From: "Alex Teslik"
To: freebsd-questions@freebsd.org
Date: Sun, 6 Jul 2008 08:32:29 -0700
Subject: natd and ipfw external hangs
Hello,

I recently upgraded to 7.0-STABLE and have set up an ipfw+natd combo on my dual-homed host. I have two interfaces:

  em0 - external interface to the net 24.205.x.x
  sk0 - internal interface 192.168.x.x

When users connect on the 192.168.x.x internal network everything works great. Packets get out to the net and back to the originating machine with no delays. So, natd seems to be doing the right thing. The server (24.205.x.x) can directly connect to the internet for all services - no problems there.

The problem is external users. When they hit the webserver at 24.205.x.x the text portion of the pages loads quickly. A few images load, and then the rest of the page hangs for quite some time. When I check the connection on my side with netstat -a I see a lot of these:

  tcp4 0 0 server.http 41.221.19.24.62422 FIN_WAIT_2
  tcp4 0 0 server.http 41.221.19.24.62401 FIN_WAIT_2
  tcp4 0 0 server.http 203.215.120.236.1686 FIN_WAIT_2

So it seems the connection is just hanging for some reason. I opened my firewall up completely, taking natd out of the equation, and the external problem was solved. So, I'm suspecting a bad config in my firewall rules, or a bad config in my natd. So I created an open firewall that also uses natd to see if I could get things working. Here are the rules (complete with comments from the fbsd handbook):

  #!/bin/sh
  IPFW="ipfw -q add"
  ipfw -q -f flush

  # No restrictions on Inside LAN Interface for private network
  $IPFW 10 allow all from any to any via sk0

  # No restrictions on loopback interface
  $IPFW 20 allow all from any to any via lo0

  # check if packet is inbound and nat address if it is
  $IPFW 30 divert natd ip from any to any in via em0

  # Allow the packet through if it has previously been added to
  # the "dynamic" rules table by an allow keep-state statement.
  $IPFW 50 check-state

  # Interface facing Public Internet (Outbound Section)
  # Interrogate session start requests originating from behind the
  # firewall on the private network or from this gateway server
  # destined for the public Internet.
  # Basically, let everything out.
  $IPFW 60 skipto 500 all from any to any out via em0 setup keep-state

  # Interface facing Public Internet (Inbound Section)
  # Interrogate packets originating from the public Internet
  # destined for this gateway server or the private network.
  # Basically, let everything in to me.
  $IPFW 70 allow all from any to me in via em0 setup limit src-addr 2

  # This is skipto location for outbound stateful rules
  $IPFW 500 divert natd ip from any to any out via em0
  $IPFW 600 allow ip from any to any

  $IPFW 800 deny all from any to any

and my natd setup:

  gateway_enable="YES"
  firewall_enable="YES"
  firewall_script="/etc/ipfw.rules"
  natd_enable="YES"
  natd_interface="em0"
  natd_flags="-dynamic -m"

and in my kernel:

  # For Network Address Translation (NAT)
  options IPFIREWALL
  options IPFIREWALL_VERBOSE
  options IPFIREWALL_VERBOSE_LIMIT=5
  options IPFIREWALL_DEFAULT_TO_ACCEPT
  options IPDIVERT

How can I successfully eliminate the external hangs without losing natd for the internal users? Any ideas greatly appreciated!

Thanks,
Alex
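As an added diagnostic example (my code, not part of the original post), the script below tallies the `netstat -a` output the post quotes by remote host and TCP state. That per-source count is the quantity a `limit src-addr N` rule such as rule 70 enforces, so it lets you see at a glance whether any one external client is holding N or more sessions to the web server. The sample netstat text is constructed to mirror the lines in the post and is not real traffic; the `limit` value of 2 is taken from rule 70.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the format of `netstat -a` on FreeBSD (not captured traffic).
SAMPLE_NETSTAT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0 server.http            41.221.19.24.62422     FIN_WAIT_2
tcp4       0      0 server.http            41.221.19.24.62401     FIN_WAIT_2
tcp4       0      0 server.http            41.221.19.24.62455     ESTABLISHED
tcp4       0      0 server.http            203.215.120.236.1686   FIN_WAIT_2
tcp4       0      0 server.ssh             192.168.1.20.50012     ESTABLISHED
tcp4       0      0 *.http                 *.*                    LISTEN
udp4       0      0 *.syslog               *.*
"""

# proto, recv-q, send-q, local, foreign, state  (TCP rows only; UDP rows have no state)
LINE_RE = re.compile(r"^(tcp4|tcp6)\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def split_host_port(addr):
    """BSD netstat joins host and port with '.', so split on the last dot."""
    host, _, port = addr.rpartition(".")
    return host, port


def parse_netstat(text):
    """Return (local_service, remote_host, remote_port, state) for each live TCP session.

    Listening sockets and non-TCP rows are skipped; they are not sessions.
    """
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _proto, local, remote, state = m.groups()
        if state == "LISTEN":
            continue
        service = split_host_port(local)[1]
        rhost, rport = split_host_port(remote)
        rows.append((service, rhost, rport, state))
    return rows


def connections_per_source(rows, service=None):
    """Count sessions per remote host (total and per state), optionally for one local service."""
    per_host = Counter()
    per_host_state = defaultdict(Counter)
    for svc, rhost, _rport, state in rows:
        if service is not None and svc != service:
            continue
        per_host[rhost] += 1
        per_host_state[rhost][state] += 1
    return per_host, per_host_state


def sources_at_limit(per_host, limit):
    """Remote hosts whose session count has reached `limit` (the count a `limit src-addr` rule tracks)."""
    return sorted(host for host, n in per_host.items() if n >= limit)


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    per_host, per_state = connections_per_source(rows, service="http")
    for host in sorted(per_host):
        states = ", ".join(f"{s}={n}" for s, n in sorted(per_state[host].items()))
        print(f"{host:<18} {per_host[host]:>2} session(s): {states}")
    print("at or over limit 2:", sources_at_limit(per_host, 2))
```

Run it against real output with `netstat -an | python3 thisscript.py` after swapping `SAMPLE_NETSTAT` for `sys.stdin.read()`. Half-closed sessions are counted deliberately: ipfw keeps a dynamic rule for a TCP session on which only one side has sent a FIN for `net.inet.ip.fw.dyn_ack_lifetime` seconds, so a connection the server has closed but the client has not (FIN_WAIT_2 on the server) still occupies a slot under a `limit src-addr` rule until that timer expires.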