From: "Lewis Watson"
To: freebsd-ipfw@freebsd.org
Date: Sat, 20 Mar 2004 02:13:38 -0600
Subject: ping timeouts

Hello,

I would greatly appreciate some advice on the following situation...

Our goal is to use a FreeBSD box as a gateway/router for several clients. These clients are being provided Internet access through our network and, other than a few common worm holes blocked and bandwidth management, they should have open access.

We are passing traffic through the gateway at this time and bandwidth management seems to work fine (when browsing or just doing normal stuff it is not noticeable), but when pinging with a minimal load (one client behind the gateway sending 500-byte ICMP packets) we are getting around 15% to 25% timeouts. This occurs even if just pinging the internal interface.

If we move the host from behind the gateway it has no problem pinging another host. This occurs even when we remove dummynet pipes and rules. Also, we have tried this on two separate machines running FreeBSD 4.9. NICs are all 3Com 3c905 (xl0, xl1).

I am using the following rules after rebuilding the kernel with the additions mentioned below.

# Kernel Config Changes
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=10
options DUMMYNET
options HZ=1000

#!/bin/sh
# This is my attempt at using IPFW to allow a very open network.
# It's essentially open except for a very few things.
# See below, it's all commented.
#
fwcmd="/sbin/ipfw"

# Flush previous rules
${fwcmd} -f flush

# Block the Microsoft Worm :-), SQL in and Ident
${fwcmd} add deny udp from any to any 135-137,139,445
${fwcmd} add deny tcp from any to any 135-137,139,445,1434
${fwcmd} add reset tcp from any to any 113

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
${fwcmd} add deny all from any to 0.0.0.0/8
${fwcmd} add deny all from any to 169.254.0.0/16
${fwcmd} add deny all from any to 192.0.2.0/24
${fwcmd} add deny all from any to 224.0.0.0/4

# Each client would have an in and out pipe and their own subnet
# (pipe 1 shapes traffic into the client subnet, pipe 2 shapes traffic out of it)
${fwcmd} add pipe 1 ip from any to 192.168.1.252/30 in
${fwcmd} add pipe 2 ip from 192.168.1.252/30 to any out
${fwcmd} pipe 1 config bw 900Kbit/s queue 112Kbytes
${fwcmd} pipe 2 config bw 900Kbit/s queue 112Kbytes

# Everything else is allowed
${fwcmd} add 65000 pass all from any to any

Thanks,
Lewis
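The dummynet pipes in the ruleset above, as an added example that is not part of the original post or of FreeBSD's ipfw code: a small Python tool that parses the "pipe N config" and "add pipe N" lines, checks that every configured pipe has a matching rule, and reports how much delay a full queue can add at the configured bandwidth and how many bytes the pipe may release per kernel tick at a given HZ. The sample input is a constructed copy of the four pipe lines from the post. Assumptions, labelled in the code: the K multipliers (1000 for bandwidth, 1024 for queue bytes), the 50-slot default queue, and a 528-byte probe (500-byte ICMP payload plus 8-byte ICMP and 20-byte IP headers).

```python
"""Analyze dummynet pipe settings in an ipfw ruleset (added example, not from the post)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the pipe-related lines from the posted ruleset.
RULESET = """\
${fwcmd} add pipe 1 ip from any to 192.168.1.252/30 in
${fwcmd} add pipe 2 ip from 192.168.1.252/30 to any out
${fwcmd} pipe 1 config bw 900Kbit/s queue 112Kbytes
${fwcmd} pipe 2 config bw 900Kbit/s queue 112Kbytes
"""

DEFAULT_SLOTS = 50  # assumption: dummynet's default queue when none is given


@dataclass
class Pipe:
    number: int
    bw_bps: int                 # bandwidth in bits per second
    queue_bytes: Optional[int]  # byte-sized queue, or None if slot-sized
    queue_slots: Optional[int]  # slot-sized queue (packets), or None


def parse_bw(text: str) -> int:
    """'900Kbit/s', '2Mbit/s', '64KByte/s' -> bits per second.
    Assumption: K/M are decimal multipliers for bandwidth, as ipfw treats them."""
    m = re.fullmatch(r"(\d+)([kKmM]?)(bits?|bytes?)/s", text, re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised bandwidth: {text!r}")
    value = int(m.group(1)) * {"": 1, "k": 1000, "m": 1_000_000}[m.group(2).lower()]
    if m.group(3).lower().startswith("byte"):
        value *= 8
    return value


def parse_queue(text: str) -> Tuple[Optional[int], Optional[int]]:
    """'112Kbytes' -> (114688, None); '50' -> (None, 50) slots.
    Assumption: K means 1024 for queue sizes, as ipfw treats it."""
    m = re.fullmatch(r"(\d+)([kK]?)(bytes?)?", text, re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised queue size: {text!r}")
    n = int(m.group(1))
    if m.group(3) is None:          # bare number: queue measured in packets
        return None, n
    return n * (1024 if m.group(2) else 1), None


def parse_pipes(text: str) -> Dict[int, Pipe]:
    """Collect every 'pipe N config ...' line into a Pipe."""
    pipes: Dict[int, Pipe] = {}
    for m in re.finditer(r"\bpipe\s+(\d+)\s+config\s+(.*)", text):
        opts = m.group(2).split()
        bw, queue = 0, (None, DEFAULT_SLOTS)
        for key, val in zip(opts, opts[1:]):
            if key == "bw":
                bw = parse_bw(val)
            elif key == "queue":
                queue = parse_queue(val)
        pipes[int(m.group(1))] = Pipe(int(m.group(1)), bw, queue[0], queue[1])
    return pipes


def pipe_rules(text: str) -> Dict[int, List[str]]:
    """Map pipe number -> the match clauses of each 'add [num] pipe N ...' rule."""
    rules: Dict[int, List[str]] = {}
    for m in re.finditer(r"\badd\s+(?:\d+\s+)?pipe\s+(\d+)\s+(.*)", text):
        rules.setdefault(int(m.group(1)), []).append(m.group(2).strip())
    return rules


def unmatched(pipes: Dict[int, Pipe], rules: Dict[int, List[str]]) -> List[str]:
    """Pipes configured but never used, and rules pointing at unconfigured pipes."""
    problems = [f"pipe {n} configured but no rule sends traffic to it" for n in pipes if n not in rules]
    problems += [f"rule references pipe {n} which is never configured" for n in rules if n not in pipes]
    return problems


def analyze(pipe: Pipe, pkt_bytes: int = 528, hz: int = 1000) -> Dict[str, float]:
    """Delay a full queue can add, its depth in packets, and bytes released per tick."""
    if pipe.queue_bytes is not None:
        q_bytes, depth = pipe.queue_bytes, pipe.queue_bytes // pkt_bytes
    else:
        q_bytes, depth = pipe.queue_slots * pkt_bytes, pipe.queue_slots
    return {
        "max_queue_delay_ms": q_bytes * 8 * 1000 / pipe.bw_bps,
        "queue_depth_pkts": depth,
        "pkt_serialization_ms": pkt_bytes * 8 * 1000 / pipe.bw_bps,
        "bytes_per_tick": pipe.bw_bps / 8 / hz,
    }


if __name__ == "__main__":
    pipes = parse_pipes(RULESET)
    for problem in unmatched(pipes, pipe_rules(RULESET)):
        print("warning:", problem)
    for pipe in pipes.values():
        stats = analyze(pipe)
        print(f"pipe {pipe.number}: bw {pipe.bw_bps} bit/s, "
              f"full queue adds {stats['max_queue_delay_ms']:.0f} ms "
              f"({stats['queue_depth_pkts']} x 528-byte packets), "
              f"{stats['bytes_per_tick']:.1f} bytes/tick at HZ=1000")
```

For the posted pipes the tool reports that a full 112 Kbyte queue at 900 Kbit/s holds a little over a second of traffic, so a probe queued behind bulk traffic can arrive late enough to be counted as a timeout without any packet being dropped; that is worth knowing when reading ping results through a shaped link, though it says nothing about loss observed after the pipes have been removed. The bytes-per-tick figure shows why the post's HZ=1000 matters: at the default HZ=100 the same pipe would release ten times as many bytes per tick, making the shaping noticeably burstier.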