Disappearing IP Masquerading expire times in 2.0.30. Bug or misconfigured?

Stephen M. Benoit (benoits@servicepro.com)
Fri, 10 Oct 1997 19:14:23 -0400 (EDT)


Hello, everyone. I'm stumped.

I have been using IP Masquerading for about a year now, and I have never
had problems with it until this week: I accidentally lost my working kernel
.config :( and I have since rebuilt it.

But now, masqueraded TCP connections disappear from the list way before their
expiry times, disrupting HTTP and other sessions behind the firewall.

Yes, I have tried the FAQs and HOWTOs, and rebooted several times ;) I
found the problem did not go away when I tested kernel 2.0.31-pre10.

My private net is 192.168.1.* , the firewall machine is 192.168.1.1,
connected via PPP to my Internet service provider.

Here is an example, 192.168.1.2 connects to www.cnn.com:

% ipfwadm -M -l -n
IP masquerading entries
prot expire source destination ports
tcp 14:58.35 192.168.1.2 207.25.71.24 2796 (61051) -> 80

... so far, so good.
But > 50% of the time, within seconds (before the data is transferred),
it disappears from the masquerading list:

% ipfwadm -M -l -n
IP masquerading entries
prot expire source destination ports

... and in the meantime, netscape or lynx are still waiting on their open
sockets.

My firewall machine is a Pentium Pro 200 MHz with 32 MB RAM. I use
ipfwadm version 2.3.0. The relevant kernel config section is:

#
# Networking options
#
CONFIG_FIREWALL=y
# CONFIG_NET_ALIAS is not set
CONFIG_INET=y
CONFIG_IP_FORWARD=y
# CONFIG_IP_MULTICAST is not set
# CONFIG_SYN_COOKIES is not set
# CONFIG_RST_COOKIES is not set
CONFIG_IP_FIREWALL=y
CONFIG_IP_FIREWALL_VERBOSE=y
CONFIG_IP_MASQUERADE=y

#
# Protocol-specific masquerading support will be built as modules.
#
# CONFIG_IP_MASQUERADE_IPAUTOFW is not set
# CONFIG_IP_MASQUERADE_ICMP is not set
CONFIG_IP_TRANSPARENT_PROXY=y
CONFIG_IP_ALWAYS_DEFRAG=y
CONFIG_IP_ACCT=y
# CONFIG_IP_ROUTER is not set
CONFIG_NET_IPIP=m

My firewall rules are:
IP firewall forward rules, default policy: deny
type prot source destination ports
acc all 192.168.1.0/24 192.168.2.0/24 n/a
acc all 192.168.2.0/24 192.168.1.0/24 n/a
acc/m all 192.168.1.0/24 0.0.0.0/0 n/a
acc all 192.168.2.0/24 0.0.0.0/0 n/a
deny all 0.0.0.0/0 0.0.0.0/0 n/a

... 192.168.2.* is a subnet that occasionally gets connected via a
tunnel (ssh and PPP).

Any suggestions would be appreciated. I know that this worked for my
network in the past. I'd be delighted if it is just some bonehead option
I forgot to configure!

_____________________________ Stephen M. Benoit _______________________________
~ ~ | benoits@servicepro.com | B.Eng (Computer), M.Eng (Electrical)
('>') | Tel: +(514) 255-3550 | Service Providers of America INC
_ | FAX: +(514) 256-1356 | Web page: http://www.servicepro.com/
_______|________________________|______________________________________________
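A small polling script to pin down the symptom described above, added here as an example and not part of the original post or of ipfwadm. It parses the text format of `ipfwadm -M -l -n` exactly as the two listings in the post show it, keeps the previous snapshot, and reports entries that vanished while their expire clock still had plenty of time left. Assumptions not in the post: the expire column is read as MM:SS.hundredths (14:58.35 is consistent with the 15-minute TCP masquerade default), the 60-second "still had time left" threshold is an arbitrary choice, and the two embedded snapshots are constructed from the post's listings for the offline check.

```python
"""Poll a 2.0-era masquerade table and flag entries that vanish early.

Added example, not code from the original post. It parses the text format of
`ipfwadm -M -l -n` as shown in the post, keeps the previous snapshot, and
reports flows that disappeared while they still had time left on their
expire clock. The embedded snapshots are constructed from the post.
"""
import re
import subprocess
import sys
import time
from typing import Dict, List, Tuple

# One data line of `ipfwadm -M -l -n`, e.g.
#   tcp 14:58.35 192.168.1.2 207.25.71.24 2796 (61051) -> 80
ENTRY_RE = re.compile(
    r"^(?P<proto>\w+)\s+(?P<expire>\d+:\d+\.\d+)\s+(?P<src>[\d.]+)\s+(?P<dst>[\d.]+)\s+"
    r"(?P<sport>\d+)\s+\((?P<mport>\d+)\)\s+->\s+(?P<dport>\d+)\s*$"
)

# A masquerade entry is identified by protocol plus the inner connection's 4-tuple.
Flow = Tuple[str, str, int, str, int]


def parse_expire(text: str) -> float:
    """Convert the expire column to seconds (assumed MM:SS.hh; 14:58.35 ~ 15 min default)."""
    minutes, rest = text.split(":")
    seconds, hundredths = rest.split(".")
    return int(minutes) * 60 + int(seconds) + int(hundredths) / 100.0


def parse_masq_table(text: str) -> Dict[Flow, float]:
    """Parse a listing into {flow: seconds_to_expiry}; header and blank lines are skipped."""
    table: Dict[Flow, float] = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # "IP masquerading entries", the column header, or a blank line
        key: Flow = (m["proto"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
        table[key] = parse_expire(m["expire"])
    return table


def premature_drops(before: Dict[Flow, float], after: Dict[Flow, float],
                    min_remaining: float = 60.0) -> List[Flow]:
    """Flows in `before` with more than `min_remaining` seconds left that are gone in `after`.

    Caveat: a TCP connection that closes normally is also removed well before
    its original expiry (the kernel shortens the timer once the session ends),
    so a hit means "removed long before expiry", not by itself "removed
    wrongly"; correlate it with a client still waiting on its socket, as in
    the post.
    """
    return sorted(flow for flow, left in before.items()
                  if left > min_remaining and flow not in after)


def read_live_table() -> Dict[Flow, float]:
    """Run the same ipfwadm command the post uses and parse its output (needs a 2.0 kernel)."""
    out = subprocess.run(["ipfwadm", "-M", "-l", "-n"],
                         capture_output=True, text=True, check=True).stdout
    return parse_masq_table(out)


def watch(interval: float = 1.0) -> None:
    """Poll forever, printing each flow that vanished while its expire clock was still high."""
    prev = read_live_table()
    while True:
        time.sleep(interval)
        cur = read_live_table()
        for flow in premature_drops(prev, cur):
            proto, src, sport, dst, dport = flow
            print(f"{time.strftime('%H:%M:%S')} dropped early: {proto} {src}:{sport} "
                  f"-> {dst}:{dport} ({prev[flow]:.0f}s were left)")
        prev = cur


# Constructed snapshots mirroring the two listings in the post.
SNAPSHOT_BEFORE = """IP masquerading entries
prot expire source destination ports
tcp 14:58.35 192.168.1.2 207.25.71.24 2796 (61051) -> 80
"""
SNAPSHOT_AFTER = """IP masquerading entries
prot expire source destination ports
"""

if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "--watch":
        watch()
    else:
        print(premature_drops(parse_masq_table(SNAPSHOT_BEFORE),
                              parse_masq_table(SNAPSHOT_AFTER)))
```

Run it with `--watch` on the firewall while reproducing the HTTP stall; a flow reported with hundreds of seconds left, while the browser is still blocked on its socket, is the condition the post describes, whereas a flow reported seconds after the page finished loading is just a normal close.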