can ping, can't download through firewall

Garry Hill garry at ascii-turf.net
Thu Dec 4 12:31:58 PST 2003


thanks for the advice. 

>natd_interface=" rl0"    fix this statement   there should not be
>space between first quote and rl0    "  rl0"  "rl0"

the space comes from me copying and pasting from a website, not from my config files. that space was never in my config files.

>What happens if you boot using the original generic kernel with no
>firewall enable statements in rc.conf?  IE: kernel without IPFW or
>IPFILTER compiled in. Do you have total access to public internet

with generic kernel and no firewall it's the same situation. pingo-rama but no downloads. 

the response isn't even consistent. doing a "fetch -v http://207.126.111.202/index.html" (which is rheet.mozilla.or), it sometimes (more often than not) gets to "requesting http://..." and no further, but sometimes it gets as far as "receiving..." and never gets more than 1024 bytes.

but, the good news is, i figured it out. after all that, it was the bloody cable. ifconfig was showing "100baseTX" but not "100baseTX <full-duplex>", but what really pointed it out was the lack of a link status light when i tried a different ethernet card. so somewhere in that cable something is broken, i just don't know where. changing the plastic bits hasn't helped. the strangest thing is that it works (is working right now) without a hitch here on my mac - must be that the mac drivers/nic are more robust/less fussy than the i386/8139/freebsd counterparts. i don't know enough about full- or half-duplex to make more sense out of it.

so, after two days of racking my brains and beating my head against various bits of brick and styrofoam padding we're back on track. 

thanks again,

g

>What happens if you boot using the original generic kernel with no
>firewall enable statements in rc.conf?  IE: kernel without IPFW or
>IPFILTER compiled in. Do you have total access to public internet
>from your gateway box? [ie will  lynx http://www.website.com work]
>If so then, add the rc.conf enable statements for the
>firewall of your choice and the firewall loadable module will be
>dynamically loaded at boot time. See if this makes any difference.
>If not then problem is not in the creation of new kernel, but in the
>firewall rules you are using.
>
>natd_interface=" rl0"    fix this statement   there should not be
>space between first quote and rl0    "  rl0"  "rl0"
>
>Change this rule "allow ip from any to any" to "allow log ip from any
>to any"
>And only test one outbound service like  lynx http://www.website.com
>and then check your log to see what happened. BE careful this will
>generate a lot of log msgs.
>
>-----Original Message-----
>From: owner-freebsd-questions at freebsd.org
>[mailto:owner-freebsd-questions at freebsd.org]On Behalf Of Garry Hill
>Sent: Thursday, December 04, 2003 10:53 AM
>To: FreeBSD
>Subject: can ping, can't download through firewall
>
>
>hi,
>
>i'm a reasonably experienced linux/bsd user - i've installed a few
>boxes in my time and usually with a good level of success. but this
>time i'm stumped/jiggered.
>
>i'm trying to set up a freebsd gateway to share my cable modem
>connection.
>
>from the gateway itself i can ping the world, from the attached
>clients i can ping the world, i can even do dns lookups. doing:
>
>curl --head http://www.website.com
>
>gives me a good-looking header and everything, but if i do
>
>lynx http://www.website.com
>
>no joy. i get:
>
>HTTP request sent; waiting for response.
>
>and it stops there. this is true from both the clients and the
>gateway itself. i just can't download anything for all the pings in
>the world.
>
>my current set up is
>
>-- kernel config:
>
>options IPFIREWALL
>options IPDIVERT
>options IPFIREWALL_DEFAULT_TO_ACCEPT
>options IPFIREWALL_VERBOSE
>options IPFIREWALL_VERBOSE_LIMIT=10
>
>-- /etc/rc.conf
>
>gateway_enable="YES"
>firewall_enable="YES"
>firewall_type="OPEN"
>natd_enable="YES"
>natd_interface=" rl0"
>natd_flags=""
>
>which are both straight out of the handbook.
>
>-- ipfw -a list
>00050 1844 130026 divert 8668 ip from any to any via rl0
>00100   96  11166 allow ip from any to any via lo0
>00200    0      0 deny ip from any to 127.0.0.0/8
>00300    0      0 deny ip from 127.0.0.0/8 to any
>65000 2481 200907 allow ip from any to any
>65535    0      0 allow ip from any to any
>
>i've tried the same thing using ipfilter and ipnat instead of natd
>and ipfw - with the same results.
>
>ethernet cards - a pair of 8139's - rl0 external, rl1 internal. as
>far as i can tell they work fine. on the internal network the pings
>are 100% - i can ftp, ssh, the works without problem.
>
>i've noticed that if i turn on the firewall my pings to the isp's
>router are much much less reliable, sometimes losing 30%+ of the
>packets but generally degraded compared to the setup with no
>firewall enabled.
>
>the firewall stats show that everything is passing ok.
>
>i really don't know what's going on. unfortunately my web searches
>have turned up nothing similar.
>
>does anyone have any ideas/comments/suggestions/experience of the
>same? is it the network cards? pings from the client machine when
>connected directly work perfectly but from the gateway are at best a
>little dodgy - losing 15% of the packets. is there some
>incompatibility between the network card and the router?
>
>oh, and install is FreeBSD 4.9-RELEASE
>
>any help greatly appreciated. it's doing my head in.
>
>Garry
>_______________________________________________
>freebsd-questions at freebsd.org mailing list
>http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>To unsubscribe, send any mail to
>"freebsd-questions-unsubscribe at freebsd.org"
>

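The thread's symptom (pings fine, DNS fine, TCP transfers hang after about 1 KB, and finally a cable that negotiated "100baseTX" without "<full-duplex>") is the classic signature of a link that drops large frames. The script below is an added example written for this page, not code from the original post or from FreeBSD: it bundles the three checks a practitioner would run in that situation. The sample ifconfig text and rc.conf lines are constructed; PROBE_CMD is a hypothetical hook so the size sweep can be exercised without a network, and the default probe uses FreeBSD ping's -D (don't-fragment) flag, which on Linux would be `-M do` instead.

```shell
#!/bin/sh
# Added diagnostic helpers for "ping works but downloads stall". Not part of the
# original thread. Sample data below is constructed; PROBE_CMD is a hypothetical
# hook for testing the sweep offline.

# 1. Duplex as negotiated on an interface. FreeBSD ifconfig prints a line such as
#    "media: Ethernet autoselect (100baseTX <full-duplex>)"; the same line with a
#    bare "100baseTX" means half duplex. A half/full mismatch or a damaged pair
#    passes small pings and loses full-size frames, exactly the symptom above.
# Usage: duplex_of "$(ifconfig rl0)"   -> prints full | half | unknown
duplex_of() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*media:/ {
            if (index($0, "<full-duplex>")) { print "full"; found = 1; exit }
            if (index($0, "base"))          { print "half"; found = 1; exit }
        }
        END { if (!found) print "unknown" }'
}

# 2. rc.conf values with stray whitespace inside the quotes, e.g.
#    natd_interface=" rl0", which the reply in the thread asked to be checked.
#    Values that merely contain spaces (ifconfig_rl1="inet ... netmask ...") are fine.
# Usage: rcconf_space_lint /etc/rc.conf   -> prints offending variable names
rcconf_space_lint() {
    grep -E '^[A-Za-z0-9_]+="([[:space:]][^"]*|[^"]*[[:space:]])"' "$1" 2>/dev/null \
        | sed -E 's/=.*//'
}

# 3. Largest ICMP payload that gets through with DF set. 1472 bytes of payload
#    plus 28 bytes of IP+ICMP header is a full 1500-byte frame; a ceiling far
#    below that on a LAN/cable link points at the NIC, duplex or cabling rather
#    than the firewall. PROBE_CMD must succeed when $2 bytes reach host $1.
#    Note: with -c 1 each failed probe waits for ping's own reply timeout.
default_probe() { ping -c 1 -D -s "$2" "$1" >/dev/null 2>&1; }
PROBE_CMD=${PROBE_CMD:-default_probe}

# Usage: max_df_payload host [lo] [hi]   -> prints the largest passing size (0 if none)
max_df_payload() {
    host=$1; lo=${2:-0}; hi=${3:-1472}; best=0
    # Binary search; assumes that once a size fails, every larger size fails too.
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if "$PROBE_CMD" "$host" "$mid"; then
            best=$mid; lo=$((mid + 1))
        else
            hi=$((mid - 1))
        fi
    done
    echo "$best"
}

# Constructed ifconfig output resembling the half-duplex case from the thread;
# on a real gateway use "$(ifconfig rl0)" instead.
SAMPLE_IFCONFIG='rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 10.0.0.2 netmask 0xffffff00 broadcast 10.0.0.255
        ether 00:00:00:00:00:01
        media: Ethernet autoselect (100baseTX)
        status: active'

[ "$(duplex_of "$SAMPLE_IFCONFIG")" = half ] && \
    echo "rl0 negotiated half duplex: suspect the cable or a duplex mismatch first"
```

On a live box the sequence is: run the duplex check on the external interface, lint rc.conf, then sweep sizes against the ISP router (`max_df_payload <router-ip>`). A ceiling near 1472 with the firewall loaded and a stalled fetch means the rules deserve the `allow log` treatment suggested in the reply; a ceiling of a few hundred bytes with the generic kernel, as here, means stop looking at ipfw.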