From: "Corey Snow"
To: "Corey Snow"
Cc: "FBSDQ"
Date: Wed, 19 Jun 2002 19:58:34 -0700
Subject: RE: ipfw dropping legit packets?
Message-ID: <3D10E26A.23241.2486199@localhost>
References: <3D10C128.8915.1C677A9@localhost>

On 19 Jun 2002, at 22:02, Joe & Fhe Barbish wrote:

Hi Joe-

> I have the same thing.
> You will be surprised when you see what is happening.
> Do this test: take the IP address you see in the log messages and use
> it in your browser as the URL.
> I think you will find out that what is being denied is the auto-spawn
> web pages that are hidden in the original viewed URL.
> You are using exclusively advanced stateful keep-state ipfw rules, and
> an undocumented benefit is the blocking of auto-spawn URLs.
> This is a good thing.
> If you do not want to see them in your log, then add a rule just before your
> last rule like this:
>
> add deny tcp from any to any 80 out via ed0

I don't see how this could be the case, unless I'm completely misunderstanding things.
The remote address has a socket of 80 and the local address is mine, meaning that the ipfw rules should allow it, even if it is to advertisement-type sites or popup ads. If it's a new connection caused by JavaScript in the web page, that should still be allowed; after all, the firewall can't tell if it's a link I clicked or an automatically generated request. Shouldn't my other firewall rules allow the web browser to initiate connections to web servers?

Also, the IP addresses in question, some of which I checked via nslookup, were the legitimate IPs of the domains I was visiting.

Any further insight or info on what you think might be happening is appreciated.

Regards,
Corey Snow
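The disagreement above comes down to what the denied packets look like: Joe expects outbound requests to ad servers, Corey reports inbound segments from remote port 80 to his own host. A quick triage of the ipfw log separates the two cases. The script below is an added example and is not code from the thread or from FreeBSD; it assumes the FreeBSD 4.x syslog form of an ipfw "log" rule ("ipfw: <rule> Deny TCP <src>:<sport> <dst>:<dport> in|out via <iface>"), and the log lines and addresses in SAMPLE_LOG are constructed (RFC 5737 documentation ranges), with 203.0.113.5 standing in for the firewall host. Inbound denies from remote port 80 to a local ephemeral port are replies to connections the local browser opened; if the matching keep-state entry had still existed they would have passed check-state, so a run of those (from the very hosts one was browsing, as Corey saw) points at the dynamic rule having expired or been missing rather than at blocked ad spawns. Outbound denies with destination port 80 are what Joe's suggested "deny tcp from any to any 80 out" rule would produce.

```python
import re
from collections import Counter

# Assumed log format (FreeBSD 4.x syslog output of an ipfw "log" rule):
#   ipfw: <rule> Deny TCP <src>:<sport> <dst>:<dport> in|out via <iface>
IPFW_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\S+) (?P<proto>\S+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)

# Constructed sample: the firewall host is 203.0.113.5 (documentation range).
LOCAL_ADDRS = {"203.0.113.5"}
SAMPLE_LOG = """\
Jun 19 19:40:12 intrepid /kernel: ipfw: 65000 Deny TCP 192.0.2.10:80 203.0.113.5:3021 in via ed0
Jun 19 19:40:13 intrepid /kernel: ipfw: 65000 Deny TCP 198.51.100.7:80 203.0.113.5:3022 in via ed0
Jun 19 19:40:15 intrepid /kernel: ipfw: 65000 Deny TCP 198.51.100.99:4444 203.0.113.5:80 in via ed0
Jun 19 19:40:16 intrepid /kernel: ipfw: 65000 Deny UDP 192.0.2.53:53 203.0.113.5:1025 in via ed0
Jun 19 19:40:20 intrepid /kernel: ipfw: 60000 Deny TCP 203.0.113.5:3030 192.0.2.10:80 out via ed0
Jun 19 19:41:00 intrepid sshd[214]: Accepted publickey for corey from 192.0.2.44
"""


def parse_line(line):
    """Return the fields of one ipfw log line as a dict, or None for other lines."""
    m = IPFW_RE.search(line)
    if not m:
        return None
    entry = m.groupdict()
    for key in ("rule", "sport", "dport"):
        entry[key] = int(entry[key])
    return entry


def classify(entry, local_addrs):
    """Label a denied TCP packet by what it implies about the ruleset.

    stale_web_reply      - inbound from remote port 80 to a local ephemeral port:
                           a reply to a connection this host opened, i.e. no
                           dynamic keep-state entry matched it any more.
    unsolicited_inbound  - inbound to a local service port or from a non-web
                           source port: the firewall doing its normal job.
    outbound_web_blocked - a local client stopped from reaching port 80, which
                           is what a "deny tcp from any to any 80 out" rule logs.
    """
    if entry["proto"].upper() != "TCP":
        return "other"
    if entry["dir"] == "in" and entry["dst"] in local_addrs:
        if entry["sport"] == 80 and entry["dport"] >= 1024:
            return "stale_web_reply"
        return "unsolicited_inbound"
    if entry["dir"] == "out" and entry["src"] in local_addrs and entry["dport"] == 80:
        return "outbound_web_blocked"
    return "other"


def summarize(log_text, local_addrs):
    """Count denied packets per category and list web servers whose replies were dropped."""
    counts = Counter()
    stale_servers = set()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or entry["action"] != "Deny":
            continue
        category = classify(entry, local_addrs)
        counts[category] += 1
        if category == "stale_web_reply":
            stale_servers.add(entry["src"])
    return counts, sorted(stale_servers)


if __name__ == "__main__":
    counts, servers = summarize(SAMPLE_LOG, LOCAL_ADDRS)
    for category, n in sorted(counts.items()):
        print(f"{category:22s} {n}")
    print("web servers whose replies were denied:", ", ".join(servers))
```

Run it against /var/log/security (or wherever the ipfw log rule writes) with LOCAL_ADDRS set to the firewall's own addresses. A high stale_web_reply count with no outbound_web_blocked entries matches Corey's report rather than Joe's explanation; the next thing to check in that situation is the dynamic-rule lifetimes (the net.inet.ip.fw.dyn_* sysctls) and whether the check-state rule sits before the rule that logs the denies. The thread itself does not settle which of these applies.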