Custom Firewall Rule and Slowness Observed, Why?



  • Ping Test with selective Firewall Rules. See Attachment.

    -Latitude-3330 ~ $ ping 37.59.118.37
    PING 37.59.118.37 (37.59.118.37) 56(84) bytes of data.
    64 bytes from 37.59.118.37: icmp_seq=5 ttl=49 time=624 ms
    64 bytes from 37.59.118.37: icmp_seq=11 ttl=49 time=783 ms
    64 bytes from 37.59.118.37: icmp_seq=27 ttl=49 time=793 ms
    64 bytes from 37.59.118.37: icmp_seq=31 ttl=49 time=501 ms
    64 bytes from 37.59.118.37: icmp_seq=49 ttl=49 time=386 ms
    ^C
    --- 37.59.118.37 ping statistics ---
    57 packets transmitted, 5 received, 91% packet loss, time 56406ms
    rtt min/avg/max/mdev = 286.942/437.864/793.624/191.248 ms

    Ping Test with Any to Any Rule on Firewall:

    -Latitude-3330 ~ $ ping 37.59.118.37
    PING 37.59.118.37 (37.59.118.37) 56(84) bytes of data.
    64 bytes from 37.59.118.37: icmp_seq=1 ttl=49 time=281 ms
    64 bytes from 37.59.118.37: icmp_seq=2 ttl=49 time=279 ms
    64 bytes from 37.59.118.37: icmp_seq=3 ttl=49 time=275 ms
    64 bytes from 37.59.118.37: icmp_seq=4 ttl=49 time=278 ms

    Why is there slowness with my rule while the Any-to-Any rule shows no slowness (web surfing is very good)? How can I go about optimizing this?




  • Your rules are borked.  You don't need ANY of them with the exception of the Anti-Lockout rule at the top, and the Default Allow LAN to Any rule at the bottom.  Everything else you have added is unnecessary and likely confusing you.  While it may have no impact on your actual problem, you should get your rules straight before you start troubleshooting.



  • 91% loss and high enough pings to go around the Earth a few times? Are you sure you don't have some circular route or something? Try doing a trace route.



  • Hi, I reverted back to my old rules and I observed that when I use the middle WAN rule (shown in the print screen) I get no packet loss and also get good ms. However, when I deactivate it, although I am still getting a connection, I observe that packet loss. Also, I didn't quite understand the "invert match" option beside the src and dst address. I did a trial and error where I deactivated it and had connectivity issues, while when it was activated it worked like a charm.

    Can you please give me some advice and more information on the inverse match? Thanks.




  • @KOM:

    Your rules are borked.  You don't need ANY of them with the exception of the Anti-Lockout rule at the top, and the Default Allow LAN to Any rule at the bottom.  Everything else you have added is unnecessary and likely confusing you.  While it may have no impact on your actual problem, you should get your rules straight before you start troubleshooting.

    If I keep the default Allow LAN to Any rule, isn't that some sort of security hole? I thought that I would deactivate that rule and then have my own rules do what I want them to do.



  • If I keep the default Allow LAN to Any rule, isn't that some sort of security hole?

    Not so much.  If you lock down LAN to that degree, you will face an endless series of user issues trying to run software that uses the Internet.  You can certainly do that if you want to, but it's not recommended and that's why it's the default.  If you're running an Internet Cafe then it might be more important to lock down LAN, but if this is for home or your company network then it's not as important.  The real question is, do you trust your users or not?



  • @CallFromUSA:

    Hi, I reverted back to my old rules and I observed that when I use the middle WAN rule (shown in the print screen) I get no packet loss and also get good ms.

    The WAN rules have absolutely no impact on traffic from your LAN. Your connection looks awful indeed, but there is something introducing variability that has nothing to do with what firewall rules you're messing with.



  • @cmb:

    @CallFromUSA:

    Hi, I reverted back to my old rules and I observed that when I use the middle WAN rule (shown in the print screen) I get no packet loss and also get good ms.

    The WAN rules have absolutely no impact on traffic from your LAN. Your connection looks awful indeed, but there is something introducing variability that has nothing to do with what firewall rules you're messing with.

    Oh hey, thanks guys. I think I see the advantages of the LAN-to-Any rule. Do you have any advice on how to make better rules? I am still new to security.

    Sorry for these newbie questions I am still new to security.