I tested your t1n1wall build based on FreeBSD 10.2. The webgui is extremely slow and can become completely unresponsive. I narrowed down the problem to the filter.inc file after adding the following 2 rules:
pass in quick all
pass out quick all
Obviously the above rules were only for testing purposes, but adding those rules made a huge difference. The webui became very responsive. I'm going to post the relevant information from the status.php output to see if you can spot something. Hopefully you will. And a big thanks for continuing to work on the t1n1wall fork of m0n0wall.
> ipfstat -nio
> @1 pass out quick on lo0 inet from any to any
> @2 pass out quick on em1 inet proto udp from 192.168.1.1/32 port = bootps to any port = bootpc
> @3 pass out quick on em0 inet proto udp from any port = bootpc to any port = bootps
> @4 pass out quick on em1 inet from any to any keep state
> @5 pass out quick on em0 inet from any to any keep state
> @6 pass out quick all
> @1 pass in quick on lo0 inet from any to any
> @2 block in log quick inet from any to any with short
> @3 block in log quick inet from any to any with ipopts
> @4 pass in quick on em1 inet proto udp from any port = bootpc to 255.255.255.255/32 port = bootps
> @5 pass in quick on em1 inet proto udp from any port = bootpc to 192.168.1.1/32 port = bootps
> @6 block in log quick on em0 inet from 192.168.1.0/24 to any
> @7 block in log quick on em0 inet proto udp from any port = bootps to 192.168.1.0/24 port = bootpc
> @8 pass in quick on em0 inet proto udp from any port = bootps to any port = bootpc
> @9 block in log quick on em1 inet from !192.168.1.0/24 to any
> @10 block in log quick on em0 inet from 10.0.0.0/8 to any
> @11 block in log quick on em0 inet from 127.0.0.0/8 to any
> @12 block in log quick on em0 inet from 172.16.0.0/12 to any
> @13 block in log quick on em0 inet from 192.168.0.0/16 to any
> @14 skip 1 in inet proto tcp from any to any flags S/FSRA
> @15 block in log quick inet proto tcp from any to any
> @16 block in log quick on em1 inet from any to any head 100
> @17 block in log quick on em0 inet from any to any head 200
> @18 pass in quick all
> @19 pass in quick inet from 192.168.1.0/24 to 192.168.1.1/32 keep state group 100
> @20 pass in quick inet from 192.168.1.0/24 to any keep state group 100
unparsed ipnat rules
map em0 192.168.1.0/24 -> 0/32 proxy port 21 ftp/tcp
map em0 192.168.1.0/24 -> 0/32 portmap tcp/udp 1024:64535
map em0 192.168.1.0/24 -> 0/32
map em0 from 72.208.136.241/32 to any port = 53 -> 0.0.0.0/32 tcp/udp
unparsed ipfilter rules
# loopback
pass in quick on lo0 family inet from any to any
pass out quick on lo0 family inet from any to any
# block short packets
block in log quick family inet from any to any with short
# block IP options
block in log quick family inet from any to any with ipopts
# allow access to DHCP server on LAN
pass in quick on em1 family inet proto udp from any port = 68 to 255.255.255.255 port = 67
pass in quick on em1 family inet proto udp from any port = 68 to 192.168.1.1 port = 67
pass out quick on em1 family inet proto udp from 192.168.1.1 port = 67 to any port = 68
# WAN spoof check
block in log quick on em0 family inet from 192.168.1.0/24 to any
# allow our DHCP client out to the WAN
# XXX - should be more restrictive
# (not possible at the moment - need 'me' like in ipfw)
pass out quick on em0 family inet proto udp from any port = 68 to any port = 67
block in log quick on em0 family inet proto udp from any port = 67 to 192.168.1.0/24 port = 68
pass in quick on em0 family inet proto udp from any port = 67 to any port = 68
# LAN/OPT spoof check (needs to be after DHCP because of broadcast addresses)
block in log quick on em1 family inet from ! 192.168.1.0/24 to any
# block anything from private networks on WAN interface
block in log quick on em0 family inet from 10.0.0.0/8 to any
block in log quick on em0 family inet from 127.0.0.0/8 to any
block in log quick on em0 family inet from 172.16.0.0/12 to any
block in log quick on em0 family inet from 192.168.0.0/16 to any
# Block TCP packets that do not mark the start of a connection
skip 1 in family inet proto tcp from any to any flags S/SAFR
block in log quick family inet proto tcp all
#---------------------------------------------------------------------------
# group head 100 - LAN interface
#---------------------------------------------------------------------------
block in log quick on em1 family inet from any to any head 100
# let out anything from the firewall host itself and decrypted IPsec traffic
pass out quick on em1 family inet from any to any keep state
#---------------------------------------------------------------------------
# group head 200 - WAN interface
#---------------------------------------------------------------------------
block in log quick on em0 family inet from any to any head 200
# let out anything from the firewall host itself and decrypted IPsec traffic
pass out quick on em0 family inet from any to any keep state
# make sure the user cannot lock himself out of the webGUI
pass in quick family inet from 192.168.1.0/24 to 192.168.1.1 keep state group 100
# User-defined rules follow
pass in quick family inet from 192.168.1.0/24 to any keep state group 100
#---------------------------------------------------------------------------
# default rules (just to be sure)
#---------------------------------------------------------------------------
#block in log quick family inet from any to any
#block out log quick family inet from any to any
pass in quick all
pass out quick all
unparsed ipfw rules
add 50000 set 4 pass all from 192.168.1.1 to any
add 50001 set 4 pass all from any to 192.168.1.1
I did a little more testing but am still unable to completely isolate the issue. It's strange that it worked before, although the leap from IPFILTER 4 to IPFILTER 5 did change the syntax. There really seems to be a lack of documentation for IPFILTER. Pretty sad; maybe one day you can transition to pf. Anyway, like I said, I did a little more testing. I added only the following to your filter.inc:
pass out quick all
So the issue seems to be that something is being blocked out to the webserver. Since the webserver is reachable but very unresponsive, I find this to be strange. I'll look into this issue further.
Last edit: Anonymous 2015-12-02
So a little more experimenting with filter.inc. Any of the following rules work and the webgui becomes responsive:
I placed any one of the above rules below the following rule:
Am I the only one who is experiencing this issue with the freebsd10 build?
I've settled on the following rule until the rules issue gets sorted out:
pass out quick on $lanif family $inetfamily proto tcp from any to any
Unfortunately I had to remove the block out rule under the "just to be sure" rules.
As per the forum thread, this is a bug with ipfilter and TSO (lots of TSO was updated in FreeBSD 10, and ipfilter isn't seeing the segmentation properly). I will set TSO to default off per NIC, and allow user enablement per NIC.
TSO is now configurable on the advanced page, under setup. This is a global setting and defaults to turning it off.
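For anyone who wants to confirm the TSO diagnosis on their own box before (or instead of) flipping the new advanced-page setting, here is an added example, not part of t1n1wall or this thread, of checking a NIC's TSO state from stock FreeBSD ifconfig output and emitting the commands that turn it off. It assumes the FreeBSD `options=<...>` flag line format (TSO4/TSO6 flags) and the `-tso` ifconfig option; the two ifconfig samples are constructed, not captured from the poster's system, and the `tso_state` / `tso_disable_cmds` helper names are my own.

```shell
#!/bin/sh
# Added example (not t1n1wall code): detect whether TSO is enabled on a
# FreeBSD interface by parsing the "options=<...>" line of ifconfig output,
# and print the commands that disable it at runtime and persist that in
# rc.conf. Assumes FreeBSD ifconfig formatting; samples below are constructed.

# Constructed sample of `ifconfig em0` output with TSO4 enabled (assumption,
# not captured from a real box; 192.0.2.0/24 is a documentation range).
SAMPLE_EM0='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=4219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MAGIC,VLAN_HWTSO>
    ether 00:11:22:33:44:55
    inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active'

# Constructed sample of `ifconfig lo0` output: no TSO flags at all.
SAMPLE_LO0='lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
    inet 127.0.0.1 netmask 0xff000000'

# tso_state OUTPUT
#   $1 is the ifconfig output for one interface. Prints "on" if the options
#   line lists TSO4 or TSO6, "off" otherwise. The sed keeps only the text
#   between the angle brackets, tr splits the flags one per line, and grep -x
#   insists on a whole-flag match so VLAN_HWTSO does not count as TSO.
tso_state() {
    if printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*options=[0-9a-fA-F]*<\(.*\)>.*/\1/p' \
        | tr ',' '\n' \
        | grep -qx 'TSO[46]'; then
        echo on
    else
        echo off
    fi
}

# tso_disable_cmds IFNAME
#   Prints the two commands an admin would run on stock FreeBSD: turn TSO off
#   now, and append "-tso" to the interface's rc.conf line so it stays off
#   across reboots (sysrc's "+=" appends to the existing value).
tso_disable_cmds() {
    ifn=$1
    printf 'ifconfig %s -tso\n' "$ifn"
    printf 'sysrc ifconfig_%s+=" -tso"\n' "$ifn"
}

# Stand-alone demonstration against the constructed samples.
for entry in "em0|$SAMPLE_EM0" "lo0|$SAMPLE_LO0"; do
    name=${entry%%|*}
    text=${entry#*|}
    state=$(tso_state "$text")
    echo "$name: TSO $state"
    if [ "$state" = on ]; then
        echo "  to disable:"
        tso_disable_cmds "$name" | sed 's/^/    /'
    fi
done
```

On a live system replace the samples with `tso_state "$(ifconfig em0)"`. Disabling TSO at runtime with `ifconfig em0 -tso` is reversible (`ifconfig em0 tso` turns it back on), so it is a safe way to test whether the webgui becomes responsive before touching any persistent setting; the global equivalent is `sysctl net.inet.tcp.tso=0`, which is what the advanced-page option amounts to since it is applied to every NIC.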