Hello.
I use ipfilter to do NAT and stateful IP filtering and I really like it.
I use dummynet to limit bandwidth and I really like it too.
The problem is they don't work together in a specific situation.
My ipf.rules (simplified):
block in log all
block out log all
pass out quick on ppp0 proto tcp all flags S keep state keep frags
pass out quick on ppp0 proto udp all keep state keep frags
pass out quick on ppp0 proto icmp all keep state keep frags
ipfw configuration (excluding counters):
ipfw add pipe 1 tcp from any 1025-2400 to any out
ipfw pipe 1 config bw 4Kbytes/s
ipfw add pipe 2 tcp from any 20 to any out
ipfw pipe 2 config bw 3Kbytes/s
ipfw allow all from any to any
So I noticed that ipfilter isn't keeping state correctly on outgoing
TCP connections when the above ipfw rules are in effect.
For example, ipfstat -t shows connections that are never fully established;
they stop at 4/3. There is no data exchange. I observed that:
gateway.36023 -> mailhost.25 S
mailhost.25 -> gateway.36023 SA
mailhost.25 -> gateway.36023 SA
and the connection is not established. In ipflog we can see:
ppp0: @0:7 b 217.96.180.81,36023 -> 213.180.130.33,25 PR tcp len 20 52 -AF OUT
The packet was blocked, but it shouldn't have been. I can successfully connect to
this mailhost if I put "ipfw add allow ip from any to any" before the
"ipfw add pipe ..." rules.
Summarizing: when I try to limit bandwidth I can't use TCP with keep state.
More precisely: I can't use TCP from hosts behind the gateway (NAT), but I can establish
TCP connections from the gateway.
I don't think that exhausting the state table is the case here. Even after I had
done ipf -FSs, TCP didn't work.
Perhaps I'm missing something obvious (I have spent too much time on this problem).
I will be very grateful for any idea, explanation, hint or solution.
Best regards, B.
PS. I'm attaching the relevant tcpdump, ipfstat -s and ipnat -s output.
# ipfstat -s
IP states added:
10111 TCP
3335 UDP
5330 ICMP
1017243 hits
654090 misses
0 maximum
0 no memory
526 bkts in use
545 active
8665 expired
9566 closed
# ipnat -s
mapped in 140179 out 138894
added 11916 expired 11343
no memory 0 bad nat 0
inuse 573
rules 15
wilds 0
20:54:54.835061 217.96.180.81.37836 > 213.180.130.33.25: S 1001007946:1001007946(0)
win 16060 <mss 1460,sackOK,timestamp 4975732 0,nop,wscale 0> (DF) [tos 0x10]
20:54:54.877479 213.180.130.33.25 > 217.96.180.81.37836: S 3076683582:3076683582(0)
ack 1001007947 win 10136 <nop,nop,timestamp 1129079898 4975732,nop,wscale
0,nop,nop,sackOK,mss 1460> (DF)
20:54:58.243475 213.180.130.33.25 > 217.96.180.81.37836: S 3076683582:3076683582(0)
ack 1001007947 win 10136 <nop,nop,timestamp 1129080235 4975732,nop,wscale
0,nop,nop,sackOK,mss 1460> (DF)
20:55:04.964428 213.180.130.33.25 > 217.96.180.81.37836: S 3076683582:3076683582(0)
ack 1001007947 win 10136 <nop,nop,timestamp 1129080910 4975732,nop,wscale
0,nop,nop,sackOK,mss 1460> (DF)
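Added example, not part of B.'s message: a small Python script that reads tcpdump text output like the trace above and flags handshakes where the server's SYN-ACK was (re)sent but the client's ACK never appears, which is the half-open 4/3 pattern described. The sample lines are constructed (option lists shortened); the old BSD tcpdump format and flow keying are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in old BSD tcpdump text format. Lines 1-4 mirror the
# shape of the trace in the message (client SYN, server SYN-ACK retried
# three times, no client ACK); lines 5-7 are a healthy handshake for contrast.
SAMPLE = """\
20:54:54.835061 217.96.180.81.37836 > 213.180.130.33.25: S 1001007946:1001007946(0) win 16060 (DF)
20:54:54.877479 213.180.130.33.25 > 217.96.180.81.37836: S 3076683582:3076683582(0) ack 1001007947 win 10136 (DF)
20:54:58.243475 213.180.130.33.25 > 217.96.180.81.37836: S 3076683582:3076683582(0) ack 1001007947 win 10136 (DF)
20:55:04.964428 213.180.130.33.25 > 217.96.180.81.37836: S 3076683582:3076683582(0) ack 1001007947 win 10136 (DF)
20:55:10.000001 217.96.180.81.37900 > 213.180.130.33.80: S 5:5(0) win 16060 (DF)
20:55:10.010002 213.180.130.33.80 > 217.96.180.81.37900: S 9:9(0) ack 6 win 10136 (DF)
20:55:10.020003 217.96.180.81.37900 > 213.180.130.33.80: . ack 10 win 16060 (DF)
"""

# timestamp, src, dst, flag letters, remainder ("ack N" lives in the remainder)
LINE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) > (?P<dst>\S+): (?P<flags>[A-Z.]+) (?P<rest>.*)$")


def handshakes(text):
    """Count handshake legs per (client, server) flow; the client is the SYN sender."""
    flows = defaultdict(lambda: {"syn": 0, "synack": 0, "ack": 0})
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # wrapped option continuation lines carry no new packet
        src, dst, flags, rest = m.group("src", "dst", "flags", "rest")
        acked = re.search(r"\back\b", rest) is not None
        if "S" in flags and not acked:
            flows[(src, dst)]["syn"] += 1        # leg 1: client SYN
        elif "S" in flags and acked:
            flows[(dst, src)]["synack"] += 1     # leg 2: server SYN-ACK, keyed by client
        elif flags == "." and acked and (src, dst) in flows:
            flows[(src, dst)]["ack"] += 1        # leg 3: client's pure ACK
    return dict(flows)


def incomplete(flows):
    """Flows whose SYN-ACK was seen (possibly retried) but never acknowledged."""
    return [k for k, c in flows.items() if c["syn"] and c["synack"] and not c["ack"]]


if __name__ == "__main__":
    flows = handshakes(SAMPLE)
    stuck = set(incomplete(flows))
    for (client, server), c in flows.items():
        tag = "STUCK" if (client, server) in stuck else "ok"
        print(f"{client} -> {server}: syn={c['syn']} synack={c['synack']} ack={c['ack']} {tag}")
```

Feed it real `tcpdump -n` text captured on ppp0 and the STUCK flows are the ones worth comparing against `ipfstat -t` entries sitting at 4/3 and against ipmon block lines for the same port pair.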