Solved Squid and IPFW, packets getting stuck in a loop

kumba

Member

Reaction score: 3
Messages: 28

I am noticing an odd issue between squid and my firewall setup on a squid proxy system I put together. Periodically, it seems like the IPFW dynamic rules that get created when squid connects out will expire too early, thus causing inbound packets to hit a deny all established rule that comes after my check-state rule. Has anyone seen anything like this before? It seems like I am missing a sysctl tunable somewhere, or I have something set that ought not be.

Here's what my current ipfw show command looks like:
Code:
# ipfw show
00001    9116   3474092 allow ip from any to any via lo0
00002       0         0 deny ip4 from any to 127.0.0.0/8
00003       0         0 deny ip4 from 127.0.0.0/8 to any
00004       0         0 deny ip6 from any to ::1
00005       0         0 deny ip6 from ::1 to any
00006       0         0 check-state :default
00007 3174079 126963855 deny tcp from any to any established
00008   78062  58346526 allow tcp from any to any out via em0 setup keep-state :default
00009    1768    196561 allow udp from any to any out via em0 keep-state :default
00010       0         0 allow sctp from any to any out via em0 setup keep-state :default
00011     391     32960 allow icmp from any to any out via em0 keep-state :default
00012     276     19200 allow ipv6-icmp from any to any out via em0 keep-state :default
00013       0         0 deny log ip from any to any out via em0
00020       0         0 deny ip from any to any in via em0 frag
00021     289     32762 deny { tcp or udp } from any to any 135-139,445 in via em0
00022       0         0 deny udp from any 27036 to any 27036 in via em0
00023    5834   1347938 deny ip4 from any to 224.0.0.0/4 in via em0
00024       0         0 allow icmp from any to any in via em0 icmptypes 0,3,8,9,10,11,12,13,14 keep-state :default
00025       0         0 allow ipv6-icmp from :: to ff02::/16 in via em0 keep-state :default
00026       0         0 allow ipv6-icmp from fe80::/10 to fe80::/10 in via em0 keep-state :default
00027      24      4032 allow ipv6-icmp from fe80::/10 to ff02::/16 in via em0 keep-state :default
00028     200     13720 allow ipv6-icmp from any to any icmp6types 1,2,3,4,128,129,133,134,135,136,160,161 in via em0 keep-state :default
00030   45944   3746595 allow tcp from table(ssh-allowed) to any 22 in via em0 setup keep-state :default
00031   61417  60593862 allow tcp from table(squid-allowed) to any 3128 in via em0 setup keep-state :default
00032       0         0 deny log ip from any to any in via em0
65533      15      1240 deny log ip from any to any
65535       0         0 deny ip from any to any

In the above set of rules, it's rule #7 that's the indicator of something wrong. When the issue does happen, I can run ipfw show repeatedly and watch the denied packets count climb at a rate of 200-400 per second. If I have firewall_logging="YES" set in /etc/rc.conf, then the HDD activity light blinks very fast or goes solid due to the huge volume of writes to /var/log/security.

What I am not sure about is whether the problem with with squid, if there's something off about my firewall script design, or something tied to how IPFW operates, presumably a sysctl tunable not set right. I highly suspect the problem is the dynamic rules created for squid's outbound connections are getting reaped too quickly, causing something to go weird between squid's idea fo the connection states and IPFW's idea.

FWIW, I am using the RACK TCP stack and H-TCP algorithm for congestion control. I can post my /etc/sysctl.conf file if needed to help debug this. Squid's version is 4.9, and the base OS is 12.1-RELEASE-p1.
 
Top