Date: Mon, 19 Aug 2002 10:49:04 +1000
From: "Leigh V" <leighv@roq.com>
To: <freebsd-questions@FreeBSD.ORG>, "Jim Arnold" <jarnold@knightridder.com>
Subject: Re: IPFilter/IPnat huge packet losses
Message-ID: <003401c2471a$378c2b50$2d01a8c0@michael>
References: <a05111b00b9858709f683@[192.168.0.4]>
Hmm, I don't know what's wrong. A quick glance at your ruleset and it looked OK.
You can try my ipfilter/ipnat setup script at www.roq.com/bsd/, which I have had
a number of emails back about claiming success.

----- Original Message -----
From: "Jim Arnold" <jarnold@knightridder.com>
To: <freebsd-questions@FreeBSD.ORG>
Sent: Monday, August 19, 2002 4:00 AM
Subject: IPFilter/IPnat huge packet losses

> Currently I run "The Wall," a floppy-based FreeBSD distro that uses IPFW and
> natd. This setup has worked wonderfully. I don't have packet losses with this
> setup from the firewall or inside the LAN.
>
> A few weeks ago I acquired a Pentium 233 box and decided to see if I could
> load FreeBSD stable and use IPFilter and ipnat as my firewall. The system
> install and upgrade to 4.6 stable with a kernel recompile was a breeze.
> Getting IPfilter to work is another matter...
>
> Right now I'm seeing packet losses anywhere in the 20 to 80 percent range
> when pinging an outside host from inside the firewall. From the firewall
> itself I get 0% packet losses.
>
> On the box using IPFW and natd I don't see packet losses at all, from the
> firewall itself or from any box inside the firewall.
>
> The IPfilter box has a Linksys LNE-100TX card for the external and an Intel
> EtherExpress Pro for the internal. I had a Netgear card that I tried as well
> and could not do any better, so I don't think it's a card issue itself.
>
> When I first booted up the new firewall I was seeing 80% packet losses.
> After running ipf -y my packet losses dropped down to 40%.
>
> I've posted all the relevant information I could think of below to help
> troubleshoot this. I like how the rule sets for IPfilter are written, but if
> it doesn't work I guess it's time for IPFW on this box, or to just stay with
> what I've got in the diskless box.
>
> Thanks for any help.
> Jim
>
> ===
> My ipf.rules file below. I had been using the rules from Marty Schlacter's
> guide at http://www.schlacter.dyndns.org/, but a Google search turned up
> that these rules aren't quite right and need to be tweaked to add an "S"
> flag for tcp connections. See
> http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&selm=9o2lf5%24191e%241%40FreeBSD.csie.NCTU.edu.tw&rnum=2
>
> # generic to all interfaces
> block in log quick all with opt lsrr
> block in log quick all with opt ssrr
> block in log quick all with ipopts
> block in log quick proto tcp all with short
> block in log quick proto icmp all with frag
> #
> # rules for the external dc0 interface
> # set up default deny on external interface:
> block in log on dc0 all
> block return-rst in log quick on dc0 proto tcp all flags S
> block return-icmp-as-dest(port-unr) in log quick on dc0 proto udp all
> # now keep state at the external interface on outgoing traffic:
> pass out quick on dc0 proto tcp from any to any flags S keep state
> pass out quick on dc0 proto udp from any to any keep state
> pass out quick on dc0 proto icmp from any to any keep state
> pass out quick on dc0 from any to any
> #
> # rules for the internal fxp0 interface
> # let the internal and loopback interfaces run free, but
> # squelch the netbios stuff so it doesn't create ipf states:
> block in quick on fxp0 from any to any port = 137
> block in quick on fxp0 from any to any port = 138
> block in quick on fxp0 from any to any port = 139
> block in quick on fxp0 from any port = 137 to any
> block in quick on fxp0 from any port = 138 to any
> block in quick on fxp0 from any port = 139 to any
> pass in quick on fxp0 all
> pass out quick on fxp0 all
> pass in quick on lo0 all
> pass out quick on lo0 all
> # eof
>
> ===
>
> lorne# more /etc/ipnat.rules
> map dc0 192.168.0.0/24 -> 0/32
>
> ====
>
> lorne# netstat -m
> 132/176/4096 mbufs in use (current/peak/max):
>         130 mbufs allocated to data
>         2 mbufs allocated to packet headers
> 128/144/1024 mbuf clusters in use (current/peak/max)
> 332 Kbytes allocated to network (10% of mb_map in use)
> 0 requests for memory denied
> 0 requests for memory delayed
> 0 calls to protocol drain routines
>
> ====
>
> lorne# netstat -nr
> Routing tables
>
> Internet:
> Destination        Gateway            Flags  Refs   Use  Netif  Expire
> default            204.210.211.1      UGSc      1    90  dc0
> 127.0.0.1          127.0.0.1          UH        1     0  lo0
> 192.168.0          link#1             UC        3     0  fxp0
> 192.168.0.2        00:d0:b7:14:13:43  UHLW      3    51  fxp0      974
> 192.168.0.4        00:30:65:b2:d1:04  UHLW      1   669  fxp0      348
> 192.168.0.99       00:04:5a:76:e7:30  UHLW      0    39  fxp0      974
> 204.210.211        link#2             UC        1     0  dc0
> 204.210.211.1      08:00:3e:03:15:54  UHLW      2     0  dc0      1118
> 204.210.211.15     127.0.0.1          UGHS      0     0  lo0
>
> =====
>
> fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
>         ether 00:02:b3:40:af:6b
>         media: Ethernet autoselect (100baseTX <full-duplex>)
>         status: active
> dc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         inet 204.210.211.XX netmask 0xffffff00 broadcast 255.255.255.255
>         ether 00:04:5a:42:03:32
>         media: Ethernet autoselect (10baseT/UTP)
>         status: active
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
>         inet 127.0.0.1 netmask 0xff000000
> ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
> sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 552
> faith0: flags=8002<BROADCAST,MULTICAST> mtu 1500
>
> =====
>
> lorne# ipnat -lv
> List of active MAP/Redirect filters:
> map sis0 192.168.0.0/24 -> 0.0.0.0/32
>
> List of active sessions:
> MAP 192.168.0.2 1158 <- -> 24.93.195.17 1158 [65.24.0.166 53]
>         age 1139 use 0 sumd 0x1ac4/0x1ac4 pr 17 bkt 3/116 flags 2
>         ifp sis0 bytes 376 pkts 4
> MAP 192.168.0.2 1158 <- -> 24.93.195.17 1158 [65.24.0.167 53]
>         age 1077 use 0 sumd 0x1ac4/0x1ac4 pr 17 bkt 43/29 flags 2
>         ifp sis0 bytes 376 pkts 4
> MAP 192.168.0.2 1158 <- -> 24.93.195.17 1158 [65.24.0.169 53]
>         age 1043 use 0 sumd 0x1ac4/0x1ac4 pr 17 bkt 123/109 flags 2
>         ifp sis0 bytes 376 pkts 4
> MAP 192.168.0.2 1158 <- -> 24.93.195.17 1158 [65.24.0.168 53]
>         age 1034 use 0 sumd 0x1ac4/0x1ac4 pr 17 bkt 83/69 flags 2
>         ifp sis0 bytes 1070 pkts 10
> MAP 192.168.0.2 1274 <- -> 24.93.195.17 1274 [207.111.214.245 8080]
>         age 439 use 0 sumd 0x1ac4/0x1ac4 pr 6 bkt 81/51 flags 1
>         ifp sis0 bytes 224 pkts 5
>
> List of active host mappings:
> 192.168.0.2 -> 0.0.0.0 (use = 5 hv = 36)
>
> ======
>
> from dmesg...
>
> net.inet.tcp.blackhole: 0 -> 2
> net.inet.udp.blackhole: 0 -> 1
> Doing initial network setup: hostname ipmon ipfilter
> 29: cannot use port and neither tcp or udp
> 30: cannot use port and neither tcp or udp
> 31: cannot use port and neither tcp or udp
> 32: cannot use port and neither tcp or udp
> 33: cannot use port and neither tcp or udp
> 34: cannot use port and neither tcp or udp
> ipnat
> 0 entries flushed from NAT table
> 0 entries flushed from NAT list
> .
> dc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         inet 204.210.211.15 netmask 0xffffff00 broadcast 255.255.255.255
>         ether 00:04:5a:42:03:32
>         media: Ethernet autoselect (10baseT/UTP)
>         status: active
> fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
>         ether 00:02:b3:40:af:6b
>         media: Ethernet autoselect (100baseTX <full-duplex>)
>         status: active
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
>         inet 127.0.0.1 netmask 0xff000000
> route: writing to routing socket: File exists
> add net default: gateway 24.93.195.1: File exists
> Additional routing options: IP gateway=YES TCP keepalive=YES.
>
> ===
>
> last few entries from the firewall log:
>
> Aug 18 05:14:26 lorne ipmon[54]: 05:14:26.411617 dc0 @0:7 b 67.98.72.16,1230 -> a11d015.neo.rr.com[204.210.211.XX],ms-sql-s PR tcp len 20 48 -S 1447744583 0 64512 IN
>
> Aug 18 07:47:44 lorne ipmon[54]: 07:47:43.143692 dc0 @0:7 b 61.146.224.238,3852 -> a11d015.neo.rr.com[204.210.211.XX],http PR tcp len 20 48 -S 2228540106 0 8760 IN
>
> Aug 18 07:47:44 lorne ipmon[54]: 07:47:44.046655 dc0 @0:7 b 61.146.224.238,3852 -> a11d015.neo.rr.com[204.210.211.XX],http PR tcp len 20 48 -S 2228540106 0 8760 IN
>
> Aug 18 07:47:45 lorne ipmon[54]: 07:47:45.051356 dc0 @0:7 b 61.146.224.238,3852 -> a11d015.neo.rr.com[204.210.211.XX],http PR tcp len 20 48 -S 2228540106 0 8760 IN
>
> Aug 18 08:14:01 lorne ipmon[54]: 08:14:01.555803 dc0 @0:7 b 5.Red-80-59-213.pooles.rima-tde.net[80.59.213.5],64278 -> a11d015.neo.rr.com[204.210.211.XX],http PR tcp len 20 48 -S 1946831331 0 16384 IN
>
> Aug 18 12:46:10 lorne ipmon[54]: 12:46:09.100057 dc0 @0:8 b a11a.neo.rr.com[204.210.192.1],bootps -> a11d015.neo.rr.com[204.210.211.15],bootpc PR udp len 20 337 IN
>
> Aug 18 12:46:52 lorne ipmon[54]: 12:46:52.549116 dc0 @0:6 b cs45.msg.sc5.yahoo.com[216.136.233.132],mmcc -> spike[192.168.0.2],1585 PR tcp len 20 40 -R 750297705 0 0 IN
>
> Aug 18 12:47:56 lorne ipmon[54]: 12:47:56.513019 dc0 @0:6 b cs45.msg.sc5.yahoo.com[216.136.233.132],mmcc -> spike[192.168.0.2],1585 PR tcp len 20 40 -R 750297705 0 0 IN

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?003401c2471a$378c2b50$2d01a8c0>
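The dmesg output quoted above shows six rules (29 through 34) rejected with "cannot use port and neither tcp or udp". Those are the six netbios `block in quick on fxp0 ... port = 13x` rules, which name a port but no protocol, so ipf refused to load them and the "squelch the netbios stuff" comment was never in effect. The following is an added example, not code from either poster: a small offline linter that reproduces that load-time check over an ipf ruleset and proposes the minimal fix, inserting `proto tcp/udp` ahead of the address clause. The sample ruleset embedded in it is a constructed excerpt modelled on the posted ipf.rules; the diagnostic strings are this script's own wording, not ipf's exact output.

```python
# Added example (not part of the original thread): lint an ipf(8) ruleset
# for rules that match on "port" or "flags" without a protocol that has
# them. ipf rejects such rules at load time, as the poster's dmesg shows,
# so everything after them in the file is silently weaker than intended.

# Constructed excerpt modelled on the posted ipf.rules. Only the two fxp0
# netbios rules are expected to fail; the rest carry a proto or no port.
SAMPLE_RULES = """\
# generic to all interfaces
block in log quick all with ipopts
block in log quick proto tcp all with short
# external dc0
block in log on dc0 all
block return-rst in log quick on dc0 proto tcp all flags S
pass out quick on dc0 proto tcp from any to any flags S keep state
pass out quick on dc0 proto udp from any to any keep state
# internal fxp0: squelch netbios
block in quick on fxp0 from any to any port = 137
block in quick on fxp0 from any port = 137 to any
pass in quick on fxp0 all
"""

# Protocol keywords under which ipf accepts a "port" comparison.
PORT_PROTOS = {"tcp", "udp", "tcp/udp"}


def protocol_of(tokens):
    """Return the value following the 'proto' keyword, or None if absent."""
    if "proto" in tokens:
        i = tokens.index("proto")
        if i + 1 < len(tokens):
            return tokens[i + 1]
    return None


def lint_rule(rule):
    """Return the diagnostics a single ipf rule would trigger (empty if OK)."""
    tokens = rule.split()
    proto = protocol_of(tokens)
    issues = []
    if "port" in tokens and proto not in PORT_PROTOS:
        issues.append("cannot use port and neither tcp or udp")
    if "flags" in tokens and proto != "tcp":
        issues.append("flags used without proto tcp")
    return issues


def lint_ruleset(text):
    """Return [(lineno, rule, issues)] for every offending rule.

    Comment and blank lines are skipped but still counted, so lineno matches
    the number ipf -f prints for the rejected rule.
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        rule = raw.split("#", 1)[0].strip()
        if not rule:
            continue
        issues = lint_rule(rule)
        if issues:
            findings.append((lineno, rule, issues))
    return findings


def fix_port_rule(rule):
    """Insert 'proto tcp/udp' before the address clause of a port rule that
    names no protocol. Rules that already carry a proto, or use no port, are
    returned unchanged."""
    tokens = rule.split()
    if "port" not in tokens or protocol_of(tokens) is not None:
        return rule
    # ipf grammar places the optional proto clause between "on <if>" and
    # the "from ... to ..." or "all" address part.
    anchor = next(i for i, t in enumerate(tokens) if t in ("from", "all"))
    return " ".join(tokens[:anchor] + ["proto", "tcp/udp"] + tokens[anchor:])


if __name__ == "__main__":
    for lineno, rule, issues in lint_ruleset(SAMPLE_RULES):
        print(f"{lineno}: {'; '.join(issues)}")
        print(f"    was: {rule}")
        print(f"    fix: {fix_port_rule(rule)}")
```

Run against the full posted file the linter reports exactly the six lines dmesg complained about; the corrected form `block in quick on fxp0 proto tcp/udp from any to any port = 137` loads cleanly. Note that the rejected rules are a correctness problem in the ruleset, not an explanation for the packet loss the poster describes: when they fail to load, netbios traffic simply falls through to `pass in quick on fxp0 all`.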