Hi
I'm setting up a firewall based on Shorewall 2.2 from Debian stable
(sarge). It seems to work just fine, but I have a weird thing
happening when using ping and other ICMP traffic.
The box is a 2.8 GHz with 1 GB of memory. It has 3 gigabit ethernet
adapters, and I'm not loading it with a lot of traffic at this point.
When shutting down Shorewall I have a ping latency at around 0.1 ms
from my local network to the firewall, but as soon as I enable
Shorewall the latency goes up to about 25-30 ms.
However, if I traceroute through the firewall to some other host on
the internet it replies quickly in less than 0.2 ms. To illustrate:
$ ping -c 10 -q 10.0.0.8
PING 10.0.0.8 (10.0.0.8): 56 data bytes
--- 10.0.0.8 ping statistics ---
10 packets transmitted, 10 packets received, 0% packet loss
round-trip min/avg/max = 26.5/34.7/100.0 ms
$ traceroute -I www.webpartner.dk
traceroute to www.webpartner.dk (195.184.96.72), 30 hops max, 40 byte packets
1 10.0.0.8 (10.0.0.8) 0.221 ms 0.186 ms 0.238 ms
2 213.173.237.225 (213.173.237.225) 16.764 ms 14.519 ms 14.098 ms
3 213.173.240.90 (213.173.240.90) 20.972 ms 24.657 ms 19.967 ms
4 213.173.240.89 (213.173.240.89) 22.925 ms 34.553 ms 22.194 ms
5 195.184.96.72 (195.184.96.72) 24.843 ms 9.660 ms 10.103 ms
213.173.237.225 is my router to the internet; it's not the world's
fastest router, but still faster than what the above traceroute
shows. If I ping it through another firewall I get:
$ ping -c 10 -q 213.173.237.225
PING 213.173.237.225 (213.173.237.225) 56(84) bytes of data.
--- 213.173.237.225 ping statistics ---
10 packets transmitted, 10 received, 0% packet loss, time 9012ms
rtt min/avg/max/mdev = 1.300/1.832/4.290/0.903 ms
I see the same pattern even if I cut the rules down to only permitting
ping. Does anyone have a clue as to what's happening? I'm using a
newly compiled 2.6.14 kernel, but saw the same behavior with an older
2.6.8-2 kernel.
--
Jacob