From: GuRU
To: freebsd-security@freebsd.org
Date: Wed, 7 Nov 2001 13:28:53 -0500
Subject: problems with clients behind ipf/ipnat firewall
Message-ID: <20011107132853.B7624@nubisci.net>
User-Agent: Mutt/1.2.5i
X-Operating-System: FreeBSD 5.0-CURRENT i386

Hello folks,

I'm having some problems with my firewall setup and could use some insight/advice.

I have a cable modem with a static IP. My gateway box is running -current. I'm seeing problems with both ipf/ipnat and ipfw/natd, but for the purpose of this email I'll use my ipf/ipnat configuration.

Here's the deal: for all kinds of access to the internet, everything is slow or times out except ping, while everything from my gateway box is fine. My gateway box is running -current, while the clients are running 4.3-RELEASE.
Here are some examples of what I'm seeing:

client box (FreeBSD kaleidoscope.nubisci.net 4.3-RELEASE FreeBSD 4.3-RELEASE #0: Sat Apr 21 10:54:49 GMT 2001 jkh@narf.osd.bsdi.com:/usr/src/sys/compile/GENERIC i386)

kaleidoscope.nubisci.net:guru% ping -c 10 bantu.cl.msu.edu
PING bantu.cl.msu.edu (35.8.3.18): 56 data bytes
64 bytes from 35.8.3.18: icmp_seq=0 ttl=60 time=4.382 ms
64 bytes from 35.8.3.18: icmp_seq=1 ttl=60 time=3.986 ms
64 bytes from 35.8.3.18: icmp_seq=2 ttl=60 time=3.633 ms
64 bytes from 35.8.3.18: icmp_seq=3 ttl=60 time=5.451 ms
64 bytes from 35.8.3.18: icmp_seq=4 ttl=60 time=3.545 ms
64 bytes from 35.8.3.18: icmp_seq=5 ttl=60 time=3.861 ms
64 bytes from 35.8.3.18: icmp_seq=6 ttl=60 time=3.512 ms
64 bytes from 35.8.3.18: icmp_seq=7 ttl=60 time=4.xxx ms
64 bytes from 35.8.3.18: icmp_seq=8 ttl=60 time=3.750 ms
64 bytes from 35.8.3.18: icmp_seq=9 ttl=60 time=6.950 ms

--- bantu.cl.msu.edu ping statistics ---
10 packets transmitted, 10 packets received, 0% packet loss
round-trip min/avg/max/stddev = 3.512/4.318/6.950/1.030 ms

gateway box (FreeBSD ganja.nubisci.net 5.0-CURRENT FreeBSD 5.0-CURRENT #51: Wed Nov 7 09:16:18 EST 2001 root@ganja.nubisci.net:/usr/src/sys/i386/compile/GANJA i386)

ganja.nubisci.net:guru% ping -c 10 bantu.cl.msu.edu
PING bantu.cl.msu.edu (35.8.3.18): 56 data bytes
64 bytes from 35.8.3.18: icmp_seq=0 ttl=61 time=3.469 ms
64 bytes from 35.8.3.18: icmp_seq=1 ttl=61 time=2.890 ms
64 bytes from 35.8.3.18: icmp_seq=2 ttl=61 time=2.795 ms
64 bytes from 35.8.3.18: icmp_seq=3 ttl=61 time=4.070 ms
64 bytes from 35.8.3.18: icmp_seq=4 ttl=61 time=8.061 ms
64 bytes from 35.8.3.18: icmp_seq=5 ttl=61 time=2.877 ms
64 bytes from 35.8.3.18: icmp_seq=6 ttl=61 time=9.180 ms
64 bytes from 35.8.3.18: icmp_seq=7 ttl=61 time=3.613 ms
64 bytes from 35.8.3.18: icmp_seq=8 ttl=61 time=3.202 ms
64 bytes from 35.8.3.18: icmp_seq=9 ttl=61 time=3.788 ms

--- bantu.cl.msu.edu ping statistics ---
10 packets transmitted, 10 packets received, 0% packet loss
round-trip min/avg/max/stddev = 2.795/4.394/9.180/2.164 ms

OK, now here are the results of traceroute -S.

client box:

kaleidoscope.nubisci.net:guru% traceroute -S bantu.cl.msu.edu
traceroute to bantu.cl.msu.edu (35.8.3.18), 30 hops max, 40 byte packets
 1  ganja (192.168.0.1)  0.522 ms  0.434 ms  0.390 ms (0% loss)
 2  xxx.xxx.xxx.193 (xxx.xxx.xxx.193)  3.462 ms * 5.353 ms (33% loss)
 3  * com-rtr-ve61.net.msu.edu (35.12.51.1)  6.028 ms * (66% loss)
 4  cc-rtr-ge15.net.msu.edu (35.9.101.13)  7.252 ms * 3.242 ms (33% loss)
 5  * bantu.cl.msu.edu (35.8.3.18)  5.814 ms * (66% loss)

As you can see, I start seeing collisions once packets hit my upstream gateway :(

Now from my gateway box:

ganja.nubisci.net:guru% traceroute -S bantu.cl.msu.edu
traceroute to bantu.cl.msu.edu (35.8.3.18), 64 hops max, 40 byte packets
 1  xxx.xxx.xxx.193 (xxx.xxx.xxx.193)  3.466 ms  2.871 ms  5.716 ms (0% loss)
 2  com-rtr-ve61.net.msu.edu (35.12.51.1)  2.565 ms  2.781 ms  2.711 ms (0% loss)
 3  cc-rtr-ge15.net.msu.edu (35.9.101.13)  2.767 ms  7.298 ms  4.367 ms (0% loss)
 4  bantu.cl.msu.edu (35.8.3.18)  2.516 ms  2.121 ms  1.997 ms (0% loss)

No problems whatsoever.

Now, I've upgraded NICs and cables and switched the public/private NICs, and the results are the same. If it's h/w, I'm at a loss as to what it can be except maybe the mobo or the cable modem, but I can't see why, as the gateway performs without any issues. I've tried many different ipf configurations, and even with very permissive rules I see the same symptoms :(.
Here are my current ipf.rules and ipnat.rules files:

# /etc/ipf.rules
# ipf.rules
# interface naming:
#   fxp0 = internet, addr=xxx.xxx.xxx.215/32
#   fxp1 = local private net, addr=192.168.0.1/24
#
# generic to all interfaces
block in log quick all with opt lsrr
block in log quick all with opt ssrr
block in log quick all with ipopts
block in log quick proto tcp all with short
block in log quick proto icmp all with frag
pass in quick on fxp0 proto tcp/udp from xxx.xxx.xxx.215/3 to ANY keep state

# rules for the external fxp0 interface
pass in quick on fxp0 proto tcp from any to xxx.xxx.xxx.215/32 port = 22 flags S keep state
pass in quick on fxp0 proto tcp from any to xxx.xxx.xxx.215/32 port = 25 flags S keep state
pass in quick on fxp0 proto tcp from any to xxx.xxx.xxx.215/32 port = 53 flags S keep state
pass in quick on fxp0 proto udp from any to xxx.xxx.xxx.215/32 port = 53 keep state
pass in quick on fxp0 proto tcp from any to xxx.xxx.xxx.215/32 port = 80 flags S keep state
pass in quick on fxp0 proto tcp from any to xxx.xxx.xxx.215/32 port = 110 flags S keep state
pass in quick on fxp0 proto tcp from any to xxx.xxx.xxx.215/32 port = 113 flags S keep state
pass in quick on fxp0 proto tcp from any to xxx.xxx.xxx.215/32 port = 443 flags S keep state
pass in quick on fxp0 proto tcp from any to xxx.xxx.xxx.215/32 port = 6000 flags S keep state
block in log on fxp0 all
block return-rst in log quick on fxp0 proto tcp all flags S
block return-icmp-as-dest(port-unr) in log quick on fxp0 proto udp all

# now keep state at the external interface on outgoing traffic:
pass out quick on fxp0 proto tcp from any to any flags S keep state
pass out quick on fxp0 proto udp from any to any keep state
pass out quick on fxp0 proto icmp from any to any keep state
pass out quick on fxp0 from any to any

#
# rules for the internal fxp1 interface
# let the internal and loopback interfaces run free, but
# squelch the netbios stuff so it doesn't create ipf states:
block in quick on fxp1 from any to any port = 137
block in quick on fxp1 from any to any port = 138
block in quick on fxp1 from any to any port = 139
block in quick on fxp1 from any port = 137 to any
block in quick on fxp1 from any port = 138 to any
block in quick on fxp1 from any port = 139 to any
pass in quick on fxp1 all
pass out quick on fxp1 all

#
# no restrictions on loopback
pass in quick on lo0 all
pass out quick on lo0 all

and here's my ipnat.rules:

#/etc/ipnat.rules
map fxp0 192.168.0.1/24 -> xxx.xxx.xxx.215/32 proxy port ftp ftp/tcp
map fxp0 192.168.0.1/24 -> xxx.xxx.xxx.215/32 portmap tcp/udp 1025:65000
map fxp0 192.168.0.1/24 -> xxx.xxx.xxx.215/32

Any thoughts/ideas/criticisms? :)

-- 
"Comparing information and knowledge is like asking whether the fatness of a pig is more or less green than the designated hitter rule." -- David Guaspari
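An added example, not from the original post or from the ipfilter project: a small audit script that parses ipf rule lines and flags any "pass in" rule on the external interface that accepts every destination without a port clause. Run over a constructed excerpt of the rules above (203.0.113.215 is a documentation address standing in for the masked xxx.xxx.xxx.215), it singles out the "from xxx.xxx.xxx.215/3 to ANY" rule, whose /3 mask admits traffic from an eighth of the IPv4 space rather than one host.

```python
import re

# Constructed excerpt of the ipf.rules from the post; 203.0.113.215 is a
# placeholder for the masked xxx.xxx.xxx.215.
SAMPLE_RULES = """\
block in log quick all with ipopts
pass in quick on fxp0 proto tcp/udp from 203.0.113.215/3 to ANY keep state
pass in quick on fxp0 proto tcp from any to 203.0.113.215/32 port = 22 flags S keep state
pass in quick on fxp0 proto udp from any to 203.0.113.215/32 port = 53 keep state
block in log on fxp0 all
pass out quick on fxp0 proto tcp from any to any flags S keep state
pass in quick on fxp1 all
"""

RULE_RE = re.compile(r"^(?P<action>pass|block)\s+(?P<dir>in|out)\b(?P<rest>.*)$")
ON_RE = re.compile(r"\bon\s+(?P<ifc>\S+)")
FROM_RE = re.compile(r"\bfrom\s+(?P<src>\S+)")
TO_RE = re.compile(r"\bto\s+(?P<dst>\S+)")

def _field(rx, key, rest, default):
    m = rx.search(rest)
    return m.group(key) if m else default

def parse_rule(line):
    """Extract action, direction, interface, src, dst and port presence from one ipf rule."""
    m = RULE_RE.match(line.split("#", 1)[0].strip())
    if not m:
        return None
    rest = m.group("rest")
    return {"action": m.group("action"), "dir": m.group("dir"),
            "ifc": _field(ON_RE, "ifc", rest, "all"),
            "src": _field(FROM_RE, "src", rest, "any"),
            "dst": _field(TO_RE, "dst", rest, "any"),
            "has_port": " port " in rest}

def prefix_len(addr):
    """Mask length of 'a.b.c.d/n'; 32 for a bare host, 0 for 'any'."""
    if addr.lower() == "any":
        return 0
    return int(addr.rsplit("/", 1)[1]) if "/" in addr else 32

def audit(text, ext_if="fxp0"):
    """Return (line, src, dst, src_prefix) for each 'pass in' rule on the external
    interface that accepts any destination with no port clause."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        r = parse_rule(line)
        if not r or r["action"] != "pass" or r["dir"] != "in":
            continue
        if r["ifc"] not in (ext_if, "all") or r["has_port"]:
            continue
        if r["dst"].lower() == "any":
            findings.append((n, r["src"], r["dst"], prefix_len(r["src"])))
    return findings

if __name__ == "__main__":
    for n, src, dst, plen in audit(SAMPLE_RULES):
        print(f"line {n}: unrestricted pass-in from {src} (/{plen}) to {dst}")
```

The port-restricted rules and the internal-interface pass-all are left alone; only the one rule with a wide-open destination is reported.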