Date: Thu, 17 Aug 2000 13:07:58 +0400
From: 3APA3A <3APA3A@SECURITY.NNOV.RU>
To: "David May" <David_May@allsolutions.com.au>
Cc: freebsd-security@freebsd.org
Subject: Re: [Q] why does my firewall degrade Web performance?
Message-ID: <19547.000817@sandy.ru>
In-Reply-To: <4825693D.00159022.00@ASPerth1.allsolutions.com.au>
References: <4825693D.00159022.00@ASPerth1.allsolutions.com.au>
Hello David May,

You have not reported which Web server you use, so it's hard to determine the exact reason. It seems like you are filtering UDP packets to your Web server. When someone requests a page from the Web server, the server usually tries to resolve the symbolic name of the peer. The MS name resolution procedure involves resolution of the NetBIOS name after resolution of the DNS name has failed. If you filter UDP, the server will wait until it times out.

Make sure:

1. The Web server can access the DNS server, that is, UDP between DNS: 53 and WEB: 1024-65535 is allowed.

2. You do not deny UDP between ANY: 137 and WEB: 137. It's required for NetBIOS resolution. If you think this UDP traffic violates your security policy (with the latest service pack there is no known security problem with NetBIOS name resolution in NT) try to use "unreach port" or "unreach host" for UDP 137 packets _from_ the Web server.

If all of your Windows hosts are configured as WINS clients you can also try to put your Web server in p-node resolution mode to always use WINS, but I'm not sure if it helps for reverse resolution. You can also try to change the log option for your Web server so that it does not log the peer name.

If you have a network with mixed topology also check that you do not block IP fragments. This is

    allow TCP from any 0 to any 0 frag

You can also use the "log" option with all denies to check what else is blocked.

16.08.00 9:40, you wrote:

[Q] why does my firewall degrade Web performance?

D> I have a FreeBSD 3.2 firewall running ipfw+natd in front of a Windows
D> NT 4.0 Web server and an internal network. Internet connection is 2Mb DSL.
D> When the Web server is protected by the firewall Internet users report
D> Web server responses are unacceptably slow.

/3APA3A

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
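As an added example that is not part of the original mail, an ipfw ruleset in the spirit of the advice above (DNS allowed both ways on the ephemeral range, NetBIOS 137 rejected with an immediate port-unreachable instead of a silent drop, fragments passed, everything else denied with logging). The `FW_WEB`/`FW_DNS` variables and the 192.0.2.x addresses are assumed placeholders, and the fragment rule uses the `ip from any to any frag` form of later ipfw manual pages rather than the TCP port-0 form quoted in the mail.

```shell
#!/bin/sh
# Added example, not from the original mail or from FreeBSD itself.
# FW_WEB is the NT Web server, FW_DNS is its resolver; both are
# constructed placeholder addresses (assumed), override via environment.
FW_WEB=${FW_WEB:-192.0.2.10}
FW_DNS=${FW_DNS:-192.0.2.53}

# Emit one rule per line, in the argument form "ipfw <rule>" accepts.
fw_rules() {
cat <<EOF
add 100 allow udp from $FW_WEB 1024-65535 to $FW_DNS 53
add 110 allow udp from $FW_DNS 53 to $FW_WEB 1024-65535
add 200 unreach port udp from $FW_WEB 137 to any 137
add 300 allow ip from any to any frag
add 65000 deny log ip from any to any
EOF
}
# Rule 200 answers the server's NetBIOS lookups with ICMP port-unreachable
# so it gives up at once instead of waiting for the UDP timeout.  If the
# policy permits NetBIOS resolution instead, replace it with:
#   add 200 allow udp from any 137 to $FW_WEB 137
# Existing HTTP / natd divert rules belong before the final deny-log rule.

rule_count() {
  fw_rules | wc -l | tr -d ' '
}

# Load the rules into the running firewall (requires root and ipfw).
apply_rules() {
  fw_rules | while IFS= read -r rule; do
    # word-splitting $rule into separate arguments is intended here
    ipfw $rule
  done
}

# Only touch the live firewall when explicitly asked: ./fw.sh apply
if [ "${1:-}" = "apply" ]; then
  apply_rules
fi
```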