From owner-freebsd-questions Wed Nov 29 21:03:08 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from operamail.com (OperaMail.com [199.29.68.79]) by hub.freebsd.org (Postfix) with ESMTP id BC15E37B402 for ; Wed, 29 Nov 2000 21:03:05 -0800 (PST)
X-WM-Posted-At: operamail.com; Thu, 30 Nov 00 00:03:05 -0500
X-WebMail-UserID: whelkman
Date: Thu, 30 Nov 2000 00:03:05 -0500
From: Robert Kosinski
To: questions@freebsd.org
X-EXP32-SerialNo: 00000000
Subject: Odd TCP / DNS behavior in 4.x
Message-ID: <3A2B6490@operamail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-Mailer: InterChange (Hydra) SMTP v3.61.08
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Greets to all.

I am using FreeBSD 4.2-STABLE (CTM 4.0342), but this problem has persisted throughout several upgrades of the machine. This box is used as a packet-filtering firewall with network address translation for a small, private class C network (192.168.0.0/24). Besides a minor problem with ICQ logging off about every ten minutes and then coming back on, all machines behind the firewall have TCP, UDP, etc. access as normal as you could expect from NAT.

The problem is: TCP access on the actual FreeBSD machine is flaky at best. For some reason, I can only connect to about 50% of all sites I have attempted. This problem affects FTP (and the ports collection), HTTP (and the Squid proxy), and probably all TCP-based traffic. The same 50% of the sites I cannot access remain constant. ICMP seems not affected. What appears to happen on the "dead" sites is a DNS lookup and an eventual timeout. The same DNS servers are used by the FreeBSD machine as well as machines behind the firewall, so I do not believe I am a victim of defective DNS servers.

I know this is not a problem with the NAT configuration because I have shut off NAT completely and used the FreeBSD machine as a regular client. Of course the problem persists.
I have to load at least a minimal IPFW rule set, since the machine's ports are closed by default. For now, I am using a minor variation of the "open" rule set from FreeBSD's default rc.firewall. Neither the original rc.firewall rule set nor the set I'm using results in proper communication from the physical FreeBSD machine. For the record, the IPFW rule set is

    /sbin/ipfw -f flush
    /sbin/ipfw add divert natd all from any to any via tun0
    /sbin/ipfw add pass all from any to any
    /sbin/ipfw add 100 pass all from any to any via lo0
    /sbin/ipfw add 200 deny all from any to 127.0.0.0/8

and the natd rule set is

    log no
    deny_incoming no
    same_ports yes
    dynamic yes
    verbose no
    interface tun0
    redirect_port tcp 192.168.0.2:2000-2020 2000-2020

Any help would be greatly appreciated. I'm not sure if this query was "technical" enough for the net list, so I posted it here. Apologies if posting to this list was in error.
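The rule set quoted in the post mixes unnumbered and numbered `ipfw add` commands, and the order ipfw actually evaluates them in is not the order they were typed. The following is an added example (not code from the post, nor FreeBSD's own) that replays those five commands through a toy model of two ipfw(8) behaviours: an unnumbered rule receives the highest existing number plus the auto-increment step (100 is assumed here as the default), and a rule added with a number that already exists is placed after the rule holding that number. The matcher only understands the syntax the post uses (pass/deny/divert, `all`, `from`/`to` with `any` or a CIDR, optional `via`); the sample packets are constructed for illustration.

```python
"""Toy first-match evaluator for the ipfw rule set quoted in the post.

Added example, not from the original post or from FreeBSD.  It models:
  * auto-numbering: a rule added without a number gets the highest existing
    number plus AUTOINC_STEP (assumed to be the 4.x default of 100);
  * equal numbers: a rule added with an existing number lands after the
    rule(s) already carrying that number.
Only the syntax used in the post is understood; this is not ipfw.
"""
import ipaddress

AUTOINC_STEP = 100  # assumption: ipfw's default auto-increment step

# Constructed from the rule set in the post, one ipfw(8) invocation per entry.
POSTED_RULESET = [
    "/sbin/ipfw -f flush",
    "/sbin/ipfw add divert natd all from any to any via tun0",
    "/sbin/ipfw add pass all from any to any",
    "/sbin/ipfw add 100 pass all from any to any via lo0",
    "/sbin/ipfw add 200 deny all from any to 127.0.0.0/8",
]


def parse_rule(body):
    """Parse the words after 'add' into a rule dict."""
    toks = body.split()
    number = int(toks.pop(0)) if toks[0].isdigit() else None
    action = toks.pop(0)                  # pass | deny | divert
    if action == "divert":
        toks.pop(0)                       # divert port name/number (natd)
    proto = toks.pop(0)                   # all | ip | tcp | udp | icmp
    if toks[0] != "from" or toks[2] != "to":
        raise ValueError("unsupported rule syntax: %s" % body)
    src, dst = toks[1], toks[3]
    via = toks[5] if len(toks) >= 6 and toks[4] == "via" else None
    return {"number": number, "action": action, "proto": proto,
            "src": src, "dst": dst, "via": via, "text": body}


def build_chain(commands):
    """Replay ipfw commands and return the chain in kernel evaluation order."""
    chain = []
    for cmd in commands:
        words = cmd.split()
        if words[0] == "/sbin/ipfw":
            words = words[1:]
        if words[:2] == ["-f", "flush"]:
            chain = []
            continue
        if words[0] != "add":
            raise ValueError("unsupported command: %s" % cmd)
        rule = parse_rule(" ".join(words[1:]))
        if rule["number"] is None:
            highest = max((r["number"] for r in chain), default=0)
            rule["number"] = highest + AUTOINC_STEP
        # Insert before the first rule with a strictly greater number, so an
        # equal number lands *after* the rule that already holds it.
        pos = next((i for i, r in enumerate(chain)
                    if r["number"] > rule["number"]), len(chain))
        chain.insert(pos, rule)
    return chain


def effective_order(commands=POSTED_RULESET):
    """(number, action, via) tuples in the order the kernel evaluates them."""
    return [(r["number"], r["action"], r["via"]) for r in build_chain(commands)]


def _addr_match(spec, addr):
    return spec == "any" or \
        ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def first_match(proto, src, dst, iface, commands=POSTED_RULESET):
    """Text of the first rule matching the packet; None means the implicit
    default rule 65535 would apply."""
    for r in build_chain(commands):
        if r["proto"] not in ("all", "ip", proto):
            continue
        if r["via"] is not None and r["via"] != iface:
            continue
        if _addr_match(r["src"], src) and _addr_match(r["dst"], dst):
            return r["text"]
    return None


if __name__ == "__main__":
    for entry in effective_order():
        print(entry)
    # Constructed packets: LAN client outbound, a loopback-destined packet
    # arriving on tun0, and host-local loopback traffic.
    print(first_match("tcp", "192.168.0.2", "10.1.2.3", "tun0"))
    print(first_match("tcp", "10.1.2.3", "127.0.0.1", "tun0"))
    print(first_match("tcp", "127.0.0.1", "127.0.0.1", "lo0"))
```

Running it shows the chain as 100 divert, 100 pass via lo0, 200 pass, 200 deny: the `deny ... to 127.0.0.0/8` line sorts behind the unnumbered `pass all`, and a packet to 127.0.0.1 arriving on tun0 is caught by the divert rule first, so the deny never fires. That also means this rule set is effectively "pass everything" and is not what blocks the host's own TCP sessions; when writing rules for rc.firewall, give every rule an explicit number (the stock rc.firewall uses 100/200/300 for the loopback rules and a lower number for the natd divert) so the order on the page is the order in the kernel.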