What's wrong with my ipf rules?

Soybomb

Diamond Member
Jun 30, 2000
FreeBSD 5.4 box: downloads via HTTP hang, FTP downloads get connection reset; with no firewall rules everything is perfect.

pass out quick on fxp0 proto tcp from any to any keep state
pass out quick on fxp0 proto udp from any to any keep state
pass out quick on fxp0 proto icmp from any to any keep state

block in log quick on fxp0 from 192.168.0.0/16 to any #RFC 1918 private IP
block in log quick on fxp0 from 172.16.0.0/12 to any #RFC 1918 private IP
block in log quick on fxp0 from 10.0.0.0/8 to any #RFC 1918 private IP
block in log quick on fxp0 from 127.0.0.0/8 to any #loopback
block in log quick on fxp0 from 0.0.0.0/8 to any #loopback
block in log quick on fxp0 from 169.254.0.0/16 to any #DHCP auto-config
block in log quick on fxp0 from 192.0.2.0/24 to any #reserved for doc's
block in log quick on fxp0 from 204.152.64.0/23 to any #Sun cluster interconnect
block in quick on fxp0 from 224.0.0.0/3 to any #Class D & E multicast

block in quick all with short

pass in quick proto icmp from any to any icmp-type 0 keep state
pass in quick proto icmp from any to any icmp-type 3 keep state
pass in quick proto icmp from any to any icmp-type 8 keep state
pass in quick proto icmp from any to any icmp-type 11 keep state

pass in quick on fxp0 proto tcp from any to any port = 20 flags S keep state keep frags
pass in quick on fxp0 proto tcp from any to any port = 21 flags S keep state keep frags
pass in quick on fxp0 proto tcp from 123.456.789.1/24 to any port = 22 flags S keep state keep frags
pass in quick on fxp0 proto tcp from any to any port = 80 flags S keep state keep frags
pass in quick on fxp0 proto tcp/udp from 123.456.789.24/32 to any port = 161 keep state
pass in quick on fxp0 proto tcp from any to any port = 10000 flags S keep state keep frags
pass in quick on fxp0 proto tcp from any to any port 5000 >< 6000 flags S keep state keep frags

block return-rst in quick on fxp0 proto tcp from any to any
block return-icmp-as-dest(port-unr) in quick on fxp0 proto udp from any to any
block in quick on fxp0 all

pass in quick on lo0 all
pass out quick on lo0 all
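Added example, not part of the thread: a small Python linter for the subset of ipf rule syntax used in the ruleset above. It parses each rule into its fields and reports three things worth checking in any ipf ruleset: address specs that do not parse as IPv4/IPv6 (as written, the two 123.456.789.x entries are not valid addresses, so they are flagged), rules that answer blocked traffic actively (`return-rst`, `return-icmp-as-dest`) rather than dropping it silently, and rules with no `on <interface>` clause, which ipf applies to every interface including lo0. The sample input is a constructed subset of the posted rules.

```python
import ipaddress

# Constructed subset of the ruleset posted above; enough to exercise each check.
RULES = """\
pass out quick on fxp0 proto tcp from any to any keep state
block in log quick on fxp0 from 192.168.0.0/16 to any #RFC 1918 private IP
block in quick all with short
pass in quick proto icmp from any to any icmp-type 8 keep state
pass in quick on fxp0 proto tcp from 123.456.789.1/24 to any port = 22 flags S keep state keep frags
pass in quick on fxp0 proto tcp/udp from 123.456.789.24/32 to any port = 161 keep state
block return-rst in quick on fxp0 proto tcp from any to any
block return-icmp-as-dest(port-unr) in quick on fxp0 proto udp from any to any
block in quick on fxp0 all
pass in quick on lo0 all
"""


def parse_rule(line):
    """Parse one ipf rule into a dict; returns None for blank or comment-only lines.
    Handles only the subset of the ipf grammar that appears in the ruleset above."""
    text = line.split("#", 1)[0].strip()
    if not text:
        return None
    toks = text.split()
    rule = {"text": text, "action": toks[0], "return": None, "direction": None,
            "quick": False, "iface": None, "proto": None, "src": "any", "dst": "any",
            "keep_state": False}
    i = 1
    if toks[i].startswith("return-"):      # block return-rst / return-icmp-as-dest(...)
        rule["return"] = toks[i]
        i += 1
    rule["direction"] = toks[i]
    i += 1
    while i < len(toks):
        t = toks[i]
        if t == "quick":
            rule["quick"] = True
        elif t in ("on", "proto", "from", "to"):
            key = {"on": "iface", "proto": "proto", "from": "src", "to": "dst"}[t]
            i += 1
            rule[key] = toks[i]
        elif t == "keep" and i + 1 < len(toks) and toks[i + 1] == "state":
            rule["keep_state"] = True
            i += 1
        i += 1   # log, all, flags, port, icmp-type, keep frags, with short: skipped here
    return rule


def valid_address(spec):
    """True for 'any' or any spec ipaddress can parse as an address or CIDR prefix."""
    if spec == "any":
        return True
    try:
        ipaddress.ip_network(spec, strict=False)
        return True
    except ValueError:
        return False


def lint(rules_text):
    """Return the three finding lists for a whole ruleset."""
    findings = {"bad_address": [], "active_response": [], "no_iface": []}
    for line in rules_text.splitlines():
        r = parse_rule(line)
        if r is None:
            continue
        for spec in (r["src"], r["dst"]):
            if not valid_address(spec):
                findings["bad_address"].append(spec)
        if r["return"]:
            findings["active_response"].append(r["text"])
        if r["iface"] is None:
            findings["no_iface"].append(r["text"])
    return findings


if __name__ == "__main__":
    for kind, items in lint(RULES).items():
        print(kind)
        for item in items:
            print("   ", item)
```

The `active_response` list is the one to read first when a host is sending resets it should not: a `block return-rst` rule makes the firewall itself emit a TCP RST for any inbound TCP packet that reaches it without matching an earlier `pass` or a state entry, so a packet that falls out of the state table is answered with a reset rather than silently dropped.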

n0cmonkey

Elite Member
Jun 10, 2001
Have you tried tcpdumping the traffic to see what is going on?

Do you realize how hard it is to answer your title with something like: You're using ipf? :p

Soybomb

Diamond Member
Jun 30, 2000
Hey now, what's wrong with ipf? :D

Here's the tcpdump of an ftp download with wget (well, the tail end where it stops, at least):
14:19:15.999495 IP gnudist.gnu.org.http > ipf4ever.com.60287: . 364253:365701(1448) ack 154 win 1448 <nop,nop,timestamp 1982306637 718339>
14:19:15.999585 IP ipf4ever.com.60287 > gnudist.gnu.org.http: . ack 409141 win 33304 <nop,nop,timestamp 718346 1982306546,nop,nop,sack sack 1 {412037:413485} >
14:19:16.001712 IP gnudist.gnu.org.http > ipf4ever.com.60287: . 410589:412037(1448) ack 154 win 1448 <nop,nop,timestamp 1982306636 718339>
14:19:16.001842 IP ipf4ever.com.60287 > gnudist.gnu.org.http: . ack 409141 win 33304 <nop,nop,timestamp 718346 1982306546,nop,nop,sack sack 1 {410589:413485} >
14:19:16.004653 IP gnudist.gnu.org.http > ipf4ever.com.60287: . 333845:335293(1448) ack 154 win 1448 <nop,nop,timestamp 1982306562 718331>
14:19:16.004753 IP ipf4ever.com.60287 > gnudist.gnu.org.http: R 1143068700:1143068700(0) win 0
14:19:16.006948 IP gnudist.gnu.org.http > ipf4ever.com.60287: . 413485:414933(1448) ack 154 win 1448 <nop,nop,timestamp 1982306645 718340>
14:19:16.012033 IP gnudist.gnu.org.http > ipf4ever.com.60287: . 414933:416381(1448) ack 154 win 1448 <nop,nop,timestamp 1982306651 718340>
14:19:16.018255 IP gnudist.gnu.org.http > ipf4ever.com.60287: . 383077:384525(1448) ack 154 win 1448 <nop,nop,timestamp 1982306662 718341>
14:19:16.019564 IP gnudist.gnu.org.http > ipf4ever.com.60287: . 351221:352669(1448) ack 154 win 1448 <nop,nop,timestamp 1982306616 718336>
14:19:16.022678 IP gnudist.gnu.org.http > ipf4ever.com.60287: P 417829:419277(1448) ack 154 win 1448 <nop,nop,timestamp 1982306661 718341>
14:19:16.028787 IP gnudist.gnu.org.http > ipf4ever.com.60287: . 409141:410589(1448) ack 154 win 1448 <nop,nop,timestamp 1982306624 718337>

FTP download from wget looks mostly the same; looks like everything's OK, my box quits ACKing, then the FTP session restarts and the download resumes for a while:
14:22:38.452699 IP gnudist.gnu.org.25846 > ipf4ever.com.54686: . 434401:435849(1448) ack 1 win 1448 <nop,nop,timestamp 1982509094 738581>
14:22:38.452823 IP ipf4ever.com.54686 > gnudist.gnu.org.25846: . ack 419921 win 33304 <nop,nop,timestamp 738591 1982509021,nop,nop,sack sack 3 {434401:437297}{438745:440193}{421369:428609} >
14:22:38.454012 IP gnudist.gnu.org.25846 > ipf4ever.com.54686: . 419921:421369(1448) ack 1 win 1448 <nop,nop,timestamp 1982509034 738575>
14:22:38.454123 IP ipf4ever.com.54686 > gnudist.gnu.org.25846: . ack 428609 win 28960 <nop,nop,timestamp 738591 1982509034,nop,nop,sack sack 3 {434401:437297}{438745:440193}{430057:431505} >
14:22:38.454229 IP ipf4ever.com.54686 > gnudist.gnu.org.25846: . ack 428609 win 33056 <nop,nop,timestamp 738591 1982509034,nop,nop,sack sack 3 {434401:437297}{438745:440193}{430057:431505} >
14:22:38.455343 IP gnudist.gnu.org.25846 > ipf4ever.com.54686: . 369241:370689(1448) ack 1 win 1448 <nop,nop,timestamp 1982509053 738577>
14:22:38.455435 IP ipf4ever.com.54686 > gnudist.gnu.org.25846: R 2965824977:2965824977(0) win 0
14:22:38.456595 IP gnudist.gnu.org.25846 > ipf4ever.com.54686: . 398201:399649(1448) ack 1 win 1448 <nop,nop,timestamp 1982509127 738585>
14:22:38.462400 IP gnudist.gnu.org.25846 > ipf4ever.com.54686: . 382273:383721(1448) ack 1 win 1448 <nop,nop,timestamp 1982509095 738582>
14:22:38.468589 IP gnudist.gnu.org.25846 > ipf4ever.com.54686: . 437297:438745(1448) ack 1 win 1448 <nop,nop,timestamp 1982509109 738583>
14:22:38.469879 IP gnudist.gnu.org.25846 > ipf4ever.com.54686: . 360553:362001(1448) ack 1 win 1448 <nop,nop,timestamp 1982509043 738576>
14:22:38.469951 IP ipf4ever.com.54686 > gnudist.gnu.org.25846: R 2965824977:2965824977(0) win 0
14:22:38.471418 IP gnudist.gnu.org.25846 > ipf4ever.com.54686: . 440193:441641(1448) ack 1 win 1448 <nop,nop,timestamp 1982509123 738584>
14:22:38.475471 IP gnudist.gnu.org.25846 > ipf4ever.com.54686: . 444537:445985(1448) ack 1 win 1448 <nop,nop,timestamp 1982509151 738587>
14:22:38.476942 IP gnudist.gnu.org.25846 > ipf4ever.com.54686: . 443089:444537(1448) ack 1 win 1448 <nop,nop,timestamp 1982509142 738586>
14:22:38.478253 IP gnudist.gnu.org.25846 > ipf4ever.com.54686: . 428609:430057(1448) ack 1 win 1448 <nop,nop,timestamp 1982509063 738578>
14:22:38.486290 IP gnudist.gnu.org.25846 > ipf4ever.com.54686: . 431505:432953(1448) ack 1 win 1448 <nop,nop,timestamp 1982509081 738580>
14:22:38.492186 IP gnudist.gnu.org.25846 > ipf4ever.com.54686: . 447433:448881(1448) ack 1 win 1448 <nop,nop,timestamp 1982509168 738589>
14:22:38.494186 IP gnudist.gnu.org.25846 > ipf4ever.com.54686: . 432953:434401(1448) ack 1 win 1448 <nop,nop,timestamp 1982509085 738580>
14:22:38.502886 IP gnudist.gnu.org.25846 > ipf4ever.com.54686: . 405441:406889(1448) ack 1 win 1448 <nop,nop,timestamp 1982509162 738588>
14:22:38.504107 IP gnudist.gnu.org.25846 > ipf4ever.com.54686: . 445985:447433(1448) ack 1 win 1448 <nop,nop,timestamp 1982509160 738588>
14:22:38.505493 IP gnudist.gnu.org.25846 > ipf4ever.com.54686: . 448881:450329(1448) ack 1 win 1448 <nop,nop,timestamp 1982509176 738590>
14:22:38.511883 IP gnudist.gnu.org.25846 > ipf4ever.com.54686: . 441641:443089(1448) ack 1 win 1448 <nop,nop,timestamp 1982509129 738585>
14:22:38.515239 IP gnudist.gnu.org.25846 > ipf4ever.com.54686: . 411233:412681(1448) ack 1 win 1448 <nop,nop,timestamp 1982509169 738589>
14:22:38.517903 IP gnudist.gnu.org.25846 > ipf4ever.com.54686: P 450329:451777(1448) ack 1 win 1448 <nop,nop,timestamp 1982509186 738590>
14:22:38.519161 IP gnudist.gnu.org.25846 > ipf4ever.com.54686: . 402545:403993(1448) ack 1 win 1448 <nop,nop,timestamp 1982509151 738587>
14:22:38.524462 IP gnudist.gnu.org.25846 > ipf4ever.com.54686: R 897011164:897011164(0) win 0
14:22:38.525694 IP gnudist.gnu.org.25846 > ipf4ever.com.54686: . 451777:453225(1448) ack 1 win 1448 <nop,nop,timestamp 1982509186 738590>
14:22:38.525767 IP ipf4ever.com.54686 > gnudist.gnu.org.25846: R 2965824977:2965824977(0) win 0
14:22:38.529405 IP gnudist.gnu.org.ftp > ipf4ever.com.49326: P 921:958(37) ack 88 win 1448 <nop,nop,timestamp 1982509195 738458>
14:22:38.533842 IP gnudist.gnu.org.25846 > ipf4ever.com.54686: . 417025:418473(1448) ack 1 win 1448 <nop,nop,timestamp 1982509178 738590>
14:22:38.533937 IP ipf4ever.com.54686 > gnudist.gnu.org.25846: R 2965824977:2965824977(0) win 0
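Added example, not part of the thread: a Python script that parses tcpdump lines in the format posted above and, for a given local hostname, locates every RST the local host sent and records what arrived on that flow immediately before it, measured against the last ACK the local side had sent. The sample input is a constructed excerpt of the two dumps above (the HTTP flow and the first two resets of the FTP data flow); the hostname ipf4ever.com is taken from the dumps.

```python
import re

# Constructed excerpt of the tcpdump output posted above (HTTP flow, then FTP data flow).
TRACE = """\
14:19:15.999495 IP gnudist.gnu.org.http > ipf4ever.com.60287: . 364253:365701(1448) ack 154 win 1448 <nop,nop,timestamp 1982306637 718339>
14:19:15.999585 IP ipf4ever.com.60287 > gnudist.gnu.org.http: . ack 409141 win 33304 <nop,nop,timestamp 718346 1982306546,nop,nop,sack sack 1 {412037:413485} >
14:19:16.001712 IP gnudist.gnu.org.http > ipf4ever.com.60287: . 410589:412037(1448) ack 154 win 1448 <nop,nop,timestamp 1982306636 718339>
14:19:16.001842 IP ipf4ever.com.60287 > gnudist.gnu.org.http: . ack 409141 win 33304 <nop,nop,timestamp 718346 1982306546,nop,nop,sack sack 1 {410589:413485} >
14:19:16.004653 IP gnudist.gnu.org.http > ipf4ever.com.60287: . 333845:335293(1448) ack 154 win 1448 <nop,nop,timestamp 1982306562 718331>
14:19:16.004753 IP ipf4ever.com.60287 > gnudist.gnu.org.http: R 1143068700:1143068700(0) win 0
14:19:16.006948 IP gnudist.gnu.org.http > ipf4ever.com.60287: . 413485:414933(1448) ack 154 win 1448 <nop,nop,timestamp 1982306645 718340>
14:22:38.452699 IP gnudist.gnu.org.25846 > ipf4ever.com.54686: . 434401:435849(1448) ack 1 win 1448 <nop,nop,timestamp 1982509094 738581>
14:22:38.452823 IP ipf4ever.com.54686 > gnudist.gnu.org.25846: . ack 419921 win 33304 <nop,nop,timestamp 738591 1982509021,nop,nop,sack sack 3 {434401:437297}{438745:440193}{421369:428609} >
14:22:38.454012 IP gnudist.gnu.org.25846 > ipf4ever.com.54686: . 419921:421369(1448) ack 1 win 1448 <nop,nop,timestamp 1982509034 738575>
14:22:38.454123 IP ipf4ever.com.54686 > gnudist.gnu.org.25846: . ack 428609 win 28960 <nop,nop,timestamp 738591 1982509034,nop,nop,sack sack 3 {434401:437297}{438745:440193}{430057:431505} >
14:22:38.455343 IP gnudist.gnu.org.25846 > ipf4ever.com.54686: . 369241:370689(1448) ack 1 win 1448 <nop,nop,timestamp 1982509053 738577>
14:22:38.455435 IP ipf4ever.com.54686 > gnudist.gnu.org.25846: R 2965824977:2965824977(0) win 0
14:22:38.456595 IP gnudist.gnu.org.25846 > ipf4ever.com.54686: . 398201:399649(1448) ack 1 win 1448 <nop,nop,timestamp 1982509127 738585>
14:22:38.462400 IP gnudist.gnu.org.25846 > ipf4ever.com.54686: . 382273:383721(1448) ack 1 win 1448 <nop,nop,timestamp 1982509095 738582>
14:22:38.468589 IP gnudist.gnu.org.25846 > ipf4ever.com.54686: . 437297:438745(1448) ack 1 win 1448 <nop,nop,timestamp 1982509109 738583>
14:22:38.469879 IP gnudist.gnu.org.25846 > ipf4ever.com.54686: . 360553:362001(1448) ack 1 win 1448 <nop,nop,timestamp 1982509043 738576>
14:22:38.469951 IP ipf4ever.com.54686 > gnudist.gnu.org.25846: R 2965824977:2965824977(0) win 0
"""

# One tcpdump TCP line: timestamp, endpoints, flags, optional seq range, optional ack, window.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<flags>[A-Z.]+)"
    r"(?: (?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\))?"
    r"(?: ack (?P<ack>\d+))? win (?P<win>\d+)"
)


def parse_line(line):
    """Parse one tcpdump line into a dict, or None if it is not a TCP line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pkt = m.groupdict()
    pkt["src_host"], pkt["src_port"] = pkt["src"].rsplit(".", 1)
    pkt["dst_host"], pkt["dst_port"] = pkt["dst"].rsplit(".", 1)
    for key in ("seq", "end", "len", "ack", "win"):
        pkt[key] = int(pkt[key]) if pkt[key] is not None else None
    return pkt


def find_local_resets(trace, local_host):
    """One finding per RST sent by local_host: the flow, the time, the last ACK the
    local side had sent on that flow, and where the segment received just before
    the reset sat relative to that ACK (negative = data already acknowledged)."""
    last_ack_sent = {}   # flow key -> highest ack number local_host has sent so far
    last_inbound = {}    # flow key -> most recent data segment received from the peer
    findings = []
    for line in trace.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        if pkt["src_host"] == local_host:
            flow = (pkt["src_port"], pkt["dst"])          # (local port, remote endpoint)
            if "R" in pkt["flags"]:
                seg = last_inbound.get(flow)
                ack = last_ack_sent.get(flow)
                findings.append({
                    "time": pkt["ts"], "flow": flow, "last_ack_sent": ack,
                    "prev_seq": seg["seq"] if seg else None,
                    "prev_offset": (seg["seq"] - ack) if (seg and ack is not None) else None,
                })
            elif pkt["ack"] is not None:
                last_ack_sent[flow] = max(last_ack_sent.get(flow, 0), pkt["ack"])
        elif pkt["dst_host"] == local_host:
            flow = (pkt["dst_port"], pkt["src"])
            if pkt["seq"] is not None:
                last_inbound[flow] = pkt
    return findings


if __name__ == "__main__":
    for f in find_local_resets(TRACE, "ipf4ever.com"):
        print(f"{f['time']} local port {f['flow'][0]} -> {f['flow'][1]}: RST after seq "
              f"{f['prev_seq']} (offset {f['prev_offset']} from last ACK {f['last_ack_sent']})")
```

In this excerpt each local RST immediately follows a segment whose sequence number is tens of kilobytes below the last ACK the host had already sent, that is, a late retransmission of data that had already been acknowledged while SACK blocks were outstanding. That preceding packet, not the RST itself, is the one to reason about when deciding which rule in the ruleset answered it.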

n0cmonkey

Elite Member
Jun 10, 2001
14:19:16.004753 IP ipf4ever.com.60287 > gnudist.gnu.org.http: R 1143068700:1143068700(0) win 0

Your machine is resetting the connection...

Has this firewall been in place for a while? Any recent rule changes? Have you tried disabling rules to help track it down?

Maybe disable this one to start with:
block return-rst in quick on fxp0 proto tcp from any to any

IPF sucks.

Soybomb

Diamond Member
Jun 30, 2000
Nah, the firewall has been in place for a long time without any rule changes, so I would have thought I would have seen this behavior when I was first installing packages. Indeed though, that's the line that seems to be doing it; I would have expected the 1st line with quick keep state for outbound tcp to allow the traffic back in... and it seems to for a while...

So ipfw is nice? :D