# Firewall slows down Apache web server



## haimat (Nov 21, 2013)

I have an Apache web server running on a FreeBSD 8.3 machine. That machine has an ipfw firewall with these rules:

```
00005 deny ip from 67.212.xxx.xxx to any
00010 allow ip from any to any via lo0
00015 deny ip from any to 127.0.0.0/8
00020 deny ip from 127.0.0.0/8 to any
00050 check-state
00060 allow tcp from any to any established
00061 allow ip from any to any out keep-state
00070 allow icmp from any to any
00080 deny ip from me to me in recv re0
00098 allow tcp from me to 83.64.xxx.xxx out established keep-state
00099 allow tcp from 83.64.xxx.xxx to me dst-port 22 in setup keep-state
00100 allow tcp from any to any dst-port 22 in setup keep-state
00110 allow tcp from any to any dst-port 22 out setup keep-state
00160 allow tcp from any to any dst-port 25 out setup keep-state
00180 allow tcp from any to any dst-port 53 out setup keep-state
00185 allow udp from any to any dst-port 53 out keep-state
00200 allow tcp from any to any dst-port 80,443 in setup keep-state
00210 allow tcp from any to any dst-port 80,443 out setup keep-state
00250 allow udp from any to any dst-port 123 out keep-state
00280 allow udp from any to any dst-port 67-68 out keep-state
00300 allow tcp from any to any dst-port 5222,5223,5269 in setup keep-state
00305 allow tcp from any to any dst-port 5222,5223,5269 out setup keep-state
00999 deny ip from any to any
65535 deny ip from any to any
```
As soon as I enable these firewall rules, the Apache server "slows down", i.e. many connections hang and pages take seconds to load instead of ms. This can be tested from different source networks and clients. In /server-status I can see many (most) of the Apache slots in the reading state, doing nothing. When I then stop the firewall, the Apache server immediately comes back to normal performance again.

Any ideas what could be wrong with these firewall rules?
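ipfw evaluates a ruleset top to bottom and the first matching rule decides the packet, so the quickest way to reason about a ruleset like the one above is to trace individual packets through it. The following is an added example, not code from this thread or from ipfw itself: a small Python tracer that understands only the keywords the posted rules use (from/to, dst-port, in/out, via/recv, setup, established, keep-state/check-state), replays a few constructed packets against the posted rules, and reports the rule number and action each packet gets. The server address (ME), the client and name server addresses, and the octets masked as xxx in the post are all constructed placeholder values; the flow table is a simplified model of ipfw's dynamic rules (a state hit always yields allow, which holds here because every keep-state rule in the post is an allow rule, and recv is only checked on inbound packets).

```python
"""Added example (not from the thread): first-match tracer for the ipfw(8) subset the
posted rules use. Masked octets are constructed placeholders; ME is constructed."""
import ipaddress
ME = {"203.0.113.10"}  # constructed: the server's own address (TEST-NET-3)
RULES_TEXT = """
00005 deny ip from 67.212.0.1 to any
00010 allow ip from any to any via lo0
00015 deny ip from any to 127.0.0.0/8
00020 deny ip from 127.0.0.0/8 to any
00050 check-state
00060 allow tcp from any to any established
00061 allow ip from any to any out keep-state
00070 allow icmp from any to any
00080 deny ip from me to me in recv re0
00098 allow tcp from me to 83.64.0.1 out established keep-state
00099 allow tcp from 83.64.0.1 to me dst-port 22 in setup keep-state
00100 allow tcp from any to any dst-port 22 in setup keep-state
00110 allow tcp from any to any dst-port 22 out setup keep-state
00160 allow tcp from any to any dst-port 25 out setup keep-state
00180 allow tcp from any to any dst-port 53 out setup keep-state
00185 allow udp from any to any dst-port 53 out keep-state
00200 allow tcp from any to any dst-port 80,443 in setup keep-state
00210 allow tcp from any to any dst-port 80,443 out setup keep-state
00250 allow udp from any to any dst-port 123 out keep-state
00280 allow udp from any to any dst-port 67-68 out keep-state
00300 allow tcp from any to any dst-port 5222,5223,5269 in setup keep-state
00305 allow tcp from any to any dst-port 5222,5223,5269 out setup keep-state
00999 deny ip from any to any
"""

def parse_rule(line):
    # '<num> <action> <proto> from <src> to <dst> [options...]' or '<num> check-state'
    tok = line.split()
    r = {"num": int(tok[0]), "action": tok[1], "opts": set(), "ports": []}
    if r["action"] == "check-state":
        return r
    r["proto"], r["src"], r["dst"] = tok[2], tok[4], tok[6]
    i = 7
    while i < len(tok):
        if tok[i] == "dst-port":  # "80,443" or "67-68"
            for part in tok[i + 1].split(","):
                lo, _, hi = part.partition("-")
                r["ports"].append((int(lo), int(hi or lo)))
        elif tok[i] in ("via", "recv"):  # interface qualifiers
            r[tok[i]] = tok[i + 1]
        else:  # in, out, setup, established, keep-state
            r["opts"].add(tok[i])
        i += 2 if tok[i] in ("dst-port", "via", "recv") else 1
    return r

def addr_match(spec, addr):  # any, me, a host address, or a CIDR prefix
    return spec == "any" or (addr in ME if spec == "me" else
                             ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False))

def rule_match(r, p):  # stateless match of packet dict p against parsed rule r
    o, tcp = r["opts"], p["proto"] == "tcp"
    return all([
        r["proto"] in ("ip", p["proto"]),
        addr_match(r["src"], p["src"]) and addr_match(r["dst"], p["dst"]),
        not r["ports"] or any(lo <= p["dport"] <= hi for lo, hi in r["ports"]),
        "in" not in o or p["dir"] == "in",
        "out" not in o or p["dir"] == "out",
        r.get("via", p["iface"]) == p["iface"],
        "recv" not in r or (p["dir"] == "in" and r["recv"] == p["iface"]),
        # ipfw semantics: setup = SYN without ACK; established = ACK or RST set
        "setup" not in o or (tcp and p["flags"] == {"SYN"}),
        "established" not in o or (tcp and bool(p["flags"] & {"ACK", "RST"})),
    ])

def flow_key(p):  # direction-independent, so replies hit the same entry
    return (p["proto"], frozenset({(p["src"], p["sport"]), (p["dst"], p["dport"])}))
def trace(rules, p, state):
    """Return (rule number, action) of the first rule that decides packet p."""
    for r in rules:
        dynamic = r["action"] == "check-state" or "keep-state" in r["opts"]
        if dynamic and flow_key(p) in state:  # check-state, explicit or implicit
            return r["num"], "allow"
        if r["action"] != "check-state" and rule_match(r, p):
            if r["action"] == "allow" and "keep-state" in r["opts"]:
                state.add(flow_key(p))
            return r["num"], r["action"]
    return 65535, "deny"  # the implicit default rule

def demo():  # replay a constructed conversation; returns {label: (rule number, action)}
    rules = [parse_rule(l) for l in RULES_TEXT.strip().splitlines()]
    state, me, client, ns = set(), "203.0.113.10", "198.51.100.7", "203.0.113.53"
    def pkt(proto, src, dst, sport, dport, direction, flags=()):
        return dict(proto=proto, src=src, dst=dst, sport=sport, dport=dport,
                    dir=direction, iface="re0", flags=set(flags))
    packets = [
        ("client SYN to port 80", pkt("tcp", client, me, 51000, 80, "in", {"SYN"})),
        ("client ACK on that flow", pkt("tcp", client, me, 51000, 80, "in", {"ACK"})),
        ("ACK to port 80 with no flow state", pkt("tcp", "198.51.100.8", me, 40000, 80, "in", {"ACK"})),
        ("outbound DNS query", pkt("udp", me, ns, 6000, 53, "out")),
        ("reply to that DNS query", pkt("udp", ns, me, 53, 6000, "in")),
        ("unsolicited UDP/53 from the internet", pkt("udp", "198.51.100.9", me, 53, 53, "in")),
        ("anything from the blocked host", pkt("tcp", "67.212.0.1", me, 4000, 80, "in", {"SYN"})),
    ]
    return {label: trace(rules, p, state) for label, p in packets}

if __name__ == "__main__":
    for label, (num, action) in demo().items():
        print(f"{label:38s} -> rule {num:05d} {action}")
```

Run it directly to get one line per constructed packet. Tracing the posted rules this way shows, for instance, that the second packet of an accepted flow is decided by check-state at rule 50, that a packet carrying ACK but belonging to no known flow is admitted by rule 60, and that an unsolicited inbound UDP datagram falls through to the deny at 999. None of that by itself explains why Apache slows down, but knowing which rule admits or drops which packet is the first step in narrowing it down, and the same tracer can be pointed at an edited ruleset before it is loaded.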


----------



## dalecosp (Nov 21, 2013)

```
00005 deny ip from 67.212.xxx.xxx to any
```
Is this the netblock the server is in, by any chance?


----------



## haimat (Nov 21, 2013)

No, this is a remote IP that spams us all the time. Also, the Apache server is responding, but only in a very limited way (slowly).


----------

