Date: Sun, 31 Mar 2013 21:33:34 -0700 From: "Don O'Neil" <lists@lizardhill.com> To: "'Michael Sierchio'" <kudzu@tenebras.com> Cc: freebsd-questions@freebsd.org Subject: RE: Problems with IPFW causing failed DNS and FTP sessions Message-ID: <04ae01ce2e92$1283bf10$378b3d30$@com> In-Reply-To: <CAHu1Y70GrfKs9QQZDpm2rHXorEwWDebnd2=k5=LbVZLCdfzEJA@mail.gmail.com> References: <049d01ce2e89$c428ab80$4c7a0280$@com> <CAHu1Y70GrfKs9QQZDpm2rHXorEwWDebnd2=k5=LbVZLCdfzEJA@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Thanks for the response... here's my full rullset: # ipfw list 00100 check-state 00101 allow tcp from any to any established 00102 allow ip from any to any out keep-state 00103 allow icmp from any to any 00201 allow ip from any to any via lo0 00202 allow ip from any to 127.0.0.0/8 00203 allow ip from 127.0.0.0/8 to any 00204 deny tcp from any to any frag 00301 deny log logamount 50 ip from any to any ipoptions rr 00302 deny log logamount 50 ip from any to any ipoptions ts 00303 deny log logamount 50 ip from any to any ipoptions lsrr 00304 deny log logamount 50 ip from any to any ipoptions ssrr 00305 deny log logamount 50 tcp from any to any tcpflags syn,fin 00306 deny log logamount 50 tcp from any to any tcpflags syn,rst 01110 allow tcp from any to any dst-port 20 in 01111 allow tcp from any to any dst-port 20 out 01112 allow tcp from any to any dst-port 21 in 01113 allow tcp from any to any dst-port 21 out 01114 allow tcp from any to any dst-port 990 in 01115 allow tcp from any to any dst-port 990 out 01116 allow udp from any to any dst-port 990 in 01117 allow udp from any to any dst-port 990 out 01118 allow tcp from any to any dst-port 989 in 01119 allow tcp from any to any dst-port 989 out 01120 allow udp from any to any dst-port 989 in 01121 allow udp from any to any dst-port 989 out 01122 allow tcp from any to any dst-port 1024-65000 keep-state 01125 allow tcp from any to any dst-port 22 in 01126 allow tcp from any to any dst-port 22 out 01130 allow tcp from any to any dst-port 25 in 01131 allow tcp from any to any dst-port 25 out 01132 allow tcp from any to any dst-port 587 in 01133 allow tcp from any to any dst-port 587 out 01134 allow tcp from any to any dst-port 2525 in 01135 allow tcp from any to any dst-port 2525 out 01140 allow tcp from any to any dst-port 110 in 01141 allow tcp from any to any dst-port 110 out 01142 allow tcp from any to any dst-port 995 in 01143 allow tcp from any to any dst-port 995 out 01144 allow tcp from any to any dst-port 2110 in 01145 allow tcp from any to any dst-port 2110 out 01150 allow tcp from any to any dst-port 143 in 01151 allow tcp from any to any dst-port 143 out 01152 allow tcp from any to any dst-port 993 in 01153 allow tcp from any to any dst-port 993 out 01160 allow udp from any to any dst-port 53 in keep-state 01161 allow tcp from any to any dst-port 53 in keep-state 01162 allow udp from any to any dst-port 53 out keep-state 01163 allow tcp from any to any dst-port 53 out keep-state 01170 allow tcp from any to any dst-port 80 in 01171 allow tcp from any to any dst-port 80 out 01172 allow tcp from any to any dst-port 443 in 01172 allow tcp from any to any dst-port 443 out 01180 allow tcp from any to any dst-port 2222 in 01181 allow tcp from any to any dst-port 2222 out 65535 deny ip from any to any I've tried these rules; 01160 allow udp from any to any dst-port 53 in 01161 allow tcp from any to any dst-port 53 in 01162 allow udp from any to any dst-port 53 out 01163 allow tcp from any to any dst-port 53 out Without the keep-state option, and the problem is still persisting... The weird thing is that I've run these rules for a number of years without any issues until just recently. I've checked my interface stats to make sure there aren't a bunch of fragmented packets or errors, and there aren't. I'm not running NAT, it's a publically accessible IP address. -----Original Message----- From: Michael Sierchio [mailto:kudzu@tenebras.com] Sent: Sunday, March 31, 2013 8:58 PM To: Don O'Neil Cc: freebsd-questions@freebsd.org Subject: Re: Problems with IPFW causing failed DNS and FTP sessions It would be really helpful if you'd post the ruleset. At first glance, your stateful rules seem rather wrong, unless there's a check-state above. Also, in and out aren't discriminating enough - every packet is seen by the ruleset more than once. You should think in terms of interfaces, direction, etc. Are you doing NAT? Stateful rules with NAT are indeed possible, but subtle. Your problem has nothing to do with server load, and probably everything to do with not-terribly-well-conceived ruleset. Please post yours here. - M On Sun, Mar 31, 2013 at 8:34 PM, Don O'Neil <lists@lizardhill.com> wrote: > Hi everyone. recently my server started having issues with DNS and FTP > sessions either not resolving or timing out. I've tracked the issue > down to IPFW. if I issue a 'sysctl net.inet.ip.fw.enable=0' then my issues go away. > > > > I have the basic rules like this for dns; > > > > 01160 allow udp from any to any dst-port 53 in keep-state > > 01161 allow tcp from any to any dst-port 53 in keep-state > > 01162 allow udp from any to any dst-port 53 out keep-state > > 01163 allow tcp from any to any dst-port 53 out keep-state > > > > When I try an nslookup sometimes they fail, sometimes they get > through, even if I change my DNS server to google, my ISP, or even > OpenDNS. the firewall seems to be causing the issue. > > > > I have about 65 rules in all. > > > > Any ideas what could be causing this? My server load is low, usually > hovering around .2 > > > > How can I look at the actual amount of traffic that the IPFW module is > processing and track down potential performance issues? My server > isn't pushing much data, only around 4-5 Mbps sustained. > > > > Thanks! > > > > > > _______________________________________________ > freebsd-questions@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-questions > To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?04ae01ce2e92$1283bf10$378b3d30$>