ipfw2 problem

Ganbold ganbold at micom.mng.net
Sun Jan 4 01:28:40 PST 2004


Hi,

I'm using FreeBSD 5.2-current machine for firewall. It is configured as a 
bridged ipfw2 firewall.
This machine also works as a traffic shaper using the dummynet features.
The machine has 2GHz Pentium 4 CPU and 128MB RAM and 3 Intel Pro 100MB 
cards. 2 cards are used
for bridging.
Everything works fine, except sometimes it seems to be dropping some packets.
When I try to browse the web, sometimes it just shows an error page. This 
happens during peak hours.
So my guess is that the firewall drops packets and maybe the machine needs more RAM.
Another guess is that, because I'm using the stateful features of ipfw2, when the 
dynamic rule count reaches its maximum it just drops packets until some dynamic 
rules are deleted. Am I right? Can somebody explain to me what happens when 
net.inet.ip.fw.dyn_count reaches the net.inet.ip.fw.dyn_max value?

I also tried increasing the maximum value to 8192, but it seems to have had no effect.

# Added in sysctl.conf
net.inet.ip.fw.dyn_max=8192

I attached my /etc/rc.firewall and /etc/sysctl.conf files.
Can somebody tell me what I did wrong in the config files? Should I increase 
the RAM?
Or should I set smaller life time for dynamic rules?

I hope somebody on this list can point me in the right direction.

Part of the /etc/rc.firewall
-----------------------------------------------------------------------------------------------------------------------------
...
[Cc][Uu][Ss][Tt][Oo][Mm])

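# rc.firewall "custom" ruleset for a bridging ipfw2 firewall that also shapes
# traffic with dummynet.  Judging from the rules, fxp1 carries the inside
# (customer) networks and fxp0 the upstream side; fxp2 is a third interface.
# ${fwcmd} is assigned earlier in rc.firewall (outside this excerpt).  Rules
# added without a number are auto-numbered after the last numbered rule, so
# the order of the lines below is the order in which packets are matched.
# (Commands that the mail client had wrapped onto two lines are rejoined here;
# no rule has been changed.)

${fwcmd} -f flush
${fwcmd} -f pipe flush

# Things that we have kept state on before get to go through in a hurry:
# packets matching an existing dynamic (keep-state) entry are accepted here.
${fwcmd} add 10 check-state

# Anti-spoofing: private (RFC 1918) sources never belong on the upstream side.
${fwcmd} add 21 deny all from 10.0.0.0/8 to any via fxp0
${fwcmd} add 23 deny all from 172.16.0.0/12 to any via fxp0
${fwcmd} add 25 deny all from 192.168.0.0/16 to any via fxp0

# A loopback source arriving from the outside is always forged.
${fwcmd} add 34 deny all from 127.0.0.0/8 to any in via fxp0

################### stop Welchia/Nachi ###########################
# Relies on the worm's ICMP echo requests having a total IP length of 92.
${fwcmd} add 35 deny icmp from any to any iplen 92

####################### DUMMYNET config #########################
# Two pipes per customer: the odd-numbered pipe shapes what the customer
# sends (entering on fxp1), the even-numbered one shapes what is sent to the
# customer (entering on fxp0).  Because sysctl.conf sets
# net.inet.ip.fw.one_pass=0, a packet leaving a pipe continues through the
# rules that follow instead of being accepted on the spot.

##################### 64KB #######################################
#
# selenge
${fwcmd} pipe 41 config bw 64kbit/s
${fwcmd} pipe 42 config bw 64kbit/s
${fwcmd} add 62 pipe 41 all from 202.179.x.x/30 to any in via fxp1
${fwcmd} add 63 pipe 42 all from any to 202.179.x.x/30 in via fxp0

# khentii
${fwcmd} pipe 43 config bw 64kbit/s
${fwcmd} pipe 44 config bw 64kbit/s
${fwcmd} add 64 pipe 43 all from 202.179.x.x/30 to any in via fxp1
${fwcmd} add 65 pipe 44 all from any to 202.179.x.x/30 in via fxp0

# arkhangai
${fwcmd} pipe 45 config bw 64kbit/s
${fwcmd} pipe 46 config bw 64kbit/s
${fwcmd} add 66 pipe 45 all from 202.179.x.x/30 to any in via fxp1
${fwcmd} add 67 pipe 46 all from any to 202.179.x.x/30 in via fxp0

# traffic police
${fwcmd} pipe 47 config bw 64kbit/s
${fwcmd} pipe 48 config bw 64kbit/s
${fwcmd} add 68 pipe 47 all from 202.179.x.x/30,202.179.x.x/28 to any in via fxp1
${fwcmd} add 69 pipe 48 all from any to 202.179.x.x/30,202.179.x.x/28 in via fxp0

##################### 128KB #######################################
#
# glencore
${fwcmd} pipe 49 config bw 128kbit/s
${fwcmd} pipe 50 config bw 128kbit/s
${fwcmd} add 70 pipe 49 all from 202.179.x.x/29,202.179.x.x/30 to any in via fxp1
${fwcmd} add 71 pipe 50 all from any to 202.179.x.x/29,202.179.x.x/30 in via fxp0

# ikh tenger
${fwcmd} pipe 51 config bw 128kbit/s
${fwcmd} pipe 52 config bw 128kbit/s
${fwcmd} add 72 pipe 51 all from 202.179.x.x/29 to any in via fxp1
${fwcmd} add 73 pipe 52 all from any to 202.179.x.x/29 in via fxp0

# xas
${fwcmd} pipe 53 config bw 128kbit/s
${fwcmd} pipe 54 config bw 128kbit/s
${fwcmd} add 74 pipe 53 all from 202.179.x.x/29,202.179.x.x/30 to any in via fxp1
${fwcmd} add 75 pipe 54 all from any to 202.179.x.x/29,202.179.x.x/30 in via fxp0

##################### 256KB #######################################
# mtc
${fwcmd} pipe 55 config bw 256kbit/s
${fwcmd} pipe 56 config bw 256kbit/s
${fwcmd} add 76 pipe 55 all from 202.179.x.x/30,202.179.x.x/29 to any in via fxp1
${fwcmd} add 77 pipe 56 all from any to 202.179.x.x/30,202.179.x.x/29 in via fxp0

# gtz
${fwcmd} pipe 57 config bw 256kbit/s
${fwcmd} pipe 58 config bw 256kbit/s
${fwcmd} add 78 pipe 57 all from 202.179.x.x/28 to any in via fxp1
${fwcmd} add 79 pipe 58 all from any to 202.179.x.x/28 in via fxp0

######################### STANDARDS #########################
# Allow TCP through if setup succeeded.
# NOTE(review): "established" matches any TCP segment with the ACK or RST bit
# set, and this rule sits before every per-port rule below, so those rules
# only ever decide about connection setups (SYN).  It also makes the TCP
# keep-state entries created further down redundant for return traffic; a
# ruleset that relies on check-state/keep-state alone would not need it.
${fwcmd} add 100 pass tcp from any to any established

# Allowing connections through localhost.
${fwcmd} add 300 pass all from any to any via lo0

# pass ARP
${fwcmd} add 301 allow layer2 mac-type arp

# Allow the inside hosts to say anything they want.
# NOTE(review): the third rule passes every IP packet entering on fxp1, so
# the two keep-state rules above it exist only to seed the dynamic table for
# return traffic.  Every new inside-originated TCP connection and UDP flow
# therefore occupies one entry in the dyn_max-limited table (sysctl.conf),
# and with rule 100 already passing the TCP replies, the TCP entries buy
# little while living for dyn_ack_lifetime seconds.
${fwcmd} add pass tcp from any to any in via fxp1 setup keep-state
${fwcmd} add pass udp from any to any in via fxp1 keep-state
${fwcmd} add pass ip from any to any in via fxp1

# Allow SSH and web connections in from the outside.  (These are not logged:
# the rules carry no "log" option, despite the original comment.)
${fwcmd} add pass tcp from any to any 22 in via fxp0 setup keep-state
${fwcmd} add pass tcp from any to any 80,443 in via fxp0 setup keep-state

# Allow incoming FTP, telnet, SMTP, POP3, ident and IMAP connections
# (again without "log").
${fwcmd} add pass tcp from any to any 20-21,23,25,110,113,143 in via fxp0 setup keep-state
${fwcmd} add pass udp from any to any 20-21,23,25,110,113,143 in via fxp0 keep-state

# Pass the "quarantine" range
${fwcmd} add pass tcp from any to any 18198,18211,40000-65535 in via fxp0 setup keep-state
${fwcmd} add pass udp from any to any 18198,18211,40000-65535 in via fxp0 keep-state

# MSN, Yahoo ports
${fwcmd} add pass tcp from any to any 1863,2001-2120,6801,6891-6901,7801-7825 in via fxp0 setup keep-state
${fwcmd} add pass udp from any to any 1863,2001-2120,6801,6891-6901,7801-7825 in via fxp0 keep-state

# additional h323,yahoo,remote admin,vnc ports
${fwcmd} add pass tcp from any to any 1719-1725,2082,5000-6000,8010,8100 in via fxp0 setup keep-state
${fwcmd} add pass udp from any to any 1719-1725,2082,5000-6000,8010,8100 in via fxp0 keep-state

# Allowing mysql,Jabber,IRC,chat.
${fwcmd} add pass tcp from any to any 3306,4899,6155,6502,6667,8000 in via fxp0 setup keep-state
${fwcmd} add pass udp from any to any 3306,4899,6155,6502,6667,8000 in via fxp0 keep-state

# allow radius
${fwcmd} add pass tcp from any to any 1645,1646,1812,1813,9000-9002 in via fxp0 setup keep-state
${fwcmd} add pass udp from any to any 1645,1646,1812,1813,9000-9002 in via fxp0 keep-state

# additional eMule ports
${fwcmd} add pass tcp from any to any 2323,4242,4243,4661-4672,7700-7800 in via fxp0 setup keep-state
${fwcmd} add pass udp from any to any 2323,4242,4243,4661-4672,7700-7800 in via fxp0 keep-state

# Allowing DNS lookups.
# NOTE(review): the third rule matches on source port only, so any inbound
# UDP packet with source port 53 is accepted to any inside port.  Replies to
# queries sent from the inside already match the keep-state entry created by
# the "udp ... in via fxp1 keep-state" rule above, so this rule looks
# unnecessary — confirm against the DNS setup before removing it.
${fwcmd} add pass tcp from any to any 53 in via fxp0 setup keep-state
${fwcmd} add pass udp from any to any 53 in via fxp0 keep-state
${fwcmd} add pass udp from any 53 to any in via fxp0 keep-state

# ICMP: own network may send the listed types anywhere; from elsewhere only
# replies and errors (no echo request, type 8) reach the own network.
${fwcmd} add pass icmp from 202.179.x.x/19 to any icmptypes 0,3,4,8,11,12
${fwcmd} add pass icmp from not 202.179.x.x/19 to 202.179.x.x/19 icmptypes 0,3,4,11,12

# Allowing SOCKS,HTTP proxy to outside only.
# NOTE(review): these match packets *entering on fxp0* (the upstream side)
# with a source in the own /19, which is not what "to outside only" suggests;
# check that this is the intended direction.
${fwcmd} add pass tcp from 202.179.x.x/19 to any 1080,8080 in via fxp0 setup keep-state
${fwcmd} add pass udp from 202.179.x.x/19 to any 1080,8080 in via fxp0 keep-state

# Allow the bridge machine to say anything it wants
${fwcmd} add pass tcp from 202.179.x.x to any setup keep-state
${fwcmd} add pass udp from 202.179.x.x to any keep-state
${fwcmd} add pass ip from 202.179.x.x to any

# Third interface: everything entering on fxp2 is allowed.
${fwcmd} add pass tcp from any to any in via fxp2 setup keep-state
${fwcmd} add pass udp from any to any in via fxp2 keep-state
${fwcmd} add pass ip from any to any in via fxp2

# Allow NTP queries out in the world
${fwcmd} add pass udp from any to any 123 in via fxp0 keep-state

# allow multicast
${fwcmd} add pass all from 202.179.x.x/19 to 224.0.0.0/4 via fxp0
${fwcmd} add pass all from 224.0.0.0/4 to 202.179.x.x/19 via fxp0

# Allowing OSPF
${fwcmd} add pass ospf from any to any

# Allowing GRE
${fwcmd} add pass gre from any to any

# Allowing IP fragments to pass through: "frag" matches non-first fragments,
# which carry no port header and so cannot match the port rules above.
${fwcmd} add 65001 pass all from any to any frag

# Everything else is suspect: default deny, logged.
${fwcmd} add drop log ip from any to any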
...
-----------------------------------------------------------------------------------------------------------------------------

/etc/sysctl.conf file.
-----------------------------------------------------------------------------------------------------------------------------
# Bridge fxp0 and fxp1 together (both in bridge cluster 0) and run the
# bridged packets through ipfw.
net.link.ether.bridge_cfg=fxp0:0,fxp1:0
net.link.ether.bridge_ipfw=1
net.link.ether.bridge.enable=1

# After a dummynet pipe, a packet continues through the remaining ipfw rules
# instead of being accepted immediately.
net.inet.ip.fw.one_pass=0
# Users may only see their own processes.
security.bsd.see_other_uids=0
# ARP cache entry lifetime, in seconds.
net.link.ether.inet.max_age=1200
# Listen-queue backlog and default TCP socket buffer sizes for this host's
# own sockets.
kern.ipc.somaxconn=1024
net.inet.tcp.sendspace=32768
net.inet.tcp.recvspace=32768

# Neither forward nor accept source-routed packets.
net.inet.ip.sourceroute=0
net.inet.ip.accept_sourceroute=0

# Stop broadcast ECHO response
net.inet.icmp.bmcastecho=0

# Stop other broadcast probes
net.inet.icmp.maskrepl=0

# Do not answer TCP/UDP packets sent to closed ports on this host (this
# concerns the firewall's own sockets, not bridged traffic).
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1

# ipfw dynamic (keep-state) rule table.  dyn_max caps the number of entries;
# the lifetimes are in seconds and are refreshed by each matching packet.
# NOTE(review): at 3600 s every kept-state TCP flow occupies an entry for an
# hour after its last packet, so during peak hours the 8192 ceiling is likely
# reached long before entries expire — lowering dyn_ack_lifetime is the lever
# to try before adding RAM.  dyn_buckets must be a power of two.
net.inet.ip.fw.dyn_max=8192
net.inet.ip.fw.dyn_ack_lifetime=3600
net.inet.ip.fw.dyn_udp_lifetime=10
net.inet.ip.fw.dyn_buckets=1024

-----------------------------------------------------------------------------------------------------------------------------

tia,

Ganbold


