From owner-freebsd-questions@FreeBSD.ORG Thu Dec 4 07:53:19 2003
From: Garry Hill
To: FreeBSD <freebsd-questions@freebsd.org>
Date: Thu, 4 Dec 2003 12:53:14 -0300
Subject: can ping, can't download through firewall
X-Mailer: Mailsmith 2.0.2 (Blindsider)

Hi,

I'm a reasonably experienced Linux/BSD user. I've installed a few boxes in my time, usually with a good level of success, but this time I'm stumped/jiggered.

I'm trying to set up a FreeBSD gateway to share my cable modem connection. From the gateway itself I can ping the world, from the attached clients I can ping the world, I can even do DNS lookups. Doing:

    curl --head http://www.website.com

gives me a good-looking header and everything, but if I do

    lynx http://www.website.com

no joy. I get:

    HTTP request sent; waiting for response.

and it stops there. This is true from both the clients and the gateway itself. I just can't download anything for all the pings in the world.

My current setup is:

-- kernel config:

    options IPFIREWALL
    options IPDIVERT
    options IPFIREWALL_DEFAULT_TO_ACCEPT
    options IPFIREWALL_VERBOSE
    options IPFIREWALL_VERBOSE_LIMIT=10

-- /etc/rc.conf:

    gateway_enable="YES"
    firewall_enable="YES"
    firewall_type="OPEN"
    natd_enable="YES"
    natd_interface=" rl0"
    natd_flags=""

which are both straight out of the handbook.

-- ipfw -a list:

    00050 1844 130026 divert 8668 ip from any to any via rl0
    00100 96 11166 allow ip from any to any via lo0
    00200 0 0 deny ip from any to 127.0.0.0/8
    00300 0 0 deny ip from 127.0.0.0/8 to any
    65000 2481 200907 allow ip from any to any
    65535 0 0 allow ip from any to any

I've tried the same thing using ipfilter and ipnat instead of natd and ipfw, with the same results.

Ethernet cards: a pair of 8139's, rl0 external, rl1 internal. As far as I can tell they work fine. On the internal network the pings are 100%; I can ftp, ssh, the works, without problem.

I've noticed that if I turn on the firewall my pings to the ISP's router are much, much less reliable, sometimes losing 30%+ of the packets, but generally degraded compared to the setup with no firewall enabled. The firewall stats show that everything is passing OK.

I really don't know what's going on. Unfortunately my web searches have turned up nothing similar. Does anyone have any ideas/comments/suggestions/experience of the same? Is it the network cards? Pings from the client machine when connected directly work perfectly, but from the gateway they are at best a little dodgy, losing 15% of the packets. Is there some incompatibility between the network card and the router?

Oh, and the install is FreeBSD 4.9-RELEASE.

Any help greatly appreciated. It's doing my head in.

Garry
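An added example, not part of Garry's message or of FreeBSD's own scripts, for sanity-checking a natd/ipfw gateway of the kind described above from a shell. It embeds the rc.conf fragment and the `ipfw -a list` output quoted in the message as constructed samples (the rc.conf sample keeps the leading space in `natd_interface` exactly as quoted), extracts the NAT interface from rc.conf, and verifies that the listing has a divert-to-natd rule on that interface, that the rule is numbered before the first catch-all allow rule (so natd actually sees the traffic), and that the rule has matched packets. The function names `rc_nat_interface` and `check_ipfw_nat` and the natd port 8668 are taken from the message or chosen here; the whole script is an assumption about how one would check such a setup, not a diagnosis of the problem in the message.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a natd + ipfw
# gateway configuration. Samples below are constructed from the message.

# Constructed sample: the /etc/rc.conf fragment quoted in the message.
SAMPLE_RC='gateway_enable="YES"
firewall_enable="YES"
firewall_type="OPEN"
natd_enable="YES"
natd_interface=" rl0"
natd_flags=""'

# Constructed sample: the `ipfw -a list` output quoted in the message.
# Column layout: rulenum packets bytes action ...
SAMPLE_RULES='00050 1844 130026 divert 8668 ip from any to any via rl0
00100 96 11166 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
65000 2481 200907 allow ip from any to any
65535 0 0 allow ip from any to any'

# rc_nat_interface < rc.conf
# Prints the value of natd_interface with surrounding whitespace trimmed,
# so a stray space inside the quotes does not leak into later checks.
rc_nat_interface() {
    sed -n 's/^natd_interface="[[:space:]]*\([^"[:space:]]*\)[[:space:]]*"$/\1/p'
}

# check_ipfw_nat EXTERNAL_IF < ipfw-listing
# Returns 0 and prints OK when:
#   1. a "divert 8668 ... via EXTERNAL_IF" rule exists,
#   2. its rule number is lower than the first interface-independent
#      "allow ip from any to any" rule (otherwise natd never sees traffic),
# and warns (still returns 0) when the divert rule has matched no packets.
check_ipfw_nat() {
    awk -v ifn="$1" '
        # first divert-to-natd rule on the external interface
        $4 == "divert" && $5 == "8668" && $NF == ifn && divert == "" {
            divert = $1 + 0       # "+ 0" strips leading zeros (decimal)
            divert_pkts = $2 + 0
        }
        # first catch-all allow rule: exactly 9 fields means no "via"/"in"/"out"
        $4 == "allow" && $5 == "ip" && $7 == "any" && $9 == "any" && NF == 9 && allow == "" {
            allow = $1 + 0
        }
        END {
            if (divert == "") {
                print "FAIL: no divert-to-natd (port 8668) rule via " ifn
                exit 1
            }
            if (allow != "" && allow < divert) {
                print "FAIL: catch-all allow rule " allow " precedes divert rule " divert \
                      ": outbound traffic bypasses natd"
                exit 1
            }
            if (divert_pkts == 0) {
                print "WARN: divert rule " divert " has not matched any packets yet"
            }
            print "OK: divert rule " divert " (" divert_pkts " pkts) runs before catch-all " allow
            exit 0
        }'
}

# Stand-alone run over the constructed samples.
nat_if=$(printf '%s\n' "$SAMPLE_RC" | rc_nat_interface)
printf '%s\n' "$SAMPLE_RULES" | check_ipfw_nat "$nat_if"
```

On a live gateway the same two functions would be fed `rc_nat_interface < /etc/rc.conf` and `ipfw -a list | check_ipfw_nat "$nat_if"`. The ordering check matters because ipfw evaluates rules in number order and stops at the first terminal match: a catch-all `allow` numbered below the `divert` rule would pass packets untranslated.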