Problems with IPFW causing failed DNS and FTP sessions

Don O'Neil lists at lizardhill.com
Mon Apr 1 04:34:17 UTC 2013


Thanks for the response... here's my full ruleset:

# ipfw list
00100 check-state
00101 allow tcp from any to any established
00102 allow ip from any to any out keep-state
00103 allow icmp from any to any
00201 allow ip from any to any via lo0
00202 allow ip from any to 127.0.0.0/8
00203 allow ip from 127.0.0.0/8 to any
00204 deny tcp from any to any frag
00301 deny log logamount 50 ip from any to any ipoptions rr
00302 deny log logamount 50 ip from any to any ipoptions ts
00303 deny log logamount 50 ip from any to any ipoptions lsrr
00304 deny log logamount 50 ip from any to any ipoptions ssrr
00305 deny log logamount 50 tcp from any to any tcpflags syn,fin
00306 deny log logamount 50 tcp from any to any tcpflags syn,rst
01110 allow tcp from any to any dst-port 20 in
01111 allow tcp from any to any dst-port 20 out
01112 allow tcp from any to any dst-port 21 in
01113 allow tcp from any to any dst-port 21 out
01114 allow tcp from any to any dst-port 990 in
01115 allow tcp from any to any dst-port 990 out
01116 allow udp from any to any dst-port 990 in
01117 allow udp from any to any dst-port 990 out
01118 allow tcp from any to any dst-port 989 in
01119 allow tcp from any to any dst-port 989 out
01120 allow udp from any to any dst-port 989 in
01121 allow udp from any to any dst-port 989 out
01122 allow tcp from any to any dst-port 1024-65000 keep-state
01125 allow tcp from any to any dst-port 22 in
01126 allow tcp from any to any dst-port 22 out
01130 allow tcp from any to any dst-port 25 in
01131 allow tcp from any to any dst-port 25 out
01132 allow tcp from any to any dst-port 587 in
01133 allow tcp from any to any dst-port 587 out
01134 allow tcp from any to any dst-port 2525 in
01135 allow tcp from any to any dst-port 2525 out
01140 allow tcp from any to any dst-port 110 in
01141 allow tcp from any to any dst-port 110 out
01142 allow tcp from any to any dst-port 995 in
01143 allow tcp from any to any dst-port 995 out
01144 allow tcp from any to any dst-port 2110 in
01145 allow tcp from any to any dst-port 2110 out
01150 allow tcp from any to any dst-port 143 in
01151 allow tcp from any to any dst-port 143 out
01152 allow tcp from any to any dst-port 993 in
01153 allow tcp from any to any dst-port 993 out
01160 allow udp from any to any dst-port 53 in keep-state
01161 allow tcp from any to any dst-port 53 in keep-state
01162 allow udp from any to any dst-port 53 out keep-state
01163 allow tcp from any to any dst-port 53 out keep-state
01170 allow tcp from any to any dst-port 80 in
01171 allow tcp from any to any dst-port 80 out
01172 allow tcp from any to any dst-port 443 in
01172 allow tcp from any to any dst-port 443 out
01180 allow tcp from any to any dst-port 2222 in
01181 allow tcp from any to any dst-port 2222 out
65535 deny ip from any to any


I've tried these rules:

01160 allow udp from any to any dst-port 53 in
01161 allow tcp from any to any dst-port 53 in
01162 allow udp from any to any dst-port 53 out
01163 allow tcp from any to any dst-port 53 out

without the keep-state option, and the problem still persists...

The weird thing is that I've run these rules for a number of years without
any issues until just recently. I've checked my interface stats to make sure
there aren't a bunch of fragmented packets or errors, and there aren't. I'm
not running NAT; it's a publicly accessible IP address.
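One check worth making before rewriting anything, added here and not part of the thread: whether ipfw's dynamic-rule table is the bottleneck. Rule 00102 above creates a dynamic entry for every outbound packet that check-state did not already match, and a keep-state rule that cannot install a new entry because the table is full drops that packet, which looks exactly like DNS lookups that sometimes work and sometimes time out. The script below (example code, not from the poster or FreeBSD) parses the two FreeBSD sysctls that size the table and summarises `ipfw -d list` by owning rule and protocol; the sample outputs embedded in it are constructed, and the `STATE` line layout is assumed from the ipfw(8) output of that era.

```shell
#!/bin/sh
# Added diagnostic, not from the thread.  A keep-state rule that cannot install
# a new dynamic entry (table full) drops the packet, and UDP DNS is the traffic
# most likely to notice.  The sysctls below (FreeBSD names) show how full the
# table is, and "ipfw -d list" shows which rule owns the entries.  Sample
# outputs here are constructed, not captured from the poster's server.

# Percentage of the dynamic table in use.
dyn_usage_pct() {
    count=$1; max=$2
    [ "$max" -gt 0 ] || { echo 0; return; }
    echo $(( count * 100 / max ))
}

# Reads "sysctl net.inet.ip.fw.dyn_count net.inet.ip.fw.dyn_max" output
# (lines like "net.inet.ip.fw.dyn_count: 4090") on stdin, prints "count max".
parse_dyn_sysctl() {
    awk -F': ' '/dyn_count:/ { c = $2 } /dyn_max:/ { m = $2 } END { print c, m }'
}

# Reads "ipfw -d list" on stdin and counts dynamic entries per parent rule and
# protocol.  Assumed entry shape (FreeBSD 8/9 ipfw):
#   00102       3      300 (4s) STATE udp 203.0.113.10 50123 <-> 8.8.8.8 53
summarize_states() {
    awk '$5 == "STATE" { n[$1 " " $6]++ } END { for (k in n) print k, n[k] }' \
        | LC_ALL=C sort
}

# Constructed sample data (the table is almost full).
SAMPLE_SYSCTL='net.inet.ip.fw.dyn_count: 4090
net.inet.ip.fw.dyn_max: 4096'

SAMPLE_DYN='00100 check-state
00102 allow ip from any to any out keep-state
## Dynamic rules (4):
00102       3      300 (4s) STATE udp 203.0.113.10 50123 <-> 8.8.8.8 53
00102       5      500 (9s) STATE udp 203.0.113.10 50124 <-> 8.8.4.4 53
01160       2      180 (3s) STATE udp 198.51.100.7 41234 <-> 203.0.113.10 53
00102      40    12000 (60s) STATE icmp 203.0.113.10 0 <-> 192.0.2.9 0'

# Verdict line for a sysctl dump passed as $1: WARN at 90% or more.
check_dyn_table() {
    set -- $(printf '%s\n' "$1" | parse_dyn_sysctl)
    pct=$(dyn_usage_pct "$1" "$2")
    if [ "$pct" -ge 90 ]; then
        echo "WARN dynamic table ${pct}% full ($1/$2): new keep-state entries fail and those packets are dropped"
    else
        echo "OK dynamic table ${pct}% full ($1/$2)"
    fi
}

check_dyn_table "$SAMPLE_SYSCTL"
printf '%s\n' "$SAMPLE_DYN" | summarize_states
```

On the live box the same functions read real output: `sysctl net.inet.ip.fw.dyn_count net.inet.ip.fw.dyn_max | parse_dyn_sysctl` and `ipfw -d list | summarize_states`. If the count sits near the maximum, the per-rule breakdown says which keep-state rule is manufacturing the entries; raising `net.inet.ip.fw.dyn_max` buys time, but the fix is to stop creating state for traffic the server merely answers.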

-----Original Message-----
From: Michael Sierchio [mailto:kudzu at tenebras.com] 
Sent: Sunday, March 31, 2013 8:58 PM
To: Don O'Neil
Cc: freebsd-questions at freebsd.org
Subject: Re: Problems with IPFW causing failed DNS and FTP sessions

It would be really helpful if you'd post the ruleset.

At first glance, your stateful rules seem rather wrong, unless there's a
check-state above.  Also, in and out aren't discriminating enough - every
packet is seen by the ruleset more than once.  You should think in terms of
interfaces, direction, etc.

Are you doing NAT?  Stateful rules with NAT are indeed possible, but subtle.

Your problem has nothing to do with server load, and probably everything to
do with a not-terribly-well-conceived ruleset.  Please post yours here.

- M
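What the reply above is asking for, written out as an added example (not from either poster, and not FreeBSD's rc.firewall): the same services as the posted ruleset, with check-state ahead of every stateful rule, every `in`/`out` rule bound to a named interface with `recv`/`xmit`, no dynamic state for connections the server merely answers, and a logging deny in front of the silent default rule. Assumed and adjustable: the public interface is `em0`, the box serves authoritative DNS on port 53 (the posted rules allow 53 inbound), and the FTP daemon's passive range is 49152-65535. By default the script only prints the rules; `IPFW=/sbin/ipfw` makes it load them.

```shell
#!/bin/sh
# Added example, not from the thread.  Dry run by default (prints the rules);
# run with IPFW=/sbin/ipfw to load them.  Interface, DNS role and passive
# range are assumptions, see the variables below.

fw="${IPFW:-echo}"
oif="${OIF:-em0}"                    # assumed public interface
pasv="${PASV_RANGE:-49152-65535}"    # assumed FTP passive port range
tcp_services="21,22,25,53,80,110,143,443,587,993,995,2110,2222,2525"

gen_rules() {
    # Loopback first; then nothing else may claim 127/8 (the posted 00202/00203
    # allowed it from anywhere).
    $fw add 100 allow ip from any to any via lo0
    $fw add 110 deny ip from any to 127.0.0.0/8
    $fw add 120 deny ip from 127.0.0.0/8 to any
    # The posted hygiene rules, collapsed: source routing / timestamps, bogus
    # flag combinations, TCP fragments.
    $fw add 130 deny log logamount 50 ip from any to any ipoptions rr,ts,lsrr,ssrr
    $fw add 140 deny log logamount 50 tcp from any to any tcpflags syn,fin
    $fw add 150 deny log logamount 50 tcp from any to any tcpflags syn,rst
    $fw add 160 deny tcp from any to any frag

    # Dynamic state is consulted before any other decision is made.
    $fw add 200 check-state

    # Server side, stateless: the inbound SYN is matched on the public interface
    # only, the rest of the connection rides on "established".  No dynamic
    # entry per client, so a busy web/mail server cannot fill the state table.
    $fw add 300 allow tcp from any to any established via $oif
    $fw add 310 allow tcp from any to me dst-port $tcp_services in recv $oif setup
    $fw add 320 allow tcp from any to me dst-port $pasv in recv $oif setup
    # Authoritative DNS: query in, answer out from source port 53, both stateless.
    $fw add 330 allow udp from any to me dst-port 53 in recv $oif
    $fw add 340 allow udp from me 53 to any out xmit $oif
    # Trailing fragments of large UDP answers carry no port header, so no
    # dst-port rule can ever match them; let the host reassemble them.
    $fw add 350 allow udp from any to me in recv $oif frag

    # Client side, stateful: connections this host originates (outbound SMTP,
    # resolver lookups, active-mode FTP data from port 20).  State is created
    # on the first packet only; replies come back through rule 200.
    $fw add 400 allow tcp from me to any out xmit $oif setup keep-state
    $fw add 410 allow udp from me to any out xmit $oif keep-state
    $fw add 420 allow icmp from any to any via $oif

    # Log what the default deny would otherwise swallow silently (needs
    # net.inet.ip.fw.verbose=1; entries land in /var/log/security).
    $fw add 60000 deny log logamount 500 ip from any to any
}

load_rules() {
    $fw -q flush
    gen_rules
}

gen_rules
```

The logging rule at 60000 is the part to keep even if nothing else changes: with it in place, a failed lookup shows up as a concrete dropped packet (address, port, interface, direction) in `/var/log/security` instead of a guess, and `ipfw -a list` shows which rule the rest of the traffic is hitting.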

On Sun, Mar 31, 2013 at 8:34 PM, Don O'Neil <lists at lizardhill.com> wrote:
> Hi everyone. Recently my server started having issues with DNS and FTP
> sessions either not resolving or timing out. I've tracked the issue
> down to IPFW. If I issue a 'sysctl net.inet.ip.fw.enable=0' then my issues
> go away.
>
> I have the basic rules like this for DNS:
>
> 01160 allow udp from any to any dst-port 53 in keep-state
> 01161 allow tcp from any to any dst-port 53 in keep-state
> 01162 allow udp from any to any dst-port 53 out keep-state
> 01163 allow tcp from any to any dst-port 53 out keep-state
>
> When I try an nslookup sometimes they fail, sometimes they get
> through, even if I change my DNS server to Google, my ISP, or even
> OpenDNS. The firewall seems to be causing the issue.
>
> I have about 65 rules in all.
>
> Any ideas what could be causing this? My server load is low, usually
> hovering around .2
>
> How can I look at the actual amount of traffic that the IPFW module is
> processing and track down potential performance issues? My server
> isn't pushing much data, only around 4-5 Mbps sustained.
>
> Thanks!
>
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
> "freebsd-questions-unsubscribe at freebsd.org"
