Hello!

I have a problem with ipfilter and Windows XP while downloading files larger
than ~285kb via HTTP/FTP.

  Background:

I'm administrating a small office LAN with mainly Win2k workstations, but also
some laptops with Windows XP. The firewall/gateway machine is running
FreeBSD 4.7-STABLE and ipfilter 3.4.29.

  The problem:

While downloading files from either FTP or HTTP the download freezes at
~285kb for a couple of seconds and in most cases times out, although sometimes
the download will continue and pick up speed again.
HTTP downloads work as they should once in a while, but mostly they do not.

These problems only occur while downloading in XP. HTTP and FTP work
without a glitch from our FreeBSD, AIX, Solaris, Win 2k machines.

To me it seems that the problem is that the outbound packets from XP get
blocked while traversing the firewall.

  Questions:

Has anyone noticed a similar problem?
Why are the packets blocked in the firewall?

What does the 23x in this line mean?
Mar  6 11:41:35 kerberos ipmon[52]: 11:41:34.313593 23x ste3 @0:1 b 192.168.1.102,4761 -> 192.18.99.122,46753 PR tcp len 20 60 -A 1241247209 154910677 64240 OUT

  Environment:

Please tell me if I should post more info, such as full ipf/ipnat rules. I just
thought this mail got long enough as it is. :D

[EMAIL PROTECTED]:~# uname -a
FreeBSD kerberos 4.7-STABLE FreeBSD 4.7-STABLE #0: Tue Nov 12 15:09:20 CET 2002 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/HARDCORE  i386

[EMAIL PROTECTED]:~# ipf -V
ipf: IP Filter: v3.4.29 (336)
Kernel: IP Filter: v3.4.29
Running: yes
Log Flags: 0 = none set
Default: block all, Logging: available
Active list: 0

ste0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.1.3 netmask 0xffffff00 broadcast 192.168.1.255
        ether 00:05:5d:64:b1:a6
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
...
ste3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet xx.xx.95.164 netmask 0xffffffe0 broadcast xx.xx.95.191
        inet xx.xx.95.162 netmask 0xffffffff broadcast xx.xx.95.162
        ether 00:05:5d:64:b1:a9
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active

  IPF/IPNAT rules:

These are just the ones I thought relevant.

--- ipf.rules -----------------------------------------------------------------

block in log all
block out log all

block in log quick proto tcp all with opt lsrr
block in log quick proto tcp all with opt ssrr
block in log quick proto tcp all with ipopts
block in log quick proto tcp all with short

# Interface: ste0
block in quick on ste0 proto udp from any to any port = 1900
pass in quick on ste0 all
pass out quick on ste0 all

# Interface: ste3
pass out quick on ste3 proto icmp from any to any keep state
pass out quick on ste3 proto tcp from any to any flags S/SA keep state keep frags

--- ipnat.rules ---------------------------------------------------------------

# Use ipfilter FTP proxy for the firewall
map ste3 0.0.0.0/0 -> xx.xx.95.164/32 proxy port ftp ftp/tcp

# Use ipfilter FTP proxy for hosts behind NAT
map ste3 192.168.1.0/24 -> xx.xx.95.164/32 proxy port ftp ftp/tcp
map ste3 192.168.2.0/24 -> xx.xx.95.164/32 proxy port ftp ftp/tcp

# Map all internal UDP and TCP traffic to the external IP address
map ste3 192.168.1.0/24 -> xx.xx.95.164/32 portmap tcp/udp 30000:49999
map ste3 192.168.2.0/24 -> xx.xx.95.164/32 portmap tcp/udp 50000:59999

# Map all other traffic e.g. ICMP to the external IP address
map ste3 192.168.1.0/24 -> xx.xx.95.164/32

-------------------------------------------------------------------------------

  Log entries:

These logs are when using both passive and active ftp on XP from sun.com.

192.168.1.102 is a Windows XP machine. ste3 is the outside interface.
-------------------------------------------------------------------------------
Mar  6 11:40:01 kerberos ipmon[52]: 11:40:01.302757 ste3 @0:1 b 192.168.1.102,4735 -> 192.18.99.122,7629 PR tcp len 20 60 -A 1193579550 3992519893 64240 OUT
Mar  6 11:41:01 kerberos ipmon[52]: 11:41:01.411422 ste3 @0:1 b 192.168.1.102,4735 -> 192.18.99.122,7629 PR tcp len 20 60 -A 1193579550 3992519893 64240 OUT
Mar  6 11:41:34 kerberos ipmon[52]: 11:41:33.799721 17x ste3 @0:1 b 192.168.1.102,4761 -> 192.18.99.122,46753 PR tcp len 20 60 -A 1241247209 154910677 64240 OUT
Mar  6 11:41:35 kerberos ipmon[52]: 11:41:34.313593 23x ste3 @0:1 b 192.168.1.102,4761 -> 192.18.99.122,46753 PR tcp len 20 60 -A 1241247209 154910677 64240 OUT
Mar  6 11:41:37 kerberos ipmon[52]: 11:41:36.633739 ste3 @0:1 b 192.168.1.102,4761 -> 192.18.99.122,46753 PR tcp len 20 52 -A 1241247209 154970373 64240 OUT
Mar  6 11:41:43 kerberos ipmon[52]: 11:41:43.199386 ste3 @0:1 b 192.168.1.102,4761 -> 192.18.99.122,46753 PR tcp len 20 52 -A 1241247209 154970373 64240 OUT
Mar  6 11:41:56 kerberos ipmon[52]: 11:41:56.388316 ste3 @0:1 b 192.168.1.102,4761 -> 192.18.99.122,46753 PR tcp len 20 52 -A 1241247209 154970373 64240 OUT
Mar  6 11:42:01 kerberos ipmon[52]: 11:42:01.275462 ste3 @0:1 b 192.168.1.102,4735 -> 192.18.99.122,7629 PR tcp len 20 60 -A 1193579550 3992519893 64240 OUT
Mar  6 11:42:23 kerberos ipmon[52]: 11:42:22.770379 ste3 @0:1 b 192.168.1.102,4761 -> 192.18.99.122,46753 PR tcp len 20 52 -A 1241247209 154970373 64240 OUT
Mar  6 11:43:02 kerberos ipmon[52]: 11:43:01.547512 ste3 @0:1 b 192.168.1.102,4735 -> 192.18.99.122,7629 PR tcp len 20 60 -A 1193579550 3992519893 64240 OUT
Mar  6 11:43:02 kerberos ipmon[52]: 11:43:02.139443 ste3 @0:1 b 192.168.1.102,4768 -> 192.18.99.122,60949 PR tcp len 20 60 -A 1263603234 381043145 64240 OUT
Mar  6 11:43:03 kerberos ipmon[52]: 11:43:02.163654 32x ste3 @0:1 b 192.168.1.102,4768 -> 192.18.99.122,60949 PR tcp len 20 60 -A 1263603234 381043145 64240 OUT
Mar  6 11:43:04 kerberos ipmon[52]: 11:43:03.206401 5x ste3 @0:1 b 192.168.1.102,4768 -> 192.18.99.122,60949 PR tcp len 20 60 -A 1263603234 381058069 64240 OUT
Mar  6 11:43:05 kerberos ipmon[52]: 11:43:04.722287 ste3 @0:1 b 192.168.1.102,4768 -> 192.18.99.122,60949 PR tcp len 20 60 -A 1263603234 381099029 64240 OUT
Mar  6 11:43:11 kerberos ipmon[52]: 11:43:11.149177 ste3 @0:1 b 192.168.1.102,4768 -> 192.18.99.122,60949 PR tcp len 20 60 -A 1263603234 381099029 64240 OUT
Mar  6 11:43:16 kerberos ipmon[52]: 11:43:15.838562 ste3 @0:1 b 192.168.1.102,4761 -> 192.18.99.122,46753 PR tcp len 20 52 -A 1241247209 154970373 64240 OUT
Mar  6 11:43:24 kerberos ipmon[52]: 11:43:24.016855 ste3 @0:1 b 192.168.1.102,4768 -> 192.18.99.122,60949 PR tcp len 20 60 -A 1263603234 381099029 64240 OUT
Mar  6 11:43:50 kerberos ipmon[52]: 11:43:49.750468 ste3 @0:1 b 192.168.1.102,4768 -> 192.18.99.122,60949 PR tcp len 20 60 -A 1263603234 381099029 64240 OUT
Mar  6 11:44:01 kerberos ipmon[52]: 11:44:01.247957 ste3 @0:1 b 192.168.1.102,4735 -> 192.18.99.122,7629 PR tcp len 20 60 -A 1193579550 3992519893 64240 OUT
Mar  6 11:44:15 kerberos ipmon[52]: 11:44:15.538393 ste3 @0:1 b 192.168.1.102,4761 -> 192.18.99.122,46753 PR tcp len 20 52 -A 1241247209 154970373 64240 OUT
Mar  6 11:44:42 kerberos ipmon[52]: 11:44:41.506210 ste3 @0:1 b 192.168.1.102,4768 -> 192.18.99.122,60949 PR tcp len 20 60 -A 1263603234 381099029 64240 OUT
Mar  6 11:45:01 kerberos ipmon[52]: 11:45:01.234441 ste3 @0:1 b 192.168.1.102,4735 -> 192.18.99.122,7629 PR tcp len 20 60 -A 1193579550 3992519893 64240 OUT
Mar  6 11:45:16 kerberos ipmon[52]: 11:45:15.510814 ste3 @0:1 b 192.168.1.102,4761 -> 192.18.99.122,46753 PR tcp len 20 52 -A 1241247209 154970373 64240 OUT
Mar  6 11:45:41 kerberos ipmon[52]: 11:45:41.204891 ste3 @0:1 b 192.168.1.102,4768 -> 192.18.99.122,60949 PR tcp len 20 60 -A 1263603234 381099029 64240 OUT
Mar  6 11:46:01 kerberos ipmon[52]: 11:46:01.220218 ste3 @0:1 b 192.168.1.102,4735 -> 192.18.99.122,7629 PR tcp len 20 60 -A 1193579550 3992519893 64240 OUT
Mar  6 11:46:16 kerberos ipmon[52]: 11:46:15.496962 ste3 @0:1 b 192.168.1.102,4761 -> 192.18.99.122,46753 PR tcp len 20 52 -A 1241247209 154970373 64240 OUT
Mar  6 11:46:41 kerberos ipmon[52]: 11:46:41.240460 ste3 @0:1 b 192.168.1.102,4768 -> 192.18.99.122,60949 PR tcp len 20 60 -A 1263603234 381099029 64240 OUT
Mar  6 11:47:15 kerberos ipmon[52]: 11:47:15.483208 ste3 @0:1 b 192.168.1.102,4761 -> 192.18.99.122,46753 PR tcp len 20 52 -A 1241247209 154970373 64240 OUT
Mar  6 11:47:41 kerberos ipmon[52]: 11:47:41.177296 ste3 @0:1 b 192.168.1.102,4768 -> 192.18.99.122,60949 PR tcp len 20 60 -A 1263603234 381099029 64240 OUT
Mar  6 11:48:00 kerberos ipmon[52]: 11:47:59.670366 17x ste3 @0:1 b 192.168.1.102,4795 -> 192.18.99.122,36287 PR tcp len 20 60 -A 1338858884 1206233493 64240 OUT
Mar  6 11:48:00 kerberos ipmon[52]: 11:48:00.109931 ste3 @0:1 b 192.168.1.102,4795 -> 192.18.99.122,36287 PR tcp len 20 60 -A 1338858884 1206233493 64240 OUT
Mar  6 11:48:01 kerberos ipmon[52]: 11:48:00.133551 18x ste3 @0:1 b 192.168.1.102,4795 -> 192.18.99.122,36287 PR tcp len 20 60 -A 1338858884 1206233493 64240 OUT
Mar  6 11:48:16 kerberos ipmon[52]: 11:48:15.527258 ste3 @0:1 b 192.168.1.102,4761 -> 192.18.99.122,46753 PR tcp len 20 52 -A 1241247209 154970373 64240 OUT
Mar  6 11:48:16 kerberos ipmon[52]: 11:48:15.527258 ste3 @0:1 b 192.168.1.102,4761 -> 192.18.99.122,46753 PR tcp len 20 52 -A 1241247209 154970373 64240 OUT
Mar  6 11:48:18 kerberos ipmon[52]: 11:48:17.659638 ste3 @0:1 b 192.18.99.122,21 -> xx.xx.95.164,4730 PR tcp len 20 40 -A 3942964881 1187908250 24820 IN
Mar  6 11:48:18 kerberos ipmon[52]: 11:48:17.660351 ste3 @0:1 b 192.18.99.122,21 -> xx.xx.95.164,4730 PR tcp len 20 40 -AF 3942964918 1187908250 24820 IN
Mar  6 11:48:41 kerberos ipmon[52]: 11:48:41.225323 ste3 @0:1 b 192.168.1.102,4768 -> 192.18.99.122,60949 PR tcp len 20 60 -A 1263603234 381099029 64240 OUT
Mar  6 11:49:15 kerberos ipmon[52]: 11:49:15.751817 ste3 @0:1 b 192.168.1.102,4761 -> 192.18.99.122,46753 PR tcp len 20 52 -A 1241247209 154970373 64240 OUT
-------------------------------------------------------------------------------

David
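
An added example, not part of the original post: a small parser for ipmon TCP entries in the layout shown in the log above, which totals blocked packets per flow. It treats the optional `Nx` token as ipmon's repeat count for an identical packet logged N times; the sample lines are taken from the post and re-joined onto single lines, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: four entries from the post's log, re-joined onto single lines.
SAMPLE = """\
Mar  6 11:41:34 kerberos ipmon[52]: 11:41:33.799721 17x ste3 @0:1 b 192.168.1.102,4761 -> 192.18.99.122,46753 PR tcp len 20 60 -A 1241247209 154910677 64240 OUT
Mar  6 11:41:35 kerberos ipmon[52]: 11:41:34.313593 23x ste3 @0:1 b 192.168.1.102,4761 -> 192.18.99.122,46753 PR tcp len 20 60 -A 1241247209 154910677 64240 OUT
Mar  6 11:41:37 kerberos ipmon[52]: 11:41:36.633739 ste3 @0:1 b 192.168.1.102,4761 -> 192.18.99.122,46753 PR tcp len 20 52 -A 1241247209 154970373 64240 OUT
Mar  6 11:48:18 kerberos ipmon[52]: 11:48:17.660351 ste3 @0:1 b 192.18.99.122,21 -> xx.xx.95.164,4730 PR tcp len 20 40 -AF 3942964918 1187908250 24820 IN
"""

# Layout seen in the post: time, optional "Nx" repeat count, interface,
# @group:rule, action (b = blocked), src,port -> dst,port, PR proto,
# len <header> <total>, -FLAGS seq ack window, direction. TCP entries only.
LINE = re.compile(
    r"ipmon\[\d+\]: (?P<time>[\d:.]+) (?:(?P<count>\d+)x )?(?P<ifname>\S+) "
    r"@(?P<group>\d+):(?P<rule>\d+) (?P<action>\S) "
    r"(?P<src>[^,\s]+),(?P<sport>\d+) -> (?P<dst>[^,\s]+),(?P<dport>\d+) "
    r"PR (?P<proto>\S+) len (?P<hlen>\d+) (?P<iplen>\d+) "
    r"-(?P<flags>[A-Z]+) (?P<seq>\d+) (?P<ack>\d+) (?P<win>\d+) (?P<dir>IN|OUT)"
)

def parse(line):
    """Return one ipmon TCP entry as a dict, or None if the line does not match."""
    m = LINE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["count"] = int(rec["count"] or 1)  # no "Nx" token means logged once
    return rec

def blocked_per_flow(text):
    """Total blocked packets per (src, sport, dst, dport, flags, direction)."""
    totals = Counter()
    for line in text.splitlines():
        rec = parse(line)
        if rec and rec["action"] == "b":
            key = (rec["src"], rec["sport"], rec["dst"], rec["dport"],
                   rec["flags"], rec["dir"])
            totals[key] += rec["count"]
    return totals

if __name__ == "__main__":
    for flow, n in blocked_per_flow(SAMPLE).most_common():
        print(n, flow)
```

With the rules shown in the post, outbound TCP on ste3 is passed only by a SYN that creates state, so a blocked bare ACK (`-A`) going OUT is a packet that matched no state entry.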
