IPFW Problem

john.w.court at nokia.com
Sun Nov 4 15:31:42 PST 2007


Hmm, I may well be missing something very obvious but rule 01000 seems
to be doing exactly what it says it will.  Are you sure you meant "deny"
rather than "allow" on rule 01000?  It seems very unfriendly to allow
outgoing TCP connections and then the minute they are established deny
any return traffic!!  Usually the "established" test is there to detect
valid incoming traffic associated with your own outgoing "safe"
connections.

Cheers

John 

-----Original Message-----
From: owner-freebsd-ipfw at freebsd.org
[mailto:owner-freebsd-ipfw at freebsd.org] On Behalf Of ext Gardner Bell
Sent: Sunday, November 04, 2007 8:51 AM
To: freebsd-ipfw at freebsd.org
Subject: IPFW Problem

I'm hoping some of you can help me out with the problem that I'm having,
as I'm not very good when it comes to networking.

I've recently configured 6.3-PRERELEASE with IPFW/NATD to act as my
LAN's firewall/router.  After I initially access certain http sites,
particularly google groups and yahoo web mail I'm noticing subsequent
attempts take > 2mins to resolve the next link that I am interested in
reading.  

This appears to be caused by rule 01000 as the counter increases each
time I access one of the above mentioned sites.

Short of removing this rule, is there any other way that I can fix this
issue?  Below is a listing of my present ruleset and a tcpdump of a
Windows XP machine trying to access a link on google groups.

regards,

Gardner

mx1# ipfw show
00100   76  11134 allow ip from 127.0.0.1 to 127.0.0.1 via lo0
00200    0      0 deny log logamount 10 ip from 127.0.0.1 to any
00300    0      0 deny log logamount 10 ip from any to 127.0.0.1
00400    0      0 deny log logamount 10 ip from any to any not verrevpath in
00500    0      0 deny log logamount 10 ip from any to any ipoptions ssrr,lsrr,rr,ts in
00600    0      0 deny ip from any to any frag
00700    0      0 allow icmp from any to any icmptypes 0,3,11,12
00800 1081 452405 divert 8668 ip from any to any via bge0
00900    0      0 check-state
01000   36  17682 deny tcp from any to any established
01100 2704 853904 allow ip from any to any via bge1 keep-state
01200  262  57586 allow tcp from any to any dst-port 80 keep-state
01300    0      0 allow tcp from any to any dst-port 443 keep-state
01400  102   7752 allow udp from me to any dst-port 123 keep-state
01500    0      0 allow tcp from me to any dst-port 53 setup keep-state
01600  169  30563 allow udp from me to any dst-port 53 keep-state
01700    0      0 allow tcp from any to any dst-port 1863 setup keep-state
01800    0      0 allow log logamount 10 udp from any to 255.255.255.255 dst-port 68 in via bge0
01900    0      0 allow tcp from x.x.x.x to x.x.x.x dst-port 22 keep-state
02000    0      0 deny log logamount 10 ip from any to any
65535    1    396 deny ip from any to any

131219 00:e0:81:2e:c1:aa > 00:13:5f:04:bd:05, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl  63, id 55490, offset 0, flags  [DF], proto: TCP (6), length: 40, bad cksum 0 (->4d44)!) x.x.x.x.2471 > 64.233.179.99.80: ., cksum 0x2bf0 (correct), ack 26946 win 64330
046227 00:e0:81:2e:c1:aa > 00:13:5f:04:bd:05, ethertype IPv4 (0x0800), length 62: (tos 0x0, ttl  63, id 55493, offset 0, flags  [DF], proto: TCP (6), length: 48, bad cksum 0 (->2a14)!) x.x.x.x.2474 > 72.14.207.99.80: S, cksum 0xf365 (correct), 2296693740:2296693740(0) win 65535 <mss 1460,nop,nop,sackOK>
007127 00:13:5f:04:bd:05 > 00:e0:81:2e:c1:aa, ethertype IPv4 (0x0800), length 62: (tos 0x0, ttl  56, id 48846, offset 0, flags  [none], proto: TCP (6), length: 48) 72.14.207.99.80 > x.x.x.x.2474: S, cksum 0x8043 (correct), 2154814567:2154814567(0) ack 2296693741 win 5720 <mss 1430,nop,nop,sackOK>
000323 00:e0:81:2e:c1:aa > 00:13:5f:04:bd:05, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl  63, id 55494, offset 0, flags  [DF], proto: TCP (6), length: 40, bad cksum 0 (->2a1b)!) x.x.x.x.2474 > 72.14.207.99.80: ., cksum 0xc341 (correct), ack 1 win 65535
000293 00:e0:81:2e:c1:aa > 00:13:5f:04:bd:05, ethertype IPv4 (0x0800), length 1155: (tos 0x0, ttl  63, id 55495, offset 0, flags  [DF], proto: TCP (6), length: 1141, bad cksum 0 (->25cd)!) x.x.x.x.2474 > 72.14.207.99.80: P 1:1102(1101) ack 1 win 65535
015474 00:13:5f:04:bd:05 > 00:e0:81:2e:c1:aa, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl  56, id 48847, offset 0, flags  [none], proto: TCP (6), length: 40) 72.14.207.99.80 > x.x.x.x.2474: ., cksum 0xa0d9 (correct), ack 1102 win 7707
000879 00:13:5f:04:bd:05 > 00:e0:81:2e:c1:aa, ethertype IPv4 (0x0800), length 383: (tos 0x0, ttl  56, id 48848, offset 0, flags  [none], proto: TCP (6), length: 369) 72.14.207.99.80 > x.x.x.x.2474: P 1:330(329) ack 1102 win 7707
003365 00:13:5f:04:bd:05 > 00:e0:81:2e:c1:aa, ethertype IPv4 (0x0800), length 1484: (tos 0x0, ttl  54, id 5049, offset 0, flags  [none], proto: TCP (6), length: 1470) 64.233.179.99.80 > x.x.x.x.2472: . 1:1431(1430) ack 944 win 6797
001463 00:13:5f:04:bd:05 > 00:e0:81:2e:c1:aa, ethertype IPv4 (0x0800), length 1484: (tos 0x0, ttl  54, id 5050, offset 0, flags  [none], proto: TCP (6), length: 1470) 64.233.179.99.80 > x.x.x.x.2472: . 1431:2861(1430) ack 944 win 6797
000478 00:e0:81:2e:c1:aa > 00:13:5f:04:bd:05, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl  63, id 55498, offset 0, flags  [DF], proto: TCP (6), length: 40, bad cksum 0 (->4d3c)!) x.x.x.x.2472 > 64.233.179.99.80: ., cksum 0xa354 (correct), ack 2861 win 65535
000694 00:13:5f:04:bd:05 > 00:e0:81:2e:c1:aa, ethertype IPv4 (0x0800), length 348: (tos 0x0, ttl  54, id 5051, offset 0, flags  [none], proto: TCP (6), length: 334) 64.233.179.99.80 > x.x.x.x.2472: P 2861:3155(294) ack 944 win 6797
002086 00:e0:81:2e:c1:aa > 00:13:5f:04:bd:05, ethertype IPv4 (0x0800), length 841: (tos 0x0, ttl  63, id 55503, offset 0, flags  [DF], proto: TCP (6), length: 827, bad cksum 0 (->4a24)!) x.x.x.x.2471 > 64.233.179.99.80: P 900:1687(787) ack 26946 win 64330
039910 00:13:5f:04:bd:05 > 00:e0:81:2e:c1:aa, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl  54, id 65197, offset 0, flags  [none], proto: TCP (6), length: 40) 64.233.179.99.80 > x.x.x.x.2471: ., cksum 0xfff1 (correct), ack 1687 win 9270
081626 00:e0:81:2e:c1:aa > 00:13:5f:04:bd:05, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl  63, id 55504, offset 0, flags  [DF], proto: TCP (6), length: 40, bad cksum 0 (->2a11)!) x.x.x.x.2474 > 72.14.207.99.80: ., cksum 0xbef4 (correct), ack 330 win 65206
006714 00:e0:81:2e:c1:aa > 00:13:5f:04:bd:05, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl  63, id 55505, offset 0, flags  [DF], proto: TCP (6), length: 40, bad cksum 0 (->4d35)!) x.x.x.x.2472 > 64.233.179.99.80: ., cksum 0xa354 (correct), ack 3155 win 65241
023252 00:13:5f:04:bd:05 > 00:e0:81:2e:c1:aa, ethertype IPv4 (0x0800), length 1484: (tos 0x0, ttl  54, id 65198, offset 0, flags  [none], proto: TCP (6), length: 1470) 64.233.179.99.80 > x.x.x.x.2471: . 26946:28376(1430) ack 1687 win 9270
001610 00:13:5f:04:bd:05 > 00:e0:81:2e:c1:aa, ethertype IPv4 (0x0800), length 1460: (tos 0x0, ttl  54, id 65199, offset 0, flags  [none], proto: TCP (6), length: 1446) 64.233.179.99.80 > x.x.x.x.2471: P 28376:29782(1406) ack 1687 win 9270
000456 00:e0:81:2e:c1:aa > 00:13:5f:04:bd:05, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl  63, id 55506, offset 0, flags  [DF], proto: TCP (6), length: 40, bad cksum 0 (->4d34)!) x.x.x.x.2471 > 64.233.179.99.80: ., cksum 0x1914 (correct), ack 29782 win 65535
000861 00:13:5f:04:bd:05 > 00:e0:81:2e:c1:aa, ethertype IPv4 (0x0800), length 1484: (tos 0x0, ttl  54, id 65200, offset 0, flags  [none], proto: TCP (6), length: 1470) 64.233.179.99.80 > x.x.x.x.2471: . 29782:31212(1430) ack 1687 win 9270
036857 00:13:5f:04:bd:05 > 00:e0:81:2e:c1:aa, ethertype IPv4 (0x0800), length 116: (tos 0x0, ttl  54, id 65201, offset 0, flags  [none], proto: TCP (6), length: 102) 64.233.179.99.80 > x.x.x.x.2471: P 31212:31274(62) ack 1687 win 9270
000164 00:e0:81:2e:c1:aa > 00:13:5f:04:bd:05, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl  63, id 55507, offset 0, flags  [DF], proto: TCP (6), length: 40, bad cksum 0 (->4d33)!) x.x.x.x.2471 > 64.233.179.99.80: ., cksum 0x1340 (correct), ack 31274 win 65535
_______________________________________________
freebsd-ipfw at freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
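The exchange above turns on what ipfw's "established" option actually matches and on the order in which rule 00900 (check-state) and rule 01000 see a packet. The following is an added illustration, not code from the thread or from FreeBSD: it parses the TCP portion of a few capture lines from the post (rejoined onto one line each, with the Ethernet and IP headers dropped) and walks them through a deliberately simplified model of rules 00900 to 01300 of the posted ruleset. The model is an assumption on two points: the divert rule 00800 and the interface-matched rule 01100 are left out because the capture lines carry no interface information, and the dynamic-rule table is reduced to a set of flow keys with no timeouts.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: the TCP portion of the first six capture lines from the
# post, one segment per line. Real hosts are masked as x.x.x.x in the original
# and stay that way here.
CAPTURE = """\
x.x.x.x.2471 > 64.233.179.99.80: ., cksum 0x2bf0 (correct), ack 26946 win 64330
x.x.x.x.2474 > 72.14.207.99.80: S, cksum 0xf365 (correct), 2296693740:2296693740(0) win 65535 <mss 1460,nop,nop,sackOK>
72.14.207.99.80 > x.x.x.x.2474: S, cksum 0x8043 (correct), 2154814567:2154814567(0) ack 2296693741 win 5720 <mss 1430,nop,nop,sackOK>
x.x.x.x.2474 > 72.14.207.99.80: ., cksum 0xc341 (correct), ack 1 win 65535
x.x.x.x.2474 > 72.14.207.99.80: P 1:1102(1101) ack 1 win 65535
72.14.207.99.80 > x.x.x.x.2474: ., cksum 0xa0d9 (correct), ack 1102 win 7707
"""

# Old-style tcpdump TCP line: "src.sport > dst.dport: FLAGS ..." where FLAGS is
# "." (none) or letters such as S, P, F, R; "ack N" appears later when ACK is set.
SEG_RE = re.compile(
    r"(?P<src>[\w.]+)\.(?P<sport>\d+) > (?P<dst>[\w.]+)\.(?P<dport>\d+): "
    r"(?P<flags>[SPFRWEU.]+)(?P<rest>.*)"
)


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool
    ack: bool
    rst: bool


def parse_capture(text):
    """Parse the TCP lines of a tcpdump capture into Segment records."""
    segments = []
    for line in text.splitlines():
        m = SEG_RE.search(line)
        if not m:
            continue
        flags = m.group("flags")
        segments.append(Segment(
            src=m.group("src"), sport=int(m.group("sport")),
            dst=m.group("dst"), dport=int(m.group("dport")),
            syn="S" in flags,
            ack=re.search(r"\back \d+", m.group("rest")) is not None,
            rst="R" in flags,
        ))
    return segments


def established(seg):
    """ipfw's 'established' option: a TCP segment with RST or ACK set, i.e. anything but a bare SYN."""
    return seg.rst or seg.ack


def flow_key(seg):
    """Direction-independent key standing in for the dynamic rule that keep-state creates (assumption)."""
    return frozenset({(seg.src, seg.sport), (seg.dst, seg.dport)})


def evaluate(segments, rule_1000_action="deny", allowed_ports=(80, 443)):
    """Walk segments through a model of rules 00900-01300 of the posted ruleset.

    Returns one (rule, action) pair per segment. rule_1000_action lets the
    reader compare the posted "deny" with the "allow" suggested in the reply.
    """
    state = set()
    verdicts = []
    for seg in segments:
        key = flow_key(seg)
        if key in state:                      # 00900 check-state
            verdicts.append(("00900", "allow"))
        elif established(seg):                # 01000 tcp from any to any established
            verdicts.append(("01000", rule_1000_action))
        elif seg.dport in allowed_ports:      # 01200 / 01300 ... keep-state
            state.add(key)                    # the SYN creates the dynamic rule
            verdicts.append(("01200" if seg.dport == 80 else "01300", "allow"))
        else:                                 # 02000 deny log ... ip from any to any
            verdicts.append(("02000", "deny"))
    return verdicts


def rule_hits(verdicts):
    """Per-rule packet counters, like the second column of 'ipfw show'."""
    return Counter(rule for rule, _ in verdicts)


if __name__ == "__main__":
    segs = parse_capture(CAPTURE)
    for seg, (rule, action) in zip(segs, evaluate(segs)):
        print(f"{seg.src}.{seg.sport} > {seg.dst}.{seg.dport}: "
              f"established={established(seg)} -> rule {rule} {action}")
    print(rule_hits(evaluate(segs)))
```

Run against the sample, only the bare SYN on port 2474 escapes "established"; it matches rule 01200 and creates state, after which every later segment of that connection, in both directions, is taken by check-state at 00900 and never reaches 01000. The first segment, an ACK on port 2471 whose SYN lies before the start of the capture, has no state in the model and so lands on rule 01000, which is exactly the kind of packet that rule's counter records: an ACK-bearing segment for which no dynamic entry exists at that moment, whatever the reason the entry is missing.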