I have an Apache web server running on a FreeBSD 8.3 machine.
That machine has an ipfw firewall with these rules:

root@aigamedev:~# ipfw -a list
00005    0       0 deny ip from 67.212.xxx.xxx to any
00010  206   88422 allow ip from any to any via lo0
00015    0       0 deny ip from any to 127.0.0.0/8
00020    0       0 deny ip from 127.0.0.0/8 to any
00050    0       0 check-state
00060 5315 1358507 allow tcp from any to any established
00061    8     658 allow ip from any to any out keep-state
00070    0       0 allow icmp from any to any
00080    0       0 deny ip from me to me in recv re0
00085    0       0 deny tcp from any to any frag
00098    0       0 allow tcp from me to 83.64.xxx.xxx out established keep-state
00099    0       0 allow tcp from 83.64.xxx.xxx to me dst-port 22 in setup keep-state
00100    0       0 allow tcp from any to any dst-port 22 in setup keep-state
00110    0       0 allow tcp from any to any dst-port 22 out setup keep-state
00160    0       0 allow tcp from any to any dst-port 25 out setup keep-state
00180    0       0 allow tcp from any to any dst-port 53 out setup keep-state
00185    0       0 allow udp from any to any dst-port 53 out keep-state
00200 6750  661150 allow tcp from any to any dst-port 80,443 in setup keep-state
00210    0       0 allow tcp from any to any dst-port 80,443 out setup keep-state
00250    0       0 allow udp from any to any dst-port 123 out keep-state
00280    0       0 allow udp from any to any dst-port 67-68 out keep-state
00300    0       0 allow tcp from any to any dst-port 5222,5223,5269 in setup keep-state
00305    0       0 allow tcp from any to any dst-port 5222,5223,5269 out setup keep-state
00999   25    1716 deny ip from any to any
65535    0       0 deny ip from any to any

As soon as I enable these firewall rules the Apache server on the same machine "slows down", i.e. many connections hang, pages take seconds to load instead of ms. This can be tested from different source networks and clients. In server-status I can see many (most) of the Apache slots in reading state and doing nothing.

When I then stop the firewall the Apache server immediately comes back to normal performance again.

Any ideas what could be wrong with these firewall rules?

Matthias
  • What are the IPFW stats? (Specifically, what rules are being evaluated and/or hit most frequently?) I see some extra work / duplication of effort but nothing that says "this should choke a server". I'll know more if I can see which rules are spiking. – voretaq7 Nov 22 '13 at 02:50
  • lots of dup rules – nandoP Nov 22 '13 at 04:15
  • @voretaq7: I have updated the rules listing to show the stats. Is this what you wanted to see? – Matthias Nov 22 '13 at 09:03
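
The "extra work / duplication" voretaq7 and nandoP mention can be checked mechanically. The script below is an added example, not from anyone in this thread: it parses a subset of the `ipfw -a list` output above and reports every rule that an earlier rule already matches completely, so the later rule can never fire. It models only protocol, source, destination, `dst-port`, `in`/`out` and the narrowing TCP qualifiers (`setup`, `established`, `frag`); `via`/`recv`/`xmit` rules are skipped as shadowing candidates, and `me` or CIDR addresses are compared as plain strings (assumption: good enough for this listing).

```python
from typing import List, Tuple

# Subset of the asker's `ipfw -a list` output; columns are rule, packets, bytes, body.
LISTING = """\
00050    0       0 check-state
00060 5315 1358507 allow tcp from any to any established
00061    8     658 allow ip from any to any out keep-state
00098    0       0 allow tcp from me to 83.64.xxx.xxx out established keep-state
00100    0       0 allow tcp from any to any dst-port 22 in setup keep-state
00110    0       0 allow tcp from any to any dst-port 22 out setup keep-state
00200 6750  661150 allow tcp from any to any dst-port 80,443 in setup keep-state
00210    0       0 allow tcp from any to any dst-port 80,443 out setup keep-state
00999   25    1716 deny ip from any to any
"""
NARROWING = {"setup", "established", "frag"}           # TCP qualifiers that restrict a match
WITH_ARG = {"from": "src", "to": "dst", "dst-port": "dports",
            "via": "iface", "recv": "iface", "xmit": "iface"}

def parse_rule(line: str) -> dict:
    """Reduce one listing line to the fields that decide which packets it matches."""
    num, pkts, _bytes, action, *toks = line.split()
    r = dict(num=int(num), pkts=int(pkts), action=action, proto=toks[0] if toks else "ip",
             src="any", dst="any", direction=None, dports=None, flags=set(), iface=False)
    i = 1
    while i < len(toks):
        t = toks[i]
        if t in WITH_ARG:                                # qualifier that takes a value
            r[WITH_ARG[t]] = toks[i + 1] if WITH_ARG[t] != "iface" else True
            i += 2
        else:                                            # in/out, setup/established/frag,
            if t in ("in", "out"): r["direction"] = t    # keep-state (does not narrow)
            elif t in NARROWING: r["flags"].add(t)
            i += 1
    return r

def covers(e: dict, r: dict) -> bool:
    """True if earlier rule e matches every packet that later rule r would match."""
    if "check-state" in (e["action"], r["action"]) or e["iface"]:
        return False                                     # interface qualifiers not modelled
    return (e["proto"] in ("ip", r["proto"]) and e["src"] in ("any", r["src"])
            and e["dst"] in ("any", r["dst"]) and e["direction"] in (None, r["direction"])
            and e["dports"] in (None, r["dports"]) and e["flags"] <= r["flags"])

def shadowed_rules(listing: str) -> List[Tuple[int, int]]:
    """(unreachable rule, earliest rule that shadows it) for every rule that can never match."""
    rules = [parse_rule(l) for l in listing.splitlines() if l.strip()]
    return [(r["num"], next(e["num"] for e in rules[:i] if covers(e, r)))
            for i, r in enumerate(rules) if any(covers(e, r) for e in rules[:i])]
```

On this subset it reports 98 (covered by 60), 110 and 210 (both covered by 61); run on the full listing it flags every later `out` rule as covered by rule 61 and the default rule 65535 as covered by 999, which matches their zero packet counts.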

2 Answers

are you allowing tcp/80 "new" connections? what port is apache listening on, and where should connections be accepted from?

these rules shouldn't be causing any slowdown:

00200 allow tcp from any to any dst-port 80,443 in setup keep-state
00210 allow tcp from any to any dst-port 80,443 out setup keep-state

perhaps these ports are taxing on the scripts/daemons/applications listening on these ports, and are slowing down the box.

00300 allow tcp from any to any dst-port 5222,5223,5269 in setup keep-state
00305 allow tcp from any to any dst-port 5222,5223,5269 out setup keep-state

my advice: have one physical/virtual machine per service..... run ntop to see how much traffic you are actually pushing

voretaq7
nandoP
  • I have updated the OP to show the stats per rule. Yes I do think I accept "new" connections on 80, isn't that exactly those first 2 lines you have quoted in your message? The other two rules should be fine, there is no service running on these ports at the moment. Also, the problem is not the load or I/O on the server, that is all fine. It is just those "hanging" connections in Apache when the firewall is active. – Matthias Nov 22 '13 at 09:07

It sounds like Apache has a dependency on other services which the firewall is blocking. Without knowing what applications you're running, it's difficult to give more exact info, but you're blocking access to everything on localhost which seems wrong.

Start by commenting out all of the deny lines and make sure that it works at the same speed. Then slowly start re-adding the deny lines, starting from the end. Even though these rules claim not to be triggered, this is not always as reliable as it could be.

Quetza
  • This sounds like a great idea. So I have updated the FW script and commented out every single `deny` rule. Then I have restarted the FW via `/etc/rc.d/ipfw start` again. And now it comes: again the strange behaviour of Apache! Even though no single `deny` line is active any more, as soon as the FW is started Apache freaks out. I am really out of ideas here :( – Matthias Dec 17 '13 at 15:46