IPF and NAT slowdowns?
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: IPF and NAT slowdowns?
- From: Vince Gonzalez <vince_(_at_)_moe_(_dot_)_nycrc_(_dot_)_net>
- Date: Wed, 24 Mar 1999 16:44:57 -0500
I've got an OpenBSD router acting as a firewall for our internal networks
running NAT and IPFilter.
It's got two subnets hanging off it, and one interface going out to our
exterior router. Some of my users have noticed that on occasion lookups on
internal hosts will take an unusually long time, and connections to services
on other networks within the organization sometimes take a while to come up.
Once connected though, everything moves along nicely.
Now, when I say 'a while', I mean about 25-40 seconds before I see a response.
So far, I've been unable to reproduce the behavior reliably, but it does seem that
after a few connections have been established things move along pretty well.
So, my question is, has anyone else noticed anything like this? I've included
my ipf and ipnat rules files for your consideration. Is there something I've
overlooked?
--ipf.rules
pass out from any to any
pass in from any to any
block in log quick on fxp0 proto icmp from any to any icmp-type redir
block in log quick on fxp0 proto tcp/udp all with short
block in log quick on fxp0 from any to any with ipopts
# block spoofing attempts
block in log quick on fxp0 from 10.0.0.0/8 to any
block in log quick on fxp0 from localhost to any
block in log quick on fxp0 from 0.0.0.0/32 to any
block in log quick on fxp0 from 255.255.255.255/32 to any
block in log quick on fxp0 proto udp from any to any port = sunrpc
block in log quick on fxp0 proto udp from any to any port = 2049
block return-rst in log on fxp0 proto tcp from any to any flags S/SA
block return-rst in on fxp0 proto tcp from any to any port = auth flags S/SA
pass in quick on fxp0 proto tcp from any to any port = netbios-ssn
pass in quick on fxp0 proto tcp from any to any port = netbios-ns
pass in quick on fxp0 proto tcp from any to any port = domain
pass in quick on fxp0 proto udp from any to any port = domain
--ipnat.rules
map fxp0 10.3.0.0/16 -> 209.73.202.6/32
map fxp0 10.1.0.0/16 -> 209.73.202.6/32
--vince
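Added example (not code from the message above and not IPFilter's own code): a small Python model of how ipf walks a ruleset, run over the ipf.rules posted in the message. What it makes visible is ipf's ordering rule: every rule that matches a packet is considered, the last match decides, and a matching 'quick' rule ends the search on the spot. That is what lets the early 'pass in from any to any' be overridden by the later 'block return-rst ... flags S/SA' for new inbound connections, while the 'pass in quick' lines for domain and netbios still win. The parser only understands the subset of ipf syntax those rules use; it assumes that 'localhost' resolves to 127.0.0.1, that ipf passes a packet no rule matched, and the outside address 198.51.100.7 used in the sample packets is constructed. It does not diagnose the delay the message describes; it is a way to check what each rule actually does to a given packet before going looking for the cause.

```python
import ipaddress
from dataclasses import dataclass

# Sample input: the ipf.rules posted in the message above, verbatim.
RULES_TEXT = """\
pass out from any to any
pass in from any to any
block in log quick on fxp0 proto icmp from any to any icmp-type redir
block in log quick on fxp0 proto tcp/udp all with short
block in log quick on fxp0 from any to any with ipopts
# block spoofing attempts
block in log quick on fxp0 from 10.0.0.0/8 to any
block in log quick on fxp0 from localhost to any
block in log quick on fxp0 from 0.0.0.0/32 to any
block in log quick on fxp0 from 255.255.255.255/32 to any
block in log quick on fxp0 proto udp from any to any port = sunrpc
block in log quick on fxp0 proto udp from any to any port = 2049
block return-rst in log on fxp0 proto tcp from any to any flags S/SA
block return-rst in on fxp0 proto tcp from any to any port = auth flags S/SA
pass in quick on fxp0 proto tcp from any to any port = netbios-ssn
pass in quick on fxp0 proto tcp from any to any port = netbios-ns
pass in quick on fxp0 proto tcp from any to any port = domain
pass in quick on fxp0 proto udp from any to any port = domain
"""
# /etc/services numbers for the service names the rules use.
PORT_NAMES = {"sunrpc": 111, "auth": 113, "domain": 53, "netbios-ns": 137, "netbios-ssn": 139}

@dataclass
class Packet:
    direction: str                  # "in" or "out"
    iface: str
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    flags: frozenset = frozenset()  # TCP flag letters; frozenset("S") is a bare SYN
    short: bool = False             # too-short fragment ("with short")
    ipopts: bool = False            # carries IP options ("with ipopts")
    icmp_type: str = ""             # e.g. "redir"

def parse_addr(tok):
    if tok == "any":
        return None
    # ipf resolves host names when the rules load; "localhost" is assumed to mean 127.0.0.1
    return ipaddress.ip_network("127.0.0.1/32" if tok == "localhost" else tok, strict=False)

def parse_rule(line):
    """Parse the subset of ipf rule syntax used above into a dict of match keys."""
    toks = line.split()
    rule = {"action": toks.pop(0), "return_rst": toks[0] == "return-rst", "quick": False}
    if rule["return_rst"]:
        toks.pop(0)
    rule["direction"] = toks.pop(0)
    while toks:
        t = toks.pop(0)
        if t in ("log", "quick"):
            rule[t] = True
        elif t == "all":            # same as "from any to any"
            continue
        elif t == "on":
            rule["iface"] = toks.pop(0)
        elif t == "proto":          # "tcp/udp" means either one
            rule["proto"] = set(toks.pop(0).split("/"))
        elif t in ("from", "to"):
            rule[t] = parse_addr(toks.pop(0))
        elif t == "port":           # only the "port = X" form is handled
            rule["dport"] = PORT_NAMES.get(toks[1]) or int(toks[1])
            del toks[:2]
        elif t == "flags":          # "S/SA": of the S and A bits, only S may be set
            want, mask = toks.pop(0).split("/")
            rule["flags"] = (set(want), set(mask))
        elif t in ("with", "icmp-type"):
            rule[t] = toks.pop(0)
        else:
            raise ValueError(f"unsupported token {t!r} in: {line}")
    return rule

def matches(rule, pkt):
    if rule["direction"] != pkt.direction or rule.get("iface", pkt.iface) != pkt.iface:
        return False
    if "proto" in rule and pkt.proto not in rule["proto"]:
        return False
    for key, addr in (("from", pkt.src), ("to", pkt.dst)):
        if rule.get(key) is not None and ipaddress.ip_address(addr) not in rule[key]:
            return False
    if "dport" in rule and rule["dport"] != pkt.dport:
        return False
    if "flags" in rule and any((f in pkt.flags) != (f in rule["flags"][0]) for f in rule["flags"][1]):
        return False
    if "with" in rule and not getattr(pkt, rule["with"]):
        return False
    return rule.get("icmp-type", pkt.icmp_type) == pkt.icmp_type

def verdict(rules, pkt):
    """(action, index of deciding rule): the LAST match decides, unless a 'quick' rule matches first."""
    decision = ("pass", None)       # ipf passes a packet that no rule matched
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            decision = ("block return-rst" if rule["return_rst"] else rule["action"], i)
            if rule["quick"]:
                break
    return decision

RULES = [parse_rule(l) for l in RULES_TEXT.splitlines() if l.strip() and not l.startswith("#")]

if __name__ == "__main__":          # constructed outside host opening tcp/80 on the NAT address
    print(verdict(RULES, Packet("in", "fxp0", "tcp", "198.51.100.7", "209.73.202.6", 80, frozenset("S"))))
```

Run as a file it prints ('block return-rst', 11): an outside SYN to tcp/80 matches 'pass in from any to any' first but is refused with a reset by the later 'block return-rst ... flags S/SA' (rule index 11, counting from zero and skipping the comment line). The same SYN to tcp/53 stops at 'pass in quick ... port = domain', a SYN to auth is refused by the last matching rule (index 12), and a UDP reply from an outside name server to a high port, or a pure ACK on an established connection, falls through to 'pass in from any to any' because nothing later matches it.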