Re: IPFilter Questions
From: Dean E. Weimer (dweimer@Happydays.DynDNS.Org)
Date: 03/01/02
Date: Fri, 1 Mar 2002 13:40:42 -0600 (CST)
From: "Dean E. Weimer" <dweimer@Happydays.DynDNS.Org>
To: Eric Anderson <anderson@centtech.com>
Opening port 20 works; however, is there some error here? Why wouldn't
ipmon report a block from 207.46.106.150,20 instead of 207.46.106.150,80?
I knew perfectly well that ftp didn't work with my config; I hadn't got to
that one yet.
I did try other sites too; Microsoft was just the first one I tried, and
the only one that I noted the exact log messages from. I was using IE6.0,
and then tried lynx locally on the firewall to verify that it wasn't some
internal routing issue. I am remotely connected now, so lynx is all I
can test at the moment, but that works with port 20 open.
On Fri, 1 Mar 2002, Eric Anderson wrote:
> I'm assuming nothing. I would try an ftp, and an http download from NON-MS
> sites.. I've had troubles in the past with them if I don't use IE5.x or
> "better"..
>
> Eric
>
>
> "Dean E. Weimer" wrote:
> >
> > I would be assuming that it is http since the port that is in the output
> > from ipmon is 80, however if it were trying passive ftp this would cause
> > the problem.
> >
> > On Fri, 1 Mar 2002, Eric Anderson wrote:
> >
> > > Is it using FTP or HTTP to do the transfer?
> > >
> > > Eric
> > >
> > >
> > > "Dean E. Weimer" wrote:
> > > >
> > > > I recently set up IPFilter on my FreeBSD 4-5 system, and have most things
> > > > working. One thing that isn't is http downloads: I can browse the web just
> > > > fine, and even right click on an image and do a save image as, however if I
> > > > go to Microsoft's download page and try to download something, I receive the
> > > > first packet, and everything else gets blocked. Here are the relevant rules
> > > > from my ipf.rules file.
> > > >
> > > > pass in quick on tun0 proto tcp from any to any port = 80 flags S keep state keep frags
> > > > block out log quick on tun0 proto tcp from 10.240.98.0/24 to any port = 80 keep state
> > > > pass out quick on tun0 proto tcp from any to any port = 80 keep state
> > > >
> > > > block return-rst in log quick on tun0 proto tcp from any to any keep state
> > > > block return-icmp-as-dest(port-unr) in log quick on tun0 proto udp from any to any keep state
> > > > block in log on tun0 all
> > > > block out log on tun0 all
> > > >
> > > > The first rule seems to work fine, allowing me to browse the web pages on my
> > > > system just fine; it keeps the state open and allows port 80 out after it
> > > > receives the connection. The second rule works fine, forcing my Windows
> > > > clients to not use NAT and instead use the proxy server (SQUID 2.4-STABLE4
> > > > running on the firewall server), which the third rule then allows to go out, and
> > > > keeps the state open to allow text and images back in. Now what doesn't
> > > > happen is downloads: if I click a link to download a file, I get the first
> > > > packet, and then it hangs. Looking at the logs gives me this:
> > > >
> > > > First from ipmon:
> > > > (date & time) @0:12 b 207.46.106.150,80 -> 64.218.106.107,2124 PR tcp len 20 1492 -A K-S IN
> > > > (date & time) @65535:0 b 64.218.106.107,2124 -> 207.46.106.150,80 PR tcp len 20 1492 -A K-S IN
> > > >
> > > > Then with ipfstat -t:
> > > > 64.218.106.107,2124 207.46.106.150,80 4/4 tcp 33 12927 0:15
> > > > 207.46.106.150,80 64.218.106.107,2124 4/6 5 1700 1:59:31
> > > >
> > > > 64.218.106.150 was my DSL IP address at the time, and 207.46.106.151 is the
> > > > IP address of Microsoft's Server.
> > > >
> > > > The questions??
> > > > What I want to know is why the download is being blocked, and not being
> > > > passed in because of the state that should have been saved from the outbound
> > > > connection? Did I just miss something simple??
> > > > Also, is this the correct way to handle dynamic IPs? I have an "ipf -y"
> > > > command in my link.up and link.down scripts.
> > > >
> > > > Thanks,
> > > > Dean E. Weimer
> > > >
> > > > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > > > with "unsubscribe freebsd-security" in the body of the message
> > >
> > > --
> > > ------------------------------------------------------------------
> > > Eric Anderson Systems Administrator Centaur Technology
> > > If at first you don't succeed, sky diving is probably not for you.
> > > ------------------------------------------------------------------
> > >
>
> --
> ------------------------------------------------------------------
> Eric Anderson Systems Administrator Centaur Technology
> If at first you don't succeed, sky diving is probably not for you.
> ------------------------------------------------------------------
>
>
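The whole thread turns on how ipf walks a ruleset: the state table is consulted before any rule, `quick` stops at the first match while non-quick rules let a later match override an earlier one, a `pass ... keep state` rule creates a state entry that then passes both directions of that connection, and `flags S` only matches a bare SYN. The following Python model is an added example written for this page; it is not ipf code and not Dean's or Eric's, and it deliberately simplifies ipf (state is a plain 5-tuple with no timeout, `return-rst`/`return-icmp-as-dest` are treated as a plain block, the `on tun0` interface is parsed but not matched, `keep frags` is ignored, and `flags` are compared under ipf's default FSRPAU mask). It parses the ruleset quoted above and replays constructed packets through it; the firewall and server addresses are the two from the ipmon log lines, the 10.240.98.5 LAN host is made up.

```python
import ipaddress
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional

Packet = namedtuple("Packet", "direction proto src sport dst dport flags", defaults=("",))

@dataclass
class Rule:
    action: str                    # "pass" or "block"
    direction: str                 # "in" or "out"
    on: Optional[str] = None       # interface name, parsed but not matched on in this model
    proto: str = "any"
    src: str = "0.0.0.0/0"         # CIDR; "any" is parsed to the whole address space
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None
    flags: Optional[str] = None    # "S" or "S/SA" style, as written in ipf.conf
    quick: bool = False
    keep_state: bool = False

    def matches(self, p: Packet) -> bool:
        if (self.direction != p.direction or self.proto not in ("any", p.proto)
                or self.dport not in (None, p.dport)):
            return False
        if not (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src, strict=False)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst, strict=False)):
            return False
        if self.flags is None:
            return True
        # ipf masks the flags (default mask FSRPAU), so plain "flags S" means SYN set and all others clear
        want, _, mask = self.flags.partition("/")
        return p.proto == "tcp" and {f for f in p.flags if f in (mask or "FSRPAU")} == set(want)

def parse_rule(line: str) -> Rule:
    toks = line.split()
    action = toks.pop(0)
    if toks[0].startswith("return-"):   # return-rst etc. only change how a block is answered
        toks.pop(0)
    rule = Rule(action=action, direction=toks.pop(0))
    while toks:
        w = toks.pop(0)
        if w == "quick":
            rule.quick = True
        elif w in ("on", "proto", "flags"):
            setattr(rule, w, toks.pop(0))
        elif w in ("from", "to"):
            addr = toks.pop(0)
            setattr(rule, "src" if w == "from" else "dst", "0.0.0.0/0" if addr == "any" else addr)
            if w == "to" and toks[:2] == ["port", "="]:   # only destination ports occur in this ruleset
                del toks[:2]
                rule.dport = int(toks.pop(0))
        elif w == "keep":
            rule.keep_state |= toks.pop(0) == "state"   # "keep frags" is accepted and ignored
        elif w not in ("log", "all"):                   # logging and "all" change nothing here
            raise ValueError(f"unsupported keyword {w!r}")
    return rule

RULES_TEXT = """\
pass in quick on tun0 proto tcp from any to any port = 80 flags S keep state keep frags
block out log quick on tun0 proto tcp from 10.240.98.0/24 to any port = 80 keep state
pass out quick on tun0 proto tcp from any to any port = 80 keep state
block return-rst in log quick on tun0 proto tcp from any to any keep state
block return-icmp-as-dest(port-unr) in log quick on tun0 proto udp from any to any keep state
block in log on tun0 all
block out log on tun0 all
"""

class Firewall:
    def __init__(self, rules):
        self.rules, self.state = rules, set()   # state: 5-tuples created by "keep state" pass rules

    def filter(self, p: Packet):
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        if key in self.state or rev in self.state:
            return "pass", "state"              # both directions of a known connection skip the rules
        verdict, hit = ("pass", "no match"), None   # ipf passes when no rule matches at all
        for n, r in enumerate(self.rules, start=1):
            if r.matches(p):
                verdict, hit = (r.action, f"@0:{n}"), r   # last match wins unless it says quick
                if r.quick:
                    break
        if hit is not None and hit.action == "pass" and hit.keep_state:
            self.state.add(key)
        return verdict                          # ("pass"|"block", ipmon-style group:rule tag)

def walk_through():
    fw = Firewall([parse_rule(l) for l in RULES_TEXT.splitlines()])
    FW, MS, LAN = "64.218.106.107", "207.46.106.150", "10.240.98.5"   # LAN host is constructed
    steps = [
        ("squid on the firewall opens HTTP out",    Packet("out", "tcp", FW, 2124, MS, 80, "S")),
        ("server's reply hits the state entry",     Packet("in", "tcp", MS, 80, FW, 2124, "A")),
        ("LAN client trying to bypass the proxy",   Packet("out", "tcp", LAN, 1025, MS, 80, "S")),
        ("inbound ACK with no matching state",      Packet("in", "tcp", MS, 80, FW, 2125, "A")),
        ("inbound SYN to the local web server",     Packet("in", "tcp", MS, 3000, FW, 80, "S")),
        ("its SYN-ACK back out through that state", Packet("out", "tcp", FW, 80, MS, 3000, "SA")),
    ]
    return [(label,) + fw.filter(p) for label, p in steps]
```

Running `walk_through()` shows the behaviour Dean describes for the first three rules (squid's outbound connection passes on rule 3 and its reply comes back on state, a LAN client going straight to port 80 is stopped by rule 2), and also shows that an inbound ACK-only packet with no state entry never reaches the `flags S` rule and falls through to the `block return-rst` rule, which is what a logged `-A` block with no corresponding state looks like in this model.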