From owner-freebsd-ipfw@FreeBSD.ORG Mon Oct 29 11:07:10 2007
Return-Path:
Delivered-To: freebsd-ipfw@hub.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 3A4BF16A476 for ; Mon, 29 Oct 2007 11:07:05 +0000 (UTC) (envelope-from owner-bugmaster@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id DF24F13C4AC for ; Mon, 29 Oct 2007 11:07:04 +0000 (UTC) (envelope-from owner-bugmaster@FreeBSD.org)
Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.1/8.14.1) with ESMTP id l9TB74vU090134 for ; Mon, 29 Oct 2007 11:07:04 GMT (envelope-from owner-bugmaster@FreeBSD.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.14.1/8.14.1/Submit) id l9TB74Go090130 for freebsd-ipfw@FreeBSD.org; Mon, 29 Oct 2007 11:07:04 GMT (envelope-from owner-bugmaster@FreeBSD.org)
Date: Mon, 29 Oct 2007 11:07:04 GMT
Message-Id: <200710291107.l9TB74Go090130@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: gnats set sender to owner-bugmaster@FreeBSD.org using -f
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Cc:
Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IPFW Technical Discussions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 29 Oct 2007 11:07:19 -0000

Current FreeBSD problem reports

Critical problems

Serious problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/51274   ipfw       [ipfw] [patch] ipfw2 create dynamic rules with parent
o kern/73910   ipfw       [ipfw] serious bug on forwarding of packets after NAT
o kern/74104   ipfw       [ipfw] ipfw2/1 conflict not detected or reported, manp
o kern/88659   ipfw       [modules] ipfw and ip6fw do not work properly as modul
o kern/93300   ipfw       [ipfw] ipfw pipe lost packets
o kern/95084   ipfw       [ipfw] [patch] IPFW2 ignores "recv/xmit/via any" (IPFW
o kern/97504   ipfw       [ipfw] IPFW Rules bug
o kern/97951   ipfw       [ipfw] [patch] ipfw does not tie interface details to
o kern/98831   ipfw       [ipfw] ipfw has UDP hickups
o kern/102471  ipfw       [ipfw] [patch] add tos and dscp support
o kern/103454  ipfw       [ipfw] [patch] add a facility to modify DF bit of the
o kern/106534  ipfw       [ipfw] [panic] ipfw + dummynet
o kern/112708  ipfw       ipfw is seems to be broken to limit number of connecti
o kern/117234  ipfw       [ipfw] [patch] ipfw send_pkt() and ipfw_tick() don't s

14 problems total.

Non-critical problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
a kern/26534   ipfw       [ipfw] Add an option to ipfw to log gid/uid of who cau
o kern/46159   ipfw       [ipfw] [patch] ipfw dynamic rules lifetime feature
o kern/48172   ipfw       [ipfw] [patch] ipfw does not log size and flags
o bin/50749    ipfw       [ipfw] [patch] ipfw2 incorrectly parses ports and port
o kern/55984   ipfw       [ipfw] [patch] time based firewalling support for ipfw
o kern/60719   ipfw       [ipfw] Headerless fragments generate cryptic error mes
o kern/69963   ipfw       [ipfw] install_state warning about already existing en
o kern/71366   ipfw       [ipfw] "ipfw fwd" sometimes rewrites destination mac a
o kern/72987   ipfw       [ipfw] ipfw/dummynet pipe/queue 'queue [BYTES]KBytes (
o kern/73276   ipfw       [ipfw] [patch] ipfw2 vulnerability (parser error)
o bin/78785    ipfw       [ipfw] [patch] ipfw verbosity locks machine if /etc/rc
o kern/80642   ipfw       [ipfw] [patch] ipfw small patch - new RULE OPTION
o kern/82724   ipfw       [ipfw] [patch] Add setnexthop and defaultroute feature
o kern/86957   ipfw       [ipfw] [patch] ipfw mac logging
o kern/87032   ipfw       [ipfw] [patch] ipfw ioctl interface implementation
o kern/91847   ipfw       [ipfw] ipfw with vlanX as the device
o kern/103328  ipfw       [ipfw] sugestions about ipfw table
o kern/104682  ipfw       [ipfw] [patch] Some minor language consistency fixes a
o bin/104921   ipfw       [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/105330  ipfw       [ipfw] [patch] ipfw (dummynet) does not allow to set q
o kern/107305  ipfw       [ipfw] ipfw fwd doesn't seem to work
o kern/111713  ipfw       [dummynet] Too few dummynet queue slots
o kern/112561  ipfw       [ipfw] ipfw fwd does not work with some TCP packets
p kern/113388  ipfw       [ipfw][patch] Addition actions with rules within speci
o bin/113803   ipfw       [patch] bin/ipfw.8 - don't get bitten by the fwd rule
o bin/115172   ipfw       [patch] ipfw(8) list show some rules with a wrong form
p kern/115755  ipfw       [ipfw][patch] unify message and add a rule number wher
o kern/116009  ipfw       [ipfw] [patch] Ignore errors when loading ruleset from

28 problems total.

From owner-freebsd-ipfw@FreeBSD.ORG Sat Nov 3 23:17:34 2007
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 8788716A41B for ; Sat, 3 Nov 2007 23:17:34 +0000 (UTC) (envelope-from gbell72@rogers.com)
Received: from web88014.mail.re2.yahoo.com (web88014.mail.re2.yahoo.com [206.190.39.219]) by mx1.freebsd.org (Postfix) with SMTP id 22EF213C4AA for ; Sat, 3 Nov 2007 23:17:33 +0000 (UTC) (envelope-from gbell72@rogers.com)
Received: (qmail 55202 invoked by uid 60001); 3 Nov 2007 22:50:31 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=rogers.com; h=X-YMail-OSG:Received:Date:From:Subject:To:MIME-Version:Content-Type:Content-Transfer-Encoding:Message-ID; b=K6XLW6bLeCDah/I+3h+TpWiUiziU8qrvcpeuNHFV9Ub+5yP2k15qQxljXQk8mZmFUURYzz5Q4tLfCzJ8gZBMr/CHAlycgpsggxUinjz0rvIsqB9BP2Q8AZpqF3jCtk0fl+ge8zArRyeHEzm3ja3kkKrMfe6jx7zd23Ul5wsxynQ=;
X-YMail-OSG: DY1Mhw0VM1lLf9wQ67_duEbAEDGWtTMRochYuCiS3KYn_z3ZvMEUPuc_zu8MWl.HfNd8fLxXtg--
Received: from [99.233.189.147] by web88014.mail.re2.yahoo.com via HTTP; Sat, 03 Nov 2007 18:50:30 EDT
Date: Sat, 3 Nov 2007 18:50:30 -0400 (EDT)
From: Gardner Bell
To: freebsd-ipfw@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Message-ID: <932971.53959.qm@web88014.mail.re2.yahoo.com>
Subject: IPFW Problem
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IPFW Technical Discussions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sat, 03 Nov 2007 23:17:34 -0000

I'm hoping some of you can help me out with the problem that I'm having, as I'm not very good when it comes to networking. I've recently configured 6.3-PRERELEASE with IPFW/NATD to act as my LAN's firewall/router.
After I initially access certain http sites, particularly google groups and yahoo web mail, I'm noticing subsequent attempts take > 2 mins to resolve the next link that I am interested in reading. This appears to be caused by rule 01000, as the counter increases each time I access one of the above mentioned sites. Short of removing this rule, is there any other way that I can fix this issue? Below is a listing of my present ruleset and a tcpdump of a Windows XP machine trying to access a link on google groups.

regards,
Gardner

mx1# ipfw show
00100    76   11134 allow ip from 127.0.0.1 to 127.0.0.1 via lo0
00200     0       0 deny log logamount 10 ip from 127.0.0.1 to any
00300     0       0 deny log logamount 10 ip from any to 127.0.0.1
00400     0       0 deny log logamount 10 ip from any to any not verrevpath in
00500     0       0 deny log logamount 10 ip from any to any ipoptions ssrr,lsrr,rr,ts in
00600     0       0 deny ip from any to any frag
00700     0       0 allow icmp from any to any icmptypes 0,3,11,12
00800  1081  452405 divert 8668 ip from any to any via bge0
00900     0       0 check-state
01000    36   17682 deny tcp from any to any established
01100  2704  853904 allow ip from any to any via bge1 keep-state
01200   262   57586 allow tcp from any to any dst-port 80 keep-state
01300     0       0 allow tcp from any to any dst-port 443 keep-state
01400   102    7752 allow udp from me to any dst-port 123 keep-state
01500     0       0 allow tcp from me to any dst-port 53 setup keep-state
01600   169   30563 allow udp from me to any dst-port 53 keep-state
01700     0       0 allow tcp from any to any dst-port 1863 setup keep-state
01800     0       0 allow log logamount 10 udp from any to 255.255.255.255 dst-port 68 in via bge0
01900     0       0 allow tcp from x.x.x.x to x.x.x.x dst-port 22 keep-state
02000     0       0 deny log logamount 10 ip from any to any
65535     1     396 deny ip from any to any

131219 00:e0:81:2e:c1:aa > 00:13:5f:04:bd:05, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 63, id 55490, offset 0, flags [DF], proto: TCP (6), length: 40, bad cksum 0 (->4d44)!)
    x.x.x.x.2471 > 64.233.179.99.80: ., cksum 0x2bf0 (correct), ack 26946 win 64330
046227 00:e0:81:2e:c1:aa > 00:13:5f:04:bd:05, ethertype IPv4 (0x0800), length 62: (tos 0x0, ttl 63, id 55493, offset 0, flags [DF], proto: TCP (6), length: 48, bad cksum 0 (->2a14)!)
    x.x.x.x.2474 > 72.14.207.99.80: S, cksum 0xf365 (correct), 2296693740:2296693740(0) win 65535
007127 00:13:5f:04:bd:05 > 00:e0:81:2e:c1:aa, ethertype IPv4 (0x0800), length 62: (tos 0x0, ttl 56, id 48846, offset 0, flags [none], proto: TCP (6), length: 48)
    72.14.207.99.80 > x.x.x.x.2474: S, cksum 0x8043 (correct), 2154814567:2154814567(0) ack 2296693741 win 5720
000323 00:e0:81:2e:c1:aa > 00:13:5f:04:bd:05, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 63, id 55494, offset 0, flags [DF], proto: TCP (6), length: 40, bad cksum 0 (->2a1b)!)
    x.x.x.x.2474 > 72.14.207.99.80: ., cksum 0xc341 (correct), ack 1 win 65535
000293 00:e0:81:2e:c1:aa > 00:13:5f:04:bd:05, ethertype IPv4 (0x0800), length 1155: (tos 0x0, ttl 63, id 55495, offset 0, flags [DF], proto: TCP (6), length: 1141, bad cksum 0 (->25cd)!)
    x.x.x.x.2474 > 72.14.207.99.80: P 1:1102(1101) ack 1 win 65535
015474 00:13:5f:04:bd:05 > 00:e0:81:2e:c1:aa, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 56, id 48847, offset 0, flags [none], proto: TCP (6), length: 40)
    72.14.207.99.80 > x.x.x.x.2474: ., cksum 0xa0d9 (correct), ack 1102 win 7707
000879 00:13:5f:04:bd:05 > 00:e0:81:2e:c1:aa, ethertype IPv4 (0x0800), length 383: (tos 0x0, ttl 56, id 48848, offset 0, flags [none], proto: TCP (6), length: 369)
    72.14.207.99.80 > x.x.x.x.2474: P 1:330(329) ack 1102 win 7707
003365 00:13:5f:04:bd:05 > 00:e0:81:2e:c1:aa, ethertype IPv4 (0x0800), length 1484: (tos 0x0, ttl 54, id 5049, offset 0, flags [none], proto: TCP (6), length: 1470)
    64.233.179.99.80 > x.x.x.x.2472: . 1:1431(1430) ack 944 win 6797
001463 00:13:5f:04:bd:05 > 00:e0:81:2e:c1:aa, ethertype IPv4 (0x0800), length 1484: (tos 0x0, ttl 54, id 5050, offset 0, flags [none], proto: TCP (6), length: 1470)
    64.233.179.99.80 > x.x.x.x.2472: . 1431:2861(1430) ack 944 win 6797
000478 00:e0:81:2e:c1:aa > 00:13:5f:04:bd:05, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 63, id 55498, offset 0, flags [DF], proto: TCP (6), length: 40, bad cksum 0 (->4d3c)!)
    x.x.x.x.2472 > 64.233.179.99.80: ., cksum 0xa354 (correct), ack 2861 win 65535
000694 00:13:5f:04:bd:05 > 00:e0:81:2e:c1:aa, ethertype IPv4 (0x0800), length 348: (tos 0x0, ttl 54, id 5051, offset 0, flags [none], proto: TCP (6), length: 334)
    64.233.179.99.80 > x.x.x.x.2472: P 2861:3155(294) ack 944 win 6797
002086 00:e0:81:2e:c1:aa > 00:13:5f:04:bd:05, ethertype IPv4 (0x0800), length 841: (tos 0x0, ttl 63, id 55503, offset 0, flags [DF], proto: TCP (6), length: 827, bad cksum 0 (->4a24)!)
    x.x.x.x.2471 > 64.233.179.99.80: P 900:1687(787) ack 26946 win 64330
039910 00:13:5f:04:bd:05 > 00:e0:81:2e:c1:aa, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 54, id 65197, offset 0, flags [none], proto: TCP (6), length: 40)
    64.233.179.99.80 > x.x.x.x.2471: ., cksum 0xfff1 (correct), ack 1687 win 9270
081626 00:e0:81:2e:c1:aa > 00:13:5f:04:bd:05, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 63, id 55504, offset 0, flags [DF], proto: TCP (6), length: 40, bad cksum 0 (->2a11)!)
    x.x.x.x.2474 > 72.14.207.99.80: ., cksum 0xbef4 (correct), ack 330 win 65206
006714 00:e0:81:2e:c1:aa > 00:13:5f:04:bd:05, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 63, id 55505, offset 0, flags [DF], proto: TCP (6), length: 40, bad cksum 0 (->4d35)!)
    x.x.x.x.2472 > 64.233.179.99.80: ., cksum 0xa354 (correct), ack 3155 win 65241
023252 00:13:5f:04:bd:05 > 00:e0:81:2e:c1:aa, ethertype IPv4 (0x0800), length 1484: (tos 0x0, ttl 54, id 65198, offset 0, flags [none], proto: TCP (6), length: 1470)
    64.233.179.99.80 > x.x.x.x.2471: . 26946:28376(1430) ack 1687 win 9270
001610 00:13:5f:04:bd:05 > 00:e0:81:2e:c1:aa, ethertype IPv4 (0x0800), length 1460: (tos 0x0, ttl 54, id 65199, offset 0, flags [none], proto: TCP (6), length: 1446)
    64.233.179.99.80 > x.x.x.x.2471: P 28376:29782(1406) ack 1687 win 9270
000456 00:e0:81:2e:c1:aa > 00:13:5f:04:bd:05, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 63, id 55506, offset 0, flags [DF], proto: TCP (6), length: 40, bad cksum 0 (->4d34)!)
    x.x.x.x.2471 > 64.233.179.99.80: ., cksum 0x1914 (correct), ack 29782 win 65535
000861 00:13:5f:04:bd:05 > 00:e0:81:2e:c1:aa, ethertype IPv4 (0x0800), length 1484: (tos 0x0, ttl 54, id 65200, offset 0, flags [none], proto: TCP (6), length: 1470)
    64.233.179.99.80 > x.x.x.x.2471: . 29782:31212(1430) ack 1687 win 9270
036857 00:13:5f:04:bd:05 > 00:e0:81:2e:c1:aa, ethertype IPv4 (0x0800), length 116: (tos 0x0, ttl 54, id 65201, offset 0, flags [none], proto: TCP (6), length: 102)
    64.233.179.99.80 > x.x.x.x.2471: P 31212:31274(62) ack 1687 win 9270
000164 00:e0:81:2e:c1:aa > 00:13:5f:04:bd:05, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 63, id 55507, offset 0, flags [DF], proto: TCP (6), length: 40, bad cksum 0 (->4d33)!)
    x.x.x.x.2471 > 64.233.179.99.80: ., cksum 0x1340 (correct), ack 31274 win 65535
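As an added illustration (it is not part of Gardner's post and not ipfw's own code), the following Python model walks a subset of the ruleset above the way ipfw does: first match wins, check-state consults a table of dynamic entries, a keep-state rule creates one, and 'established' matches any TCP segment carrying ACK or RST. It leaves out interfaces and the natd divert, uses constructed RFC 5737 addresses, and assumes a fixed 300 s lifetime for dynamic entries (ipfw's default net.inet.ip.fw.dyn_ack_lifetime). What it shows is which packets can reach rule 01000 at all: an ACK-bearing segment of a flow for which no dynamic entry exists at that moment, for example because the entry has timed out, falls through 00900 and is counted by 01000.

```python
"""Toy first-match model of an ipfw ruleset with dynamic (keep-state) rules.

Added illustration, not ipfw's own code. Simplifications: no interfaces,
no NAT divert, rules match only protocol, destination port, TCP flags and
dynamic state, and time is a plain integer counter of seconds.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# ipfw's default lifetime for an established TCP dynamic entry is 300 s
# (sysctl net.inet.ip.fw.dyn_ack_lifetime); modelled here as a fixed constant.
STATE_LIFETIME = 300


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()  # TCP flags, e.g. {"S"}, {"A"}, {"P", "A"}
    time: int = 0                   # seconds since the trace started


@dataclass
class Rule:
    number: int
    action: str                 # "allow", "deny" or "check-state"
    proto: str = "ip"           # "ip" matches every protocol
    dport: Optional[int] = None
    established: bool = False   # ipfw 'established': ACK or RST flag set
    keep_state: bool = False
    count: int = 0              # packet counter, as in the 2nd column of 'ipfw show'

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.established and not (pkt.flags & {"A", "R"}):
            return False
        return True


class Firewall:
    def __init__(self, rules: List[Rule]):
        self.rules = sorted(rules, key=lambda r: r.number)
        # dynamic table: flow key -> (parent rule number, expiry time)
        self.dyn: Dict[tuple, Tuple[int, int]] = {}

    @staticmethod
    def _key(pkt: Packet) -> tuple:
        # a dynamic entry matches both directions, so the key is direction-free
        return (pkt.proto, tuple(sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])))

    def _lookup_state(self, pkt: Packet) -> Optional[int]:
        key = self._key(pkt)
        entry = self.dyn.get(key)
        if entry is None:
            return None
        parent, expiry = entry
        if pkt.time > expiry:
            del self.dyn[key]           # expired: same as never having had state
            return None
        self.dyn[key] = (parent, pkt.time + STATE_LIFETIME)   # traffic refreshes it
        return parent

    def process(self, pkt: Packet) -> Tuple[int, str]:
        """Walk the ruleset top down; return (rule number, action) of the first match."""
        for rule in self.rules:
            if rule.action == "check-state":
                parent = self._lookup_state(pkt)
                if parent is None:
                    continue
                parent_rule = next(r for r in self.rules if r.number == parent)
                parent_rule.count += 1  # ipfw charges the packet to the parent rule
                return parent_rule.number, parent_rule.action
            if rule.matches(pkt):
                rule.count += 1
                if rule.keep_state:
                    self.dyn[self._key(pkt)] = (rule.number, pkt.time + STATE_LIFETIME)
                return rule.number, rule.action
        raise RuntimeError("no rule matched; real ipfw always ends in 65535")


def ruleset_subset() -> Firewall:
    """The rules from the post that decide a plain HTTP flow (interface terms dropped)."""
    return Firewall([
        Rule(900, "check-state"),
        Rule(1000, "deny", proto="tcp", established=True),
        Rule(1200, "allow", proto="tcp", dport=80, keep_state=True),
        Rule(2000, "deny"),
    ])


def trace_http_flow(gap_seconds: int):
    """Open an HTTP connection, then send more data gap_seconds later.

    Returns ([(rule, action) per packet], {rule number: packet count}).
    """
    fw = ruleset_subset()
    client = ("192.0.2.10", 2474)   # constructed LAN client (RFC 5737 range)
    server = ("203.0.113.80", 80)   # constructed web server (RFC 5737 range)
    packets = [
        Packet("tcp", *client, *server, frozenset({"S"}), time=0),
        Packet("tcp", *server, *client, frozenset({"S", "A"}), time=0),
        Packet("tcp", *client, *server, frozenset({"A"}), time=1),
        Packet("tcp", *client, *server, frozenset({"P", "A"}), time=1 + gap_seconds),
    ]
    matches = [fw.process(p) for p in packets]
    counts = {r.number: r.count for r in fw.rules}
    return matches, counts
```

With a 10 s gap every packet is charged to 01200 through the dynamic entry; with a 600 s gap the last segment finds no entry, fails to match 00900, and is the first packet counted by 01000. Whether that is what happens to the flows in the trace above is something 'ipfw -d show' (which lists the dynamic entries next to the static rules) would answer at the moment the 01000 counter moves; the model only reproduces the mechanism.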