From: Robert Kosinski
To: freebsd-net@freebsd.org
Date: Mon, 4 Dec 2000 02:29:16 -0500
Subject: Odd TCP / DNS behavior in 4.x
Message-ID: <3A2B9094@operamail.com>

Greets to all.

I posted this message in freebsd-questions before but did not receive a response; I am hoping this list may be more appropriate for this situation.

I am using FreeBSD 4.2-STABLE (CTM 4.0342), but this problem has persisted throughout several upgrades of the machine. This box is used as a packet filtering firewall with network address translation for a small, private class-C network (192.168.0.0/24). Besides a minor problem with ICQ logging off about every ten minutes and then coming back on, all machines behind the firewall have as normal TCP, UDP, etc. access as you could expect from NAT.

The problem is: TCP access on the actual FreeBSD machine is flaky at best. For some reason, I can only connect to about 50% of all sites I have attempted. This problem affects FTP (and the ports collection), HTTP (and the Squid proxy), and probably all TCP-based traffic. The same 50% of the sites I cannot access remain constant. ICMP (ping and traceroute) seems not affected. What appears to happen on the "dead" sites is a DNS lookup and an eventual timeout.
The same DNS servers are used by the FreeBSD machine as well as by the machines behind the firewall, so I do not believe I am a victim of defective DNS servers. Manually resolving the IPs of affected sites and attempting to connect to the IP results in failure as well.

I know this is not a problem with the NAT configuration because I have shut off NAT completely and used the FreeBSD machine as a regular client. Of course the problem persists. I have to load at least a minimal IPFW rule set since the machine's ports are closed by default. For now, I am using a minor variation of the "open" rule set from FreeBSD's default rc.firewall. Neither the original rc.firewall rule set nor the set I'm using results in proper communication from the physical FreeBSD machine.

For the record, the IPFW rule set is

    /sbin/ipfw -f flush
    /sbin/ipfw add divert natd all from any to any via tun0
    /sbin/ipfw add pass all from any to any
    /sbin/ipfw add 100 pass all from any to any via lo0
    /sbin/ipfw add 200 deny all from any to 127.0.0.0/8

and the natd rule set is

    log no
    deny_incoming no
    same_ports yes
    dynamic yes
    verbose no
    interface tun0
    redirect_port tcp 192.168.0.2:2000-2020 2000-2020

Any help would be greatly appreciated. I am utterly stumped as to what is causing this error, and I am out of ideas. Thank you all for your time and consideration.
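A worked model of the IPFW rule set in the message above, added here as an example; it is not part of the original post and not FreeBSD code. It parses the four `ipfw add` lines, assigns rule numbers the way ipfw(8) of that era is documented to (assumed here: a rule added without a number gets 100 more than the highest existing rule, or 100 when the set is empty; a rule reusing a number already in the set is placed after the rules carrying that number), and then walks a packet through first-match evaluation. The model treats `via IFACE` as matching either direction on that interface, `divert` as handing the packet to natd with evaluation resuming at the next rule, `pass` and `deny` as terminal, and the kernel's default rule 65535 as deny. The sample packets (addresses and the `fxp0` inside interface) are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The four ipfw add lines exactly as posted (the flush line is not a rule).
POSTED_RULES = [
    "/sbin/ipfw add divert natd all from any to any via tun0",
    "/sbin/ipfw add pass all from any to any",
    "/sbin/ipfw add 100 pass all from any to any via lo0",
    "/sbin/ipfw add 200 deny all from any to 127.0.0.0/8",
]


@dataclass
class Rule:
    number: int                   # 0 until the chain assigns one
    action: str                   # "divert", "pass" or "deny"
    dst: ipaddress.IPv4Network    # "any" is modelled as 0.0.0.0/0
    via: Optional[str]            # interface name, or None for any interface
    text: str


def parse_rule(line: str) -> Rule:
    """Parse the 'add [NUM] ACTION [port] all from any to DST [via IFACE]' subset used above."""
    toks = line.split()
    if len(toks) < 2 or not toks[0].endswith("ipfw") or toks[1] != "add":
        raise ValueError(f"not an ipfw add line: {line}")
    i = 2
    number = 0
    if toks[i].isdigit():
        number = int(toks[i])
        i += 1
    action = toks[i]
    i += 1
    if action == "divert":
        i += 1  # skip the divert port name ("natd")
    if toks[i:i + 4] != ["all", "from", "any", "to"]:
        raise ValueError(f"unsupported rule body: {line}")
    dst_tok = toks[i + 4]
    dst = ipaddress.ip_network("0.0.0.0/0" if dst_tok == "any" else dst_tok)
    rest = toks[i + 5:]
    via = rest[1] if rest[:1] == ["via"] else None
    return Rule(number, action, dst, via, line)


def build_chain(lines: List[str]) -> List[Rule]:
    """Insert rules in the order ipfw is assumed to number and place them (see lead-in)."""
    chain: List[Rule] = []
    for line in lines:
        rule = parse_rule(line)
        if rule.number == 0:
            # the chain is kept sorted, so the last entry carries the highest number
            rule.number = chain[-1].number + 100 if chain else 100
        # place before the first rule with a higher number, i.e. after equal numbers
        pos = len(chain)
        for k, existing in enumerate(chain):
            if existing.number > rule.number:
                pos = k
                break
        chain.insert(pos, rule)
    return chain


def evaluate(chain: List[Rule], dst_ip: str, iface: str) -> List[Tuple[int, str]]:
    """Return (number, action) for every rule that fires, ending with the terminal one."""
    dst = ipaddress.ip_address(dst_ip)
    trace: List[Tuple[int, str]] = []
    for rule in chain:
        if dst not in rule.dst:
            continue
        if rule.via is not None and rule.via != iface:
            continue
        trace.append((rule.number, rule.action))
        if rule.action in ("pass", "deny"):
            return trace
    trace.append((65535, "deny"))  # assumed kernel default rule
    return trace


if __name__ == "__main__":
    chain = build_chain(POSTED_RULES)
    for rule in chain:
        print(f"{rule.number:5d}  {rule.text}")
    # constructed sample packets: an outbound connection on tun0, a loopback
    # packet, and a packet for 127/8 arriving on an inside Ethernet interface
    for dst_ip, iface in [("10.0.0.1", "tun0"), ("127.0.0.1", "lo0"), ("127.0.0.5", "fxp0")]:
        print(dst_ip, iface, evaluate(chain, dst_ip, iface))
```

Under these assumptions the effective order is 100 divert via tun0, 100 pass via lo0, 200 pass all, 200 deny to 127.0.0.0/8, so the final deny sits behind the unconditional pass and is never consulted. That is a property of the rule set as posted; the model says nothing about the cause of the TCP failures reported above.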