Date:      Mon, 9 Feb 2004 11:30:48 +0200 (SAST)
From:      Wayne Swart <wayne@fixx.co.za>
To:        FreeBSD Mailing List <freebsd-questions@FreeBSD.ORG>
Subject:   slow ipfw rules
Message-ID:  <20040209112634.S427@gemini.fixx.co.za>

Hello everyone

I have a NAT box with a default-to-deny ruleset, but whenever I ftp
through it I get a transfer rate of +/- 3kb/s (over LAN)

Below is what I have in my firewall script:


ipfw disable firewall
ipfw -f flush

int_if=fxp0
ext_if=rl0

# IPFW Count Rules for MRTG
ipfw add 10001 count ip from 10.0.5.100 to any via $int_if
ipfw add 10002 count ip from any to 10.0.5.100 via $int_if

# NAT
ipfw add divert natd ip from any to any via $ext_if

# Established Rules
ipfw add allow tcp from any to any established

# Squid
ipfw add allow tcp from <someip> to me 8080

# DNS
ipfw add allow udp from any 53 to any
ipfw add allow udp from any to any 53

# NFS Stuff
ipfw add allow all from 10.0.5.252 to any
ipfw add allow all from any to 10.0.5.252

# SNMP
ipfw add allow tcp from <someip> to me 161 in via $ext_if
ipfw add allow udp from <someip> to me 161 in via $ext_if

# FTP
ipfw add allow tcp from any to any 21
ipfw add allow tcp from any to any 20
ipfw add allow tcp from any to any 49152-65535

# Internal Lan
ipfw add reset tcp from 10.0.5.0/24 to any 80
ipfw add allow all from 10.0.5.0/24 to 10.0.5.0/24
ipfw add allow all from any to 10.0.5.0/24
ipfw add allow all from 10.0.5.0/24 to any

# HTTP
ipfw add allow tcp from 10.0.5.0/24 to me 80
ipfw add allow tcp from <someip> to me 80

# ICMP
ipfw add allow icmp from any to any

# SSH
ipfw add allow ip from <someip> to me

# localhost
ipfw add allow all from me to any

# Finally - Enable the firewall again
ipfw enable firewall

I have replaced NICs and everything but to no avail.
Please help.

Thanks

Wayne

In a world with no boundaries, Who Needs Gates?
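The first thing to check with a ruleset like the one above is which rules the FTP traffic actually lands on, and in particular whether packets are falling through to the default rule (65535, which is a deny on a default-to-deny kernel). ipfw keeps per-rule packet and byte counters that `ipfw -a list` (or `ipfw show`) prints in front of each rule, and `ipfw zero` resets them before a test transfer. The script below is an added example, not part of the original post or of FreeBSD's ipfw: it parses that counter output and reports the busiest rules, the rules that never matched, and the packets that reached the default rule. The sample output it parses is constructed to resemble the poster's ruleset (rule numbers are the ones ipfw's default autoinc step of 100 would assign after the 10001/10002 count rules; 192.0.2.10 stands in for the `<someip>` placeholders, and the counters are made up).

```python
import re
from collections import namedtuple

# Constructed sample of `ipfw -a list` output, modelled on the poster's
# ruleset. Counters and the 192.0.2.10 address are invented for illustration;
# ipfw prints the natd divert port (8668) and normalises "to me 8080" to
# "to me dst-port 8080" when it lists rules.
SAMPLE_IPFW_SHOW = """\
10001      812    61234 count ip from 10.0.5.100 to any via fxp0
10002      790   842113 count ip from any to 10.0.5.100 via fxp0
10100     3391  1920044 divert 8668 ip from any to any via rl0
10200     2710  1703322 allow tcp from any to any established
10300        0        0 allow tcp from 192.0.2.10 to me dst-port 8080
10400       42     4116 allow udp from any 53 to any
10500       40     2880 allow udp from any to any dst-port 53
11000       18     1080 allow tcp from any to any dst-port 21
11100        0        0 allow tcp from any to any dst-port 20
11200        9      540 allow tcp from any to any dst-port 49152-65535
65535      611    36660 deny ip from any to any
"""

Rule = namedtuple("Rule", "number packets bytes body")

# rulenum, packet count, byte count, then the rule text
LINE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(.*\S)\s*$")

DEFAULT_RULE = 65535  # ipfw's built-in last rule; deny on a default-to-deny kernel


def parse_ipfw_show(text):
    """Turn `ipfw -a list` output into Rule tuples, skipping unparseable lines."""
    rules = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rules.append(Rule(int(m.group(1)), int(m.group(2)),
                          int(m.group(3)), m.group(4)))
    return rules


def top_rules_by_packets(rules, n=5):
    """Rules ordered by how much traffic they matched; these decide throughput."""
    return sorted(rules, key=lambda r: r.packets, reverse=True)[:n]


def rules_never_hit(rules):
    """Rules with a zero packet counter: candidates for being shadowed or wrong."""
    return [r for r in rules if r.packets == 0]


def default_rule_hits(rules):
    """Packets that fell through every explicit rule to the default rule.
    A non-zero count on a deny default means something the ruleset did not
    anticipate is being dropped, which shows up as stalls and retransmits."""
    for r in rules:
        if r.number == DEFAULT_RULE:
            return r.packets
    return 0


def report(text):
    rules = parse_ipfw_show(text)
    lines = ["Busiest rules:"]
    for r in top_rules_by_packets(rules):
        lines.append(f"  {r.number:5d} {r.packets:7d} pkts  {r.body}")
    lines.append("Rules never matched:")
    for r in rules_never_hit(rules):
        lines.append(f"  {r.number:5d}  {r.body}")
    dropped = default_rule_hits(rules)
    lines.append(f"Packets reaching rule {DEFAULT_RULE}: {dropped}")
    return "\n".join(lines)


if __name__ == "__main__":
    # On a FreeBSD box: ipfw zero; run the transfer; ipfw -a list | python3 this.py
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_IPFW_SHOW
    print(report(text))
```

Run with `ipfw zero` before the test transfer so the counters reflect only that transfer; a growing count on the default rule during an FTP session points at traffic the explicit rules are not admitting (for example one direction of a data connection), which is the usual reason a transfer crawls rather than fails outright.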
