Date: Mon, 4 Dec 2000 17:06:12 -0500
From: Robert Kosinski <whelkman@operamail.com>
To: Nick Rogness <nick@rapidnet.com>
Cc: freebsd-net <freebsd-net@freebsd.org>
Subject: RE: Odd TCP / DNS behavior in 4.x
Message-ID: <3A2CF65D@operamail.com>
Thank you for your prompt reply, Mr. Rogness.

> Did you try running on different hardware?

No, but I do not see how the outgoing device can be at fault. The outgoing device is a US Robotics 56K Voice/Fax modem (yuck, I know). It has given me flawless operation under several operating systems and even appears to function normally under FreeBSD. As I said, there are no problems NAT-ting through the box, just using the FreeBSD machine itself. The only hardware I have to swap in place of it is another USR 56k modem.

> Any unusual syslog entries?

There aren't any normal syslog entries at all, but if I browse through Squid, I receive the following log entries in access.log several minutes after attempting to access the site:

975964740.216 240966 192.168.0.2 TCP_MISS/504 1039 GET http://litestep.org/ - DIRECT/litestep.org -

Of course, I have attempted to connect to litestep.org (which is just a redirect to litestep.net, which does not work, either).

975965019.609 241570 192.168.0.2 TCP_MISS/504 1041 GET http://209.116.0.210/ - DIRECT/209.116.0.210 -

I resolved litestep.org to its IP, 209.116.0.210, and attempted to connect to that. litestep.org, www.litestep.org, litestep.net, and www.litestep.net all share the same IP. A 504 is a gateway timeout, I know, but that's about all I can say regarding it. Just to refresh, by turning off Squid (which resides on the FreeBSD box) and connecting to a site without it from a machine behind the firewall (i.e. using packet forwarding), the site will load correctly.

> Are you running bind?

No.

> Rule #100 and #200 never get used in the above ruleset. Move them
> to before the natd statement.

I was wondering about that. I didn't think there was a chance they would get used, either. Truth is, I just ripped that off of FreeBSD Diary and never paid attention to the rules, since those and the FreeBSD-shipped "open" ruleset function the same as far as connections from the physical FreeBSD machine are concerned.

> If you are going to use rule numbers use rule numbers on every rule.
> Makes it easier to understand (IMO).

I agree. Whenever I get around to writing my own firewall, I will place numbers before each rule, but that firewall isn't mine.

> What is the output of `ipfw -a l' ?

After moving 100 and 200 above the natd statement per your suggestion, the output is:

00100 0 0 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 20 1767 divert 8668 ip from any to any via tun0
00400 274 15868 allow ip from any to any
65535 4 237 deny ip from any to any

> Turn off deny_incoming while testing.

Done.

Well, that's about all I can say for now. Thank you very much for your reply. I appreciate it.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
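One way to read the `ipfw -a l` counters quoted in this message for the kind of ordering problem Nick raised (an added example, not code from the thread or from FreeBSD; the embedded listing is the one quoted above, while the zero-counter and catch-all heuristics are assumptions of this example, not anything ipfw itself reports):

```python
"""Parse FreeBSD 4.x `ipfw -a l` output and report which rules ever match.

Column layout: rule-number packets bytes action [divert-port] proto from ... [via iface].
The sample listing below is constructed from the one quoted in the message.
"""
import re
from dataclasses import dataclass

IPFW_LISTING = """\
00100 0 0 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 20 1767 divert 8668 ip from any to any via tun0
00400 274 15868 allow ip from any to any
65535 4 237 deny ip from any to any
"""

LINE_RE = re.compile(r"^(\d{1,5})\s+(\d+)\s+(\d+)\s+(\S+)\s+(.*)$")


@dataclass
class Rule:
    number: int
    packets: int
    bytes: int
    action: str   # allow / deny / divert / ...
    body: str     # remainder of the rule text, e.g. "ip from any to any via lo0"


def parse_listing(text):
    """Turn the textual listing into Rule records; reject lines that don't fit."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised ipfw line: {line!r}")
        rules.append(Rule(int(m[1]), int(m[2]), int(m[3]), m[4], m[5]))
    return rules


def unmatched_rules(rules):
    """Rules whose packet counter is zero: nothing has matched them since the
    counters were last cleared, so they are either unreachable or simply idle."""
    return [r.number for r in rules if r.packets == 0]


def rules_shadowed_by_catchall(rules):
    """Rule numbers that come after an unrestricted 'allow ip from any to any';
    no packet evaluated after that rule was installed can reach them."""
    shadowed, catchall_seen = [], False
    for r in rules:
        if catchall_seen:
            shadowed.append(r.number)
        if r.action == "allow" and r.body == "ip from any to any":
            catchall_seen = True
    return shadowed
```

On this listing the zero-counter check flags rules 100 and 200, and the catch-all check flags only the default rule 65535, which is what you would expect once the two rules sit above the divert.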