From: Aaron Walker
To: Bill Moran
Cc: freebsd-questions@freebsd.org
Subject: Re: please help: nntp and gaming with ipfw
Date: 06 Mar 2003 09:50:54 -0500

I have cut & pasted the entire output from "ipfw show" and ifconfig at the
bottom of this message.

On Thu, 2003-03-06 at 09:07, Bill Moran wrote:
> Aaron Walker wrote:
> > I have FreeBSD 4.7 running on my old p100 setup as a firewall..
> > everything works except for 2 things: nntp (it somewhat works) and
> > playing a game through the firewall from a windows box (battlefield 1942
> > specifically)
> >
> > With nntp I can view newsgroups but I get a lot of lag.. more like it
> > freezes.. in mozilla mail when I click on a message on a newsgroup, it
> > just sits there and says "Loading document..." in the status bar.
> > Sometimes it works, but the majority of the time I have that problem. I
> > know it is not mozilla that is the problem because I can produce it on
> > my windows box with other news clients. Here is the output of "ipfw
> > show | grep 119"
> >
> > 00425 30925 1359340 allow tcp from any to any 119 keep-state out xmit ep0 setup
> > 00426     0       0 allow udp from any to any 119 keep-state out xmit ep0
> > 00605     0       0 allow tcp from any 119 to any keep-state in recv ep0 setup
> > 00606     0       0 allow udp from any 119 to any keep-state in recv ep0
> >
> > if it's not the firewall and these rules are ok, then what else could it
> > be?
>
> I have no idea. There's no way to tell if those rules are OK without the
> rest of the firewall rules. Are they before or after your divert rule? Are
> there rules before them that could be catching traffic and handling it wrong?
>
> > With Battlefield 1942.. it uses port 14567. I can't get this to work at
> > all.
> >
> > I have the following in my firewall rules:
> >
> > 00335 0 0 allow tcp from any 14567 to any keep-state out xmit ep0 setup
> >
> > 00336 0 0 allow udp from any 14567 to any keep-state out xmit ep0
> >
> > 00620 0 0 allow tcp from any to any 14567 keep-state in recv ep0 setup
> >
> > 00621 0 0 allow udp from any to any 14567 keep-state in recv ep0
>
> Same problem ... it's almost impossible to diagnose ipfw problems without the
> entire ipfw ruleset.
>
> > any ideas what's wrong with these rules?
>
> I can give you 1000 guesses ...
>
> > any help is greatly appreciated.
>
> Please post the entire ruleset as well as the output from ifconfig. Then we'll
> have enough information to make some guesses as to what's wrong.
>
> --
> Bill Moran
> Potential Technologies
> http://www.potentialtech.com
>

00100 36 1800 allow ip from any to any via lo0
00110 0 0 deny log logamount 100 ip from any to 127.0.0.0/8
00120 0 0 deny log logamount 100 ip from 127.0.0.0/8 to any
00130 0 0 allow tcp from 192.168.1.0 22 to 192.168.1.1 22 in recv xl0
00150 500832 388399050 divert 8668 ip from any to any via ep0
00200 0 0 check-state
00210 1101024 807028279 allow ip from any to any keep-state via xl0
00250 0 0 deny ip from any to any in recv ep0 frag
00260 2227 246865 deny tcp from any to any in recv ep0 established
00300 165208 8180966 allow tcp from any to any 80 keep-state out xmit ep0 setup
00301 2091 533681 allow tcp from any to any 443 keep-state out xmit ep0 setup
00310 0 0 allow tcp from any to 24.95.227.36 53 keep-state out xmit ep0 setup
00311 1240 88966 allow udp from any to 24.95.227.36 53 keep-state out xmit ep0
00312 0 0 allow tcp from any to 24.52.201.67 53 keep-state out xmit ep0 setup
00313 0 0 allow udp from any to 24.52.201.67 53 keep-state out xmit ep0
00314 0 0 allow tcp from any to 24.95.227.34 53 keep-state out xmit ep0 setup
00315 1 67 allow udp from any to 24.95.227.34 53 keep-state out xmit ep0
00316 0 0 allow tcp from any to 24.95.227.35 53 keep-state out xmit ep0 setup
00317 0 0 allow udp from any to 24.95.227.35 53 keep-state out xmit ep0
00330 13 2992 allow tcp from any to any 25 keep-state out xmit ep0 setup
00331 6080 269163 allow tcp from any to any 110 keep-state out xmit ep0 setup
00335 0 0 allow tcp from any 14567 to any keep-state out xmit ep0 setup
00336 0 0 allow udp from any 14567 to any keep-state out xmit ep0
00340 0 0 allow tcp from me to any uid root keep-state out xmit ep0 setup
00342 0 0 allow udp from me to any 33435-33500 keep-state out xmit ep0
00343 0 0 allow log logamount 100 icmp from any to me limit src-addr 2 in recv ep0 icmptype 3,11
00350 48 4613 allow icmp from any to any keep-state out xmit ep0
00375 40 1897 allow tcp from me to any 21 keep-state out xmit ep0 setup
00376 18 728 allow tcp from me to any 10000-65000 keep-state out xmit ep0 setup
00380 0 0 allow tcp from any to any 22 keep-state out xmit ep0 setup
00390 0 0 allow tcp from any to any 23 keep-state out xmit ep0 setup
00396 0 0 allow tcp from any to any 37 keep-state out xmit ep0 setup
00397 0 0 allow udp from any to any 37 keep-state out xmit ep0
00400 0 0 allow tcp from any to any 113 keep-state out xmit ep0 setup
00401 0 0 allow udp from any to any 113 keep-state out xmit ep0
00410 0 0 allow tcp from any to any 194 keep-state out xmit ep0 setup
00411 0 0 allow udp from any to any 194 keep-state out xmit ep0
00412 5066 239724 allow tcp from any to any 5190 keep-state out xmit ep0
00413 0 0 allow udp from any to any 5190 keep-state out xmit ep0
00414 0 0 allow tcp from any to any 43 keep-state out xmit ep0 setup
00415 0 0 allow udp from any to any 43 keep-state out xmit ep0
00425 31145 1370282 allow tcp from any to any 119 keep-state out xmit ep0 setup
00426 0 0 allow udp from any to any 119 keep-state out xmit ep0
00600 0 0 allow tcp from any to any 80 limit src-addr 4 in recv ep0 setup
00605 0 0 allow tcp from any 119 to any keep-state in recv ep0 setup
00606 0 0 allow udp from any 119 to any keep-state in recv ep0
00610 46 2096 allow tcp from any to me 21 limit src-addr 4 in recv ep0 setup
00611 0 0 allow tcp from any 20 to any 1024-49151 limit src-addr 4 out xmit ep0 setup
00630 0 0 allow tcp from any to any 14567 keep-state in recv ep0 setup
00635 20 2357 allow log logamount 100 icmp from any to me in recv ep0 icmptype 0,8
00637 0 0 allow tcp from any to any 5190 keep-state in recv ep0
00638 0 0 allow udp from any to any 5190 keep-state in recv ep0
00700 0 0 allow udp from 0.0.0.0 68 to 255.255.255.255 67 in recv ep0
00701 0 0 allow udp from me 68 to 24.95.227.36 67 out xmit ep0
00702 0 0 allow udp from 24.95.227.36 67 to me 68 in recv ep0
00705 12534 4438446 deny udp from any to 255.255.255.255 in recv ep0
00706 0 0 deny udp from 0.0.0.0 to any in recv ep0
00720 0 0 deny log logamount 100 icmp from any to any in recv ep0 icmptype 5
00730 0 0 deny log logamount 100 ip from me to me in recv ep0
00740 0 0 deny log logamount 100 icmp from any to me in recv ep0 icmptype 0,8
65535 8042 1163583 deny ip from any to any

ifconfig:

xl0: flags=8843 mtu 1500
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
        inet6 fe80::260:8ff:feab:c2fb%xl0 prefixlen 64 scopeid 0x1
        ether 00:60:08:ab:c2:fb
        media: Ethernet 10baseT/UTP
ep0: flags=8843 mtu 1500
        inet6 fe80::260:8ff:feac:d76a%ep0 prefixlen 64 scopeid 0x2
        inet 24.26.107.86 netmask 0xfffffe00 broadcast 255.255.255.255
        ether 00:60:08:ac:d7:6a
        media: Ethernet 10baseT/UTP
lo0: flags=8049 mtu 16384
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
        inet 127.0.0.1 netmask 0xff000000
faith0: flags=8002 mtu 1500

Thanks,
Aaron
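
Added example, not part of the original message or of ipfw itself: a small parser for "ipfw show" output that lists every rule naming a given port together with its packet counter, which is the per-rule view the questions quoted above ask for. The function names are hypothetical, and the parser assumes the simple "from <addr> [ports] to <addr> [ports]" rule form used in this listing.

```python
import re
from typing import NamedTuple, Optional

# Excerpt of the "ipfw show" listing posted in the message above.
SAMPLE = """\
00150 500832 388399050 divert 8668 ip from any to any via ep0
00335 0 0 allow tcp from any 14567 to any keep-state out xmit ep0 setup
00336 0 0 allow udp from any 14567 to any keep-state out xmit ep0
00376 18 728 allow tcp from me to any 10000-65000 keep-state out xmit ep0 setup
00425 31145 1370282 allow tcp from any to any 119 keep-state out xmit ep0 setup
00605 0 0 allow tcp from any 119 to any keep-state in recv ep0 setup
00630 0 0 allow tcp from any to any 14567 keep-state in recv ep0 setup
65535 8042 1163583 deny ip from any to any
"""
PORTS = re.compile(r"^\d+(-\d+)?(,\d+(-\d+)?)*$")  # 119, 20-21, 80,443

class Rule(NamedTuple):
    num: int
    packets: int
    src_ports: Optional[str]
    dst_ports: Optional[str]

def _ports_after(tokens, keyword):
    # "<keyword> <addr> [ports]": the port list, if any, is two tokens on.
    i = tokens.index(keyword) + 2 if keyword in tokens else len(tokens)
    return tokens[i] if i < len(tokens) and PORTS.match(tokens[i]) else None

def parse_ipfw_show(text):
    rules = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[0].isdigit():  # number, packets, bytes, rule body
            rules.append(Rule(int(f[0]), int(f[1]),
                              _ports_after(f, "from"), _ports_after(f, "to")))
    return rules

def _covers(portlist, port):
    # True when the port equals an entry or falls inside a lo-hi range.
    return portlist is not None and any(
        int(lo) <= port <= int(hi or lo)
        for lo, _, hi in (p.partition("-") for p in portlist.split(",")))

def rules_for_port(rules, port):
    """(rule number, 'src' or 'dst', packet count) for every rule naming the port."""
    return [(r.num, side, r.packets) for r in rules
            for side, pl in (("src", r.src_ports), ("dst", r.dst_ports))
            if _covers(pl, port)]

if __name__ == "__main__":
    print({p: rules_for_port(parse_ipfw_show(SAMPLE), p) for p in (119, 14567)})
```

On a live firewall the same functions can be fed the text captured from "ipfw show" instead of the embedded excerpt.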