could use some insight/advice.
I have a cable modem with a static IP.  My gateway box is running -current.
I'm seeing problems with both ipf/ipnat and ipfw/natd, but for the purpose
of this email I'll use my ipf/ipnat configuration.  Here's the deal: for all
kinds of access to the internet, everything is slow or times out except ping,
while everything from my gateway box is fine.  My gateway box is running
-current, while the clients are running 4.3-RELEASE.  Here are some examples
of what I'm seeing:

client box (FreeBSD kaleidoscope.nubisci.net 4.3-RELEASE FreeBSD 4.3-RELEASE
#0: Sat Apr 21 10:54:49 GMT 2001 jkh@narf.osd.bsdi.com:/usr/src/sys/compile/GENERIC  i386)

kaleidoscope.nubisci.net:guru% ping -c 10 bantu.cl.msu.edu
PING bantu.cl.msu.edu (35.8.3.18): 56 data bytes
64 bytes from 35.8.3.18: icmp_seq=0 ttl=60 time=4.382 ms
64 bytes from 35.8.3.18: icmp_seq=1 ttl=60 time=3.986 ms
64 bytes from 35.8.3.18: icmp_seq=2 ttl=60 time=3.633 ms
64 bytes from 35.8.3.18: icmp_seq=3 ttl=60 time=5.451 ms
64 bytes from 35.8.3.18: icmp_seq=4 ttl=60 time=3.545 ms
64 bytes from 35.8.3.18: icmp_seq=5 ttl=60 time=3.861 ms
64 bytes from 35.8.3.18: icmp_seq=6 ttl=60 time=3.512 ms
64 bytes from 35.8.3.18: icmp_seq=7 ttl=60 time=4.xxx ms
64 bytes from 35.8.3.18: icmp_seq=8 ttl=60 time=3.750 ms
64 bytes from 35.8.3.18: icmp_seq=9 ttl=60 time=6.950 ms

--- bantu.cl.msu.edu ping statistics ---
10 packets transmitted, 10 packets received, 0% packet loss
round-trip min/avg/max/stddev = 3.512/4.318/6.950/1.030 ms


gateway box (FreeBSD ganja.nubisci.net 5.0-CURRENT FreeBSD 5.0-CURRENT #51:
Wed Nov  7 09:16:18 EST 2001 root@ganja.nubisci.net:/usr/src/sys/i386/compile/GANJA  i386)

ganja.nubisci.net:guru% ping -c 10 bantu.cl.msu.edu
PING bantu.cl.msu.edu (35.8.3.18): 56 data bytes
64 bytes from 35.8.3.18: icmp_seq=0 ttl=61 time=3.469 ms
64 bytes from 35.8.3.18: icmp_seq=1 ttl=61 time=2.890 ms
64 bytes from 35.8.3.18: icmp_seq=2 ttl=61 time=2.795 ms
64 bytes from 35.8.3.18: icmp_seq=3 ttl=61 time=4.070 ms
64 bytes from 35.8.3.18: icmp_seq=4 ttl=61 time=8.061 ms
64 bytes from 35.8.3.18: icmp_seq=5 ttl=61 time=2.877 ms
64 bytes from 35.8.3.18: icmp_seq=6 ttl=61 time=9.180 ms
64 bytes from 35.8.3.18: icmp_seq=7 ttl=61 time=3.613 ms
64 bytes from 35.8.3.18: icmp_seq=8 ttl=61 time=3.202 ms
64 bytes from 35.8.3.18: icmp_seq=9 ttl=61 time=3.788 ms

--- bantu.cl.msu.edu ping statistics ---
10 packets transmitted, 10 packets received, 0% packet loss
round-trip min/avg/max/stddev = 2.795/4.394/9.180/2.164 ms


OK, now here are the results of traceroute -S.
Client box:

kaleidoscope.nubisci.net:guru% traceroute -S bantu.cl.msu.edu
traceroute to bantu.cl.msu.edu (35.8.3.18), 30 hops max, 40 byte packets
 1  ganja (192.168.0.1)  0.522 ms  0.434 ms  0.390 ms (0% loss)
 2  xxx.xxx.xxx.193 (xxx.xxx.xxx.193)  3.462 ms *  5.353 ms (33% loss)
 3  * com-rtr-ve61.net.msu.edu (35.12.51.1)  6.028 ms * (66% loss)
 4  cc-rtr-ge15.net.msu.edu (35.9.101.13)  7.252 ms *  3.242 ms (33% loss)
 5  * bantu.cl.msu.edu (35.8.3.18)  5.814 ms * (66% loss)

As you can see, I start seeing collisions once packets hit my upstream gateway  :(

Now from my gateway box:

ganja.nubisci.net:guru% traceroute -S bantu.cl.msu.edu
traceroute to bantu.cl.msu.edu (35.8.3.18), 64 hops max, 40 byte packets
 1  xxx.xxx.xxx.193 (xxx.xxx.xxx.193)  3.466 ms  2.871 ms  5.716 ms (0% loss)
 2  com-rtr-ve61.net.msu.edu (35.12.51.1)  2.565 ms  2.781 ms  2.711 ms (0% loss)
 3  cc-rtr-ge15.net.msu.edu (35.9.101.13)  2.767 ms  7.298 ms  4.367 ms (0% loss)
 4  bantu.cl.msu.edu (35.8.3.18)  2.516 ms  2.121 ms  1.997 ms (0% loss)

No problems whatsoever.

Now I've upgraded NICs and cables and switched the public/private NICs, and the
results are the same.  If it's h/w I'm at a loss as to what it can be, except
maybe the mobo or the cable modem, but I can't see why, as the gateway performs
without any issues.  I've tried many different ipf configurations, and even
with very permissive rules I see the same symptoms :(.  Here are my current
ipf.rules and ipnat.rules files:

# /etc/ipf.rules

# ipf.rules
# interface naming:
# fxp0 = internet, addr=xxx.xxx.xxx.215/32
# fxp1 = local private net, addr=192.168.0.1/24
#
# generic to all interfaces
    block in log quick all with opt lsrr
    block in log quick all with opt ssrr
    block in log quick all with ipopts
    block in log quick proto tcp all with short
    block in log quick proto icmp all with frag

    pass in quick on fxp0 proto tcp/udp from xxx.xxx.xxx.215/3 to ANY keep state

# rules for the external fxp0 interface
    pass in quick on fxp0 proto tcp from any to xxx.xxx.xxx.215/32 port = 22   flags S keep state
    pass in quick on fxp0 proto tcp from any to xxx.xxx.xxx.215/32 port = 25   flags S keep state
    pass in quick on fxp0 proto tcp from any to xxx.xxx.xxx.215/32 port = 53   flags S keep state
    pass in quick on fxp0 proto udp from any to xxx.xxx.xxx.215/32 port = 53           keep state
    pass in quick on fxp0 proto tcp from any to xxx.xxx.xxx.215/32 port = 80   flags S keep state
    pass in quick on fxp0 proto tcp from any to xxx.xxx.xxx.215/32 port = 110  flags S keep state
    pass in quick on fxp0 proto tcp from any to xxx.xxx.xxx.215/32 port = 113  flags S keep state
    pass in quick on fxp0 proto tcp from any to xxx.xxx.xxx.215/32 port = 443  flags S keep state
    pass in quick on fxp0 proto tcp from any to xxx.xxx.xxx.215/32 port = 6000 flags S keep state

    block in log on fxp0 all
    block return-rst in log quick on fxp0 proto tcp all flags S
    block return-icmp-as-dest(port-unr) in log quick on fxp0 proto udp all

# now keep state at the external interface on outgoing traffic:
    pass out quick on fxp0 proto tcp from any to any flags S keep state
    pass out quick on fxp0 proto udp from any to any keep state
    pass out quick on fxp0 proto icmp from any to any keep state
    pass out quick on fxp0 from any to any
#
# rules for the internal fxp1 interface
# let the internal and loopback interfaces run free, but
# squelch the netbios stuff so it doesn't create ipf states:
    block in quick on fxp1 from any to any port = 137
    block in quick on fxp1 from any to any port = 138
    block in quick on fxp1 from any to any port = 139
    block in quick on fxp1 from any port = 137 to any
    block in quick on fxp1 from any port = 138 to any
    block in quick on fxp1 from any port = 139 to any
    pass in quick on fxp1 all
    pass out quick on fxp1 all
#
# no restrictions on loopback
    pass in quick on lo0 all
    pass out quick on lo0 all


And here's my ipnat.rules:
#/etc/ipnat.rules
map fxp0 192.168.0.1/24 -> xxx.xxx.xxx.215/32 proxy port ftp ftp/tcp
map fxp0 192.168.0.1/24 -> xxx.xxx.xxx.215/32 portmap tcp/udp 1025:65000
map fxp0 192.168.0.1/24 -> xxx.xxx.xxx.215/32 

Any thoughts/ideas/criticisms?  :)


-- 
"Comparing information and knowledge is like asking whether the fatness
of a pig is more or less green than the designated hitter rule."
                -- David Guaspari
<guru@nubisci.net> 
