Greg,
My guess would be to look at rule 00800. I suspect that the network that
you are having problems with is on BGE0. NAT and keep-state do not play
well with each other.
Jason
On Sun, November 4, 2007 4:14 pm, [EMAIL PROTECTED] wrote:
Hmm, I may well be missing something very obvious but rule 01000 seems
to be doing exactly what it says it will. Are you sure you meant deny
rather than allow on rule 01000? It seems very unfriendly to allow
outgoing TCP connections and then the minute they are established deny
any return traffic !! Usually the established test is there to detect
valid incoming traffic associated with your own outgoing safe
connections.
Cheers
John
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of ext Gardner Bell
Sent: Sunday, November 04, 2007 8:51 AM
To: freebsd-ipfw@freebsd.org
Subject: IPFW Problem
I'm hoping some of you can help me out with the problem that I'm having,
as I'm not very good when it comes to networking.
I've recently configured 6.3-PRERELEASE with IPFW/NATD to act as my
LAN's firewall/router. After I initially access certain http sites,
particularly google groups and yahoo web mail, I'm noticing subsequent
attempts take 2 minutes to resolve the next link that I am interested in
reading.
This appears to be caused by rule 01000 as the counter increases each
time I access one of the above mentioned sites.
Short of removing this rule, is there any other way that I can fix this
issue? Below is a listing of my present ruleset and a tcpdump of a
Windows XP machine trying to access a link on google groups.
regards,
Gardner
mx1# ipfw show
00100 76 11134 allow ip from 127.0.0.1 to 127.0.0.1 via lo0
00200 0 0 deny log logamount 10 ip from 127.0.0.1 to any
00300 0 0 deny log logamount 10 ip from any to 127.0.0.1
00400 0 0 deny log logamount 10 ip from any to any not verrevpath in
00500 0 0 deny log logamount 10 ip from any to any ipoptions ssrr,lsrr,rr,ts in
00600 0 0 deny ip from any to any frag
00700 0 0 allow icmp from any to any icmptypes 0,3,11,12
00800 1081 452405 divert 8668 ip from any to any via bge0
00900 0 0 check-state
01000 36 17682 deny tcp from any to any established
01100 2704 853904 allow ip from any to any via bge1 keep-state
01200 262 57586 allow tcp from any to any dst-port 80 keep-state
01300 0 0 allow tcp from any to any dst-port 443 keep-state
01400 102 7752 allow udp from me to any dst-port 123 keep-state
01500 0 0 allow tcp from me to any dst-port 53 setup keep-state
01600 169 30563 allow udp from me to any dst-port 53 keep-state
01700 0 0 allow tcp from any to any dst-port 1863 setup keep-state
01800 0 0 allow log logamount 10 udp from any to 255.255.255.255 dst-port 68 in via bge0
01900 0 0 allow tcp from x.x.x.x to x.x.x.x dst-port 22 keep-state
02000 0 0 deny log logamount 10 ip from any to any
65535 1 396 deny ip from any to any
131219 00:e0:81:2e:c1:aa > 00:13:5f:04:bd:05, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 63, id 55490, offset 0, flags [DF], proto: TCP (6), length: 40, bad cksum 0 (->4d44)!) x.x.x.x.2471 > 64.233.179.99.80: ., cksum 0x2bf0 (correct), ack 26946 win 64330
046227 00:e0:81:2e:c1:aa > 00:13:5f:04:bd:05, ethertype IPv4 (0x0800), length 62: (tos 0x0, ttl 63, id 55493, offset 0, flags [DF], proto: TCP (6), length: 48, bad cksum 0 (->2a14)!) x.x.x.x.2474 > 72.14.207.99.80: S, cksum 0xf365 (correct), 2296693740:2296693740(0) win 65535 <mss 1460,nop,nop,sackOK>
007127 00:13:5f:04:bd:05 > 00:e0:81:2e:c1:aa, ethertype IPv4 (0x0800), length 62: (tos 0x0, ttl 56, id 48846, offset 0, flags [none], proto: TCP (6), length: 48) 72.14.207.99.80 > x.x.x.x.2474: S, cksum 0x8043 (correct), 2154814567:2154814567(0) ack 2296693741 win 5720 <mss 1430,nop,nop,sackOK>
000323 00:e0:81:2e:c1:aa > 00:13:5f:04:bd:05, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 63, id 55494, offset 0, flags [DF], proto: TCP (6), length: 40, bad cksum 0 (->2a1b)!) x.x.x.x.2474 > 72.14.207.99.80: ., cksum 0xc341 (correct), ack 1 win 65535
000293 00:e0:81:2e:c1:aa > 00:13:5f:04:bd:05, ethertype IPv4 (0x0800), length 1155: (tos 0x0, ttl 63, id 55495, offset 0, flags [DF], proto: TCP (6), length: 1141, bad cksum 0 (->25cd)!) x.x.x.x.2474 > 72.14.207.99.80: P 1:1102(1101) ack 1 win 65535
015474 00:13:5f:04:bd:05 > 00:e0:81:2e:c1:aa, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 56, id 48847, offset 0, flags [none], proto: TCP (6), length: 40) 72.14.207.99.80 > x.x.x.x.2474: ., cksum 0xa0d9 (correct), ack 1102 win 7707
000879 00:13:5f:04:bd:05 > 00:e0:81:2e:c1:aa, ethertype IPv4 (0x0800), length 383: (tos 0x0, ttl 56, id 48848, offset 0, flags [none], proto: TCP (6), length: 369) 72.14.207.99.80 > x.x.x.x.2474: P 1:330(329) ack 1102 win 7707
003365 00:13:5f:04:bd:05 > 00:e0:81:2e:c1:aa, ethertype IPv4
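The following is an added example, not code from the thread, from ipfw or from natd. It models the subset of ipfw matching that the posted rules exercise on a TCP/80 flow (static matching, `established`, `setup`, `keep-state`/`check-state`, and a `divert` rule that re-enters at the next rule with the addresses rewritten the way natd would) and reports which rule each packet of one LAN-to-web connection hits: the SYN on both sides of the router, the SYN/ACK coming back through natd, a later ACK while dynamic rules exist, and the same ACK once no dynamic rule matches, which is when a non-SYN packet falls through `check-state` to the `deny tcp from any to any established` rule at 01000 that John and the counters point at. It also shows why the dynamic rules created on the bge1 and bge0 sides of natd are keyed on different addresses, which is the interaction Jason refers to. The LAN client address, the public address on bge0, the 1:1 port mapping in natd and the two-line stand-in for natd itself are assumptions; the rules are a constructed subset of the poster's listing (verrevpath, ipoptions, frag, icmp and udp rules are left out because the model does not implement them).

```python
"""Trace a LAN -> web TCP flow through the posted ipfw ruleset (added example)."""
from collections import Counter
from dataclasses import dataclass, replace

LAN_IF, WAN_IF = "bge1", "bge0"     # per the post: natd diverts on bge0
LAN_HOST = "192.168.1.10"           # assumed client behind the router
PUBLIC_IP = "198.51.100.1"          # assumed public address of bge0
WEB = "72.14.207.99"                # server address from the posted tcpdump

# Constructed input: the rules from the poster's `ipfw show` that a TCP
# packet to port 80 can reach, counters stripped, syntax unchanged.
RULESET = """
00800 divert 8668 ip from any to any via bge0
00900 check-state
01000 deny tcp from any to any established
01100 allow ip from any to any via bge1 keep-state
01200 allow tcp from any to any dst-port 80 keep-state
02000 deny log logamount 10 ip from any to any
"""

@dataclass(frozen=True)
class Packet:
    src: str; sport: int; dst: str; dport: int
    flags: frozenset                 # subset of {"S", "A", "F", "R"}
    iface: str = ""; direction: str = ""; proto: str = "tcp"

@dataclass
class Rule:
    num: int; action: str            # allow / deny / divert / check-state
    proto: str = "ip"; iface: str = ""; dport: int = 0
    established: bool = False; setup: bool = False; keep_state: bool = False

def parse_rule(line):
    """Parse the subset of `ipfw show` syntax used in RULESET."""
    toks = line.split()
    r = Rule(num=int(toks[0]), action=toks[1])
    i = 3 if r.action == "divert" else 2          # skip the divert port
    while i < len(toks):
        t = toks[i]
        if t in ("ip", "tcp", "udp", "icmp"): r.proto = t
        elif t == "from": i += 3                  # only 'from any to any' here
        elif t == "via": r.iface = toks[i + 1]; i += 1
        elif t == "dst-port": r.dport = int(toks[i + 1]); i += 1
        elif t == "logamount": i += 1             # 'log logamount N'
        elif t == "established": r.established = True
        elif t == "setup": r.setup = True
        elif t == "keep-state": r.keep_state = True
        i += 1
    return r

class Firewall:
    def __init__(self, ruleset):
        self.rules = [parse_rule(l) for l in ruleset.strip().splitlines()]
        self.states = set()      # dynamic rules, keyed on the 5-tuple
        self.nat = {}            # natd table: (lan_ip, lan_port) -> public port
        self.hits = Counter()    # packets per rule, like the `ipfw show` counters

    @staticmethod
    def key(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    def has_state(self, p):      # dynamic rules match in both directions
        return (self.key(p) in self.states
                or (p.proto, p.dst, p.dport, p.src, p.sport) in self.states)

    def natd(self, p):
        """Stand-in for natd: rewrite source going out, destination coming in."""
        if p.direction == "out":
            self.nat[(p.src, p.sport)] = p.sport   # assumed 1:1 port mapping
            return replace(p, src=PUBLIC_IP)
        for (lan_ip, lan_port), pub_port in self.nat.items():
            if p.dst == PUBLIC_IP and p.dport == pub_port:
                return replace(p, dst=lan_ip, dport=lan_port)
        return p

    @staticmethod
    def matches(r, p):
        if r.proto != "ip" and r.proto != p.proto: return False
        if r.iface and r.iface != p.iface: return False
        if r.dport and r.dport != p.dport: return False
        if r.established and not (p.flags & {"A", "R"}): return False   # ACK or RST set
        if r.setup and not ("S" in p.flags and "A" not in p.flags): return False
        return True

    def one_pass(self, p):
        """Run a packet through the rules once; natd re-enters at the next rule."""
        for r in self.rules:
            if r.action == "check-state":
                if not self.has_state(p): continue
                self.hits[r.num] += 1
                return r.num, "allow", p
            if not self.matches(r, p): continue
            self.hits[r.num] += 1
            if r.action == "divert":
                p = self.natd(p); continue
            if r.keep_state: self.states.add(self.key(p))
            return r.num, r.action, p
        return 65535, "deny", p

    def forward(self, p):
        """A routed packet is seen twice: in on one interface, out on the other."""
        hops = ([(LAN_IF, "in"), (WAN_IF, "out")] if p.src == LAN_HOST
                else [(WAN_IF, "in"), (LAN_IF, "out")])
        trace = []
        for iface, direction in hops:
            num, verdict, p = self.one_pass(replace(p, iface=iface, direction=direction))
            trace.append((iface, num, verdict))
            if verdict != "allow": break
        return trace

def trace_http_flow():
    """Rule hit per hop for SYN, SYN/ACK, ACK, then the ACK with no dynamic rule left."""
    fw = Firewall(RULESET)
    syn = Packet(LAN_HOST, 2474, WEB, 80, frozenset("S"))
    synack = Packet(WEB, 80, PUBLIC_IP, 2474, frozenset("SA"))
    ack = Packet(LAN_HOST, 2474, WEB, 80, frozenset("A"))
    out = {"syn": fw.forward(syn), "synack": fw.forward(synack), "ack": fw.forward(ack)}
    fw.states.clear()            # stand-in for dyn_*_lifetime expiry of the dynamic rules
    out["ack_no_state"] = fw.forward(ack)
    out["hits"] = dict(fw.hits)
    return out

if __name__ == "__main__":
    for name, trace in trace_http_flow().items(): print(name, trace)
```

Run as a script it prints one line per packet: the SYN is allowed by 01100 on bge1 and, after natd has rewritten the source, by 01200 on bge0, so two dynamic rules exist, one keyed on the LAN address and one on the public address; the SYN/ACK and a later ACK are both answered by check-state at 00900 on each hop; the same ACK with no dynamic rule left is dropped by 01000 on the first hop, incrementing exactly the counter the poster saw growing.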