From owner-freebsd-ipfw@FreeBSD.ORG Mon Aug 23 07:49:41 2004
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DE3D116A4CE for ; Mon, 23 Aug 2004 07:49:40 +0000 (GMT)
Received: from t3.etype.net (smtp.enet.ru [195.135.213.6]) by mx1.FreeBSD.org (Postfix) with ESMTP id 319F443D31 for ; Mon, 23 Aug 2004 07:49:38 +0000 (GMT) (envelope-from igor@garant.koenig.ru)
Received: from localhost (t3.etype.net [127.0.0.1]) by t3.etype.net (Postfix) with ESMTP id B70F82381D7 for ; Mon, 23 Aug 2004 10:49:34 +0300 (EEST)
Received: from t3.etype.net ([127.0.0.1]) by localhost (t3.etype.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 06289-21 for ; Mon, 23 Aug 2004 10:49:30 +0300 (EEST)
Received: from garant.koenig.ru (unknown [195.135.212.93]) by t3.etype.net (Postfix) with ESMTP for ; Mon, 23 Aug 2004 10:49:30 +0300 (EEST)
Received: from igor.garant.koenig.ru (igor.garant.koenig.ru [100.100.100.156]) by garant.koenig.ru (8.12.10/8.12.10) with ESMTP id i7N7lC7W056384 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NO) for ; Mon, 23 Aug 2004 10:47:16 +0300 (EEST) (envelope-from igor@garant.koenig.ru)
From: Igor Popov
To: freebsd-ipfw@freebsd.org
Date: Mon, 23 Aug 2004 10:46:57 +0200
User-Agent: KMail/1.5.4
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200408231046.57543.igor@garant.koenig.ru>
X-Virus-Scanned: clamd / ClamAV version devel-20040726, clamav-milter version 0.74a on ns.garant.koenig.ru
X-Virus-Status: Clean
Subject: Too many dropped packets
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions
X-List-Received-Date: Mon, 23 Aug 2004 07:49:41 -0000

hi,

I have FreeBSD-5.2.1-p9 on my network as an inet gateway: fxp0 is my internal
interface, fxp0:0 is an alias for the jail where squid lives, and tun0 is my
external interface. And here is my ruleset:

#!/bin/sh
#
############
# Set quiet mode if requested
#
case ${firewall_quiet} in
[Yy][Ee][Ss])
        fwcmd="/sbin/ipfw -q"
        ;;
*)
        fwcmd="/sbin/ipfw"
        ;;
esac

############
# Flush out the list before we begin.
#
${fwcmd} -f flush

###########
# Limit incoming traffic rate
${fwcmd} disable one_pass
${fwcmd} add 300 pipe 1 ip from any to any in recv fxp0
${fwcmd} pipe 1 config bw 8MByte/s queue 50 gred 0.005/35/45/0.2

###########
# Antispoofing rule
${fwcmd} add deny log all from any to any not verrevpath in

###########
# Bad packets
${fwcmd} add deny log all from any to any iplen 0-20 in
${fwcmd} add deny log all from any to any ipoptions ssrr,lsrr in

############
# Setup loopback
# Only in rare cases do you want to change these rules
${fwcmd} add pass all from any to any via lo0
${fwcmd} add deny all from any to 127.0.0.0/8
${fwcmd} add deny ip from 127.0.0.0/8 to any

###########
# Divert all packets through the tunnel interface.
#${fwcmd} add divert natd ip from any to any via tun0

###########
# Allow all connections that have dynamic rules built for them,
# but deny established connections that don't have a dynamic rule.
${fwcmd} add check-state
${fwcmd} add deny log tcp from any to any established

###########
# Allow all connections from my network card that I initiate
${fwcmd} add allow tcp from me to 192.168.0.0/24 out xmit fxp0 setup keep-state
${fwcmd} add deny tcp from me to 192.168.0.0/24 out xmit fxp0
${fwcmd} add allow ip from me to 192.168.0.0/24 out xmit fxp0 keep-state

###########
# Allow all connections from my inet ppp interface that I initiate
${fwcmd} add allow tcp from me to any out xmit tun0 setup keep-state
${fwcmd} add allow ip from me to any out xmit tun0 keep-state

############
# Everyone on the localnet is allowed to connect to the following
# services on the machine.  This string specifically allows connections
# to sshd, smtp, dns, pop3, imap, squid.
${fwcmd} add allow tcp from 192.168.0.0/24 to me dst-port ssh,smtp,domain,pop3,imap,3128 in recv fxp0 setup keep-state
${fwcmd} add allow udp from 192.168.0.0/24 to me dst-port domain in recv fxp0 keep-state

############
# Enable ICMP
# Deny and log all pings from inet and localnet
${fwcmd} add deny log icmp from any to any icmptypes 8,13 in recv any
${fwcmd} add allow icmp from me to any keep-state
${fwcmd} add allow icmp from 192.168.0.0/24 to me in recv fxp0 keep-state

###########
# Allow IPSec (AH and ESP protocols with isakmp)
${fwcmd} add allow ah from me to 192.168.0.0/24 out via fxp0 keep-state
${fwcmd} add allow esp from me to 192.168.0.0/24 out via fxp0 keep-state
${fwcmd} add allow ah from 192.168.0.0/24 to me in via fxp0 keep-state
${fwcmd} add allow esp from 192.168.0.0/24 to me in via fxp0 keep-state
${fwcmd} add allow log udp from 192.168.0.0/24 to me src-port isakmp dst-port isakmp in recv fxp0 keep-state

############
# This sends a RESET to all ident packets.
${fwcmd} add reset log tcp from any to me 113 in recv fxp0

############
# Deny all the rest.
${fwcmd} add deny log ip from any to any

And the problem is that I see too many dropped connections via the rule
(${fwcmd} add deny log tcp from any to any established) from my squid via the
external interface (tun0).

-- 
Tonight's the night: Sleep in a eucalyptus tree.
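Added example (not from Igor's message): two small shell helpers for triaging this symptom from captured text, so they run on any host rather than only on the gateway. ipfw `deny log` rules write lines such as `ipfw: 1200 Deny TCP 195.135.212.93:3128 10.1.2.3:80 out via tun0` to syslog's security facility, and keep-state entries are removed from the dynamic table once they have been idle for net.inet.ip.fw.dyn_ack_lifetime seconds (300 by default), after which packets of a still-open TCP session no longer match check-state and fall through to the rules below it. The first helper aggregates logged denies by rule, protocol, source host and interface, so it shows at a glance whether the drops really are the squid address on tun0; the second lists the dynamic entries from `ipfw -d show` that are within N seconds of being dropped. The log and listing formats are assumed from FreeBSD 5.x ipfw2, and the sample lines, addresses and rule numbers are constructed.

```shell
#!/bin/sh
# Added triage helpers for the symptom in the message above; not part of
# the original post. They only read text captured from the gateway, so
# they run on any host. Assumptions: the FreeBSD 5.x ipfw2 log format
#   ipfw: <rule> Deny <PROTO> <src>:<sport> <dst>:<dport> <in|out> via <if>
# and the "ipfw -d show" dynamic-entry format
#   <rule> <pkts> <bytes> (<N>s) STATE <proto> <src> <sport> <-> <dst> <dport>

# Count logged denies by rule number, protocol, source host and interface
# (stdin: syslog lines). Output: "<count> <rule> <proto> <src> <iface>",
# busiest first.
ipfw_deny_summary() {
    awk '
        /ipfw: [0-9]+ Deny / {
            for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
            rule = $(i + 1); proto = $(i + 3)
            src = $(i + 4); sub(/:[0-9]+$/, "", src)   # strip the port
            key = rule " " proto " " src " " $NF       # $NF is the interface
            n[key]++
        }
        END { for (k in n) print n[k], k }
    ' | sort -rn
}

# Print dynamic (keep-state) entries from "ipfw -d show" (stdin) whose
# remaining lifetime is at most $1 seconds. An entry that reaches zero is
# removed, and further packets of that session stop matching check-state.
ipfw_dyn_expiring() {
    awk -v limit="$1" '
        /\([0-9]+s\) (STATE|LIMIT|PARENT)/ {
            t = $4; gsub(/[()s]/, "", t)       # "(12s)" -> "12"
            if (t + 0 <= limit + 0) print
        }
    '
}

# Constructed sample input (not real data) so the helpers can be exercised
# offline. Addresses and rule numbers are illustrative.
SAMPLE_LOG='Aug 23 10:01:02 gw kernel: ipfw: 1200 Deny TCP 195.135.212.93:3128 10.1.2.3:80 out via tun0
Aug 23 10:01:03 gw kernel: ipfw: 1200 Deny TCP 195.135.212.93:3128 10.1.2.4:80 out via tun0
Aug 23 10:01:04 gw kernel: ipfw: 1400 Deny TCP 192.168.0.7:1025 192.168.0.1:22 in via fxp0'

SAMPLE_DYN='00700        3      180 (12s) STATE tcp 195.135.212.93 3128 <-> 10.1.2.3 80
00700       40    31000 (280s) STATE tcp 195.135.212.93 3128 <-> 10.1.2.4 80
00900        2      120 (4s) STATE udp 192.168.0.7 1030 <-> 192.168.0.1 53'

# On the gateway itself the real inputs would be:
#   grep 'ipfw:' /var/log/security | ipfw_deny_summary
#   ipfw -d show | ipfw_dyn_expiring 30
# and the idle timeout in effect is: sysctl net.inet.ip.fw.dyn_ack_lifetime
ipfw_triage_demo() {
    echo '== denies by rule/proto/src/iface =='
    printf '%s\n' "$SAMPLE_LOG" | ipfw_deny_summary
    echo '== dynamic entries expiring within 30s =='
    printf '%s\n' "$SAMPLE_DYN" | ipfw_dyn_expiring 30
}

ipfw_triage_demo
```

Run it on the gateway with the two pipelines in the comment; if the squid sessions logged by the deny rule are the same peers that keep showing up near the bottom of `ipfw_dyn_expiring`, the dynamic entries are timing out under the connections, and `sysctl net.inet.ip.fw.dyn_ack_lifetime` is the knob to compare against squid's idle timeouts.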