1.2-RELEASE too SLOW to use... I have a clue...
-
Hi folks
I do have a 1.2-RELEASE on a Soekris NET-4801, which was working fine while I used it over LAN, but now I'm using it over WAN and it is too slow to use; it takes ages to load pages.
If needed, I can submit an obfuscated config file...
Getting slowly insane, I issued a "pfctl -F rules", which essentially clears all firewall rules but keeps the NAT, so I can access the box from remote, and suddenly pfSense gets responsive! I can now even SSH from remote to my pfSense box.
I haven't enabled Traffic Shaper, and I ticked the box so that Checksum Offloading is disabled, even though it seemed to work fine.... Meanwhile the box is reduced in configuration as far as possible to find the bug, so I can say that the only special things are that it is managed over SSL and has a NAT rule from external to the internal port 443 (for management), plus some more legacy rules. As a side note, it does have a Hifn 7955 encryption module.
I have to dig deeper into it to see which rules, or if any rule at all, cause the trouble, but as always, so little time. In case someone else has the trouble too (and I saw numerous posts about it), I leave this as a hint.... and will complete it once I have figured it out, or hope for someone to figure it out first.
regards
Philipp -
Is this what you are seeing?
SEARCH: WAN interface slow
-
I saw this entry... but it's a mess....
I don't use any beta software or pre-release; it's the RELEASE version I use.
I don't run any PPPoE or stuff that can cause MSS issues.
My problem goes away when I flush the rules, so Checksum Offloading can't be the cause, even though I disabled it for testing.
Not only is web access to the GUI slow, ANY traffic going through the box is dead SLOW, be it a webserver behind it or SSH access to the pfSense box. So we are talking here about a Soekris NET4801, without any fancy Intel NICs, plain simple ethernet wiring and a RELEASE version...
regards
Philipp -
Things to check:
Status -> System
Check the CPU and RAM load.
What is the 'State table size'?
Status -> Interfaces
Are there any In/Out errors?
System -> Advanced
'Enable Secure Shell': make sure the box is checked.
Then SSH into the pfSense firewall; I typically use PuTTY for this. Press 8 and then run the following command: top
Report back the top processes. -
CPU Load: 5-6%
RAM Load: 40%
State Table: 32/10000
No Interface Errors
last pid: 98670; load averages: 0.09, 0.10, 0.09 up 19+10:15:26 17:58:30
39 processes: 1 running, 35 sleeping, 3 zombie
CPU states: 0.4% user, 0.0% nice, 2.3% system, 1.2% interrupt, 96.1% idle
Mem: 30M Active, 9192K Inact, 19M Wired, 12K Cache, 13M Buf, 59M Free
Swap: 1024M Total, 1024M Free
PID USERNAME THR PRI NICE SIZE RES STATE TIME WCPU COMMAND
461 root 1 4 0 23172K 20232K accept 0:07 0.24% php
305 root 7 20 0 2196K 1160K kserel 102:37 0.00% slbd
670 root 1 -8 20 2328K 1688K piperd 58:00 0.00% sh
715 root 1 8 -88 1408K 836K nanslp 6:38 0.00% watchdogd
453 root 1 4 0 3444K 2880K kqread 3:41 0.00% lighttpd
293 root 1 -58 0 3916K 2248K bpf 2:26 0.00% tcpdump
613 root 1 96 0 5848K 5504K select 1:16 0.00% bsnmpd
187 root 1 96 0 1388K 1012K select 0:41 0.00% syslogd
798 root 1 8 0 1384K 992K nanslp 0:39 0.00% cron
403 proxy 1 4 0 704K 452K kqread 0:36 0.00% pftpx
792 root 1 96 0 1372K 1004K select 0:20 0.00% ntpd
809 root 1 8 0 1268K 708K nanslp 0:10 0.00% minicron
294 root 1 -8 0 1276K 704K piperd 0:07 0.00% logger
509 root 1 96 0 1280K 692K select 0:06 0.00% choparp
91457 root 1 8 20 1272K 716K nanslp 0:04 0.00% check_reload_status
740 _ntp 1 96 0 1340K 1012K select 0:01 0.00% ntpd
98622 root 1 96 0 5756K 2808K select 0:01 0.00% sshd
98645 root 1 96 0 2356K 1516K RUN 0:00 0.00% top
98640 root 1 20 0 3908K 2600K pause 0:00 0.00% tcsh
454 root 1 8 0 14924K 5016K wait 0:00 0.00% php
458 root 1 8 0 14924K 5016K wait 0:00 0.00% php
98355 proxy 1 -58 20 852K 640K bpf 0:00 0.00% ftpsesame
98625 root 1 8 0 1728K 1092K wait 0:00 0.00% sh
42760 root 1 20 20 2260K 1320K pause 0:00 0.00% top
42759 root 1 8 20 2328K 1688K wait 0:00 0.00% sh
261 root 1 96 0 3064K 2380K select 0:00 0.00% sshd
42761 root 1 -8 20 1564K 1028K piperd 0:00 0.00% awk
91445 root 1 -8 0 1392K 1056K piperd 0:00 0.00% cron
104 root 1 96 0 504K 360K select 0:00 0.00% devd
460 root 1 4 0 14924K 5088K accept 0:00 0.00% php -
Output of pfctl -vv -s all:
TRANSLATION RULES:
@0 nat-anchor "pftpx/" all
[ Evaluations: 35 Packets: 0 Bytes: 0 States: 0 ]
@1 nat-anchor "natearly/" all
[ Evaluations: 35 Packets: 0 Bytes: 0 States: 0 ]
@2 nat-anchor "natrules/" all
[ Evaluations: 35 Packets: 0 Bytes: 0 States: 0 ]
@3 nat on sis2 inet from 172.17.17.0/24 to any -> (sis2) round-robin
[ Evaluations: 35 Packets: 0 Bytes: 0 States: 0 ]
@4 nat on sis0 inet from any to 172.17.17.0/24 -> (sis0) round-robin
[ Evaluations: 35 Packets: 223 Bytes: 11221 States: 29 ]
@0 rdr-anchor "pftpx/" all
[ Evaluations: 32 Packets: 0 Bytes: 0 States: 0 ]
@1 rdr-anchor "slb" all
[ Evaluations: 32 Packets: 0 Bytes: 0 States: 0 ]
@2 no rdr on sis0 proto tcp from any to <vpns:0> port = ftp
[ Evaluations: 32 Packets: 0 Bytes: 0 States: 0 ]
@3 rdr on sis0 inet proto tcp from any to any port = ftp -> 127.0.0.1 port 8021
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
@4 rdr on sis2 inet proto tcp from any to 212.25.4.30 port = https -> 172.17.17.250
[ Evaluations: 32 Packets: 20 Bytes: 2744 States: 1 ]
@5 rdr-anchor "imspector" all
[ Evaluations: 2 Packets: 0 Bytes: 0 States: 0 ]
@6 rdr-anchor "miniupnpd" all
[ Evaluations: 2 Packets: 0 Bytes: 0 States: 0 ]
FILTER RULES:
@0 anchor "ftpsesame/" all
[ Evaluations: 37 Packets: 0 Bytes: 0 States: 0 ]
@1 anchor "firewallrules" all
[ Evaluations: 37 Packets: 0 Bytes: 0 States: 0 ]
@2 block drop quick proto tcp from any port = 0 to any
[ Evaluations: 37 Packets: 0 Bytes: 0 States: 0 ]
@3 block drop quick proto tcp from any to any port = 0
[ Evaluations: 36 Packets: 0 Bytes: 0 States: 0 ]
@4 block drop quick proto udp from any port = 0 to any
[ Evaluations: 37 Packets: 0 Bytes: 0 States: 0 ]
@5 block drop quick proto udp from any to any port = 0
[ Evaluations: 1 Packets: 0 Bytes: 0 States: 0 ]
@6 block drop quick from <snort2c:0> to any label "Block snort2c hosts"
[ Evaluations: 38 Packets: 0 Bytes: 0 States: 0 ]
@7 block drop quick from any to <snort2c:0> label "Block snort2c hosts"
[ Evaluations: 38 Packets: 0 Bytes: 0 States: 0 ]
@8 anchor "loopback" all
[ Evaluations: 38 Packets: 0 Bytes: 0 States: 0 ]
@9 pass in quick on lo0 all label "pass loopback"
[ Evaluations: 38 Packets: 0 Bytes: 0 States: 0 ]
@10 pass out quick on lo0 all label "pass loopback"
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
@11 anchor "packageearly" all
[ Evaluations: 38 Packets: 0 Bytes: 0 States: 0 ]
@12 anchor "carp" all
[ Evaluations: 38 Packets: 0 Bytes: 0 States: 0 ]
@13 pass quick inet proto icmp from 212.25.4.30 to any keep state
[ Evaluations: 38 Packets: 0 Bytes: 0 States: 0 ]
@14 anchor "dhcpserverlan" all
[ Evaluations: 38 Packets: 0 Bytes: 0 States: 0 ]
@15 pass in quick on sis0 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps label "allow access to DHCP server on LAN"
[ Evaluations: 38 Packets: 0 Bytes: 0 States: 0 ]
@16 pass in quick on sis0 inet proto udp from any port = bootpc to 172.17.17.250 port = bootps label "allow access to DHCP server on LAN"
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
@17 pass out quick on sis0 inet proto udp from 172.17.17.250 port = bootps to any port = bootpc label "allow access to DHCP server on LAN"
[ Evaluations: 17 Packets: 0 Bytes: 0 States: 0 ]
@18 block drop in log quick on sis2 inet proto udp from any port = bootps to 172.17.17.0/24 port = bootpc label "block dhcp client out wan"
[ Evaluations: 21 Packets: 0 Bytes: 0 States: 0 ]
@19 pass in quick on sis2 proto udp from any port = bootps to any port = bootpc label "allow dhcp client out wan"
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
@20 block drop in on ! sis0 inet from 172.17.17.0/24 to any
[ Evaluations: 38 Packets: 0 Bytes: 0 States: 0 ]
@21 block drop in inet from 172.17.17.250 to any
[ Evaluations: 38 Packets: 0 Bytes: 0 States: 0 ]
@22 block drop in on ! sis1 inet from 192.168.144.0/24 to any
[ Evaluations: 21 Packets: 0 Bytes: 0 States: 0 ]
@23 block drop in inet from 192.168.144.44 to any
[ Evaluations: 21 Packets: 0 Bytes: 0 States: 0 ]
@24 block drop in on sis0 inet6 from fe80::200:24ff:fec4:2ba8 to any
[ Evaluations: 21 Packets: 0 Bytes: 0 States: 0 ]
@25 block drop in on sis1 inet6 from fe80::200:24ff:fec4:2ba9 to any
[ Evaluations: 21 Packets: 0 Bytes: 0 States: 0 ]
@26 anchor "spoofing" all
[ Evaluations: 38 Packets: 0 Bytes: 0 States: 0 ]
@27 anchor "limitingesr" all
[ Evaluations: 38 Packets: 0 Bytes: 0 States: 0 ]
@28 block drop in quick from <virusprot:0> to any label "virusprot overload table"
[ Evaluations: 38 Packets: 0 Bytes: 0 States: 0 ]
@29 pass out quick on sis0 proto icmp all keep state label "let out anything from firewall host itself"
[ Evaluations: 38 Packets: 0 Bytes: 0 States: 0 ]
@30 pass out quick on sis2 proto icmp all keep state label "let out anything from firewall host itself"
[ Evaluations: 21 Packets: 0 Bytes: 0 States: 0 ]
@31 pass out quick on sis2 all keep state label "let out anything from firewall host itself"
[ Evaluations: 17 Packets: 0 Bytes: 0 States: 0 ]
@32 anchor "firewallout" all
[ Evaluations: 38 Packets: 0 Bytes: 0 States: 0 ]
@33 pass out quick on sis2 all keep state label "let out anything from firewall host itself"
[ Evaluations: 38 Packets: 0 Bytes: 0 States: 0 ]
@34 pass out quick on sis0 all keep state label "let out anything from firewall host itself"
[ Evaluations: 17 Packets: 112 Bytes: 5641 States: 29 ]
@35 pass out quick on sis1 all keep state label "let out anything from firewall host itself"
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
@36 pass out quick on enc0 all keep state label "IPSEC internal host to host"
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
@37 pass out quick on sis1 proto icmp all keep state label "let out anything from firewall host itself"
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
@38 pass out quick on sis1 all keep state label "let out anything from firewall host itself"
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
@39 anchor "anti-lockout" all
[ Evaluations: 21 Packets: 0 Bytes: 0 States: 0 ]
@40 pass in quick on sis0 inet from any to 172.17.17.250 keep state label "anti-lockout web rule"
[ Evaluations: 21 Packets: 0 Bytes: 0 States: 0 ]
@41 block drop in log proto tcp from <sshlockout:0> to any port = ssh label "sshlockout"
[ Evaluations: 21 Packets: 0 Bytes: 0 States: 0 ]
@42 anchor "ftpproxy" all
[ Evaluations: 21 Packets: 0 Bytes: 0 States: 0 ]
@43 anchor "pftpx/" all
[ Evaluations: 21 Packets: 0 Bytes: 0 States: 0 ]
@44 pass quick proto carp all
[ Evaluations: 21 Packets: 0 Bytes: 0 States: 0 ]
@45 pass quick proto pfsync all
[ Evaluations: 21 Packets: 0 Bytes: 0 States: 0 ]
@46 pass in log quick on sis2 from <immunity:1> to any keep state label "USER_RULE"
[ Evaluations: 21 Packets: 0 Bytes: 0 States: 0 ]
@47 pass in quick on sis2 inet proto icmp from any to 212.25.4.24/29 icmp-type echoreq keep state label "USER_RULE: ICMP IPv4"
[ Evaluations: 21 Packets: 0 Bytes: 0 States: 0 ]
@48 pass in quick on sis2 inet proto icmp from any to 212.25.4.30 icmp-type routeradv keep state label "USER_RULE: IPv6 ICMP Router ADV"
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
@49 pass in log quick on sis2 inet proto tcp from any to 172.17.17.250 port = https synproxy state (source-track rule, max-src-states 1, max-src-conn-rate 5/1, overload <virusprot> flush global, src.track 1) label "USER_RULE: Firewall Management"
[ Evaluations: 21 Packets: 20 Bytes: 2744 States: 1 ]
@50 pass in log quick on sis2 inet proto tcp from any to 212.25.4.30 port = rsh-spx synproxy state (source-track rule, max-src-states 1, max-src-conn-rate 5/1, overload <virusprot> flush global, src.track 1) label "USER_RULE: Firewall Management"
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
@51 pass in log quick on sis2 proto tcp from any to <ipmi:1> port = https synproxy state (source-track rule, max-src-states 1, max-src-conn-rate 5/1, overload <virusprot> flush global, src.track 1) label "USER_RULE: IPMI Management"
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
@52 pass in log quick on sis2 proto tcp from any to <unity:1> port = ssh synproxy state (source-track rule, max-src-states 1, max-src-conn-rate 5/1, overload <virusprot> flush global, src.track 1) label "USER_RULE: Unity SSH Access"
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
@53 pass in log quick on sis2 proto tcp from any to <sw0:1> port = http synproxy state (source-track rule, max-src-states 1, max-src-conn-rate 5/1, overload <virusprot> flush global, src.track 1) label "USER_RULE: Switch Management"
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
@54 pass in log quick on sis2 proto tcp from any to <arc1231ml:1> port = https synproxy state (source-track rule, max-src-states 1, max-src-conn-rate 5/1, overload <virusprot> flush global, src.track 1) label "USER_RULE: RAID Management"
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
@55 pass in quick on sis0 inet from 172.17.17.0/24 to any keep state label "USER_RULE: Default LAN -> any"
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
@56 pass in quick on sis0 inet proto tcp from any to 127.0.0.1 port = ftp-proxy keep state label "FTP PROXY: Allow traffic to localhost"
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
@57 pass in quick on sis0 inet proto tcp from any to 127.0.0.1 port = ftp keep state label "FTP PROXY: Allow traffic to localhost"
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
@58 pass in quick on sis2 inet proto tcp from any port = ftp-data to (sis2:1) port > 49000 flags S/SA keep state label "FTP PROXY: PASV mode data connection"
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
@59 pass in quick on sis1 inet proto tcp from any to 127.0.0.1 port = 8022 keep state label "FTP PROXY: Allow traffic to localhost"
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
@60 pass in quick on sis1 inet proto tcp from any to 127.0.0.1 port = ftp keep state label "FTP PROXY: Allow traffic to localhost"
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
@61 anchor "imspector" all
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
@62 anchor "miniupnpd" all
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
@63 block drop in log quick all label "Default block all just to be sure."
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
@64 block drop out log quick all label "Default block all just to be sure."
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
No queue in use
STATES:
self tcp 172.17.17.250:222 <- 172.17.17.17:56069 ESTABLISHED:ESTABLISHED
[232999338 + 64128] wscale 8 [4130094954 + 66560] wscale 7
age 00:05:35, expires in 04:59:59, 908:956 pkts, 58144:185427 bytes
id: 48f9941400148c1e creatorid: 03ccbaa0
self tcp 172.17.17.250:30970 -> 172.17.17.250:61329 -> 172.17.17.17:22 TIME_WAIT:TIME_WAIT
[1448249574 + 5888] wscale 8 [710236459 + 66519] wscale 7
age 00:00:05, expires in 00:00:25, 4:4 pkts, 208:256 bytes, rule 34
id: 48f9941400148d27 creatorid: 43281e2d
self tcp 172.17.17.250:57557 -> 172.17.17.250:63123 -> 172.17.17.17:22 TIME_WAIT:TIME_WAIT
[3437643998 + 5888] wscale 8 [468405940 + 66519] wscale 7
age 00:00:20, expires in 00:00:10, 4:3 pkts, 208:204 bytes, rule 34
id: 48f9941400148d1d creatorid: 43281e2d
self tcp 77.56.108.199:53308 -> 172.17.17.250:63638 -> 172.17.17.17:22 ESTABLISHED:ESTABLISHED
[2465360198 + 16320] [377591790 + 65535]
age 00:14:08, expires in 04:59:59, 963:860 pkts, 57155:184100 bytes
id: 48f9941400148a7a creatorid: 03ccbaa0
self tcp 172.17.17.250:22668 -> 172.17.17.250:50902 -> 172.17.17.17:22 TIME_WAIT:TIME_WAIT
[270953047 + 5888] wscale 8 [392879556 + 66519] wscale 7
age 00:00:26, expires in 00:00:04, 4:3 pkts, 208:204 bytes, rule 34
id: 48f9941400148d19 creatorid: 43281e2d
self tcp 172.17.17.250:4839 -> 172.17.17.250:63200 -> 172.17.17.17:22 TIME_WAIT:TIME_WAIT
[2910484932 + 5888] wscale 8 [552531330 + 66519] wscale 7
age 00:00:15, expires in 00:00:15, 4:4 pkts, 208:256 bytes, rule 34
id: 48f9941400148d1f creatorid: 43281e2d
self tcp 172.17.17.250:45188 -> 172.17.17.250:53222 -> 172.17.17.17:22 TIME_WAIT:TIME_WAIT
[1298794834 + 5888] wscale 8 [233650270 + 66519] wscale 7
age 00:00:36, expires in 00:00:00, 4:4 pkts, 208:256 bytes, rule 34
id: 48f9941400148d11 creatorid: 43281e2d
self tcp 172.17.17.250:6502 -> 172.17.17.250:57072 -> 172.17.17.17:22 TIME_WAIT:TIME_WAIT
[2490816275 + 5888] wscale 8 [624944666 + 66519] wscale 7
age 00:00:10, expires in 00:00:20, 4:4 pkts, 208:256 bytes, rule 34
id: 48f9941400148d25 creatorid: 43281e2d
self tcp 172.17.17.250:10893 -> 172.17.17.250:53237 -> 172.17.17.17:22 TIME_WAIT:TIME_WAIT
[3873454032 + 5888] wscale 8 [317090911 + 66519] wscale 7
age 00:00:31, expires in 00:00:00, 4:4 pkts, 208:256 bytes, rule 34
id: 48f9941400148d15 creatorid: 43281e2d
self tcp 172.17.17.17:22 <- 212.25.4.28:22 <- 77.56.108.199:53308 ESTABLISHED:ESTABLISHED
377591790 + 65535 573942700 + 16320
age 00:14:08, expires in 04:59:59, 961:859 pkts, 57071:184056 bytes, source-track, sticky-address
id: 48f9941400148a79 creatorid: 03ccbaa0
self tcp 172.17.17.250:443 <- 212.25.4.30:443 <- 77.56.108.199:60146 FIN_WAIT_2:FIN_WAIT_2
3891263548 + 9648 3154738227 + 65534
age 00:00:43, expires in 00:00:00, 10:10 pkts, 1385:1359 bytes, rule 49, source-track
id: 48f9941400148d09 creatorid: 43281e2d
self tcp 172.17.17.250:50347 -> 172.17.17.250:56610 -> 172.17.17.252:80 FIN_WAIT_2:FIN_WAIT_2
[4259170932 + 1446] [1541000899 + 65534]
age 00:00:10, expires in 00:00:20, 4:3 pkts, 184:124 bytes, rule 34
id: 48f9941400148d22 creatorid: 43281e2d
self tcp 172.17.17.250:42814 -> 172.17.17.250:59246 -> 172.17.17.252:80 FIN_WAIT_2:FIN_WAIT_2
[4256733390 + 1446] [3550747993 + 65534]
age 00:00:15, expires in 00:00:15, 4:3 pkts, 184:124 bytes, rule 34
id: 48f9941400148d20 creatorid: 43281e2d
self tcp 172.17.17.250:7661 -> 172.17.17.250:57969 -> 172.17.17.252:80 FIN_WAIT_2:FIN_WAIT_2
[2509796519 + 1446] [3125640129 + 65534]
age 00:00:36, expires in 00:00:00, 4:3 pkts, 184:124 bytes, rule 34
id: 48f9941400148d10 creatorid: 43281e2d
self tcp 172.17.17.250:20263 -> 172.17.17.250:52392 -> 172.17.17.252:80 FIN_WAIT_2:FIN_WAIT_2
[1042620772 + 1446] [1113950290 + 65534]
age 00:00:31, expires in 00:00:00, 4:3 pkts, 184:124 bytes, rule 34
id: 48f9941400148d14 creatorid: 43281e2d
self tcp 172.17.17.250:37362 -> 172.17.17.250:58852 -> 172.17.17.252:80 FIN_WAIT_2:FIN_WAIT_2
[3848165941 + 1446] [3828389538 + 65534]
age 00:00:05, expires in 00:00:25, 4:3 pkts, 184:124 bytes, rule 34
id: 48f9941400148d26 creatorid: 43281e2d
self tcp 172.17.17.250:5314 -> 172.17.17.250:57061 -> 172.17.17.252:80 FIN_WAIT_2:FIN_WAIT_2
[3567756948 + 1446] [3396913258 + 65534]
age 00:00:26, expires in 00:00:04, 4:3 pkts, 184:124 bytes, rule 34
id: 48f9941400148d18 creatorid: 43281e2d
self tcp 172.17.17.250:40000 -> 172.17.17.250:63991 -> 172.17.17.252:80 FIN_WAIT_2:FIN_WAIT_2
[4101677653 + 1446] [1268744228 + 65534]
age 00:00:20, expires in 00:00:10, 4:3 pkts, 184:124 bytes, rule 34
id: 48f9941400148d1c creatorid: 43281e2d
self tcp 172.17.17.250:65073 -> 172.17.17.250:65034 -> 172.17.17.253:443 FIN_WAIT_2:FIN_WAIT_2
[4145778725 + 5792] wscale 8 [2341533048 + 66560] wscale 1
age 00:00:10, expires in 00:00:20, 4:2 pkts, 220:112 bytes, rule 34
id: 48f9941400148d24 creatorid: 43281e2d
self tcp 172.17.17.250:24052 -> 172.17.17.250:62307 -> 172.17.17.253:443 FIN_WAIT_2:FIN_WAIT_2
[2161382861 + 5792] wscale 8 [2329489218 + 66560] wscale 1
age 00:00:31, expires in 00:00:00, 4:2 pkts, 220:112 bytes, rule 34
id: 48f9941400148d12 creatorid: 43281e2d
self tcp 172.17.17.250:37139 -> 172.17.17.250:57984 -> 172.17.17.253:443 FIN_WAIT_2:FIN_WAIT_2
[4165103318 + 5792] wscale 8 [2312543900 + 66560] wscale 1
age 00:00:36, expires in 00:00:00, 4:2 pkts, 220:112 bytes, rule 34
id: 48f9941400148d0e creatorid: 43281e2d
self tcp 172.17.17.250:23815 -> 172.17.17.250:54433 -> 172.17.17.253:443 FIN_WAIT_2:FIN_WAIT_2
[2886265462 + 5792] wscale 8 [2329896515 + 66560] wscale 1
age 00:00:26, expires in 00:00:04, 4:2 pkts, 220:112 bytes, rule 34
id: 48f9941400148d16 creatorid: 43281e2d
self tcp 172.17.17.250:22055 -> 172.17.17.250:58573 -> 172.17.17.253:443 FIN_WAIT_2:FIN_WAIT_2
[2281684271 + 5792] wscale 8 [2332448097 + 66560] wscale 1
age 00:00:15, expires in 00:00:15, 4:2 pkts, 220:112 bytes, rule 34
id: 48f9941400148d1e creatorid: 43281e2d
self tcp 172.17.17.250:34124 -> 172.17.17.250:61171 -> 172.17.17.253:443 FIN_WAIT_2:FIN_WAIT_2
[4158672752 + 5792] wscale 8 [2336746588 + 66560] wscale 1
age 00:00:20, expires in 00:00:10, 4:2 pkts, 220:112 bytes, rule 34
id: 48f9941400148d1a creatorid: 43281e2d
self tcp 172.17.17.250:22299 -> 172.17.17.250:64503 -> 172.17.17.253:443 FIN_WAIT_2:FIN_WAIT_2
[1620644857 + 5792] wscale 8 [2340283693 + 66560] wscale 1
age 00:00:05, expires in 00:00:25, 4:2 pkts, 220:112 bytes, rule 34
id: 48f9941400148d28 creatorid: 43281e2d
self tcp 172.17.17.250:48854 -> 172.17.17.250:57606 -> 172.17.17.254:80 FIN_WAIT_2:FIN_WAIT_2
[1859060403 + 4096] [1974833318 + 65279]
age 00:00:10, expires in 00:00:20, 4:3 pkts, 184:120 bytes, rule 34
id: 48f9941400148d23 creatorid: 43281e2d
self tcp 172.17.17.250:51858 -> 172.17.17.250:54078 -> 172.17.17.254:80 FIN_WAIT_2:FIN_WAIT_2
[2465975669 + 4096] [2587129204 + 65279]
age 00:00:31, expires in 00:00:00, 4:3 pkts, 184:120 bytes, rule 34
id: 48f9941400148d13 creatorid: 43281e2d
self tcp 172.17.17.250:28264 -> 172.17.17.250:52554 -> 172.17.17.254:80 FIN_WAIT_2:FIN_WAIT_2
[2025935362 + 4096] [3251555864 + 65279]
age 00:00:20, expires in 00:00:10, 4:3 pkts, 184:120 bytes, rule 34
id: 48f9941400148d1b creatorid: 43281e2d
self tcp 172.17.17.250:63337 -> 172.17.17.250:56520 -> 172.17.17.254:80 FIN_WAIT_2:FIN_WAIT_2
[1318609598 + 4096] [3442098642 + 65279]
age 00:00:15, expires in 00:00:15, 4:3 pkts, 184:120 bytes, rule 34
id: 48f9941400148d21 creatorid: 43281e2d
self tcp 172.17.17.250:35193 -> 172.17.17.250:50921 -> 172.17.17.254:80 FIN_WAIT_2:FIN_WAIT_2
[1740830445 + 4096] [3797352221 + 65279]
age 00:00:26, expires in 00:00:04, 4:3 pkts, 184:120 bytes, rule 34
id: 48f9941400148d17 creatorid: 43281e2d
self tcp 172.17.17.250:39491 -> 172.17.17.250:57330 -> 172.17.17.254:80 FIN_WAIT_2:FIN_WAIT_2
[253618915 + 4096] [3340088615 + 65279]
age 00:00:36, expires in 00:00:00, 4:3 pkts, 184:120 bytes, rule 34
id: 48f9941400148d0f creatorid: 43281e2d
self tcp 172.17.17.250:50610 -> 172.17.17.250:59893 -> 172.17.17.254:80 FIN_WAIT_2:FIN_WAIT_2
[2972699482 + 4096] [3261166035 + 65279]
age 00:00:05, expires in 00:00:25, 4:3 pkts, 184:120 bytes, rule 34
id: 48f9941400148d29 creatorid: 43281e2d
self udp 172.17.17.250:53436 -> 172.17.17.250:53085 -> 172.17.17.5:53 SINGLE:NO_TRAFFIC
age 00:00:04, expires in 00:00:56, 1:0 pkts, 61:0 bytes, rule 34
id: 48f9941400148d2a creatorid: 43281e2d
self udp 172.17.17.250:514 -> 172.17.17.250:60792 -> 172.17.17.6:514 SINGLE:NO_TRAFFIC
age 00:02:38, expires in 00:00:28, 67:0 pkts, 18961:0 bytes
id: 48f9941400148cad creatorid: 03ccbaa0
SOURCE TRACKING NODES:
77.56.108.199 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/1s )
age 00:00:59, expires in 00:00:00, 22 pkts, 2824 bytes
77.56.108.199 -> 172.17.17.17 ( states 1, connections 0, rate 0.0/0s )
age 00:14:08, 1820 pkts, 241127 bytes
77.56.108.199 -> 0.0.0.0 ( states 1, connections 1, rate 0.0/1s )
age 00:14:08, 1820 pkts, 241127 bytes
77.56.108.199 -> 0.0.0.0 ( states 1, connections 1, rate 0.0/1s )
age 00:00:43, 20 pkts, 2744 bytes, filter rule 49
INFO:
Status: Enabled for 19 days 10:17:41 Debug: Urgent
Hostid: 0x43281e2d
Interface Stats for sis1 IPv4 IPv6
Bytes In 0 0
Bytes Out 0 0
Packets In
Passed 0 0
Blocked 0 0
Packets Out
Passed 0 0
Blocked 0 0
State Table Total Rate
current entries 34
searches 11139878 6.6/s
inserts 1346859 0.8/s
removals 1346825 0.8/s
Source Tracking Table
current entries 4
searches 1491 0.0/s
inserts 452 0.0/s
removals 448 0.0/s
Counters
match 1365100 0.8/s
bad-offset 0 0.0/s
fragment 0 0.0/s
short 0 0.0/s
normalize 0 0.0/s
memory 0 0.0/s
bad-timestamp 0 0.0/s
congestion 0 0.0/s
ip-option 0 0.0/s
proto-cksum 0 0.0/s
state-mismatch 19 0.0/s
state-insert 0 0.0/s
state-limit 0 0.0/s
src-limit 470 0.0/s
synproxy 695 0.0/s
Limit Counters
max states per rule 0 0.0/s
max-src-states 470 0.0/s
max-src-nodes 0 0.0/s
max-src-conn 0 0.0/s
max-src-conn-rate 0 0.0/s
overload table insertion 0 0.0/s
overload flush states 0 0.0/s
LABEL COUNTERS:
Block snort2c hosts 39 0 0
Block snort2c hosts 39 0 0
pass loopback 39 0 0
pass loopback 0 0 0
allow access to DHCP server on LAN 39 0 0
allow access to DHCP server on LAN 0 0 0
allow access to DHCP server on LAN 18 0 0
block dhcp client out wan 21 0 0
allow dhcp client out wan 0 0 0
virusprot overload table 39 0 0
let out anything from firewall host itself 39 0 0
let out anything from firewall host itself 21 0 0
let out anything from firewall host itself 18 0 0
let out anything from firewall host itself 39 0 0
let out anything from firewall host itself 18 119 5949
let out anything from firewall host itself 0 0 0
IPSEC internal host to host 0 0 0
let out anything from firewall host itself 0 0 0
let out anything from firewall host itself 0 0 0
anti-lockout web rule 21 0 0
sshlockout 21 0 0
USER_RULE 21 0 0
USER_RULE: ICMP IPv4 21 0 0
USER_RULE: IPv6 ICMP Router ADV 0 0 0
USER_RULE: Firewall Management 21 0 0
USER_RULE: Firewall Management 0 0 0
USER_RULE: IPMI Management 0 0 0
USER_RULE: Unity SSH Access 0 0 0
USER_RULE: Switch Management 0 0 0
USER_RULE: RAID Management 0 0 0
USER_RULE: Default LAN -> any 0 0 0
FTP PROXY: Allow traffic to localhost 0 0 0
FTP PROXY: Allow traffic to localhost 0 0 0
FTP PROXY: PASV mode data connection 0 0 0
FTP PROXY: Allow traffic to localhost 0 0 0
FTP PROXY: Allow traffic to localhost 0 0 0
Default block all just to be sure. 0 0 0
Default block all just to be sure. 0 0 0
TIMEOUTS:
tcp.first 30s
tcp.opening 5s
tcp.established 18000s
tcp.closing 60s
tcp.finwait 30s
tcp.closed 30s
tcp.tsdiff 10s
udp.first 60s
udp.single 30s
udp.multiple 60s
icmp.first 20s
icmp.error 10s
other.first 60s
other.single 30s
other.multiple 60s
frag 30s
interval 10s
adaptive.start 0 states
adaptive.end 0 states
src.track 0s
LIMITS:
states hard limit 10000
src-nodes hard limit 10000
frags hard limit 5000
TABLES:
--a-r- arc1231ml
Addresses: 1
Cleared: Sat Oct 18 07:45:24 2008
References: [ Anchors: 0 Rules: 1 ]
Evaluations: [ NoMatch: 8464 Match: 63 ]
In/Block: [ Packets: 0 Bytes: 0 ]
In/Pass: [ Packets: 0 Bytes: 0 ]
In/XPass: [ Packets: 0 Bytes: 0 ]
Out/Block: [ Packets: 0 Bytes: 0 ]
Out/Pass: [ Packets: 0 Bytes: 0 ]
Out/XPass: [ Packets: 0 Bytes: 0 ]
--a-r- immunity
Addresses: 1
Cleared: Sat Oct 18 07:45:24 2008
References: [ Anchors: 0 Rules: 1 ]
Evaluations: [ NoMatch: 19456 Match: 0 ]
In/Block: [ Packets: 0 Bytes: 0 ]
In/Pass: [ Packets: 0 Bytes: 0 ]
In/XPass: [ Packets: 0 Bytes: 0 ]
Out/Block: [ Packets: 0 Bytes: 0 ]
Out/Pass: [ Packets: 0 Bytes: 0 ]
Out/XPass: [ Packets: 0 Bytes: 0 ]
--a-r- ipmi
Addresses: 1
Cleared: Sat Oct 18 07:45:24 2008
References: [ Anchors: 0 Rules: 1 ]
Evaluations: [ NoMatch: 9007 Match: 14 ]
In/Block: [ Packets: 0 Bytes: 0 ]
In/Pass: [ Packets: 22 Bytes: 972 ]
In/XPass: [ Packets: 0 Bytes: 0 ]
Out/Block: [ Packets: 0 Bytes: 0 ]
Out/Pass: [ Packets: 14 Bytes: 560 ]
Out/XPass: [ Packets: 0 Bytes: 0 ]
-pa-r- snort2c
Addresses: 0
Cleared: Sat Oct 18 07:45:24 2008
References: [ Anchors: 0 Rules: 2 ]
Evaluations: [ NoMatch: 2730188 Match: 0 ]
In/Block: [ Packets: 0 Bytes: 0 ]
In/Pass: [ Packets: 0 Bytes: 0 ]
In/XPass: [ Packets: 0 Bytes: 0 ]
Out/Block: [ Packets: 0 Bytes: 0 ]
Out/Pass: [ Packets: 0 Bytes: 0 ]
Out/XPass: [ Packets: 0 Bytes: 0 ]
-pa-r- sshlockout
Addresses: 0
Cleared: Sat Oct 18 07:45:24 2008
References: [ Anchors: 0 Rules: 1 ]
Evaluations: [ NoMatch: 9241 Match: 0 ]
In/Block: [ Packets: 0 Bytes: 0 ]
In/Pass: [ Packets: 0 Bytes: 0 ]
In/XPass: [ Packets: 0 Bytes: 0 ]
Out/Block: [ Packets: 0 Bytes: 0 ]
Out/Pass: [ Packets: 0 Bytes: 0 ]
Out/XPass: [ Packets: 0 Bytes: 0 ]
--a-r- sw0
Addresses: 1
Cleared: Sat Oct 18 07:45:24 2008
References: [ Anchors: 0 Rules: 1 ]
Evaluations: [ NoMatch: 8527 Match: 0 ]
In/Block: [ Packets: 0 Bytes: 0 ]
In/Pass: [ Packets: 0 Bytes: 0 ]
In/XPass: [ Packets: 0 Bytes: 0 ]
Out/Block: [ Packets: 0 Bytes: 0 ]
Out/Pass: [ Packets: 0 Bytes: 0 ]
Out/XPass: [ Packets: 0 Bytes: 0 ]
--a-r- unity
Addresses: 1
Cleared: Sat Oct 18 07:45:24 2008
References: [ Anchors: 0 Rules: 2 ]
Evaluations: [ NoMatch: 8527 Match: 480 ]
In/Block: [ Packets: 0 Bytes: 0 ]
In/Pass: [ Packets: 126122 Bytes: 8834575 ]
In/XPass: [ Packets: 0 Bytes: 0 ]
Out/Block: [ Packets: 0 Bytes: 0 ]
Out/Pass: [ Packets: 93742 Bytes: 27705305 ]
Out/XPass: [ Packets: 0 Bytes: 0 ]
--a-r- virusprot
Addresses: 0
Cleared: Thu Jan 1 00:00:00 1970
References: [ Anchors: 0 Rules: 5 ]
Evaluations: [ NoMatch: 19468 Match: 0 ]
In/Block: [ Packets: 0 Bytes: 0 ]
In/Pass: [ Packets: 0 Bytes: 0 ]
In/XPass: [ Packets: 0 Bytes: 0 ]
Out/Block: [ Packets: 0 Bytes: 0 ]
Out/Pass: [ Packets: 0 Bytes: 0 ]
Out/XPass: [ Packets: 0 Bytes: 0 ]
--a-r- vpns
Addresses: 0
Cleared: Sat Oct 18 07:45:24 2008
References: [ Anchors: 0 Rules: 1 ]
Evaluations: [ NoMatch: 12 Match: 0 ]
In/Block: [ Packets: 0 Bytes: 0 ]
In/Pass: [ Packets: 0 Bytes: 0 ]
In/XPass: [ Packets: 0 Bytes: 0 ]
Out/Block: [ Packets: 0 Bytes: 0 ]
Out/Pass: [ Packets: 0 Bytes: 0 ]
Out/XPass: [ Packets: 0 Bytes: 0 ]
OS FINGERPRINTS:
348 fingerprints loaded -
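An added example, not from this thread or from pfSense, that does the counter reading the replies ask for mechanically: it pairs each `@N` rule line from `pfctl -vv -s rules` with the `[ Evaluations: ... ]` line that follows it, reads the Counters / Limit Counters table from `pfctl -s info`, and then lists which rules actually carried packets or hold states, which rules impose per-source limits (`max-src-states`, `max-src-conn-rate`, ...), and every counter other than `match` that is non-zero. The embedded sample is a constructed excerpt of the output pasted above (rules @33, @34, @49, @63 and the counter table); the regexes assume the pf 4.x output format shown in this thread, and on a live box you would feed the real command output to `report()` instead of the sample strings.

```python
"""Summarise pf rule counters and state counters from pfctl output.

Input: the text of `pfctl -vv -s rules` (rule line + counter line pairs)
and of `pfctl -s info` (the Counters / Limit Counters table).
"""
import re
from typing import Dict, List

# Constructed sample: an excerpt of the pfctl output pasted in this thread
# (rules @33, @34, @49, @63 and the counter table), in pf 4.x format.
SAMPLE_RULES = """\
@33 pass out quick on sis2 all keep state label "let out anything from firewall host itself"
[ Evaluations: 38 Packets: 0 Bytes: 0 States: 0 ]
@34 pass out quick on sis0 all keep state label "let out anything from firewall host itself"
[ Evaluations: 17 Packets: 112 Bytes: 5641 States: 29 ]
@49 pass in log quick on sis2 inet proto tcp from any to 172.17.17.250 port = https synproxy state (source-track rule, max-src-states 1, max-src-conn-rate 5/1, overload <virusprot> flush global, src.track 1) label "USER_RULE: Firewall Management"
[ Evaluations: 21 Packets: 20 Bytes: 2744 States: 1 ]
@63 block drop in log quick all label "Default block all just to be sure."
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
"""

SAMPLE_INFO = """\
Counters
  match                          1365100            0.8/s
  state-mismatch                      19            0.0/s
  src-limit                          470            0.0/s
  synproxy                           695            0.0/s
Limit Counters
  max states per rule                  0            0.0/s
  max-src-states                     470            0.0/s
  max-src-conn-rate                    0            0.0/s
  overload table insertion             0            0.0/s
"""

RULE_RE = re.compile(r"^@(\d+)\s+(.*)$")
STATS_RE = re.compile(
    r"\[\s*Evaluations:\s*(\d+)\s+Packets:\s*(\d+)\s+Bytes:\s*(\d+)\s+States:\s*(\d+)\s*\]"
)
# Per-source limit options pf prints inside the "( ... )" state options.
LIMIT_OPT_RE = re.compile(r"(max-src-(?:states|nodes|conn-rate|conn))\s+([^\s,)]+)")
# "<name>  <total>  <rate>/s"; the name may contain spaces ("max states per rule").
COUNTER_RE = re.compile(r"^\s*(.+?)\s+(\d+)\s+[\d.]+/s\s*$")


def parse_rules(text: str) -> List[Dict]:
    """Pair each @N rule line with the counter line that follows it."""
    rules: List[Dict] = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            body = m.group(2)
            rules.append({"num": int(m.group(1)), "text": body,
                          "evaluations": 0, "packets": 0, "bytes": 0, "states": 0,
                          "limits": dict(LIMIT_OPT_RE.findall(body))})
            continue
        s = STATS_RE.search(line)
        if s and rules:
            rules[-1].update(evaluations=int(s.group(1)), packets=int(s.group(2)),
                             bytes=int(s.group(3)), states=int(s.group(4)))
    return rules


def parse_counters(text: str) -> Dict[str, int]:
    """Read the Counters / Limit Counters table into {name: total}."""
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            counters[m.group(1)] = int(m.group(2))
    return counters


def rules_with_traffic(rules: List[Dict]) -> List[int]:
    """Rule numbers that matched at least one packet or currently hold a state."""
    return [r["num"] for r in rules if r["packets"] or r["states"]]


def rules_with_source_limits(rules: List[Dict]) -> Dict[int, Dict[str, str]]:
    """Rules that throttle per source address. Connections from one address
    beyond max-src-states get no state entry, so a client that opens several
    parallel connections to such a rule has all but the first ones stall."""
    return {r["num"]: r["limits"] for r in rules if r["limits"]}


def nonzero_counters(counters: Dict[str, int]) -> Dict[str, int]:
    """Every error/limit counter that has fired; 'match' is only the hit count."""
    return {k: v for k, v in counters.items() if v and k != "match"}


def report(rules_text: str, info_text: str) -> str:
    rules = parse_rules(rules_text)
    lines = [f"{len(rules)} rules parsed, with traffic: {rules_with_traffic(rules)}"]
    for num, limits in rules_with_source_limits(rules).items():
        lines.append(f"@{num} limits per source: {limits}")
    for name, total in nonzero_counters(parse_counters(info_text)).items():
        lines.append(f"counter {name} = {total}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_RULES, SAMPLE_INFO))
```

On the sample this reports @34 and @49 as the only rules with traffic, @49 as the one rule with per-source limits, and state-mismatch, src-limit, synproxy and max-src-states as the counters that have fired, which is the same picture a reader gets from scanning the dump above by hand, only without missing a line among sixty rules.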
Are you even passing traffic on this thing? Most of your rule counters are 0!
Are you doing asymmetric routing somehow?
Do you by any chance have any proxy ARP on the sis1 (WAN?) interface? -
The box is merely guarding some admin ports, so it is very lightly loaded; besides, I tried to reset the counters to get rid of any error counters that happened in the past.
In the intended setup it does Proxy ARP for some IPs; it does even "load balance", but merely to proxy the request. But I also removed the whole Proxy ARP and LB stuff and it still happened....
These are the counters after zeroing them, connecting, and waiting in vain for some web content to show up, in the hope that something would show up in the output.