Date:      Thu, 17 Aug 2000 13:07:58 +0400
From:      3APA3A <3APA3A@SECURITY.NNOV.RU>
To:        "David May" <David_May@allsolutions.com.au>
Cc:        freebsd-security@freebsd.org
Subject:   Re: [Q] why does my firewall degrade Web performance?
Message-ID:  <19547.000817@sandy.ru>
In-Reply-To: <4825693D.00159022.00@ASPerth1.allsolutions.com.au>
References:  <4825693D.00159022.00@ASPerth1.allsolutions.com.au>

Hello David May,

  You have not reported which Web server you use, so it's hard to
  determine the exact reason.

  It seems like you are filtering UDP packets to your Web server. When
  someone requests a page from the Web server, the server usually tries
  to resolve the symbolic name of the peer. The MS procedure of name
  resolution involves resolution of the NetBIOS name, then resolution
  of the DNS name if it failed. If you filter UDP, the server will wait
  until timed out. Make sure:

   1. The Web server can access the DNS server, that is, UDP between
   DNS:53 and WEB:1024-65535 is allowed.

   2. You do not deny UDP between ANY:137 and WEB:137. It's required
   for NetBIOS resolution. If you think this UDP traffic violates your
   security policy (with the latest service pack there is no known
   security problem with NetBIOS name resolution in NT), try to use
   "unreach port" or "unreach host" for UDP 137 packets _from_ the Web
   server.

  If all of your Windows hosts are configured as WINS clients, you can
  also try to put your Web server in p-node resolution mode to always
  use WINS, but I'm not sure if it helps for reverse resolution.

  You can also try to change the log option for your Web server so
  that it does not log the peer name.

  If you have a network with mixed topology, also check that you do
  not block IP fragments. This is:

    allow TCP from any 0 to any 0 frag

  You can also use the "log" option with all deny rules to check what
  else is blocked.
  
16.08.00 9:40, you wrote: [Q] why does my firewall degrade Web performance?;

D> I have a FreeBSD 3.2 firewall running ipfw+natd in front of a Windows
D> NT 4.0 Web server and an internal network. Internet connection is 2Mb DSL.

D> When the Web server is protected by the firewall Internet users report
D> Web server responses are unacceptably slow.

/3APA3A
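
An added example, not part of 3APA3A's reply or of the original thread: a small first-match evaluator for ipfw-style rules that walks the three rulesets a reader of this mail would compare. The addresses (WEB, DNS, PEER), the rule text and the sample packets are constructed for the example; the point it shows is that an all-UDP deny silently drops the DNS reply and the NetBIOS name query the NT server sends for each hit, that port-matching rules never match non-first fragments, and that "unreach port" turns the 137 wait into an immediate rejection. It is a model of rule matching, not ipfw itself.

```python
"""Added example (not from the original mail): first-match evaluation of
ipfw-style rules against constructed sample packets."""
from dataclasses import dataclass
from typing import List, Optional

WEB = "192.0.2.10"     # assumed address of the NT 4.0 Web server behind ipfw
DNS = "192.0.2.53"     # assumed address of its DNS server
PEER = "203.0.113.5"   # assumed Internet client


@dataclass(frozen=True)
class Packet:
    proto: str             # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    frag: bool = False     # True for a non-first IP fragment (no L4 header)


@dataclass(frozen=True)
class Rule:
    action: str            # "allow", "deny", "unreach port", ...
    log: bool              # rule carries the "log" keyword
    proto: str             # "ip", "tcp" or "udp"
    src: str               # "any" or one address
    sports: tuple          # () for any port, else (lo, hi) inclusive
    dst: str
    dports: tuple
    frag: bool             # rule carries the "frag" keyword


def _ports(tok: str) -> tuple:
    lo, _, hi = tok.partition("-")
    return (int(lo), int(hi or lo))


def parse(text: str) -> Rule:
    """Parse the subset of ipfw syntax used here:
    <action> [log] <proto> from <src> [ports] to <dst> [ports] [frag]"""
    t = text.split()
    action = t.pop(0)
    if action == "unreach":            # two-word action, e.g. "unreach port"
        action += " " + t.pop(0)
    log = bool(t) and t[0] == "log"
    if log:
        t.pop(0)
    proto = t.pop(0)
    assert t.pop(0) == "from"
    src = t.pop(0)
    sports = () if t[0] == "to" else _ports(t.pop(0))
    assert t.pop(0) == "to"
    dst = t.pop(0)
    dports = _ports(t.pop(0)) if t and t[0] != "frag" else ()
    return Rule(action, log, proto, src, sports, dst, dports, bool(t) and t[0] == "frag")


def _port_ok(rng: tuple, port: int) -> bool:
    return not rng or rng[0] <= port <= rng[1]


def matches(r: Rule, p: Packet) -> bool:
    if r.proto != "ip" and r.proto != p.proto:
        return False
    if r.src != "any" and r.src != p.src:
        return False
    if r.dst != "any" and r.dst != p.dst:
        return False
    if r.frag:                         # "frag" rules match only non-first fragments
        return p.frag
    if p.frag:                         # a fragment has no ports: only port-less rules can match it
        return not r.sports and not r.dports
    return _port_ok(r.sports, p.sport) and _port_ok(r.dports, p.dport)


def evaluate(rules: List[Rule], p: Packet, logbook: Optional[list] = None) -> str:
    """First matching rule wins, as in ipfw; no match means the implicit final deny."""
    for r in rules:
        if matches(r, p):
            if r.log and logbook is not None:
                logbook.append(f"{r.action} {p.proto} {p.src}:{p.sport} {p.dst}:{p.dport}")
            return r.action
    return "deny"


# Constructed rule fragments, composed into the three rulesets compared below
FRAG = ["allow ip from any to any frag"]                       # do not block IP fragments
HTTP = [f"allow tcp from any to {WEB} 80", f"allow tcp from {WEB} 80 to any"]
DNS_RULES = [f"allow udp from {WEB} 1024-65535 to {DNS} 53",   # query out ...
             f"allow udp from {DNS} 53 to {WEB} 1024-65535"]   # ... and reply back
NB_ALLOW = [f"allow udp from any 137 to {WEB} 137", f"allow udp from {WEB} 137 to any 137"]
NB_REJECT = [f"unreach port udp from {WEB} 137 to any 137"]    # refuse NetBIOS without a timeout
DENY = ["deny log udp from any to any"]                        # log whatever is still blocked

STRICT = [parse(r) for r in HTTP + DENY]                        # the kind of ruleset the question describes
FIXED = [parse(r) for r in FRAG + HTTP + DNS_RULES + NB_ALLOW + DENY]
POLICY = [parse(r) for r in FRAG + HTTP + DNS_RULES + NB_REJECT + DENY]

SAMPLES = {  # constructed packets seen at the firewall for one Web hit
    "http request": Packet("tcp", PEER, 4444, WEB, 80),
    "dns reply": Packet("udp", DNS, 53, WEB, 1034),           # answer to the reverse lookup
    "netbios query": Packet("udp", WEB, 137, PEER, 137),      # NT asking the peer for its NetBIOS name
    "tcp fragment": Packet("tcp", PEER, 0, WEB, 0, frag=True),
}


def verdicts(rules: List[Rule], logbook: Optional[list] = None) -> dict:
    return {name: evaluate(rules, p, logbook) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, rules in (("STRICT", STRICT), ("FIXED", FIXED), ("POLICY", POLICY)):
        log: list = []
        print(name, verdicts(rules, log), log)
```

Under STRICT the DNS reply and the NetBIOS query both hit the logged deny, and the fragment falls through to the implicit deny because the HTTP rule carries a port; FIXED passes all four; POLICY answers the 137 query with "unreach port" so the server stops waiting immediately.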
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?19547.000817>