Re: IPFilter Questions

From: Dean E. Weimer (dweimer@Happydays.DynDNS.Org)
Date: 03/01/02


Date: Fri, 1 Mar 2002 13:40:42 -0600 (CST)
From: "Dean E. Weimer" <dweimer@Happydays.DynDNS.Org>
To: Eric Anderson <anderson@centtech.com>

Opening port 20 works; however, is there some error here? Why wouldn't
ipmon report a block from 207.46.106.150,20 instead of 207.46.106.150,80?
I knew perfectly well that ftp didn't work with my config; I hadn't got to
that one yet.

I did try other sites too. Microsoft was just the first one I tried, and
the only one that I noted the exact log messages from. I was using IE6.0,
and then tried lynx locally on the firewall to verify that it wasn't some
internal routing issue. I am remotely connected now, so lynx is all I
can test at the moment, but that works with port 20 open.

On Fri, 1 Mar 2002, Eric Anderson wrote:

> I'm assuming nothing. I would try an ftp, and an http download from NON-MS
> sites.. I've had troubles in the past with them if I don't use IE5.x or
> "better"..
>
> Eric
>
>
> "Dean E. Weimer" wrote:
> >
> > I would be assuming that it is http since the port that is in the output
> > from ipmon is 80, however if it were trying passive ftp this would cause
> > the problem.
> >
> > On Fri, 1 Mar 2002, Eric Anderson wrote:
> >
> > > Is it using FTP or HTTP to do the transfer?
> > >
> > > Eric
> > >
> > >
> > > "Dean E. Weimer" wrote:
> > > >
> > > > I recently set up IPFilter on my FreeBSD 4-5 system, and have most things
> > > > working; one thing that isn't is http downloads. I can browse the web just
> > > > fine, and even right click on an image and do a save image as; however, if I
> > > > go to Microsoft's download page and try to download something, I receive the
> > > > first packet, and everything else gets blocked. Here are the relevant rules
> > > > from my ipf.rules file.
> > > >
> > > > pass in quick on tun0 proto tcp from any to any port = 80 flags S keep state keep frags
> > > > block out log quick on tun0 proto tcp from 10.240.98.0/24 to any port = 80 keep state
> > > > pass out quick on tun0 proto tcp from any to any port = 80 keep state
> > > >
> > > > block return-rst in log quick on tun0 proto tcp from any to any keep state
> > > > block return-icmp-as-dest(port-unr) in log quick on tun0 proto udp from any to any keep state
> > > > block in log on tun0 all
> > > > block out log on tun0 all
> > > >
> > > > The first rule seems to work fine, allowing me to browse the web pages on my
> > > > system just fine; it keeps the state open and allows port 80 out after it
> > > > receives the connection. The second rule works fine, forcing my windows
> > > > clients to not use NAT and instead use the proxy server (SQUID 2.4-STABLE4
> > > > running on the firewall server), which the third rule then allows to go out, and
> > > > keeps the state open to allow text and images back in. Now what doesn't
> > > > happen is downloads: if I click a link to download a file, I get the first
> > > > packet, and then it hangs. Looking at the logs gives me this:
> > > >
> > > > First from ipmon:
> > > > (date & time) @0:12 b 207.46.106.150,80 -> 64.218.106.107,2124 PR tcp len 20 1492 -A K-S IN
> > > > (date & time) @65535:0 b 64.218.106.107,2124 -> 207.46.106.150,80 PR tcp len 20 1492 -A K-S IN
> > > >
> > > > Then with ipfstat -t:
> > > > 64.218.106.107,2124 207.46.106.150,80 4/4 tcp 33 12927 0:15
> > > > 207.46.106.150,80 64.218.106.107,2124 4/6 5 1700 1:59:31
> > > >
> > > > 64.218.106.150 was my DSL IP address at the time, and 207.46.106.151 is the
> > > > IP address of Microsoft's Server.
> > > >
> > > > The questions??
> > > > What I want to know is why the download is being blocked, and not being
> > > > passed in because of the state that should have been saved from the outbound
> > > > connection? Did I just miss something simple??
> > > > Also is this the correct way to handle dynamic IP's? I have an "ipf -y"
> > > > command in my link.up and link.down scripts.
> > > >
> > > > Thanks,
> > > > Dean E. Weimer
> > > >
> > > > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > > > with "unsubscribe freebsd-security" in the body of the message
> > >
> > > --
> > > ------------------------------------------------------------------
> > > Eric Anderson Systems Administrator Centaur Technology
> > > If at first you don't succeed, sky diving is probably not for you.
> > > ------------------------------------------------------------------
> > >
>
>

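The thread's core puzzle is a packet being blocked even though the outbound keep-state rule should have created state for it, and the two artefacts that settle that question are quoted above: the ipmon records and the ipfstat -t state table. Cross-referencing the two is the quickest triage: a blocked packet whose 4-tuple already appears in the state table points at rule ordering (a quick block rule winning) or a failed state match, not at a missing pass rule. The script below is an added example, not code from this thread or from IPFilter; the sample ipmon and ipfstat lines are constructed to mirror the layout quoted above, and the timestamp and interface name in them are assumptions (the thread elides them as "(date & time)").

```python
"""Cross-check ipmon block records against the ipfstat -t state table.

Added example, not code from the thread or from IPFilter. It parses the
two output formats quoted in the thread and lists blocked packets whose
4-tuple already has a state entry, which is the symptom the thread describes.
"""
import re
from dataclasses import dataclass

# Constructed ipmon lines in the layout quoted in the thread. The timestamp
# and interface name are assumptions; the thread shows them as "(date & time)".
IPMON_SAMPLE = """\
01/03/2002 13:40:42.000001 tun0 @0:12 b 207.46.106.150,80 -> 64.218.106.107,2124 PR tcp len 20 1492 -A K-S IN
01/03/2002 13:40:42.000002 tun0 @65535:0 b 64.218.106.107,2124 -> 207.46.106.150,80 PR tcp len 20 1492 -A K-S IN
01/03/2002 13:40:43.000003 tun0 @0:3 p 64.218.106.107,2125 -> 198.51.100.7,80 PR tcp len 20 60 -S K-S OUT
"""

# Constructed ipfstat -t lines: src, dst, tcp state, proto, packets, bytes, ttl.
IPFSTAT_SAMPLE = """\
64.218.106.107,2124 207.46.106.150,80 4/4 tcp 33 12927 0:15
207.46.106.150,80 64.218.106.107,2124 4/6 tcp 5 1700 1:59:31
"""

IPMON_RE = re.compile(
    r"@(?P<group>\d+):(?P<rule>\d+)\s+(?P<action>[bpS])\s+"
    r"(?P<src>[\d.]+),(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+),(?P<dport>\d+)\s+"
    r"PR\s+(?P<proto>\w+)\s+len\s+(?P<hlen>\d+)\s+(?P<plen>\d+)(?P<rest>.*)$"
)
STATE_RE = re.compile(
    r"^(?P<src>[\d.]+),(?P<sport>\d+)\s+(?P<dst>[\d.]+),(?P<dport>\d+)\s+"
    r"(?P<tcpstate>\d+/\d+)\s+(?P<proto>\w+)\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+(?P<ttl>[\d:]+)"
)


@dataclass(frozen=True)
class Packet:
    action: str        # b = blocked, p = passed, S = short packet
    group: int         # rule group and number from the @group:rule field
    rule: int
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    tcp_flags: str     # letters after the leading '-' (e.g. "A", "S")
    keep_state: bool   # K-S present: the matching rule has keep state
    direction: str     # IN or OUT

    def flow(self):
        """Direction-agnostic key so a reply matches the state of its request."""
        return (self.proto, frozenset({(self.src, self.sport), (self.dst, self.dport)}))


@dataclass(frozen=True)
class StateEntry:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    pkts: int
    nbytes: int

    def flow(self):
        return (self.proto, frozenset({(self.src, self.sport), (self.dst, self.dport)}))


def parse_ipmon(text):
    """Return one Packet per ipmon record; lines that do not match are skipped."""
    packets = []
    for line in text.splitlines():
        m = IPMON_RE.search(line)
        if not m:
            continue
        tcp_flags, keep_state, direction = "", False, ""
        for tok in m.group("rest").split():
            if tok == "K-S":
                keep_state = True
            elif tok in ("IN", "OUT"):
                direction = tok
            elif tok.startswith("-") and len(tok) > 1:
                tcp_flags = tok[1:]
        packets.append(Packet(m["action"], int(m["group"]), int(m["rule"]),
                              m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                              m["proto"], tcp_flags, keep_state, direction))
    return packets


def parse_states(text):
    """Return one StateEntry per ipfstat -t line that matches the expected layout."""
    entries = []
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if m:
            entries.append(StateEntry(m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                                      m["proto"], int(m["pkts"]), int(m["bytes"])))
    return entries


def blocked_with_state(ipmon_text, ipfstat_text):
    """Blocked packets whose flow already has a state entry.

    A hit means the block is not caused by a missing pass rule: either a
    quick block rule matched first or the state lookup failed for that packet.
    """
    known = {s.flow() for s in parse_states(ipfstat_text)}
    return [p for p in parse_ipmon(ipmon_text) if p.action == "b" and p.flow() in known]


if __name__ == "__main__":
    for p in blocked_with_state(IPMON_SAMPLE, IPFSTAT_SAMPLE):
        print(f"blocked by @{p.group}:{p.rule} despite state: "
              f"{p.src},{p.sport} -> {p.dst},{p.dport} flags={p.tcp_flags} {p.direction}")
```

Run against real output, feed it the ipmon log and the output of ipfstat -t captured within a few seconds of each other, since state entries expire. The flow key deliberately ignores direction: the thread's two blocked records are the same connection seen from both ends, and both should match the same state entry.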


