From owner-freebsd-security Fri Mar 1 13:17:43 2002
Message-ID: <3C7FEFD0.36A532EC@centtech.com>
Date: Fri, 01 Mar 2002 15:17:04 -0600
From: Eric Anderson
Reply-To: anderson@centtech.com
Organization: Centaur Technology
To: pfak@telus.net
Cc: dweimer@swbell.net, freebsd-security@freebsd.org
Subject: Re: IPFilter Questions
References: <3c7fef42.5465.0@telus.net>

Look in /etc/services:

ftp-data    20/tcp    #File Transfer [Default Data]
ftp-data    20/udp    #File Transfer [Default Data]
ftp         21/tcp    #File Transfer [Control]
ftp         21/udp    #File Transfer [Control]

port 20 is for ftp data..

Eric

Peter Kieser wrote:
>
> Hmm. I always thought FTP was port 21.. Someone prove me wrong here. Also, why
> are you blocking port 80 going out? And the flags you're using may have something
> to do with it.
>
> --Peter
>
> >Port 20 is the ftp-data port, so opening that allowed the ftp-data to come back
> >thru, so it sounds like it was an ftp transfer. Ftp is a strange and old beast,
> >so don't try to make perfect sense of it.. I'm not the expert on this list,
> >that's for sure, so you may want to wait until someone describes the "real"
> >cause. :D
> >
> >Eric
> >
> >
> >"Dean E. Weimer" wrote:
> >>
> >> OK, I realize that I made a mistake in my last reply, I understand that
> >> port 80 on their end means nothing, because you can use any outgoing port
> >> you want such as 2124 that my proxy used in this example, but the inbound
> >> port that ipmon reported blocked was the same as my outbound port that I
> >> initiated the download with. If opening port 20 allows the data in, why
> >> wasn't the connection reported blocked on port 20 instead of 2124 that
> >> this example used?
> >>
> >> On Fri, 1 Mar 2002, Eric Anderson wrote:
> >>
> >> > I'm assuming nothing. I would try an ftp, and an http download from NON-MS
> >> > sites.. I've had troubles in the past with them if I don't use IE5.x or
> >> > "better"..
> >> >
> >> > Eric
> >> >
> >> >
> >> > "Dean E. Weimer" wrote:
> >> > >
> >> > > I would be assuming that it is http since the port that is in the output
> >> > > from ipmon is 80, however if it were trying passive ftp this would cause
> >> > > the problem.
> >> > >
> >> > > On Fri, 1 Mar 2002, Eric Anderson wrote:
> >> > >
> >> > > > Is it using FTP or HTTP to do the transfer?
> >> > > >
> >> > > > Eric
> >> > > >
> >> > > >
> >> > > > "Dean E. Weimer" wrote:
> >> > > > >
> >> > > > > I recently set up IPFilter on my FreeBSD 4-5 system, and have most things
> >> > > > > working; one thing that isn't is http downloads. I can browse the web just
> >> > > > > fine, and even right click on an image and do a save image as, however if I
> >> > > > > go to Microsoft's download page and try to download something, I receive the
> >> > > > > first packet, and everything else gets blocked. Here are the relevant rules
> >> > > > > from my ipf.rules file.
> >> > > > >
> >> > > > > pass in quick on tun0 proto tcp from any to any port = 80 flags S keep state
> >> > > > > keep frags
> >> > > > > block out log quick on tun0 proto tcp from 10.240.98.0/24 to any port = 80
> >> > > > > keep state
> >> > > > > pass out quick on tun0 proto tcp from any to any port = 80 keep state
> >> > > > >
> >> > > > > block return-rst in log quick on tun0 proto tcp from any to any keep state
> >> > > > > block return-icmp-as-dest(port-unr) in log quick on tun0 proto udp from any
> >> > > > > to any keep state
> >> > > > > block in log on tun0 all
> >> > > > > block out log on tun0 all
> >> > > > >
> >> > > > > The first rule seems to work fine allowing me to browse the web pages on my
> >> > > > > system just fine, it keeps the state open and allows port 80 out after it
> >> > > > > receives the connection. The second rule works fine forcing my windows
> >> > > > > clients to not use NAT and instead use the proxy server (SQUID 2.4-STABLE4
> >> > > > > running on firewall server), which the third rule then allows to go out, and
> >> > > > > keeps the state open to allow text and images back in. Now what doesn't
> >> > > > > happen is downloads; if I click a link to download a file, I get the first
> >> > > > > packet, and then it hangs. Looking at the logs gives me this:
> >> > > > >
> >> > > > > First from ipmon:
> >> > > > > (date & time) @0:12 b 207.46.106.150,80 -> 64.218.106.107,2124 PR tcp len 20
> >> > > > > 1492 -A K-S IN
> >> > > > > (date & time) @65535:0 b 64.218.106.107,2124 -> 207.46.106.150,80 PR tcp len
> >> > > > > 20 1492 -A K-S IN
> >> > > > >
> >> > > > > Then with ipfstat -t:
> >> > > > > 64.218.106.107,2124 207.46.106.150,80 4/4 tcp 33 12927 0:15
> >> > > > > 207.46.106.150,80 64.218.106.107,2124 4/6 5 1700 1:59:31
> >> > > > >
> >> > > > > 64.218.106.150 was my DSL IP address at the time, and 207.46.106.151 is the
> >> > > > > IP address of Microsoft's Server.
> >> > > > >
> >> > > > > The questions??
> >> > > > > What I want to know is why the download is being blocked, and not being
> >> > > > > passed in because of the state that should have been saved from the outbound
> >> > > > > connection? Did I just miss something simple??
> >> > > > > Also is this the correct way to handle dynamic IPs? I have an "ipf -y"
> >> > > > > command in my link.up and link.down scripts.
> >> > > > >
> >> > > > > Thanks,
> >> > > > > Dean E. Weimer
>
> Internet service provided by telus.net http://www.telus.net/

--
------------------------------------------------------------------
Eric Anderson        Systems Administrator        Centaur Technology
If at first you don't succeed, sky diving is probably not for you.
------------------------------------------------------------------

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
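As an added example (not part of this thread and not IPFilter's own code), a small Python helper that parses ipmon records like the ones Dean quoted together with ipfstat -t state lines, and reports blocked packets whose flow already has a state entry, the symptom Dean is asking about. The sample lines are constructed from the values in the thread; the date/time/interface prefix on the ipmon lines and the third (passed) record are assumptions.

```python
import re

# Constructed sample data modelled on the lines quoted in the thread. ipmon prefixes each
# record with date, time and interface; that prefix is assumed here (the post shows "(date & time)").
IPMON_LOG = """\
01/03/2002 15:02:11.123456 tun0 @0:12 b 207.46.106.150,80 -> 64.218.106.107,2124 PR tcp len 20 1492 -A K-S IN
01/03/2002 15:02:11.234567 tun0 @65535:0 b 64.218.106.107,2124 -> 207.46.106.150,80 PR tcp len 20 1492 -A K-S IN
01/03/2002 15:02:12.000000 tun0 @0:3 p 64.218.106.107,2130 -> 198.51.100.7,80 PR tcp len 20 60 -S K-S OUT
"""
IPFSTAT_T = """\
64.218.106.107,2124 207.46.106.150,80 4/4 tcp 33 12927 0:15
207.46.106.150,80 64.218.106.107,2124 4/6 tcp 5 1700 1:59:31
"""

# ipmon: @group:rule action src,sport -> dst,dport PR proto len hdrlen pktlen [flags] [K-S] IN|OUT
IPMON_RE = re.compile(
    r"@(?P<group>\d+):(?P<rule>\d+)\s+(?P<action>[bp])\s+"
    r"(?P<src>[\d.]+),(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+),(?P<dport>\d+)\s+"
    r"PR\s+(?P<proto>\w+)\s+len\s+\d+\s+\d+\s+"
    r"(?:(?P<flags>-\S+)\s+)?(?:K-S\s+)?(?P<dir>IN|OUT)")
# ipfstat -t: src,sport dst,dport state [proto] pkts bytes ttl (trailing fields not needed)
STATE_RE = re.compile(
    r"^(?P<src>[\d.]+),(?P<sport>\d+)\s+(?P<dst>[\d.]+),(?P<dport>\d+)\s+(?P<state>\d+/\d+)")

def parse_ipmon(text):
    """One dict per recognised ipmon record; lines that do not match are skipped."""
    return [m.groupdict() for m in map(IPMON_RE.search, text.splitlines()) if m]

def parse_states(text):
    """Set of (src, sport, dst, dport) tuples present in an ipfstat -t dump."""
    return {(m["src"], m["sport"], m["dst"], m["dport"])
            for m in (STATE_RE.match(l.strip()) for l in text.splitlines()) if m}

def blocked_despite_state(ipmon_text, ipfstat_text):
    """Blocked packets whose flow (in either direction) already has a state entry."""
    # A hit whose flags are ACK only ("-A") is a mid-stream packet, i.e. traffic the
    # state entry was supposed to pass without consulting the rule set again.
    flows = parse_states(ipfstat_text)
    hits = []
    for r in parse_ipmon(ipmon_text):
        if r["action"] != "b":
            continue
        fwd = (r["src"], r["sport"], r["dst"], r["dport"])
        rev = (r["dst"], r["dport"], r["src"], r["sport"])
        if fwd in flows or rev in flows:
            hits.append((f"@{r['group']}:{r['rule']}", fwd, r["flags"], r["dir"]))
    return hits
```

Run against a live box by feeding it `ipmon -o I` output and the current `ipfstat -t` dump; each hit names the rule that did the blocking so it can be matched against the rule listing.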