Subject: 30-60 sec SMTP delay with ipf.conf configuration.
To: None <port-i386@netbsd.org>
From: Alicia da Conceicao <alicia@cyberstation.ca>
List: port-i386
Date: 01/07/2000 16:18:49
Greetings:

Another chapter in this continuing IPF saga.  My current /etc/ipf.conf,
which is attached at the end of this e-mail, works great.  It provides
protection against bad packets, and connections to my gateways/firewall
are restricted to only those ports and protocols I allow.  In addition,
those on the inside (lan) of the gateway can freely access the Internet
via the gateway, without any restrictions.

However, with this IPF configuration, there is an extra 30-60 sec delay
when establishing an SMTP client connection, from inside the firewall,
to an outside sendmail server on a NetBSD 1.4.1 machine.  This delay does
not apply to other types of tcp/udp connections, including ftp (passive)
and pop connections.  This delay only appears with SMTP, and this delay
goes away when I remove the last section of rulesets from my ipf.conf
configuration.

Any ideas on what is causing the delay, and how this can be fixed?  As
mentioned before, the gateway/firewall computer contains two ethernet
cards.  The internal card (fxp0) connects to the internal non-routable
(192.168.0.0/32) lan, and the external card (fxp1) connects to the
Internet with a single IP (i.e. 1.2.3.4/32).  The gateway is running
NetBSD 1.4.1 ix86, with IPF, IPNAT, and squid proxies.

Thanks in advance.  Sincerely, Alicia.

PS. Below is my current /etc/ipf.conf configuration:
---------------------------------------------------
# Sanity checks on every inbound packet: drop fragments, runt TCP headers,
# and (logged) packets carrying IP options.
block in quick all with frag
block in quick proto tcp all with short
block in quick log all with ipopts

# Anti-spoofing on the external interface: private and loopback addresses
# must never arrive on, or be destined through, fxp1.
block in quick on fxp1 from any to 192.168.0.0/16
block in quick on fxp1 from any to 127.0.0.0/8
block in quick on fxp1 from 192.168.0.0/16 to any
block in quick on fxp1 from 172.16.0.0/12 to any
block in quick on fxp1 from 10.0.0.0/8 to any
block in quick on fxp1 from 127.0.0.0/8 to any

# Everything leaving via fxp1 (gateway and NATed lan) is allowed and creates
# state, so replies come back without needing an explicit inbound rule.
# Inbound ICMP is limited to echo request (8) and time exceeded (11).
pass out quick on fxp1 proto tcp/udp from any to any keep state
pass out quick on fxp1 proto icmp    from any to any keep state
pass in  quick on fxp1 proto icmp    from any to any icmp-type 8
pass in  quick on fxp1 proto icmp    from any to any icmp-type 11

# Default deny for unsolicited inbound traffic on fxp1, split into a TCP
# group (new connections only, flags S/SA) and a UDP group.  Only SSH (tcp/22)
# and DNS (udp/53) to the gateway are passed; everything else is dropped.
block in on fxp1 all head 100
block in proto tcp all flags S/SA head 101 group 100
block in proto udp all head 102 group 100
pass in quick proto tcp from any to any port = 22 keep state group 101
pass in quick proto udp from any to any port = 53 keep state group 102
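As an added illustration (not from the post, and not IP Filter's own code), the Python model below walks a simplified copy of the inbound fxp1 rules above with IPF's last-match, `quick` and `head`/`group` semantics and reports which rule finally decides an unsolicited inbound packet. It shows that anything the last ruleset does not explicitly pass, for example a remote mail server's ident callback to TCP port 113 during an outbound SMTP session (a classic reason for a sendmail peer to stall until its ident lookup times out), ends at the plain `block` of the tcp head rule and is dropped silently rather than refused. Assumptions: the remote host 5.6.7.8 is constructed, 1.2.3.4 is the gateway address from the post, and `with ...`, `keep state` and the ICMP rules are left out.

```python
# Model of IP Filter rule evaluation applied to the inbound fxp1 rules above. Added
# illustration, not IPF code: 'with ...', 'keep state' and ICMP rules are omitted.
import ipaddress

def rule(action, proto=None, src='any', dst='any', port=None, syn_only=False,
         quick=False, head=None, group=None):
    return locals()

# Constructed, simplified copy of the post's inbound fxp1 rules, in file order.
RULES = [
    rule('block', dst='192.168.0.0/16', quick=True),
    rule('block', dst='127.0.0.0/8', quick=True),
    rule('block', src='192.168.0.0/16', quick=True),
    rule('block', src='172.16.0.0/12', quick=True),
    rule('block', src='10.0.0.0/8', quick=True),
    rule('block', src='127.0.0.0/8', quick=True),
    rule('block', head=100),                          # block in on fxp1 all head 100
    rule('block', proto='tcp', syn_only=True, head=101, group=100),  # flags S/SA
    rule('block', proto='udp', head=102, group=100),
    rule('pass', proto='tcp', port=22, quick=True, group=101),
    rule('pass', proto='udp', port=53, quick=True, group=102),
]

def _in_net(addr, net):
    return net == 'any' or ipaddress.ip_address(addr) in ipaddress.ip_network(net)

def matches(r, pkt):  # pkt: dict with proto, src, dst and optional dport, syn, ack
    return bool((r['proto'] is None or pkt['proto'] == r['proto'])
                and _in_net(pkt['src'], r['src']) and _in_net(pkt['dst'], r['dst'])
                and (r['port'] is None or pkt.get('dport') == r['port'])
                and (not r['syn_only'] or (pkt.get('syn') and not pkt.get('ack'))))

def evaluate(pkt, group=None):
    """Return (action, rule_index, final). IPF keeps the *last* matching rule unless
    a match is 'quick'; a matching 'head' rule runs its group before continuing."""
    last = ('pass', None)                     # IPF default when nothing matches
    for i, r in enumerate(RULES):
        if r['group'] != group or not matches(r, pkt):
            continue
        last = (r['action'], i)
        if r['quick']:
            return last + (True,)
        if r['head'] is not None:
            act, idx, final = evaluate(pkt, r['head'])
            if idx is not None:
                last = (act, idx)
            if final:
                return last + (True,)
    return last + (False,)
```

A SYN to port 113 from 5.6.7.8 evaluates to `('block', 7, False)`: rule 7 is a silent drop, so the peer only gives up after its own timeout, whereas a `block return-rst` for that port would make the refusal immediate.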