Date: Sun, 18 Aug 2002 14:00:24 -0400
From: Jim Arnold <jarnold@knightridder.com>
To: freebsd-questions@freebsd.org
Subject: IPFilter/IPnat huge packet losses
Message-ID: <a05111b00b9858709f683@[192.168.0.4]>
Currently I run "The Wall," a floppy-based FreeBSD distro that uses IPFW and natd. This setup has worked wonderfully. I don't have packet losses with this setup from the firewall or inside the LAN.

A few weeks ago I acquired a Pentium 233 box and decided to see if I could load FreeBSD stable and use IPFilter and ipnat as my firewall. The system install and upgrade to 4.6 stable with a kernel recompile was a breeze. Getting IPFilter to work is another matter...

Right now I'm seeing packet losses anywhere in the 20 to 80 percent range when pinging an outside host from inside the firewall. From the firewall itself I get 0% packet losses. On the box using IPFW and natd I don't see packet losses at all, from the firewall itself or from any box inside the firewall. The IPFilter box has a Linksys LNE-100TX card for the external and an Intel EE Pro for the internal. I had a Netgear card that I tried as well and could not do any better, so I don't think it's a card issue itself.

When I first booted up the new firewall I was seeing 80% packet losses. After running ipf -y my packet losses dropped down to 40%.

I've posted all the relevant information I could think of below to help troubleshoot this. I like how the rule sets for IPFilter are written, but if it doesn't work I guess it's time for IPFW on this box or to just stay with what I've got in the diskless box.

Thanks for any help.

Jim

===
My ipf.rules file below. I had been using the rules from Marty Schlacter's guide at http://www.schlacter.dyndns.org/, but a Google search turned up that these rules aren't quite right and need to be tweaked to add an "S" flag for TCP connections.
See http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&selm=9o2lf5%24191e%241%40FreeBSD.csie.NCTU.edu.tw&rnum=2

# generic to all interfaces
block in log quick all with opt lsrr
block in log quick all with opt ssrr
block in log quick all with ipopts
block in log quick proto tcp all with short
block in log quick proto icmp all with frag
#
# rules for the external dc0 interface
# set up default deny on external interface:
block in log on dc0 all
block return-rst in log quick on dc0 proto tcp all flags S
block return-icmp-as-dest(port-unr) in log quick on dc0 proto udp all
# now keep state at the external interface on outgoing traffic:
pass out quick on dc0 proto tcp from any to any flags S keep state
pass out quick on dc0 proto udp from any to any keep state
pass out quick on dc0 proto icmp from any to any keep state
pass out quick on dc0 from any to any
#
# rules for the internal fxp0 interface
# let the internal and loopback interfaces run free, but
# squelch the netbios stuff so it doesn't create ipf states:
block in quick on fxp0 from any to any port = 137
block in quick on fxp0 from any to any port = 138
block in quick on fxp0 from any to any port = 139
block in quick on fxp0 from any port = 137 to any
block in quick on fxp0 from any port = 138 to any
block in quick on fxp0 from any port = 139 to any
pass in quick on fxp0 all
pass out quick on fxp0 all
pass in quick on lo0 all
pass out quick on lo0 all
# eof

===
lorne# more /etc/ipnat.rules
map dc0 192.168.0.0/24 -> 0/32

====
lorne# netstat -m
132/176/4096 mbufs in use (current/peak/max):
        130 mbufs allocated to data
        2 mbufs allocated to packet headers
128/144/1024 mbuf clusters in use (current/peak/max)
332 Kbytes allocated to network (10% of mb_map in use)
0 requests for memory denied
0 requests for memory delayed
0 calls to protocol drain routines

====
lorne# netstat -nr
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            204.210.211.1      UGSc        1       90    dc0
127.0.0.1          127.0.0.1          UH          1        0    lo0
192.168.0          link#1             UC          3        0   fxp0
192.168.0.2        00:d0:b7:14:13:43  UHLW        3       51   fxp0    974
192.168.0.4        00:30:65:b2:d1:04  UHLW        1      669   fxp0    348
192.168.0.99       00:04:5a:76:e7:30  UHLW        0       39   fxp0    974
204.210.211        link#2             UC          1        0    dc0
204.210.211.1      08:00:3e:03:15:54  UHLW        2        0    dc0   1118
204.210.211.15     127.0.0.1          UGHS        0        0    lo0

=====
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
        ether 00:02:b3:40:af:6b
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
dc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 204.210.211.XX netmask 0xffffff00 broadcast 255.255.255.255
        ether 00:04:5a:42:03:32
        media: Ethernet autoselect (10baseT/UTP)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000
ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 552
faith0: flags=8002<BROADCAST,MULTICAST> mtu 1500

=====
lorne# ipnat -lv
List of active MAP/Redirect filters:
map sis0 192.168.0.0/24 -> 0.0.0.0/32

List of active sessions:
MAP 192.168.0.2 1158 <- -> 24.93.195.17 1158 [65.24.0.166 53]
        age 1139 use 0 sumd 0x1ac4/0x1ac4 pr 17 bkt 3/116 flags 2 ifp sis0 bytes 376 pkts 4
MAP 192.168.0.2 1158 <- -> 24.93.195.17 1158 [65.24.0.167 53]
        age 1077 use 0 sumd 0x1ac4/0x1ac4 pr 17 bkt 43/29 flags 2 ifp sis0 bytes 376 pkts 4
MAP 192.168.0.2 1158 <- -> 24.93.195.17 1158 [65.24.0.169 53]
        age 1043 use 0 sumd 0x1ac4/0x1ac4 pr 17 bkt 123/109 flags 2 ifp sis0 bytes 376 pkts 4
MAP 192.168.0.2 1158 <- -> 24.93.195.17 1158 [65.24.0.168 53]
        age 1034 use 0 sumd 0x1ac4/0x1ac4 pr 17 bkt 83/69 flags 2 ifp sis0 bytes 1070 pkts 10
MAP 192.168.0.2 1274 <- -> 24.93.195.17 1274 [207.111.214.245 8080]
        age 439 use 0 sumd 0x1ac4/0x1ac4 pr 6 bkt 81/51 flags 1 ifp sis0 bytes 224 pkts 5

List of active host mappings:
192.168.0.2 -> 0.0.0.0 (use = 5 hv = 36)

======
from dmesg...

net.inet.tcp.blackhole: 0 -> 2
net.inet.udp.blackhole: 0 -> 1
Doing initial network setup: hostname ipmon ipfilter
29: cannot use port and neither tcp or udp
30: cannot use port and neither tcp or udp
31: cannot use port and neither tcp or udp
32: cannot use port and neither tcp or udp
33: cannot use port and neither tcp or udp
34: cannot use port and neither tcp or udp
ipnat
0 entries flushed from NAT table
0 entries flushed from NAT list
.
dc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 204.210.211.15 netmask 0xffffff00 broadcast 255.255.255.255
        ether 00:04:5a:42:03:32
        media: Ethernet autoselect (10baseT/UTP)
        status: active
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
        ether 00:02:b3:40:af:6b
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000
route: writing to routing socket : File exists
add net default: gateway 24.93.195.1: File exists
Additional routing options: IP gateway=YES TCP keepalive=YES
.

===
last few entries from the firewall log:

Aug 18 05:14:26 lorne ipmon[54]: 05:14:26.411617 dc0 @0:7 b 67.98.72.16,1230 -> a11d015.neo.rr.com[204.210.211.XX],ms-sql-s PR tcp len 20 48 -S 1447744583 0 64512 IN
Aug 18 07:47:44 lorne ipmon[54]: 07:47:43.143692 dc0 @0:7 b 61.146.224.238,3852 -> a11d015.neo.rr.com[204.210.211.XX],http PR tcp len 20 48 -S 2228540106 0 8760 IN
Aug 18 07:47:44 lorne ipmon[54]: 07:47:44.046655 dc0 @0:7 b 61.146.224.238,3852 -> a11d015.neo.rr.com[204.210.211.XX],http PR tcp len 20 48 -S 2228540106 0 8760 IN
Aug 18 07:47:45 lorne ipmon[54]: 07:47:45.051356 dc0 @0:7 b 61.146.224.238,3852 -> a11d015.neo.rr.com[204.210.211.XX],http PR tcp len 20 48 -S 2228540106 0 8760 IN
Aug 18 08:14:01 lorne ipmon[54]: 08:14:01.555803 dc0 @0:7 b 5.Red-80-59-213.pooles.rima-tde.net[80.59.213.5],64278 -> a11d015.neo.rr.com[204.210.211.XX],http PR tcp len 20 48 -S 1946831331 0 16384 IN
Aug 18 12:46:10 lorne ipmon[54]: 12:46:09.100057 dc0 @0:8 b a11a.neo.rr.com[204.210.192.1],bootps -> a11d015.neo.rr.com[204.210.211.15],bootpc PR udp len 20 337 IN
Aug 18 12:46:52 lorne ipmon[54]: 12:46:52.549116 dc0 @0:6 b cs45.msg.sc5.yahoo.com[216.136.233.132],mmcc -> spike[192.168.0.2],1585 PR tcp len 20 40 -R 750297705 0 0 IN
Aug 18 12:47:56 lorne ipmon[54]: 12:47:56.513019 dc0 @0:6 b cs45.msg.sc5.yahoo.com[216.136.233.132],mmcc -> spike[192.168.0.2],1585 PR tcp len 20 40 -R 750297705 0 0 IN
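The six "cannot use port and neither tcp or udp" messages in the dmesg output come from the six netbios block rules in the posted ipf.rules, because ipf only accepts a port match when the rule also names a protocol, and a rule it rejects is simply not installed. The fxp0 section rewritten with the protocol named, as an added example that is not from Jim's post or from Marty Schlacter's guide:

```conf
# rules for the internal fxp0 interface (corrected excerpt)
# let the internal and loopback interfaces run free, but
# squelch the netbios stuff so it doesn't create ipf states.
#
# As posted, these lines match on a port without naming a protocol,
# which ipf rejects at load time ("cannot use port and neither tcp or udp"):
#   block in quick on fxp0 from any to any port = 137
#   block in quick on fxp0 from any port = 137 to any
#   (and the same for 138 and 139)
#
# A port only exists for TCP and UDP, so name the protocol explicitly;
# "proto tcp/udp" matches either one in a single rule.
block in quick on fxp0 proto tcp/udp from any to any port = 137
block in quick on fxp0 proto tcp/udp from any to any port = 138
block in quick on fxp0 proto tcp/udp from any to any port = 139
block in quick on fxp0 proto tcp/udp from any port = 137 to any
block in quick on fxp0 proto tcp/udp from any port = 138 to any
block in quick on fxp0 proto tcp/udp from any port = 139 to any
pass in quick on fxp0 all
pass out quick on fxp0 all
pass in quick on lo0 all
pass out quick on lo0 all
```

Reload with `ipf -Fa -f /etc/ipf.rules` and confirm no numbered errors are printed, then compare `ipfstat -io` against the file to see which rules are actually installed. Note also that the `ipnat -lv` listing above shows the map on sis0 while /etc/ipnat.rules names dc0, so after `ipnat -CF -f /etc/ipnat.rules` check `ipnat -l` again to be sure the active map is on the interface that is carrying the traffic.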