On Wed, 11 Jul 2007 09:42:22 -0400, Stephen Clark wrote
> viper wrote:
>
> >On Tue, 10 Jul 2007 15:59:46 -0400, Stephen Clark wrote
> >
> >>Hello List,
> >>
> >>I posted a while ago that our testers of our network appliance were
> >>complaining that browsing was slower when using our appliance based on
> >>6.x as compared to our appliance using 4.9 FreeBSD.
> >>
> >>Well, it turns out they were right! After spending much time trying
> >>to figure out what was going on we discovered that all http traffic
> >>was being routed through the ipf ftp proxy module.
> >>
> >>Does anyone know why this is happening?
> >>********************************************************************************
> >>Here is 4.9
> >>********************************************************************************
> >>H101491# ipnat -l
> >>List of active MAP/Redirect filters:
> >>map rl1 from 192.168.1.0/24 to any -> 10.0.133.44/32 proxy port ftp ftp/tcp
> >>map rl1 from 192.168.1.0/24 to any -> 10.0.133.44/32 portmap tcp/udp 40000:60000
> >>map rl1 from 192.168.1.0/24 to any -> 10.0.133.44/32
> >>
> >>List of active sessions:
> >>MAP 192.168.1.9 2949 <- -> 10.0.133.44 40075 [64.154.83.47 80]
> >>MAP 192.168.1.9 2948 <- -> 10.0.133.44 40074 [209.67.78.5 80]
> >>MAP 192.168.1.9 2947 <- -> 10.0.133.44 40073 [216.168.252.103 443]
> >>MAP 192.168.1.9 2946 <- -> 10.0.133.44 40072 [65.243.74.133 80]
> >>MAP 192.168.1.9 2945 <- -> 10.0.133.44 40071 [216.168.252.103 443]
> >>MAP 192.168.1.9 2944 <- -> 10.0.133.44 40070 [66.155.171.116 80]
> >>MAP 192.168.1.9 2943 <- -> 10.0.133.44 40069 [64.9.212.6 80]
> >>MAP 192.168.1.9 2942 <- -> 10.0.133.44 40068 [209.104.135.123 80]
> >>MAP 192.168.1.9 2941 <- -> 10.0.133.44 40067 [65.243.74.133 80]
> >>MAP 192.168.1.9 2940 <- -> 10.0.133.44 40066 [65.243.74.133 80]
> >>MAP 192.168.1.9 2939 <- -> 10.0.133.44 40065 [65.243.74.133 80]
> >>MAP 192.168.1.9 2938 <- -> 10.0.133.44 40064 [216.239.51.95 80]
> >>MAP 192.168.1.9 2924 <- -> 10.0.133.44 40050 [64.233.169.99 80]
> >>MAP 192.168.1.9 2922 <- -> 10.0.133.44 40048 [64.233.169.99 80]
> >>MAP 192.168.1.9 2920 <- -> 10.0.133.44 40046 [64.233.169.147 80]
> >>MAP 192.168.1.9 1031 <- -> 10.0.133.44 40045 [198.6.1.2 53]
> >>MAP 192.168.1.9 2884 <- -> 10.0.133.44 40012 [207.159.120.157 80]
> >>
> >************************************************************************************
> >
> >>Here is 6.2
> >>Notice in the mappings for port 80 the source port is not being
> >>mapped into the 40000:60000 range. Also notice that the ftp proxy
> >>thought it found something and dumps out some diags.
> >>
> >************************************************************************************
> >
> >>H101490# ipnat -l
> >>List of active MAP/Redirect filters:
> >>map rl1 from 192.168.1.0/24 to any -> 10.0.133.77/32 proxy port ftp ftp/tcp
> >>map rl1 from 192.168.1.0/24 to any -> 10.0.133.77/32 portmap tcp/udp 40000:60000
> >>map rl1 from 192.168.1.0/24 to any -> 10.0.133.77/32
> >>
> >>List of active sessions:
> >>MAP 192.168.1.88 1397 <- -> 10.0.133.77 1397 [64.154.83.47 80]
> >>MAP 192.168.1.88 1396 <- -> 10.0.133.77 1396 [209.67.78.5 80]
> >>MAP 192.168.1.88 1395 <- -> 10.0.133.77 1395 [216.168.252.103 443]
> >>MAP 192.168.1.88 1394 <- -> 10.0.133.77 1394 [216.168.252.103 443]
> >>MAP 192.168.1.88 1393 <- -> 10.0.133.77 1393 [65.243.74.144 80]
> >>MAP 192.168.1.88 1392 <- -> 10.0.133.77 1392 [65.243.74.144 80]
> >>MAP 192.168.1.88 1378 <- -> 10.0.133.77 1378 [64.233.169.103 80]
> >>	proxy ftp/6 use -54 flags 0
> >>	proto 6 flags 0 bytes 0 pkts 0
> >>	data YES size 312 FTP Proxy: passok: 1
> >>	Client:
> >>		seq 0 (ack 0) len 0 junk 0 cmds 0
> >>		buf [\000]
> >>	Server:
> >>		seq 2b451493 (ack 0) len 0 junk 0 cmds 0
> >>		buf [\000]
> >>MAP 192.168.1.88 1391 <- -> 10.0.133.77 1391 [65.205.8.52 80]
> >>MAP 192.168.1.88 1390 <- -> 10.0.133.77 1390 [65.203.229.71 80]
> >>MAP 192.168.1.88 1389 <- -> 10.0.133.77 1389 [72.247.8.26 80]
> >>MAP 192.168.1.88 1388 <- -> 10.0.133.77 1388 [216.239.51.93 80]
> >>MAP 192.168.1.88 1033 <- -> 10.0.133.77 40000 [198.6.1.2 53]
> >>
> >>--
> >>
> >>"They that give up essential liberty to obtain temporary safety,
> >>deserve neither liberty nor safety." (Ben Franklin)
> >>
> >>"The course of history shows that as a government grows, liberty
> >>decreases." (Thomas Jefferson)
> >>
> >Use "map rl1 from 192.168.1.0/24 to any port=21 -> 10.0.133.77/32 proxy port 21 ftp/tcp"
> >It's a feature.
> >_______________________
> >Best regards,
> >VipeR
>
> Use "map rl1 from 192.168.1.0/24 to any port=21 -> 10.0.133.77/32
> proxy port 21 ftp/tcp"
>
> You know, this works, but if I use the same line but use "proxy port ftp"
> instead of "proxy port 21" I get:
> map rl1 from 192.168.1.0/24 to any port = 5376 -> 10.0.133.77/32 proxy port 5376 ftp/tcp
>
> Go figure.

Again, this is a known feature. The truth is similar to the bug.
_______________________
Best regards,
VipeR
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
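The checks below are an added example, not code from the thread or from ipfilter. It parses "ipnat -l" output (the sample rule and session lines are copied from the two listings above, abbreviated) and reports the two things a practitioner would want to verify on an appliance like Stephen's: sessions whose NAT-side port was never remapped into the portmap range (the 6.2 symptom, where the source port passes through unchanged because the ftp proxy rule took the flow), and a proxy map rule with no "port=" match on the destination, so it is consulted for every TCP flow from the inside network (the condition viper's "port=21" rule removes). It also includes a helper for the 5376 oddity Stephen reports: 5376 is 0x1500, which is 21 (0x0015) with its two bytes exchanged; that is my observation about the number, the thread itself does not diagnose it. The regexes only understand the rule forms that appear in the thread, and RULES_FIXED is viper's rule inserted into Stephen's rule set, not a configuration shown on the page.

```python
"""Sanity checks for ipnat(8) map rules and "ipnat -l" session output.

Added example, not from the thread or from ipfilter. Sample data is copied
from the two listings in the thread; the regexes only understand the rule
forms that appear there.
"""
import re
from dataclasses import dataclass

# Constructed sample: the 6.2 rule set from the thread. The proxy rule has no
# "port=" match, so it applies to every TCP flow from 192.168.1.0/24.
RULES_6_2 = """\
map rl1 from 192.168.1.0/24 to any -> 10.0.133.77/32 proxy port ftp ftp/tcp
map rl1 from 192.168.1.0/24 to any -> 10.0.133.77/32 portmap tcp/udp 40000:60000
map rl1 from 192.168.1.0/24 to any -> 10.0.133.77/32
"""

# Assumption: the same rule set with viper's suggested rule in place of the
# original proxy rule (not a configuration shown in the thread).
RULES_FIXED = """\
map rl1 from 192.168.1.0/24 to any port=21 -> 10.0.133.77/32 proxy port 21 ftp/tcp
map rl1 from 192.168.1.0/24 to any -> 10.0.133.77/32 portmap tcp/udp 40000:60000
map rl1 from 192.168.1.0/24 to any -> 10.0.133.77/32
"""

# Constructed samples: three session lines from each listing in the thread.
SESSIONS_6_2 = """\
MAP 192.168.1.88 1397 <- -> 10.0.133.77 1397 [64.154.83.47 80]
MAP 192.168.1.88 1395 <- -> 10.0.133.77 1395 [216.168.252.103 443]
MAP 192.168.1.88 1033 <- -> 10.0.133.77 40000 [198.6.1.2 53]
"""
SESSIONS_4_9 = """\
MAP 192.168.1.9 2949 <- -> 10.0.133.44 40075 [64.154.83.47 80]
MAP 192.168.1.9 2947 <- -> 10.0.133.44 40073 [216.168.252.103 443]
MAP 192.168.1.9 1031 <- -> 10.0.133.44 40045 [198.6.1.2 53]
"""

# "MAP <src> <sport> <- -> <nat> <nport> [<dst> <dport>]"
SESSION_RE = re.compile(
    r"^MAP\s+(\S+)\s+(\d+)\s+<-\s+->\s+(\S+)\s+(\d+)\s+\[(\S+)\s+(\d+)\]"
)
# "map <if> from <src> to <dst> [port=<p>] -> <nat> proxy port <p> <name>/tcp"
PROXY_RULE_RE = re.compile(
    r"^map\s+\S+\s+from\s+\S+\s+to\s+\S+(?:\s+port\s*=\s*(\w+))?\s+->\s+\S+"
    r"\s+proxy\s+port\s+(\w+)\s+(\w+)/tcp"
)
PORTMAP_RE = re.compile(r"portmap\s+\S+\s+(\d+):(\d+)")


@dataclass(frozen=True)
class Session:
    src: str
    src_port: int
    nat: str
    nat_port: int
    dst: str
    dst_port: int


def parse_sessions(text):
    """Parse the MAP lines of "ipnat -l"; proxy diagnostic lines are skipped."""
    out = []
    for line in text.splitlines():
        m = SESSION_RE.match(line.strip())
        if m:
            out.append(Session(m[1], int(m[2]), m[3], int(m[4]), m[5], int(m[6])))
    return out


def portmap_range(rules):
    """(low, high) of the first portmap rule, or None if the rule set has none."""
    m = PORTMAP_RE.search(rules)
    return (int(m[1]), int(m[2])) if m else None


def sessions_outside_portmap(sessions, lo, hi):
    """Sessions whose NAT-side port is not in the portmap range. A flow handled
    by the portmap rule gets a port in [lo, hi]; one grabbed by an earlier rule
    without portmap keeps its source port, which is what the 6.2 listing shows."""
    return [s for s in sessions if not lo <= s.nat_port <= hi]


def unscoped_proxy_rules(rules):
    """Proxy map rules with no "port=" match on the destination, i.e. rules
    consulted for every TCP flow that matches their from/to addresses."""
    return [line.strip() for line in rules.splitlines()
            if (m := PROXY_RULE_RE.match(line.strip())) and m[1] is None]


def byte_swapped_port(port):
    """The same 16-bit port with its two bytes exchanged (host vs. network order)."""
    return ((port & 0xFF) << 8) | ((port >> 8) & 0xFF)


if __name__ == "__main__":
    lo, hi = portmap_range(RULES_6_2)
    for name, text in (("4.9", SESSIONS_4_9), ("6.2", SESSIONS_6_2)):
        bad = sessions_outside_portmap(parse_sessions(text), lo, hi)
        print(f"{name}: {len(bad)} session(s) not remapped into {lo}:{hi}")
        for s in bad:
            print(f"  {s.src}:{s.src_port} -> {s.dst}:{s.dst_port} kept NAT port {s.nat_port}")
    for name, rules in (("6.2", RULES_6_2), ("fixed", RULES_FIXED)):
        print(f"{name}: unscoped proxy rules: {unscoped_proxy_rules(rules)}")
    print(f"5376 with bytes swapped: {byte_swapped_port(5376)}")
```

Run it on the output of "ipnat -l" from the appliance instead of the embedded samples to confirm that, after the "port=21" rule is in place, only port-21 flows miss the portmap range and no proxy rule remains unscoped.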
