Long-running connections stop working through a FreeBSD 5.1R firewall/NAT box...

Douglas Carmichael dcarmich at mail.ourservers.net
Thu Sep 11 21:50:48 PDT 2003


System: FreeBSD 5.1-RELEASE running as a firewall (ipfw) and NAT for
192.168.1.0/24
Interfaces: xl0 (internal interface, 192.168.1.1)
            sis0 (cable modem interface) (address assigned by DHCP)

HTTP connections across the firewall work fine (i.e. web browsing) and I can
maintain a connection to a streaming radio station just fine from my
PowerBook inside the firewall, but AIM, ICQ, and Yahoo Messenger seem to
stay up for a while and then just unexpectedly disconnect (the client
has to reconnect). What could be the problem? (Sometimes, after a while, message traffic doesn't come in and I have to restart the clients on my end to be able to use the 'messengers' in question.)

Also, start an SSH session and it will randomly 'lock up.' (But you can initiate other stuff after it's locked up.)

I looked in my /var/log/security and I see nothing being denied that should be allowed.

Also, conventional FTP doesn't work from my PowerBook inside
the firewall, even with '-use_sockets' enabled in natd.
Any ideas? Thanks.

Here's my /etc/firewall/fwrules:
#!/bin/sh

# Define the firewall command (as in /etc/rc.firewall) for easy
# reference.  Helps to make it easier to read.
fwcmd="/sbin/ipfw"
inside_if="xl0"
outside_if="sis0"

# Force a flushing of the current rules before we reload.
$fwcmd -f flush

# Divert all packets through the outside interface.
$fwcmd add divert natd all from any to any via $outside_if

# Allow all connections that have dynamic rules built for them,
# but deny established connections that don't have a dynamic rule.
# See ipfw(8) for details.
$fwcmd add check-state
$fwcmd add deny tcp from any to any established

# Allow all localhost connections
$fwcmd add allow tcp from me to any out via lo0 setup keep-state
$fwcmd add deny  tcp from me to any out via lo0
$fwcmd add allow ip  from me to any out via lo0 keep-state

# Allow all connections from my network card that I initiate
$fwcmd add allow tcp from me to any out xmit any setup keep-state
$fwcmd add deny  tcp from me to any
$fwcmd add allow ip from me to any out xmit any keep-state

# Everyone on the Internet is allowed to connect to the following
# services on the machine. 
$fwcmd add allow tcp from any to me dst-port 2100 in recv any setup keep-state

# This sends a RESET to all ident packets.
$fwcmd add reset log tcp from any to me 113 in recv any

# Enable DHCP
$fwcmd add allow udp from any 68 to any 67 out xmit $outside_if
$fwcmd add allow udp from any 67 to any 68 in recv $outside_if

# Enable ICMP: remove type 8 if you don't want your host to be pingable
$fwcmd add allow icmp from any to any icmptypes 0,3,8,11,12,13,14

# Enable IP from our internal network to reach us
$fwcmd add allow ip from 192.168.1.0:255.255.255.0 to any in via $inside_if keep-state
# (Note: without this rule, _no_ traffic can reach 192.168.1.1 from the internal network)

# Deny all the rest.
$fwcmd add deny log ip from any to any
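The `check-state` / `deny tcp from any to any established` pair above means a packet on an already-open TCP session is only accepted while a dynamic rule for it still exists. The following toy model, added here as an illustration and not code from the post or from FreeBSD, walks those rules for a single flow and shows how an idle long-lived session is refused once its dynamic rule ages out. It assumes dynamic rules for established TCP expire after an idle period (the `net.inet.ip.fw.dyn_ack_lifetime` sysctl in ipfw2; the 300 s default used here is an assumption), omits the natd address rewrite, and uses constructed addresses and timings. Whether this is the cause of the disconnects reported above cannot be determined from the post; the model only shows the mechanism the ruleset makes possible.

```python
"""Toy model of the stateful TCP rule walk from the posted fwrules.

Added illustration, not FreeBSD code. Assumed: dynamic rules expire after an
idle period (ack_lifetime below stands in for net.inet.ip.fw.dyn_ack_lifetime;
the 300 s default is an assumption). natd rewriting is left out.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool
    ack: bool
    t: float  # seconds on a constructed timeline

    def endpoints(self):
        # Dynamic rules match both directions, so the key is order-independent.
        return frozenset([(self.src, self.sport), (self.dst, self.dport)])


class StateTable:
    """Minimal stand-in for ipfw's dynamic rule table."""

    def __init__(self, ack_lifetime=300.0, syn_lifetime=20.0):
        self.ack_lifetime = ack_lifetime
        self.syn_lifetime = syn_lifetime
        self.expiry = {}  # endpoints -> absolute time the entry ages out

    def _purge(self, now):
        for k in [k for k, exp in self.expiry.items() if exp <= now]:
            del self.expiry[k]

    def check_state(self, pkt):
        """'check-state': match a live dynamic rule and refresh its lifetime."""
        self._purge(pkt.t)
        k = pkt.endpoints()
        if k not in self.expiry:
            return False
        life = self.syn_lifetime if pkt.syn else self.ack_lifetime
        self.expiry[k] = pkt.t + life
        return True

    def keep_state(self, pkt):
        """'setup keep-state': create a dynamic rule for a new connection."""
        self.expiry[pkt.endpoints()] = pkt.t + self.syn_lifetime


def walk_rules(table, pkt):
    """Walk the three rules from the post that decide a TCP packet's fate."""
    if table.check_state(pkt):
        return "allow (check-state)"
    if pkt.ack and not pkt.syn:
        return "deny (established, no dynamic rule)"
    if pkt.syn and not pkt.ack:
        table.keep_state(pkt)
        return "allow (setup keep-state)"
    return "deny (default)"


def simulate(idle_gap, ack_lifetime=300.0):
    """Open one flow, send data at t=1, then send again after idle_gap seconds."""
    table = StateTable(ack_lifetime=ack_lifetime)
    # Constructed flow: a LAN host talking to a messaging server port.
    flow = dict(src="192.168.1.10", sport=50000, dst="203.0.113.5", dport=5190)
    pkts = [
        Packet(**flow, syn=True, ack=False, t=0.0),
        Packet(**flow, syn=False, ack=True, t=1.0),
        Packet(**flow, syn=False, ack=True, t=1.0 + idle_gap),
    ]
    return [walk_rules(table, p) for p in pkts]


if __name__ == "__main__":
    for gap, life in ((60, 300.0), (600, 300.0), (600, 3600.0)):
        print(f"idle {gap:4d}s, lifetime {life:6.0f}s ->", simulate(gap, life)[-1])
```

The third run shows the two obvious responses when a site relies on idle sessions: raise the dynamic rule lifetime, or make the endpoints send traffic before it expires (TCP keepalives do this). Either way, the rule that actually drops the late packet is the `deny ... established` line, which is also the line that will show up in the log if `log` is added to it.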

Here's my /etc/rc.conf:

# -- sysinstall generated deltas -- # Thu Sep 11 11:52:46 2003
# Created: Thu Sep 11 11:52:46 2003
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.
gateway_enable="YES"
hostname="bsdserver.carmichael.lan"
ifconfig_xl0="inet 192.168.1.1 netmask 255.255.255.0 media 100BaseTX"
ifconfig_sis0="DHCP"
inetd_enable="YES"
inetd_flags="-wW -l -a 192.168.1.1"
firewall_enable="YES"
firewall_script="/etc/firewall/fwrules"
natd_enable="YES"
natd_interface="sis0"
natd_flags="-dynamic -use_sockets"
isc_dhcpd_enable="YES"
isc_dhcpd_program="/usr/local/sbin/dhcpd"
isc_dhcpd_flags="-q xl0"
moused_enable="NO"
named_enable="YES"
icmp_drop_redirect="YES"
icmp_log_redirect="YES"
syslogd_flags="-s -s"
kern_securelevel_enable="NO"
sendmail_enable="NONE"
sshd_enable="YES"
usbd_enable="NO"
