Date: Mon, 18 Feb 2002 03:41:12 -0500 From: "Michael R. Wayne" <wayne@staff.msen.com> To: "Crist J. Clark" <cjc@FreeBSD.ORG> Cc: freebsd-hackers@FreeBSD.ORG Subject: Re: Odd ipfw behaviour Message-ID: <20020218034112.D96593@staff.msen.com> In-Reply-To: <20020216004721.B36782@blossom.cjclark.org>; from cjc@FreeBSD.ORG on Sat, Feb 16, 2002 at 12:47:21AM -0800 References: <200202152309.SAA00831@manor.msen.com> <20020216004721.B36782@blossom.cjclark.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sat, Feb 16, 2002 at 12:47:21AM -0800, Crist J. Clark wrote: > On Fri, Feb 15, 2002 at 06:09:51PM -0500, Michael R. Wayne wrote: > > > Using this ipfw rule on ProxyFirewall: > > fwd $(squid-box) log tcp from $(windows-box) to any 80 > > and checking the logs on ProxyFirewall, I see this horrible mess: > > > > ipfw: 11005 Forward to SQUIDbox TCP BROWSERbox:1631 216.136.204.21:80 in via fxp1 > > ipfw: 11005 Forward to SQUIDbox TCP BROWSERbox:1631 216.136.204.21:80 out via fxp0 <---!!! > > ipfw: 11005 Forward to SQUIDbox TCP BROWSERbox:1631 216.136.204.21:80 in via fxp1 > > ipfw: 11005 Forward to SQUIDbox TCP BROWSERbox:1631 216.136.204.21:80 out via fxp1 > > ipfw: 60000 Deny ICMP:5.1 ProxyFirewall BROWSERbox out via fxp1 > > ipfw: 60000 Deny ICMP:5.1 ProxyFirewall SQUIDbox out via fxp1 > > last message repeated 31 times > > > > This, of course, causes terrible performance as the packets destined > > for the local net bounce out the default interface. It can be > > corrected by specifying an interface in the fwd rule: > > fwd $(squid-box) log tcp from $(windows-box) to any 80 via fxp1 > > > > Is it expected behaviour for ipfw to disregard routing and put > > packets out on interfaces where they have no chance of being properly > > delivered (which would be odd) or is this a bug? > > I believe you are misinterpretting the logs. Each of those log entries > is saying, OK, it's possible that I was imprecise initially. But: 1) It is the case that the rule w/o the interface causes terrible performance for squid and adding the "via fxp1" corrects it. 2) Since SQUIDbox is on the same net as fxp1, can you please explain the second log rule? How can fxp0 be involved at all? Supposedly, the packet went OUT on fxp0, triggering the rule. This is wrong. 3) Note the 33 ICMP errors that are going on. Something is really borked. Again, adding the "via fxp1" corrects this too. > "At rule 11005 I am forwarding this packet to SQUIDbox. The packet > that triggered this rule was TCP BROWSERbox:1631 216.136.204.21:80 > that came (out of|into) to the firewall via interface (fxp0|fxp1)" > > That is, the 'via fxp?' at the end is telling you about the packet > that _triggered_ the rule, not where the packet was actually forwared > to. If you sniffed the connection, I expect that you would have seen > four packets go from the firewall to SQUIDbox. This is a good point. I'll fire up the packet sniffers and capture what is going on. But, that second line and the ICMP errors still have me concerned. And, as I mentioned, w/o the "via fxp1", the performance is terrible (takes about 10 seconds to bring up a page that is just across the link). I have to believe that other people have attempted to use ipfw & squid and given up when they saw the poor performance, failing to investigae further. /\/\ \/\/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020218034112.D96593>