can ping, can't download through firewall

2004-01-26 Thread Garry Hill

hi,

i'm a reasonably experienced linux/bsd user - i've installed a few boxes in my time 
and usually with a good level of success. but this time i'm stumped. 

i'm trying to set up a freebsd gateway to share my cable modem connection. 

from the gateway itself i can ping the world, from the attached clients i can ping the 
world, i can even do dns lookups. doing:

curl --head http://www.website.com

gives me a good-looking header and everything, but if i do 

lynx http://www.website.com

no joy. i get:

HTTP request sent; waiting for response.

and it stops there. this is true from both the clients and the gateway itself. i just 
can't download anything for all the pings in the world.

my current set up is 

-- kernel config:

options IPFIREWALL
options IPDIVERT 
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPFIREWALL_VERBOSE 
options IPFIREWALL_VERBOSE_LIMIT=10 

-- /etc/rc.conf

gateway_enable="YES"
firewall_enable="YES"
firewall_type="OPEN"
natd_enable="YES"
natd_interface=" rl0"
natd_flags=""

which are both straight out of the handbook.

-- ipfw -a list
00050   1844  130026 divert 8668 ip from any to any via rl0
00100     96   11166 allow ip from any to any via lo0
00200      0       0 deny ip from any to 127.0.0.0/8
00300      0       0 deny ip from 127.0.0.0/8 to any
65000   2481  200907 allow ip from any to any
65535      0       0 allow ip from any to any

ethernet cards - a pair of 8139's - rl0 external, rl1 internal. as far as i can tell 
they work fine.

i've tried the same thing using ipfilter and ipnat instead of natd and ipfw - with the 
same results. 

i've noticed that if i turn on the firewall my pings to the isp's router are much much 
less reliable, sometimes losing 30%+ of the packets but generally degraded compared to 
the setup with no firewall enabled.

the firewall stats show that everything is passing ok. 

i really don't know what's going on. unfortunately my web searches have turned up 
nothing similar.

does anyone have any ideas/comments/suggestions/experience of the same? is it the 
network cards? pings from the client machine when connected directly work perfectly 
but from the gateway are at best a little dodgy - losing 15% of the packets.

any help greatly appreciated.

Garry
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
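An added example, not part of the thread: a small sh/awk audit of an "ipfw -a list" dump like the one posted above. ipfw is first-match, so a divert-to-natd rule only does anything if it sits above every rule that would accept the packet, and a zero packet counter on it means natd never sees traffic. The sample listings are constructed: the first reproduces the OPEN ruleset from the post, the second is a deliberately broken ordering. The function name and the wording of the findings are the example's own. Note what the last finding says about the handbook's OPEN type: the final "allow ip from any to any" means the box translates addresses but filters nothing, which is fine while debugging and not fine for a gateway left facing a cable segment.

```sh
#!/bin/sh
# Added example, not from the thread: audit an "ipfw -a list" dump for a natd
# gateway. ipfw stops at the first allow/deny a packet hits, so a divert rule
# that sits below "allow ip from any to any" never sees a packet.
# Usage: ipfw -a list | audit_ipfw <external-interface>

audit_ipfw() {
    awk -v ext="$1" '
    {
        num = $1 + 0; pkts = $2 + 0        # rule number, packet counter
        rule = $4                          # fields 4.. are the rule text
        for (i = 5; i <= NF; i++) rule = rule " " $i
        # natd listens on port 8668 by default; match any divert port here
        if (rule ~ /^divert [0-9]+ / && rule ~ ("via " ext "$")) {
            divert_num = num; divert_pkts = pkts; seen_divert = 1
        } else if (rule == "allow ip from any to any" && !seen_allow_all) {
            allow_all = num; seen_allow_all = 1
        }
    }
    END {
        if (!seen_divert) {
            findings++; print "no divert-to-natd rule on " ext ": clients behind the gateway are not translated"
        } else {
            if (seen_allow_all && allow_all < divert_num) {
                findings++; print "allow-all rule " allow_all " sits above divert rule " divert_num ": NAT is never applied"
            }
            if (divert_pkts == 0) {
                findings++; print "divert rule " divert_num " has matched 0 packets: nothing is reaching natd"
            }
        }
        if (seen_allow_all) {
            findings++; print "rule " allow_all " allows all traffic: this ruleset translates but filters nothing"
        }
        if (findings == 0) print "ok"
    }'
}

# Constructed sample 1: the OPEN ruleset from the post, counters included.
SAMPLE_OPEN='00050   1844  130026 divert 8668 ip from any to any via rl0
00100     96   11166 allow ip from any to any via lo0
00200      0       0 deny ip from any to 127.0.0.0/8
00300      0       0 deny ip from 127.0.0.0/8 to any
65000   2481  200907 allow ip from any to any
65535      0       0 allow ip from any to any'

# Constructed sample 2: same rules, allow-all moved above the divert.
SAMPLE_BROKEN='00050   2481  200907 allow ip from any to any
00100     96   11166 allow ip from any to any via lo0
65000      0       0 divert 8668 ip from any to any via rl0
65535      0       0 allow ip from any to any'

echo "== handbook OPEN ruleset =="; printf '%s\n' "$SAMPLE_OPEN"   | audit_ipfw rl0
echo "== broken ordering      =="; printf '%s\n' "$SAMPLE_BROKEN" | audit_ipfw rl0
```

On the real box the pipe is "ipfw -a list | audit_ipfw rl0"; the packet counters are cumulative since the rules were loaded, so run "ipfw zero" first, make one request, and then audit if you want to see which rule a single fetch actually hit.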


can ping, can't download through firewall

2003-12-04 Thread Garry Hill

hi,

i'm a reasonably experienced linux/bsd user - i've installed a few boxes in my time 
and usually with a good level of success. but this time i'm stumped/jiggered.

i'm trying to set up a freebsd gateway to share my cable modem connection. 

from the gateway itself i can ping the world, from the attached clients i can ping the 
world, i can even do dns lookups. doing:

curl --head http://www.website.com

gives me a good-looking header and everything, but if i do 

lynx http://www.website.com

no joy. i get:

HTTP request sent; waiting for response.

and it stops there. this is true from both the clients and the gateway itself. i just 
can't download anything for all the pings in the world.

my current set up is 

-- kernel config:

options IPFIREWALL
options IPDIVERT 
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPFIREWALL_VERBOSE 
options IPFIREWALL_VERBOSE_LIMIT=10 

-- /etc/rc.conf

gateway_enable="YES"
firewall_enable="YES"
firewall_type="OPEN"
natd_enable="YES"
natd_interface=" rl0"
natd_flags=""

which are both straight out of the handbook.

-- ipfw -a list
00050   1844  130026 divert 8668 ip from any to any via rl0
00100     96   11166 allow ip from any to any via lo0
00200      0       0 deny ip from any to 127.0.0.0/8
00300      0       0 deny ip from 127.0.0.0/8 to any
65000   2481  200907 allow ip from any to any
65535      0       0 allow ip from any to any

i've tried the same thing using ipfilter and ipnat instead of natd and ipfw - with the 
same results. 

ethernet cards - a pair of 8139's - rl0 external, rl1 internal. as far as i can tell 
they work fine. on the internal network the pings are 100% - i can ftp ssh the works 
without problem.

i've noticed that if i turn on the firewall my pings to the isp's router are much much 
less reliable, sometimes losing 30%+ of the packets but generally degraded compared to 
the setup with no firewall enabled.

the firewall stats show that everything is passing ok. 

i really don't know what's going on. unfortunately my web searches have turned up 
nothing similar.

does anyone have any ideas/comments/suggestions/experience of the same? is it the 
network cards? pings from the client machine when connected directly work perfectly 
but from the gateway are at best a little dodgy - losing 15% of the packets. is there 
some incompatibility between the network card and the router?

oh, and install is FreeBSD 4.9-RELEASE

any help greatly appreciated. it's doin my head in.

Garry
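An added example, not from the thread: the link-layer check that would have shortened this debugging. The follow-up later in the thread traces the fault to a cable that left rl0 at 100baseTX without full duplex. A duplex mismatch passes short exchanges (ping, an HTTP HEAD) and wrecks sustained transfers, and it shows up in two places on a 4.x box: the media/status lines of ifconfig and the error and collision columns of netstat -i. The function reads those two outputs on stdin and prints findings or "ok". The samples are constructed in FreeBSD 4.x format with made-up addresses and counters, and the 1% and 5% thresholds are the example's own.

```sh
#!/bin/sh
# Added example, not from the thread: flag the link-layer faults behind
# "ping works, bulk transfer stalls" on a FreeBSD 4.x gateway.
# Usage: { ifconfig rl0; netstat -i | grep '^rl0.*Link'; } | link_health

link_health() {
    awk '
    # ifconfig media line: 100baseTX without <full-duplex> means the NIC is
    # running half duplex. If the far end is full duplex, short exchanges
    # survive and sustained traffic collides or arrives corrupted.
    $1 == "media:" && $0 !~ /full-duplex/ {
        findings++; print "media is not full duplex (" $0 "): check the cable and the far-end port"
    }
    $1 == "status:" && $0 !~ /active/ {
        findings++; print "link is not up (" $0 ")"
    }
    # netstat -i <Link#N> line: Name Mtu Network Address Ipkts Ierrs Opkts Oerrs Coll.
    # Per-address lines print "-" in the error columns and are skipped.
    NF >= 9 && $2 ~ /^[0-9]+$/ && $6 ~ /^[0-9]+$/ {
        name = $1; ipkts = $5 + 0; ierrs = $6 + 0; opkts = $7 + 0; oerrs = $8 + 0; coll = $9 + 0
        if (ipkts > 0 && ierrs * 100 >= ipkts) {
            findings++; print name ": " ierrs " input errors in " ipkts " packets (>= 1%): bad cable or duplex mismatch"
        }
        if (opkts > 0 && (oerrs + coll) * 20 >= opkts) {
            findings++; print name ": " oerrs " output errors and " coll " collisions in " opkts " packets (>= 5%)"
        }
    }
    END { if (findings == 0) print "ok" }
    '
}

# Constructed samples in FreeBSD 4.x format (addresses and counters are made up).
SAMPLE_GOOD='rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.0.2.2 netmask 0xffffff00 broadcast 192.0.2.255
        ether 00:50:ba:00:00:01
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
rl0   1500 <Link#1>    00:50:ba:00:00:01     1844     0     2481     0     0'

SAMPLE_BAD='rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.0.2.2 netmask 0xffffff00 broadcast 192.0.2.255
        ether 00:50:ba:00:00:01
        media: Ethernet autoselect (100baseTX)
        status: active
rl0   1500 <Link#1>    00:50:ba:00:00:01     1844   211     2481    19   402'

echo "== healthy link =="; printf '%s\n' "$SAMPLE_GOOD" | link_health
echo "== faulty link  =="; printf '%s\n' "$SAMPLE_BAD"  | link_health
```

The counters in netstat -i are cumulative, so on a box that has been up for a while take two readings a minute apart during a stalled fetch and feed the difference through the same check; a link that only misbehaves under load will look clean in the lifetime totals.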


RE: can ping, can't download through firewall

2003-12-04 Thread Garry Hill

thanks for the advice. 

> natd_interface=" rl0"   fix this statement, there should not be a
> space between first quote and rl0: natd_interface="rl0"

the space comes from me copying and pasting from a website, not from my config files. 
that space was never in my config files.

> What happens if you boot using the original generic kernel with no
> firewall enable statements in rc.conf?  IE: kernel without IPFW or
> IPFILTER compiled in. Do you have total access to public internet

with generic kernel and no firewall it's the same situation. pingo-rama but no 
downloads. 

the response isn't even consistent. doing a fetch -v "http://207.126.111.202/index.html" 
(which is rheet.mozilla.or) sometimes (more often than not) it gets to the "requesting 
http://..." but no more, but then sometimes it gets as far as "receiving..." but never 
gets more than 1024 bytes.

but, the good news is, i figured it out. it was the bloody cable after all that. the 
ifconfig was showing up as 100baseTX but not 100baseTX full-duplex but what 
really pointed it out was the lack of a link status light when i tried a different 
ethernet card. so somewhere in that cable something is broken, i just don't know 
where. changing the plastic bits hasn't helped. the strangest thing is that it works 
(is working right now) without a hitch here on my mac - must be that the mac 
drivers/nic are more robust/less fussy than the i386/8139/freebsd counterparts. i 
don't know enough about full- or half- duplex to make more sense out of it. 

so, after two days of racking my brains and beating my head against various bits of 
brick and styrofoam padding we're back on track. 

thanks again,

g

> What happens if you boot using the original generic kernel with no
> firewall enable statements in rc.conf?  IE: kernel without IPFW or
> IPFILTER compiled in. Do you have total access to public internet
> from your gateway box? [ie will  lynx http://www.website.com work]
> If so then, add the rc.conf statements enable statements for the
> firewall of your chose and the firewall loadable module will be
> dynamically loaded at boot time. See if this makes any difference.
> If not then problem is not in the creation of new kernel, but in the
> firewall rules you are using.
>
> natd_interface=" rl0"   fix this statement, there should not be a
> space between first quote and rl0: natd_interface="rl0"
>
> Change this rule "allow ip from any to any" to "allow log ip from any
> to any"
> And only test one outbound service like  lynx http://www.website.com
> and them check  your log to see what happened. BE careful this will
> generate a lot of log msgs.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Garry Hill
Sent: Thursday, December 04, 2003 10:53 AM
To: FreeBSD
Subject: can ping, can't download through firewall


hi,

i'm a reasonably experienced linux/bsd user - i've installed a few
boxes in my time and usually with a good level of success. but this
time i'm stumped/jiggered.

i'm trying to set up a freebsd gateway to share my cable modem
connection.

from the gateway itself i can ping the world, from the attached
clients i can ping the world, i can even do dns lookups. doing:

curl --head http://www.website.com

gives me a good-looking header and everything, but if i do

lynx http://www.website.com

no joy. i get:

HTTP request sent; waiting for response.

and it stops there. this is true from both the clients and the
gateway itself. i just can't download anything for all the pings in
the world.

my current set up is

-- kernel config:

options IPFIREWALL
options IPDIVERT
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=10

-- /etc/rc.conf

gateway_enable="YES"
firewall_enable="YES"
firewall_type="OPEN"
natd_enable="YES"
natd_interface=" rl0"
natd_flags=""

which are both straight out of the handbook.

-- ipfw -a list
00050   1844  130026 divert 8668 ip from any to any via rl0
00100     96   11166 allow ip from any to any via lo0
00200      0       0 deny ip from any to 127.0.0.0/8
00300      0       0 deny ip from 127.0.0.0/8 to any
65000   2481  200907 allow ip from any to any
65535      0       0 allow ip from any to any

i've tried the same thing using ipfilter and ipnat instead of natd
and ipfw - with the same results.

ethernet cards - a pair of 8139's - rl0 external, rl1 internal. as
far as i can tell they work fine. on the internal network the pings
are 100% - i can ftp ssh the works without problem.

i've noticed that if i turn on the firewall my pings to the isp's
router are much much less reliable, sometimes losing 30%+ of the
packets but generally degraded compared to the setup with no
firewall enabled.

the firewall stats show that everything is passing ok.

i really don't know what's going on. unfortunately my web searches
have turned up nothing similar.

does anyone have any ideas/comments/suggestions/experience of the
same? is it the network cards? pings from the client machine when
connected directly work perfectly but from the gateway are at best