1.2-RELEASE too SLOW to use…. I have a clue....



  • Hi folks

    I do have a 1.2-RELEASE on a Soekris NET-4801, which was working fine while using over LAN, but now I'm using it over WAN and it is too slow to use, it takes ages to load pages.

    If needed, I can submit an obfuscated config file…

    Getting slowly insane, I issued a "pfctl -F rules", which essentially clears all firewall rules but keeps the NAT, so I can access the box from remote, and suddenly pfSense gets responsive! I can now even SSH from remote to my pfSense box.

    I haven't enabled Traffic Shaper, I marked that Checksum Offloading is disabled, even though it seemed to work fine.... Meanwhile the box is so much reduced in terms of configuration, to find the bug, that I can say that the only special things are that it is managed over SSL and has a NAT rule from external to the internal port 443 (for management) and some more legacy rules. As a side note, it does have a Hifn 7955 encryption module.

    I have to dig deeper into it, to see which rules, or if any rule at all, cause the trouble, but as always - so little time. In case someone also has the trouble, and I saw numerous posts about it, I leave this as a hint.... and will complete it once I have figured it out, or hope for someone to figure it out first.

    regards
    Philipp



  • Is this what you are seeing?

    SEARCH: WAN interface slow

    http://forum.pfsense.org/index.php/topic,10436.0.html



  • I saw this entry… but it's a mess....

    I don't use any beta software or pre-release, it's the RELEASE version I use.
    I don't run any PPPoE or stuff that can cause MSS issues.
    My problem goes away when I flush the rules, so Checksum offloading can't be the cause, even though I disabled it for testing.
    Not only is web access for the GUI slow, ANY traffic going through the box is dead SLOW, be it a webserver behind it, or SSH access to the pfSense box.

    So we are talking here about a Soekris NET4801, without any fancy Intel NICs, plain simple Ethernet wiring and a RELEASE version...

    regards
    Philipp



  • Things to check:

    Status -> System
    Check the CPU and RAM load.
    What is the 'State table size'?

    Status -> Interfaces
    Are there any In/out errors?

    System -> Advanced
    'Enable Secure Shell' make sure the box is checked.
    Then SSH into the pfSense firewall, I typically use putty for this. Press 8 and then run the following command: top
    Report back the top processes.



  • CPU Load: 5-6%
    RAM Load: 40%
    State Table: 32/10000
    No Interface Errors

    last pid: 98670;  load averages:  0.09,  0.10,  0.09                                                                                          up 19+10:15:26  17:58:30
    39 processes:  1 running, 35 sleeping, 3 zombie
    CPU states:  0.4% user,  0.0% nice,  2.3% system,  1.2% interrupt, 96.1% idle
    Mem: 30M Active, 9192K Inact, 19M Wired, 12K Cache, 13M Buf, 59M Free
    Swap: 1024M Total, 1024M Free

    PID USERNAME  THR PRI NICE  SIZE    RES STATE    TIME  WCPU COMMAND
      461 root        1  4    0 23172K 20232K accept  0:07  0.24% php
      305 root        7  20    0  2196K  1160K kserel 102:37  0.00% slbd
      670 root        1  -8  20  2328K  1688K piperd  58:00  0.00% sh
      715 root        1  8  -88  1408K  836K nanslp  6:38  0.00% watchdogd
      453 root        1  4    0  3444K  2880K kqread  3:41  0.00% lighttpd
      293 root        1 -58    0  3916K  2248K bpf      2:26  0.00% tcpdump
      613 root        1  96    0  5848K  5504K select  1:16  0.00% bsnmpd
      187 root        1  96    0  1388K  1012K select  0:41  0.00% syslogd
      798 root        1  8    0  1384K  992K nanslp  0:39  0.00% cron
      403 proxy      1  4    0  704K  452K kqread  0:36  0.00% pftpx
      792 root        1  96    0  1372K  1004K select  0:20  0.00% ntpd
      809 root        1  8    0  1268K  708K nanslp  0:10  0.00% minicron
      294 root        1  -8    0  1276K  704K piperd  0:07  0.00% logger
      509 root        1  96    0  1280K  692K select  0:06  0.00% choparp
    91457 root        1  8  20  1272K  716K nanslp  0:04  0.00% check_reload_status
      740 _ntp        1  96    0  1340K  1012K select  0:01  0.00% ntpd
    98622 root        1  96    0  5756K  2808K select  0:01  0.00% sshd
    98645 root        1  96    0  2356K  1516K RUN      0:00  0.00% top
    98640 root        1  20    0  3908K  2600K pause    0:00  0.00% tcsh
      454 root        1  8    0 14924K  5016K wait    0:00  0.00% php
      458 root        1  8    0 14924K  5016K wait    0:00  0.00% php
    98355 proxy      1 -58  20  852K  640K bpf      0:00  0.00% ftpsesame
    98625 root        1  8    0  1728K  1092K wait    0:00  0.00% sh
    42760 root        1  20  20  2260K  1320K pause    0:00  0.00% top
    42759 root        1  8  20  2328K  1688K wait    0:00  0.00% sh
      261 root        1  96    0  3064K  2380K select  0:00  0.00% sshd
    42761 root        1  -8  20  1564K  1028K piperd  0:00  0.00% awk
    91445 root        1  -8    0  1392K  1056K piperd  0:00  0.00% cron
      104 root        1  96    0  504K  360K select  0:00  0.00% devd
      460 root        1  4    0 14924K  5088K accept  0:00  0.00% php
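
Added example (not part of any post in this thread): the state table size reported above is one figure, and `pfctl -vv -s all` additionally prints per-rule statistics and limit counters. The Python below parses that layout and lists the rules that configure any source-tracking limit whose counter is nonzero; the sample input, addresses, interface names and counter values are constructed.

```python
import re

# Constructed, abridged sample in the layout of `pfctl -vv -s all`
# (private addresses, made-up counters; not a capture from this thread).
SAMPLE = """\
FILTER RULES:
@0 pass in quick on em0 inet from 10.0.0.0/24 to any keep state label "LAN"
  [ Evaluations: 120       Packets: 900       Bytes: 81000       States: 12    ]
@1 pass in log quick on em1 inet proto tcp from any to 10.0.0.1 port = https synproxy state (source-track rule, max-src-states 1, max-src-conn-rate 5/1, overload <virusprot> flush global, src.track 1) label "MGMT"
  [ Evaluations: 21        Packets: 0         Bytes: 0           States: 1     ]
@2 block drop in log quick all label "Default block"
  [ Evaluations: 3         Packets: 3         Bytes: 180         States: 0     ]

INFO:
State Table                          Total             Rate
  current entries                       34
  searches                           918273            6.6/s
Counters
  match                              104000            0.8/s
  state-mismatch                          7            0.0/s
  src-limit                             212            0.0/s
  synproxy                              305            0.0/s
Limit Counters
  max states per rule                     0            0.0/s
  max-src-states                        212            0.0/s
  max-src-conn-rate                       0            0.0/s
"""

SECTION_RE = re.compile(r"[A-Z ]+:")            # e.g. "FILTER RULES:", "INFO:"
RULE_RE = re.compile(r"@(\d+)\s+(.*)")          # "@49 pass in ..."
STATS_RE = re.compile(r"(Evaluations|Packets|Bytes|States):\s*(\d+)")
LIMIT_RE = re.compile(
    r"(max-src-states|max-src-conn-rate|max-src-conn|max-src-nodes)\s+(\S+?)[,)]")
ENTRY_RE = re.compile(r"(\S.*?)\s{2,}(\d+)(?:\s+[\d.]+/s)?")  # name, total, rate
GROUPS = ("State Table", "Source Tracking Table", "Counters", "Limit Counters")


def parse_pfctl(text):
    """Return (rules, counters) from `pfctl -vv -s all` style text.

    rules: dicts with section, num, text, synproxy flag, stats and limits.
    counters: {(group, name): total} for the INFO counter groups.
    """
    rules, counters = [], {}
    section = group = current = None
    for raw in text.splitlines():
        line = raw.strip()          # tolerate uniformly indented pastes
        if not line:
            continue
        if SECTION_RE.fullmatch(line):
            section, group, current = line.rstrip(":"), None, None
        elif section in ("FILTER RULES", "TRANSLATION RULES"):
            m = RULE_RE.fullmatch(line)
            if m:
                current = {
                    "section": section,
                    "num": int(m.group(1)),
                    "text": m.group(2),
                    "synproxy": "synproxy state" in m.group(2),
                    "limits": dict(LIMIT_RE.findall(m.group(2))),
                    "stats": {},
                }
                rules.append(current)
            elif current is not None and line.startswith("["):
                current["stats"] = {k: int(v) for k, v in STATS_RE.findall(line)}
        elif section == "INFO":
            header = next((g for g in GROUPS if line.startswith(g)), None)
            m = ENTRY_RE.fullmatch(line)
            if header:
                group = header
            elif group and m:
                counters[(group, m.group(1))] = int(m.group(2))
    return rules, counters


def triage(text):
    """Return (tripped limit counters, rules that configure one of them)."""
    rules, counters = parse_pfctl(text)
    tripped = {name: total for (grp, name), total in counters.items()
               if grp == "Limit Counters" and total > 0}
    suspects = [r for r in rules if any(k in tripped for k in r["limits"])]
    return tripped, suspects


if __name__ == "__main__":
    tripped, suspects = triage(SAMPLE)
    for name, total in tripped.items():
        print(f"limit counter {name} = {total}")
    for r in suspects:
        print(f"@{r['num']} ({r['section']}) limits={r['limits']} "
              f"synproxy={r['synproxy']} stats={r['stats']}")
```

A nonzero limit counter only says that the limit was reached at some point since pf was enabled; it does not by itself identify the cause of a slowdown.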



  • Output of pfctl -vv -s all:

    TRANSLATION RULES:
    @0 nat-anchor "pftpx/" all
      [ Evaluations: 35        Packets: 0        Bytes: 0          States: 0    ]
    @1 nat-anchor "natearly/" all
      [ Evaluations: 35        Packets: 0        Bytes: 0          States: 0    ]
    @2 nat-anchor "natrules/" all
      [ Evaluations: 35        Packets: 0        Bytes: 0          States: 0    ]
    @3 nat on sis2 inet from 172.17.17.0/24 to any -> (sis2) round-robin
      [ Evaluations: 35        Packets: 0        Bytes: 0          States: 0    ]
    @4 nat on sis0 inet from any to 172.17.17.0/24 -> (sis0) round-robin
      [ Evaluations: 35        Packets: 223      Bytes: 11221      States: 29    ]
    @0 rdr-anchor "pftpx/" all
      [ Evaluations: 32        Packets: 0        Bytes: 0          States: 0    ]
    @1 rdr-anchor "slb" all
      [ Evaluations: 32        Packets: 0        Bytes: 0          States: 0    ]
    @2 no rdr on sis0 proto tcp from any to vpns:0port = ftp
      [ Evaluations: 32        Packets: 0        Bytes: 0          States: 0    ]
    @3 rdr on sis0 inet proto tcp from any to any port = ftp -> 127.0.0.1 port 8021
      [ Evaluations: 0        Packets: 0        Bytes: 0          States: 0    ]
    @4 rdr on sis2 inet proto tcp from any to 212.25.4.30 port = https -> 172.17.17.250
      [ Evaluations: 32        Packets: 20        Bytes: 2744        States: 1    ]
    @5 rdr-anchor "imspector" all
      [ Evaluations: 2        Packets: 0        Bytes: 0          States: 0    ]
    @6 rdr-anchor "miniupnpd" all
      [ Evaluations: 2        Packets: 0        Bytes: 0          States: 0    ]

    FILTER RULES:
    @0 anchor "ftpsesame/" all
      [ Evaluations: 37        Packets: 0        Bytes: 0          States: 0    ]
    @1 anchor "firewallrules" all
      [ Evaluations: 37        Packets: 0        Bytes: 0          States: 0    ]
    @2 block drop quick proto tcp from any port = 0 to any
      [ Evaluations: 37        Packets: 0        Bytes: 0          States: 0    ]
    @3 block drop quick proto tcp from any to any port = 0
      [ Evaluations: 36        Packets: 0        Bytes: 0          States: 0    ]
    @4 block drop quick proto udp from any port = 0 to any
      [ Evaluations: 37        Packets: 0        Bytes: 0          States: 0    ]
    @5 block drop quick proto udp from any to any port = 0
      [ Evaluations: 1        Packets: 0        Bytes: 0          States: 0    ]
    @6 block drop quick from snort2c:0to any label "Block snort2c hosts"
      [ Evaluations: 38        Packets: 0        Bytes: 0          States: 0    ]
    @7 block drop quick from any to snort2c:0label "Block snort2c hosts"
      [ Evaluations: 38        Packets: 0        Bytes: 0          States: 0    ]
    @8 anchor "loopback" all
      [ Evaluations: 38        Packets: 0        Bytes: 0          States: 0    ]
    @9 pass in quick on lo0 all label "pass loopback"
      [ Evaluations: 38        Packets: 0        Bytes: 0          States: 0    ]
    @10 pass out quick on lo0 all label "pass loopback"
      [ Evaluations: 0        Packets: 0        Bytes: 0          States: 0    ]
    @11 anchor "packageearly" all
      [ Evaluations: 38        Packets: 0        Bytes: 0          States: 0    ]
    @12 anchor "carp" all
      [ Evaluations: 38        Packets: 0        Bytes: 0          States: 0    ]
    @13 pass quick inet proto icmp from 212.25.4.30 to any keep state
      [ Evaluations: 38        Packets: 0        Bytes: 0          States: 0    ]
    @14 anchor "dhcpserverlan" all
      [ Evaluations: 38        Packets: 0        Bytes: 0          States: 0    ]
    @15 pass in quick on sis0 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps label "allow access to DHCP server on LAN"
      [ Evaluations: 38        Packets: 0        Bytes: 0          States: 0    ]
    @16 pass in quick on sis0 inet proto udp from any port = bootpc to 172.17.17.250 port = bootps label "allow access to DHCP server on LAN"
      [ Evaluations: 0        Packets: 0        Bytes: 0          States: 0    ]
    @17 pass out quick on sis0 inet proto udp from 172.17.17.250 port = bootps to any port = bootpc label "allow access to DHCP server on LAN"
      [ Evaluations: 17        Packets: 0        Bytes: 0          States: 0    ]
    @18 block drop in log quick on sis2 inet proto udp from any port = bootps to 172.17.17.0/24 port = bootpc label "block dhcp client out wan"
      [ Evaluations: 21        Packets: 0        Bytes: 0          States: 0    ]
    @19 pass in quick on sis2 proto udp from any port = bootps to any port = bootpc label "allow dhcp client out wan"
      [ Evaluations: 0        Packets: 0        Bytes: 0          States: 0    ]
    @20 block drop in on ! sis0 inet from 172.17.17.0/24 to any
      [ Evaluations: 38        Packets: 0        Bytes: 0          States: 0    ]
    @21 block drop in inet from 172.17.17.250 to any
      [ Evaluations: 38        Packets: 0        Bytes: 0          States: 0    ]
    @22 block drop in on ! sis1 inet from 192.168.144.0/24 to any
      [ Evaluations: 21        Packets: 0        Bytes: 0          States: 0    ]
    @23 block drop in inet from 192.168.144.44 to any
      [ Evaluations: 21        Packets: 0        Bytes: 0          States: 0    ]
    @24 block drop in on sis0 inet6 from fe80::200:24ff:fec4:2ba8 to any
      [ Evaluations: 21        Packets: 0        Bytes: 0          States: 0    ]
    @25 block drop in on sis1 inet6 from fe80::200:24ff:fec4:2ba9 to any
      [ Evaluations: 21        Packets: 0        Bytes: 0          States: 0    ]
    @26 anchor "spoofing" all
      [ Evaluations: 38        Packets: 0        Bytes: 0          States: 0    ]
    @27 anchor "limitingesr" all
      [ Evaluations: 38        Packets: 0        Bytes: 0          States: 0    ]
    @28 block drop in quick from virusprot:0to any label "virusprot overload table"
      [ Evaluations: 38        Packets: 0        Bytes: 0          States: 0    ]
    @29 pass out quick on sis0 proto icmp all keep state label "let out anything from firewall host itself"
      [ Evaluations: 38        Packets: 0        Bytes: 0          States: 0    ]
    @30 pass out quick on sis2 proto icmp all keep state label "let out anything from firewall host itself"
      [ Evaluations: 21        Packets: 0        Bytes: 0          States: 0    ]
    @31 pass out quick on sis2 all keep state label "let out anything from firewall host itself"
      [ Evaluations: 17        Packets: 0        Bytes: 0          States: 0    ]
    @32 anchor "firewallout" all
      [ Evaluations: 38        Packets: 0        Bytes: 0          States: 0    ]
    @33 pass out quick on sis2 all keep state label "let out anything from firewall host itself"
      [ Evaluations: 38        Packets: 0        Bytes: 0          States: 0    ]
    @34 pass out quick on sis0 all keep state label "let out anything from firewall host itself"
      [ Evaluations: 17        Packets: 112      Bytes: 5641        States: 29    ]
    @35 pass out quick on sis1 all keep state label "let out anything from firewall host itself"
      [ Evaluations: 0        Packets: 0        Bytes: 0          States: 0    ]
    @36 pass out quick on enc0 all keep state label "IPSEC internal host to host"
      [ Evaluations: 0        Packets: 0        Bytes: 0          States: 0    ]
    @37 pass out quick on sis1 proto icmp all keep state label "let out anything from firewall host itself"
      [ Evaluations: 0        Packets: 0        Bytes: 0          States: 0    ]
    @38 pass out quick on sis1 all keep state label "let out anything from firewall host itself"
      [ Evaluations: 0        Packets: 0        Bytes: 0          States: 0    ]
    @39 anchor "anti-lockout" all
      [ Evaluations: 21        Packets: 0        Bytes: 0          States: 0    ]
    @40 pass in quick on sis0 inet from any to 172.17.17.250 keep state label "anti-lockout web rule"
      [ Evaluations: 21        Packets: 0        Bytes: 0          States: 0    ]
    @41 block drop in log proto tcp from sshlockout:0to any port = ssh label "sshlockout"
      [ Evaluations: 21        Packets: 0        Bytes: 0          States: 0    ]
    @42 anchor "ftpproxy" all
      [ Evaluations: 21        Packets: 0        Bytes: 0          States: 0    ]
    @43 anchor "pftpx/" all
      [ Evaluations: 21        Packets: 0        Bytes: 0          States: 0    ]
    @44 pass quick proto carp all
      [ Evaluations: 21        Packets: 0        Bytes: 0          States: 0    ]
    @45 pass quick proto pfsync all
      [ Evaluations: 21        Packets: 0        Bytes: 0          States: 0    ]
    @46 pass in log quick on sis2 from immunity:1to any keep state label "USER_RULE"
      [ Evaluations: 21        Packets: 0        Bytes: 0          States: 0    ]
    @47 pass in quick on sis2 inet proto icmp from any to 212.25.4.24/29 icmp-type echoreq keep state label "USER_RULE: ICMP IPv4"
      [ Evaluations: 21        Packets: 0        Bytes: 0          States: 0    ]
    @48 pass in quick on sis2 inet proto icmp from any to 212.25.4.30 icmp-type routeradv keep state label "USER_RULE: IPv6 ICMP Router ADV"
      [ Evaluations: 0        Packets: 0        Bytes: 0          States: 0    ]
    @49 pass in log quick on sis2 inet proto tcp from any to 172.17.17.250 port = https synproxy state (source-track rule, max-src-states 1, max-src-conn-rate 5/1, overload <virusprot>flush global, src.track 1) label "USER_RULE: Firewall Management"
      [ Evaluations: 21        Packets: 0        Bytes: 0          States: 1    ]
    @50 pass in log quick on sis2 inet proto tcp from any to 212.25.4.30 port = rsh-spx synproxy state (source-track rule, max-src-states 1, max-src-conn-rate 5/1, overload <virusprot>flush global, src.track 1) label "USER_RULE: Firewall Management"
      [ Evaluations: 0        Packets: 0        Bytes: 0          States: 0    ]
    @51 pass in log quick on sis2 proto tcp from any to ipmi:1port = https synproxy state (source-track rule, max-src-states 1, max-src-conn-rate 5/1, overload <virusprot>flush global, src.track 1) label "USER_RULE: IPMI Management"
      [ Evaluations: 0        Packets: 0        Bytes: 0          States: 0    ]
    @52 pass in log quick on sis2 proto tcp from any to unity:1port = ssh synproxy state (source-track rule, max-src-states 1, max-src-conn-rate 5/1, overload <virusprot>flush global, src.track 1) label "USER_RULE: Unity SSH Access"
      [ Evaluations: 0        Packets: 0        Bytes: 0          States: 0    ]
    @53 pass in log quick on sis2 proto tcp from any to sw0:1port = http synproxy state (source-track rule, max-src-states 1, max-src-conn-rate 5/1, overload <virusprot>flush global, src.track 1) label "USER_RULE: Switch Management"
      [ Evaluations: 0        Packets: 0        Bytes: 0          States: 0    ]
    @54 pass in log quick on sis2 proto tcp from any to arc1231ml:1port = https synproxy state (source-track rule, max-src-states 1, max-src-conn-rate 5/1, overload <virusprot>flush global, src.track 1) label "USER_RULE: RAID Management"
      [ Evaluations: 0        Packets: 0        Bytes: 0          States: 0    ]
    @55 pass in quick on sis0 inet from 172.17.17.0/24 to any keep state label "USER_RULE: Default LAN -> any"
      [ Evaluations: 0        Packets: 0        Bytes: 0          States: 0    ]
    @56 pass in quick on sis0 inet proto tcp from any to 127.0.0.1 port = ftp-proxy keep state label "FTP PROXY: Allow traffic to localhost"
      [ Evaluations: 0        Packets: 0        Bytes: 0          States: 0    ]
    @57 pass in quick on sis0 inet proto tcp from any to 127.0.0.1 port = ftp keep state label "FTP PROXY: Allow traffic to localhost"
      [ Evaluations: 0        Packets: 0        Bytes: 0          States: 0    ]
    @58 pass in quick on sis2 inet proto tcp from any port = ftp-data to (sis2:1) port > 49000 flags S/SA keep state label "FTP PROXY: PASV mode data connection"
      [ Evaluations: 0        Packets: 0        Bytes: 0          States: 0    ]
    @59 pass in quick on sis1 inet proto tcp from any to 127.0.0.1 port = 8022 keep state label "FTP PROXY: Allow traffic to localhost"
      [ Evaluations: 0        Packets: 0        Bytes: 0          States: 0    ]
    @60 pass in quick on sis1 inet proto tcp from any to 127.0.0.1 port = ftp keep state label "FTP PROXY: Allow traffic to localhost"
      [ Evaluations: 0        Packets: 0        Bytes: 0          States: 0    ]
    @61 anchor "imspector" all
      [ Evaluations: 0        Packets: 0        Bytes: 0          States: 0    ]
    @62 anchor "miniupnpd" all
      [ Evaluations: 0        Packets: 0        Bytes: 0          States: 0    ]
    @63 block drop in log quick all label "Default block all just to be sure."
      [ Evaluations: 0        Packets: 0        Bytes: 0          States: 0    ]
    @64 block drop out log quick all label "Default block all just to be sure."
      [ Evaluations: 0        Packets: 0        Bytes: 0          States: 0    ]
    No queue in use

    STATES:
    self tcp 172.17.17.250:222 <- 172.17.17.17:56069      ESTABLISHED:ESTABLISHED
      [232999338 + 64128] wscale 8  [4130094954 + 66560] wscale 7
      age 00:05:35, expires in 04:59:59, 908:956 pkts, 58144:185427 bytes
      id: 48f9941400148c1e creatorid: 03ccbaa0
    self tcp 172.17.17.250:30970 -> 172.17.17.250:61329 -> 172.17.17.17:22      TIME_WAIT:TIME_WAIT
      [1448249574 + 5888] wscale 8  [710236459 + 66519] wscale 7
      age 00:00:05, expires in 00:00:25, 4:4 pkts, 208:256 bytes, rule 34
      id: 48f9941400148d27 creatorid: 43281e2d
    self tcp 172.17.17.250:57557 -> 172.17.17.250:63123 -> 172.17.17.17:22      TIME_WAIT:TIME_WAIT
      [3437643998 + 5888] wscale 8  [468405940 + 66519] wscale 7
      age 00:00:20, expires in 00:00:10, 4:3 pkts, 208:204 bytes, rule 34
      id: 48f9941400148d1d creatorid: 43281e2d
    self tcp 77.56.108.199:53308 -> 172.17.17.250:63638 -> 172.17.17.17:22      ESTABLISHED:ESTABLISHED
      [2465360198 + 16320]  [377591790 + 65535]
      age 00:14:08, expires in 04:59:59, 963:860 pkts, 57155:184100 bytes
      id: 48f9941400148a7a creatorid: 03ccbaa0
    self tcp 172.17.17.250:22668 -> 172.17.17.250:50902 -> 172.17.17.17:22      TIME_WAIT:TIME_WAIT
      [270953047 + 5888] wscale 8  [392879556 + 66519] wscale 7
      age 00:00:26, expires in 00:00:04, 4:3 pkts, 208:204 bytes, rule 34
      id: 48f9941400148d19 creatorid: 43281e2d
    self tcp 172.17.17.250:4839 -> 172.17.17.250:63200 -> 172.17.17.17:22      TIME_WAIT:TIME_WAIT
      [2910484932 + 5888] wscale 8  [552531330 + 66519] wscale 7
      age 00:00:15, expires in 00:00:15, 4:4 pkts, 208:256 bytes, rule 34
      id: 48f9941400148d1f creatorid: 43281e2d
    self tcp 172.17.17.250:45188 -> 172.17.17.250:53222 -> 172.17.17.17:22      TIME_WAIT:TIME_WAIT
      [1298794834 + 5888] wscale 8  [233650270 + 66519] wscale 7
      age 00:00:36, expires in 00:00:00, 4:4 pkts, 208:256 bytes, rule 34
      id: 48f9941400148d11 creatorid: 43281e2d
    self tcp 172.17.17.250:6502 -> 172.17.17.250:57072 -> 172.17.17.17:22      TIME_WAIT:TIME_WAIT
      [2490816275 + 5888] wscale 8  [624944666 + 66519] wscale 7
      age 00:00:10, expires in 00:00:20, 4:4 pkts, 208:256 bytes, rule 34
      id: 48f9941400148d25 creatorid: 43281e2d
    self tcp 172.17.17.250:10893 -> 172.17.17.250:53237 -> 172.17.17.17:22      TIME_WAIT:TIME_WAIT
      [3873454032 + 5888] wscale 8  [317090911 + 66519] wscale 7
      age 00:00:31, expires in 00:00:00, 4:4 pkts, 208:256 bytes, rule 34
      id: 48f9941400148d15 creatorid: 43281e2d
    self tcp 172.17.17.17:22 <- 212.25.4.28:22 <- 77.56.108.199:53308      ESTABLISHED:ESTABLISHED
      377591790 + 65535  573942700 + 16320
      age 00:14:08, expires in 04:59:59, 961:859 pkts, 57071:184056 bytes, source-track, sticky-address
      id: 48f9941400148a79 creatorid: 03ccbaa0
    self tcp 172.17.17.250:443 <- 212.25.4.30:443 <- 77.56.108.199:60146      FIN_WAIT_2:FIN_WAIT_2
      3891263548 + 9648  3154738227 + 65534
      age 00:00:43, expires in 00:00:00, 10:10 pkts, 1385:1359 bytes, rule 49, source-track
      id: 48f9941400148d09 creatorid: 43281e2d
    self tcp 172.17.17.250:50347 -> 172.17.17.250:56610 -> 172.17.17.252:80      FIN_WAIT_2:FIN_WAIT_2
      [4259170932 + 1446]  [1541000899 + 65534]
      age 00:00:10, expires in 00:00:20, 4:3 pkts, 184:124 bytes, rule 34
      id: 48f9941400148d22 creatorid: 43281e2d
    self tcp 172.17.17.250:42814 -> 172.17.17.250:59246 -> 172.17.17.252:80      FIN_WAIT_2:FIN_WAIT_2
      [4256733390 + 1446]  [3550747993 + 65534]
      age 00:00:15, expires in 00:00:15, 4:3 pkts, 184:124 bytes, rule 34
      id: 48f9941400148d20 creatorid: 43281e2d
    self tcp 172.17.17.250:7661 -> 172.17.17.250:57969 -> 172.17.17.252:80      FIN_WAIT_2:FIN_WAIT_2
      [2509796519 + 1446]  [3125640129 + 65534]
      age 00:00:36, expires in 00:00:00, 4:3 pkts, 184:124 bytes, rule 34
      id: 48f9941400148d10 creatorid: 43281e2d
    self tcp 172.17.17.250:20263 -> 172.17.17.250:52392 -> 172.17.17.252:80      FIN_WAIT_2:FIN_WAIT_2
      [1042620772 + 1446]  [1113950290 + 65534]
      age 00:00:31, expires in 00:00:00, 4:3 pkts, 184:124 bytes, rule 34
      id: 48f9941400148d14 creatorid: 43281e2d
    self tcp 172.17.17.250:37362 -> 172.17.17.250:58852 -> 172.17.17.252:80      FIN_WAIT_2:FIN_WAIT_2
      [3848165941 + 1446]  [3828389538 + 65534]
      age 00:00:05, expires in 00:00:25, 4:3 pkts, 184:124 bytes, rule 34
      id: 48f9941400148d26 creatorid: 43281e2d
    self tcp 172.17.17.250:5314 -> 172.17.17.250:57061 -> 172.17.17.252:80      FIN_WAIT_2:FIN_WAIT_2
      [3567756948 + 1446]  [3396913258 + 65534]
      age 00:00:26, expires in 00:00:04, 4:3 pkts, 184:124 bytes, rule 34
      id: 48f9941400148d18 creatorid: 43281e2d
    self tcp 172.17.17.250:40000 -> 172.17.17.250:63991 -> 172.17.17.252:80      FIN_WAIT_2:FIN_WAIT_2
      [4101677653 + 1446]  [1268744228 + 65534]
      age 00:00:20, expires in 00:00:10, 4:3 pkts, 184:124 bytes, rule 34
      id: 48f9941400148d1c creatorid: 43281e2d
    self tcp 172.17.17.250:65073 -> 172.17.17.250:65034 -> 172.17.17.253:443      FIN_WAIT_2:FIN_WAIT_2
      [4145778725 + 5792] wscale 8  [2341533048 + 66560] wscale 1
      age 00:00:10, expires in 00:00:20, 4:2 pkts, 220:112 bytes, rule 34
      id: 48f9941400148d24 creatorid: 43281e2d
    self tcp 172.17.17.250:24052 -> 172.17.17.250:62307 -> 172.17.17.253:443      FIN_WAIT_2:FIN_WAIT_2
      [2161382861 + 5792] wscale 8  [2329489218 + 66560] wscale 1
      age 00:00:31, expires in 00:00:00, 4:2 pkts, 220:112 bytes, rule 34
      id: 48f9941400148d12 creatorid: 43281e2d
    self tcp 172.17.17.250:37139 -> 172.17.17.250:57984 -> 172.17.17.253:443      FIN_WAIT_2:FIN_WAIT_2
      [4165103318 + 5792] wscale 8  [2312543900 + 66560] wscale 1
      age 00:00:36, expires in 00:00:00, 4:2 pkts, 220:112 bytes, rule 34
      id: 48f9941400148d0e creatorid: 43281e2d
    self tcp 172.17.17.250:23815 -> 172.17.17.250:54433 -> 172.17.17.253:443      FIN_WAIT_2:FIN_WAIT_2
      [2886265462 + 5792] wscale 8  [2329896515 + 66560] wscale 1
      age 00:00:26, expires in 00:00:04, 4:2 pkts, 220:112 bytes, rule 34
      id: 48f9941400148d16 creatorid: 43281e2d
    self tcp 172.17.17.250:22055 -> 172.17.17.250:58573 -> 172.17.17.253:443      FIN_WAIT_2:FIN_WAIT_2
      [2281684271 + 5792] wscale 8  [2332448097 + 66560] wscale 1
      age 00:00:15, expires in 00:00:15, 4:2 pkts, 220:112 bytes, rule 34
      id: 48f9941400148d1e creatorid: 43281e2d
    self tcp 172.17.17.250:34124 -> 172.17.17.250:61171 -> 172.17.17.253:443      FIN_WAIT_2:FIN_WAIT_2
      [4158672752 + 5792] wscale 8  [2336746588 + 66560] wscale 1
      age 00:00:20, expires in 00:00:10, 4:2 pkts, 220:112 bytes, rule 34
      id: 48f9941400148d1a creatorid: 43281e2d
    self tcp 172.17.17.250:22299 -> 172.17.17.250:64503 -> 172.17.17.253:443      FIN_WAIT_2:FIN_WAIT_2
      [1620644857 + 5792] wscale 8  [2340283693 + 66560] wscale 1
      age 00:00:05, expires in 00:00:25, 4:2 pkts, 220:112 bytes, rule 34
      id: 48f9941400148d28 creatorid: 43281e2d
    self tcp 172.17.17.250:48854 -> 172.17.17.250:57606 -> 172.17.17.254:80      FIN_WAIT_2:FIN_WAIT_2
      [1859060403 + 4096]  [1974833318 + 65279]
      age 00:00:10, expires in 00:00:20, 4:3 pkts, 184:120 bytes, rule 34
      id: 48f9941400148d23 creatorid: 43281e2d
    self tcp 172.17.17.250:51858 -> 172.17.17.250:54078 -> 172.17.17.254:80      FIN_WAIT_2:FIN_WAIT_2
      [2465975669 + 4096]  [2587129204 + 65279]
      age 00:00:31, expires in 00:00:00, 4:3 pkts, 184:120 bytes, rule 34
      id: 48f9941400148d13 creatorid: 43281e2d
    self tcp 172.17.17.250:28264 -> 172.17.17.250:52554 -> 172.17.17.254:80      FIN_WAIT_2:FIN_WAIT_2
      [2025935362 + 4096]  [3251555864 + 65279]
      age 00:00:20, expires in 00:00:10, 4:3 pkts, 184:120 bytes, rule 34
      id: 48f9941400148d1b creatorid: 43281e2d
    self tcp 172.17.17.250:63337 -> 172.17.17.250:56520 -> 172.17.17.254:80      FIN_WAIT_2:FIN_WAIT_2
      [1318609598 + 4096]  [3442098642 + 65279]
      age 00:00:15, expires in 00:00:15, 4:3 pkts, 184:120 bytes, rule 34
      id: 48f9941400148d21 creatorid: 43281e2d
    self tcp 172.17.17.250:35193 -> 172.17.17.250:50921 -> 172.17.17.254:80      FIN_WAIT_2:FIN_WAIT_2
      [1740830445 + 4096]  [3797352221 + 65279]
      age 00:00:26, expires in 00:00:04, 4:3 pkts, 184:120 bytes, rule 34
      id: 48f9941400148d17 creatorid: 43281e2d
    self tcp 172.17.17.250:39491 -> 172.17.17.250:57330 -> 172.17.17.254:80      FIN_WAIT_2:FIN_WAIT_2
      [253618915 + 4096]  [3340088615 + 65279]
      age 00:00:36, expires in 00:00:00, 4:3 pkts, 184:120 bytes, rule 34
      id: 48f9941400148d0f creatorid: 43281e2d
    self tcp 172.17.17.250:50610 -> 172.17.17.250:59893 -> 172.17.17.254:80      FIN_WAIT_2:FIN_WAIT_2
      [2972699482 + 4096]  [3261166035 + 65279]
      age 00:00:05, expires in 00:00:25, 4:3 pkts, 184:120 bytes, rule 34
      id: 48f9941400148d29 creatorid: 43281e2d
    self udp 172.17.17.250:53436 -> 172.17.17.250:53085 -> 172.17.17.5:53      SINGLE:NO_TRAFFIC
      age 00:00:04, expires in 00:00:56, 1:0 pkts, 61:0 bytes, rule 34
      id: 48f9941400148d2a creatorid: 43281e2d
    self udp 172.17.17.250:514 -> 172.17.17.250:60792 -> 172.17.17.6:514      SINGLE:NO_TRAFFIC
      age 00:02:38, expires in 00:00:28, 67:0 pkts, 18961:0 bytes
      id: 48f9941400148cad creatorid: 03ccbaa0

    SOURCE TRACKING NODES:
    77.56.108.199 -> 0.0.0.0 ( states 0, connections 0, rate 0.0/1s )
      age 00:00:59, expires in 00:00:00, 22 pkts, 2824 bytes
    77.56.108.199 -> 172.17.17.17 ( states 1, connections 0, rate 0.0/0s )
      age 00:14:08, 1820 pkts, 241127 bytes
    77.56.108.199 -> 0.0.0.0 ( states 1, connections 1, rate 0.0/1s )
      age 00:14:08, 1820 pkts, 241127 bytes
    77.56.108.199 -> 0.0.0.0 ( states 1, connections 1, rate 0.0/1s )
      age 00:00:43, 20 pkts, 2744 bytes, filter rule 49

    INFO:
    Status: Enabled for 19 days 10:17:41          Debug: Urgent

    Hostid: 0x43281e2d

    Interface Stats for sis1              IPv4            IPv6
      Bytes In                              0                0
      Bytes Out                              0                0
      Packets In
        Passed                              0                0
        Blocked                              0                0
      Packets Out
        Passed                              0                0
        Blocked                              0                0

    State Table                          Total            Rate
      current entries                      34             
      searches                        11139878            6.6/s
      inserts                          1346859            0.8/s
      removals                        1346825            0.8/s
    Source Tracking Table
      current entries                        4             
      searches                            1491            0.0/s
      inserts                              452            0.0/s
      removals                            448            0.0/s
    Counters
      match                            1365100            0.8/s
      bad-offset                            0            0.0/s
      fragment                              0            0.0/s
      short                                  0            0.0/s
      normalize                              0            0.0/s
      memory                                0            0.0/s
      bad-timestamp                          0            0.0/s
      congestion                            0            0.0/s
      ip-option                              0            0.0/s
      proto-cksum                            0            0.0/s
      state-mismatch                        19            0.0/s
      state-insert                          0            0.0/s
      state-limit                            0            0.0/s
      src-limit                            470            0.0/s
      synproxy                            695            0.0/s
    Limit Counters
      max states per rule                    0            0.0/s
      max-src-states                      470            0.0/s
      max-src-nodes                          0            0.0/s
      max-src-conn                          0            0.0/s
      max-src-conn-rate                      0            0.0/s
      overload table insertion              0            0.0/s
      overload flush states                  0            0.0/s

    LABEL COUNTERS:
    Block snort2c hosts 39 0 0
    Block snort2c hosts 39 0 0
    pass loopback 39 0 0
    pass loopback 0 0 0
    allow access to DHCP server on LAN 39 0 0
    allow access to DHCP server on LAN 0 0 0
    allow access to DHCP server on LAN 18 0 0
    block dhcp client out wan 21 0 0
    allow dhcp client out wan 0 0 0
    virusprot overload table 39 0 0
    let out anything from firewall host itself 39 0 0
    let out anything from firewall host itself 21 0 0
    let out anything from firewall host itself 18 0 0
    let out anything from firewall host itself 39 0 0
    let out anything from firewall host itself 18 119 5949
    let out anything from firewall host itself 0 0 0
    IPSEC internal host to host 0 0 0
    let out anything from firewall host itself 0 0 0
    let out anything from firewall host itself 0 0 0
    anti-lockout web rule 21 0 0
    sshlockout 21 0 0
    USER_RULE 21 0 0
    USER_RULE: ICMP IPv4 21 0 0
    USER_RULE: IPv6 ICMP Router ADV 0 0 0
    USER_RULE: Firewall Management 21 0 0
    USER_RULE: Firewall Management 0 0 0
    USER_RULE: IPMI Management 0 0 0
    USER_RULE: Unity SSH Access 0 0 0
    USER_RULE: Switch Management 0 0 0
    USER_RULE: RAID Management 0 0 0
    USER_RULE: Default LAN -> any 0 0 0
    FTP PROXY: Allow traffic to localhost 0 0 0
    FTP PROXY: Allow traffic to localhost 0 0 0
    FTP PROXY: PASV mode data connection 0 0 0
    FTP PROXY: Allow traffic to localhost 0 0 0
    FTP PROXY: Allow traffic to localhost 0 0 0
    Default block all just to be sure. 0 0 0
    Default block all just to be sure. 0 0 0

    TIMEOUTS:
    tcp.first                    30s
    tcp.opening                  5s
    tcp.established          18000s
    tcp.closing                  60s
    tcp.finwait                  30s
    tcp.closed                  30s
    tcp.tsdiff                  10s
    udp.first                    60s
    udp.single                  30s
    udp.multiple                60s
    icmp.first                  20s
    icmp.error                  10s
    other.first                  60s
    other.single                30s
    other.multiple              60s
    frag                        30s
    interval                    10s
    adaptive.start                0 states
    adaptive.end                  0 states
    src.track                    0s

    LIMITS:
    states    hard limit  10000
    src-nodes  hard limit  10000
    frags      hard limit  5000

    TABLES:
    --a-r- arc1231ml
    Addresses:  1
    Cleared:    Sat Oct 18 07:45:24 2008
    References:  [ Anchors: 0                  Rules: 1                  ]
    Evaluations: [ NoMatch: 8464              Match: 63                ]
    In/Block:    [ Packets: 0                  Bytes: 0                  ]
    In/Pass:    [ Packets: 0                  Bytes: 0                  ]
    In/XPass:    [ Packets: 0                  Bytes: 0                  ]
    Out/Block:  [ Packets: 0                  Bytes: 0                  ]
    Out/Pass:    [ Packets: 0                  Bytes: 0                  ]
    Out/XPass:  [ Packets: 0                  Bytes: 0                  ]
    --a-r- immunity
    Addresses:  1
    Cleared:    Sat Oct 18 07:45:24 2008
    References:  [ Anchors: 0                  Rules: 1                  ]
    Evaluations: [ NoMatch: 19456              Match: 0                  ]
    In/Block:    [ Packets: 0                  Bytes: 0                  ]
    In/Pass:    [ Packets: 0                  Bytes: 0                  ]
    In/XPass:    [ Packets: 0                  Bytes: 0                  ]
    Out/Block:  [ Packets: 0                  Bytes: 0                  ]
    Out/Pass:    [ Packets: 0                  Bytes: 0                  ]
    Out/XPass:  [ Packets: 0                  Bytes: 0                  ]
    --a-r- ipmi
    Addresses:  1
    Cleared:    Sat Oct 18 07:45:24 2008
    References:  [ Anchors: 0                  Rules: 1                  ]
    Evaluations: [ NoMatch: 9007              Match: 14                ]
    In/Block:    [ Packets: 0                  Bytes: 0                  ]
    In/Pass:    [ Packets: 22                Bytes: 972                ]
    In/XPass:    [ Packets: 0                  Bytes: 0                  ]
    Out/Block:  [ Packets: 0                  Bytes: 0                  ]
    Out/Pass:    [ Packets: 14                Bytes: 560                ]
    Out/XPass:  [ Packets: 0                  Bytes: 0                  ]
    -pa-r- snort2c
    Addresses:  0
    Cleared:    Sat Oct 18 07:45:24 2008
    References:  [ Anchors: 0                  Rules: 2                  ]
    Evaluations: [ NoMatch: 2730188            Match: 0                  ]
    In/Block:    [ Packets: 0                  Bytes: 0                  ]
    In/Pass:    [ Packets: 0                  Bytes: 0                  ]
    In/XPass:    [ Packets: 0                  Bytes: 0                  ]
    Out/Block:  [ Packets: 0                  Bytes: 0                  ]
    Out/Pass:    [ Packets: 0                  Bytes: 0                  ]
    Out/XPass:  [ Packets: 0                  Bytes: 0                  ]
    -pa-r- sshlockout
    Addresses:  0
    Cleared:    Sat Oct 18 07:45:24 2008
    References:  [ Anchors: 0                  Rules: 1                  ]
    Evaluations: [ NoMatch: 9241              Match: 0                  ]
    In/Block:    [ Packets: 0                  Bytes: 0                  ]
    In/Pass:    [ Packets: 0                  Bytes: 0                  ]
    In/XPass:    [ Packets: 0                  Bytes: 0                  ]
    Out/Block:  [ Packets: 0                  Bytes: 0                  ]
    Out/Pass:    [ Packets: 0                  Bytes: 0                  ]
    Out/XPass:  [ Packets: 0                  Bytes: 0                  ]
    --a-r- sw0
    Addresses:  1
    Cleared:    Sat Oct 18 07:45:24 2008
    References:  [ Anchors: 0                  Rules: 1                  ]
    Evaluations: [ NoMatch: 8527              Match: 0                  ]
    In/Block:    [ Packets: 0                  Bytes: 0                  ]
    In/Pass:    [ Packets: 0                  Bytes: 0                  ]
    In/XPass:    [ Packets: 0                  Bytes: 0                  ]
    Out/Block:  [ Packets: 0                  Bytes: 0                  ]
    Out/Pass:    [ Packets: 0                  Bytes: 0                  ]
    Out/XPass:  [ Packets: 0                  Bytes: 0                  ]
    --a-r- unity
    Addresses:  1
    Cleared:    Sat Oct 18 07:45:24 2008
    References:  [ Anchors: 0                  Rules: 2                  ]
    Evaluations: [ NoMatch: 8527              Match: 480                ]
    In/Block:    [ Packets: 0                  Bytes: 0                  ]
    In/Pass:    [ Packets: 126122            Bytes: 8834575            ]
    In/XPass:    [ Packets: 0                  Bytes: 0                  ]
    Out/Block:  [ Packets: 0                  Bytes: 0                  ]
    Out/Pass:    [ Packets: 93742              Bytes: 27705305          ]
    Out/XPass:  [ Packets: 0                  Bytes: 0                  ]
    --a-r- virusprot
    Addresses:  0
    Cleared:    Thu Jan  1 00:00:00 1970
    References:  [ Anchors: 0                  Rules: 5                  ]
    Evaluations: [ NoMatch: 19468              Match: 0                  ]
    In/Block:    [ Packets: 0                  Bytes: 0                  ]
    In/Pass:    [ Packets: 0                  Bytes: 0                  ]
    In/XPass:    [ Packets: 0                  Bytes: 0                  ]
    Out/Block:  [ Packets: 0                  Bytes: 0                  ]
    Out/Pass:    [ Packets: 0                  Bytes: 0                  ]
    Out/XPass:  [ Packets: 0                  Bytes: 0                  ]
    --a-r- vpns
    Addresses:  0
    Cleared:    Sat Oct 18 07:45:24 2008
    References:  [ Anchors: 0                  Rules: 1                  ]
    Evaluations: [ NoMatch: 12                Match: 0                  ]
    In/Block:    [ Packets: 0                  Bytes: 0                  ]
    In/Pass:    [ Packets: 0                  Bytes: 0                  ]
    In/XPass:    [ Packets: 0                  Bytes: 0                  ]
    Out/Block:  [ Packets: 0                  Bytes: 0                  ]
    Out/Pass:    [ Packets: 0                  Bytes: 0                  ]
    Out/XPass:  [ Packets: 0                  Bytes: 0                  ]

    OS FINGERPRINTS:
    348 fingerprints loaded



  • Are you even passing traffic on this thing? Most of your rule counters are 0?!
    Are you doing asymmetric routing somehow?
    Do you by any chance have any proxy ARP on the sis1 (WAN?) interface?
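
The check made by eye in the reply above (which labelled rules actually saw packets), as an added example that is not part of the original thread. It assumes the three-number LABEL COUNTERS format shown in the dump (evaluations, packets, bytes); the function names are hypothetical and the sample lines are copied from the posted output.

```python
import re
from collections import defaultdict

# Lines copied from the LABEL COUNTERS section posted above.
SAMPLE = """\
Block snort2c hosts 39 0 0
pass loopback 39 0 0
let out anything from firewall host itself 18 119 5949
let out anything from firewall host itself 0 0 0
anti-lockout web rule 21 0 0
USER_RULE: Firewall Management 21 0 0
USER_RULE: Firewall Management 0 0 0
USER_RULE: Default LAN -> any 0 0 0
Default block all just to be sure. 0 0 0
"""

# A label may contain spaces, so anchor on the three trailing integers.
LINE = re.compile(
    r"^\s*(?P<label>.+?)\s+(?P<evals>\d+)\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)\s*$")

def summarize(text):
    """Sum (evaluations, packets, bytes) per label; one label can cover several rules."""
    totals = defaultdict(lambda: [0, 0, 0])
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # section headings, blank lines, other pfctl output
        for i, key in enumerate(("evals", "pkts", "bytes")):
            totals[m["label"]][i] += int(m[key])
    return {label: tuple(v) for label, v in totals.items()}

def triage(text):
    """Split labels into: saw packets / evaluated but no packets / never evaluated."""
    totals = summarize(text)
    matched = sorted(l for l, (e, p, b) in totals.items() if p > 0)
    evaluated_only = sorted(l for l, (e, p, b) in totals.items() if e > 0 and p == 0)
    never = sorted(l for l, (e, p, b) in totals.items() if e == 0)
    return matched, evaluated_only, never

if __name__ == "__main__":
    for title, labels in zip(("saw packets", "evaluated, no packets", "never evaluated"),
                             triage(SAMPLE)):
        print(f"{title}:")
        for label in labels:
            print(f"  {label}")
```
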



  • The box is merely guarding some admin ports, so it is very lightly loaded; besides that, I tried to reset the counters to get rid of any error counters that happened in the past.

    In the intended setup it does Proxy ARP for some IPs, and it even does "loadBalance", but merely to proxy the request. But I also removed the whole ProxyARP and LB stuff and it still happened….

    These are the counters after zeroing the counters, connecting, and waiting in vain for some web content to show up, in the hope that something would show up in the output.

