Date:      Mon, 19 Aug 2002 10:49:04 +1000
From:      "Leigh V" <leighv@roq.com>
To:        <freebsd-questions@FreeBSD.ORG>, "Jim Arnold" <jarnold@knightridder.com>
Subject:   Re: IPFilter/IPnat huge packet losses
Message-ID:  <003401c2471a$378c2b50$2d01a8c0@michael>
References:  <a05111b00b9858709f683@[192.168.0.4]>

Hmm, I don't know what's wrong. A quick glance at your ruleset and it looked
ok.
You can try my ipfilter / ipnat setup script at www.roq.com/bsd/, which I have
had a number of emails back claiming success.

----- Original Message -----
From: "Jim Arnold" <jarnold@knightridder.com>
To: <freebsd-questions@FreeBSD.ORG>
Sent: Monday, August 19, 2002 4:00 AM
Subject: IPFilter/IPnat huge packet losses


> Currently I run "The Wall," a floppy-based FreeBSD distro that uses IPFW and
> natd. This setup has worked wonderfully. I don't have packet losses with this
> setup from the firewall or inside the lan.
>
> A few weeks ago I acquired a pentium 233 box and decided to see if I could
> load FreeBSD stable and use IPFilter and ipnat as my firewall. The system
> install and upgrade to 4.6 stable with a kernel recompile was a breeze.
> Getting IPfilter to work is another matter...
>
> Right now I'm seeing packet losses from anywhere in the 20 to 80 percent
> range when pinging an outside host from inside the firewall. From the
> firewall itself I get 0% packet losses.
>
> On the box using IPFW and natd I don't see packet losses at all from the
> firewall itself or from any box inside the firewall.
>
> The IPfilter box has a linksys lne-100tx card for the external and an intel
> ee pro for the internal. I had a netgear card that I tried as well and could
> not do any better. So I don't think it's a card issue itself.
>
> When I first booted up the new firewall I was seeing 80% packet losses.
> After running ipf -y my packet losses dropped down to 40%.
>
> I've posted all the relevant information I could think of below to help
> troubleshoot this. I like how the rule sets for IPfilter are written but if
> it doesn't work I guess it's time to IPFW on this box or just stay with what
> I've got in the diskless box.
>
> Thanks for any help.
> Jim
>
> ===
> My ipf.rules file below. I had been using the rules from Marty Schlacter's
> guide at http://www.schlacter.dyndns.org/, but a google search turned up that
> these rules aren't quite right and need to be tweaked to add an "S" flag for
> tcp connections. See
>
> http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&selm=9o2lf5%24191e%241%40FreeBSD.csie.NCTU.edu.tw&rnum=2
>
>
> # generic to all interfaces
>      block in log quick all with opt lsrr
>      block in log quick all with opt ssrr
>      block in log quick all with ipopts
>      block in log quick proto tcp all with short
>      block in log quick proto icmp all with frag
> #
> # rules for the external dc0 interface
> # set up default deny on external interface:
>      block in log on dc0 all
>      block return-rst in log quick on dc0 proto tcp all flags S
>      block return-icmp-as-dest(port-unr) in log quick on dc0 proto udp all
> # now keep state at the external interface on outgoing traffic:
>      pass out quick on dc0 proto tcp from any to any flags S keep state
>      pass out quick on dc0 proto udp from any to any keep state
>      pass out quick on dc0 proto icmp from any to any keep state
>      pass out quick on dc0 from any to any
> #
> # rules for the internal fxp0 interface
> # let the internal and loopback interfaces run free, but
> # squelch the netbios stuff so it doesn't create ipf states:
>      block in quick on fxp0 from any to any port = 137
>      block in quick on fxp0 from any to any port = 138
>      block in quick on fxp0 from any to any port = 139
>      block in quick on fxp0 from any port = 137 to any
>      block in quick on fxp0 from any port = 138 to any
>      block in quick on fxp0 from any port = 139 to any
>      pass in quick on fxp0 all
>      pass out quick on fxp0 all
>      pass in quick on lo0 all
>      pass out quick on lo0 all
> # eof
>
> ===
>
> lorne# more /etc/ipnat.rules
> map dc0 192.168.0.0/24 -> 0/32
>
> ====
>
> lorne# netstat -m
> 132/176/4096 mbufs in use (current/peak/max):
>          130 mbufs allocated to data
>          2 mbufs allocated to packet headers
> 128/144/1024 mbuf clusters in use (current/peak/max)
> 332 Kbytes allocated to network (10% of mb_map in use)
> 0 requests for memory denied
> 0 requests for memory delayed
> 0 calls to protocol drain routines
>
> ====
>
> lorne# netstat -nr
> Routing tables
>
> Internet:
> Destination        Gateway            Flags    Refs      Use  Netif Expire
> default            204.210.211.1      UGSc        1       90    dc0
> 127.0.0.1          127.0.0.1          UH          1        0    lo0
> 192.168.0          link#1             UC          3        0   fxp0
> 192.168.0.2        00:d0:b7:14:13:43  UHLW        3       51   fxp0    974
> 192.168.0.4        00:30:65:b2:d1:04  UHLW        1      669   fxp0    348
> 192.168.0.99       00:04:5a:76:e7:30  UHLW        0       39   fxp0    974
> 204.210.211        link#2             UC          1        0    dc0
> 204.210.211.1      08:00:3e:03:15:54  UHLW        2        0    dc0   1118
> 204.210.211.15     127.0.0.1          UGHS        0        0    lo0
>
> =====
>
> fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>          inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
>          ether 00:02:b3:40:af:6b
>          media: Ethernet autoselect (100baseTX <full-duplex>)
>          status: active
> dc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>          inet 204.210.211.XX netmask 0xffffff00 broadcast 255.255.255.255
>          ether 00:04:5a:42:03:32
>          media: Ethernet autoselect (10baseT/UTP)
>          status: active
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
>          inet 127.0.0.1 netmask 0xff000000
> ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
> sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 552
> faith0: flags=8002<BROADCAST,MULTICAST> mtu 1500
>
> =====
>
> lorne# ipnat -lv
> List of active MAP/Redirect filters:
> map sis0 192.168.0.0/24 -> 0.0.0.0/32
>
> List of active sessions:
> MAP 192.168.0.2     1158  <- -> 24.93.195.17    1158  [65.24.0.166 53]
>          age 1139 use 0 sumd 0x1ac4/0x1ac4 pr 17 bkt 3/116 flags 2
>          ifp sis0 bytes 376 pkts 4
> MAP 192.168.0.2     1158  <- -> 24.93.195.17    1158  [65.24.0.167 53]
>          age 1077 use 0 sumd 0x1ac4/0x1ac4 pr 17 bkt 43/29 flags 2
>          ifp sis0 bytes 376 pkts 4
> MAP 192.168.0.2     1158  <- -> 24.93.195.17    1158  [65.24.0.169 53]
>          age 1043 use 0 sumd 0x1ac4/0x1ac4 pr 17 bkt 123/109 flags 2
>          ifp sis0 bytes 376 pkts 4
> MAP 192.168.0.2     1158  <- -> 24.93.195.17    1158  [65.24.0.168 53]
>          age 1034 use 0 sumd 0x1ac4/0x1ac4 pr 17 bkt 83/69 flags 2
>          ifp sis0 bytes 1070 pkts 10
> MAP 192.168.0.2     1274  <- -> 24.93.195.17    1274  [207.111.214.245 8080]
>          age 439 use 0 sumd 0x1ac4/0x1ac4 pr 6 bkt 81/51 flags 1
>          ifp sis0 bytes 224 pkts 5
>
> List of active host mappings:
> 192.168.0.2 -> 0.0.0.0 (use = 5 hv = 36)
>
> ======
>
> from dmesg...
>
> net.inet.tcp.blackhole:
> 0
>   ->
> 2
>
> net.inet.udp.blackhole:
> 0
>   ->
> 1
>
> Doing initial network setup:
>   hostname
>   ipmon
>   ipfilter
> 29: cannot use port and neither tcp or udp
> 30: cannot use port and neither tcp or udp
> 31: cannot use port and neither tcp or udp
> 32: cannot use port and neither tcp or udp
> 33: cannot use port and neither tcp or udp
> 34: cannot use port and neither tcp or udp
>   ipnat
> 0 entries flushed from NAT table
> 0 entries flushed from NAT list
> .
> dc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>          inet 204.210.211.15 netmask 0xffffff00 broadcast 255.255.255.255
>          ether 00:04:5a:42:03:32
>          media: Ethernet autoselect (10baseT/UTP)
>          status: active
> fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>          inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
>          ether 00:02:b3:40:af:6b
>          media: Ethernet autoselect (100baseTX <full-duplex>)
>          status: active
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
>          inet 127.0.0.1 netmask 0xff000000
> route:
> writing to routing socket
> :
> File exists
> add net default: gateway 24.93.195.1: File exists
> Additional routing options:
>   IP gateway=YES
>   TCP keepalive=YES
> .
>
> ===
>
>
> last few entries from the firewall log:
>
> Aug 18 05:14:26 lorne ipmon[54]: 05:14:26.411617 dc0 @0:7 b
> 67.98.72.16,1230 -> a11d015.neo.rr.com[204.210.211.XX],ms-sql-s PR
> tcp len 20 48 -S 1447744583 0 64512 IN
>
> Aug 18 07:47:44 lorne ipmon[54]: 07:47:43.143692 dc0 @0:7 b
> 61.146.224.238,3852 -> a11d015.neo.rr.com[204.210.211.XX],http PR tcp
> len 20 48 -S 2228540106 0 8760 IN
>
> Aug 18 07:47:44 lorne ipmon[54]: 07:47:44.046655 dc0 @0:7 b
> 61.146.224.238,3852 -> a11d015.neo.rr.com[204.210.211.XX],http PR tcp
> len 20 48 -S 2228540106 0 8760 IN
>
> Aug 18 07:47:45 lorne ipmon[54]: 07:47:45.051356 dc0 @0:7 b
> 61.146.224.238,3852 -> a11d015.neo.rr.com[204.210.211.XX],http PR tcp
> len 20 48 -S 2228540106 0 8760 IN
>
> Aug 18 08:14:01 lorne ipmon[54]: 08:14:01.555803 dc0 @0:7 b
> 5.Red-80-59-213.pooles.rima-tde.net[80.59.213.5],64278 ->
> a11d015.neo.rr.com[204.210.211.XX],http PR tcp len 20 48 -S
> 1946831331 0 16384 IN
>
> Aug 18 12:46:10 lorne ipmon[54]: 12:46:09.100057 dc0 @0:8 b
> a11a.neo.rr.com[204.210.192.1],bootps ->
> a11d015.neo.rr.com[204.210.211.15],bootpc PR udp len 20 337 IN
>
> Aug 18 12:46:52 lorne ipmon[54]: 12:46:52.549116 dc0 @0:6 b
> cs45.msg.sc5.yahoo.com[216.136.233.132],mmcc ->
> spike[192.168.0.2],1585 PR tcp len 20 40 -R 750297705 0 0 IN
>
> Aug 18 12:47:56 lorne ipmon[54]: 12:47:56.513019 dc0 @0:6 b
> cs45.msg.sc5.yahoo.com[216.136.233.132],mmcc ->
> spike[192.168.0.2],1585 PR tcp len 20 40 -R 750297705 0 0 IN
>
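
Two things in the quoted post are worth checking mechanically: the six "cannot use port and neither tcp or udp" errors in the dmesg excerpt correspond to the six `port = 137/138/139` rules, which match on a port without any `proto` clause, and the `ipnat -lv` listing shows the NAT map bound to `sis0` while `/etc/ipnat.rules` says `dc0` and ifconfig lists no `sis0` at all. The following is an added example, not code from the thread or from the IPFilter project: a small Python linter for those two mistakes, run over constructed sample lines copied from the posted configuration, with the "flags require proto tcp" check and the `add_proto` fix being this example's own suggestions rather than messages quoted from ipf.

```python
import re

# Constructed sample, copied from the posted ipf.rules. Rules 2 and 3 match on
# "port" with no "proto" clause, which ipf rejects at load time.
IPF_RULES = """\
block in log quick proto tcp all with short
block in quick on fxp0 from any to any port = 137
block in quick on fxp0 from any port = 137 to any
pass out quick on dc0 proto tcp from any to any flags S keep state
block return-rst in log quick on dc0 proto tcp all flags S
"""
# The running NAT map as printed by `ipnat -lv` names sis0; INTERFACES is the set from ifconfig.
IPNAT_RULES = "map sis0 192.168.0.0/24 -> 0.0.0.0/32\n"
INTERFACES = {"fxp0", "dc0", "lo0", "ppp0", "sl0", "faith0"}

def lint_ipf(text, interfaces):
    """Return (line_no, message) for rules ipf would reject or that name a missing interface."""
    problems = []
    for n, line in enumerate(text.splitlines(), 1):
        words = line.split()
        if not words or words[0].startswith("#"):
            continue  # blank line or comment
        proto = words[words.index("proto") + 1] if "proto" in words else None
        if re.search(r"\bport\b", line) and proto not in ("tcp", "udp", "tcp/udp"):
            problems.append((n, "cannot use port and neither tcp or udp"))
        if "flags" in words and proto != "tcp":
            problems.append((n, "flags require proto tcp"))  # our own check, not an ipf message
        if "on" in words and words[words.index("on") + 1] not in interfaces:
            problems.append((n, "unknown interface " + words[words.index("on") + 1]))
    return problems

def lint_ipnat(text, interfaces):
    """Flag map/rdr/bimap lines bound to an interface ifconfig does not show."""
    problems = []
    for n, line in enumerate(text.splitlines(), 1):
        m = re.match(r"(map|rdr|bimap)\s+(\S+)", line.strip())
        if m and m.group(2) not in interfaces:
            problems.append((n, "unknown interface " + m.group(2)))
    return problems

def add_proto(rule, proto="tcp/udp"):
    """Insert a proto clause before the address part so the port match becomes legal."""
    words = rule.split()
    for i, w in enumerate(words):
        if w in ("from", "all"):
            return " ".join(words[:i] + ["proto", proto] + words[i:])
    return rule
```

Running `lint_ipf(IPF_RULES, INTERFACES)` reports lines 2 and 3, and `lint_ipnat(IPNAT_RULES, INTERFACES)` reports the `sis0` binding; `add_proto` rewrites a port rule into the form ipf accepts.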