Delivered-To: freebsd-questions@freebsd.org
From: "Joe & Fhe Barbish"
To: "FBSDQ"
Subject: IPFW blocking auto-spawned web pages
Date: Sun, 16 Jun 2002 11:26:29 -0400

I exclusively use Advanced stateful IPFW check-state - keep-state rules. I just converted from using a modem dial-up ISP with user ppp -nat to cable modem with ipfw internal divert natd statement added to my ipfw rule file.

Something strange but good has started to happen. The last rule in my rules file is a deny log all from any to any so I can see all the packets that fall through my rules file without a match. Since I changed my ipfw rules file by just adding the single divert natd statement, my last rule to log everything that has not matched any rules has started logging a lot of outbound port 80 packets.

This has bothered me as I thought my system was compromised. I went so far as to reinstall version 4.5 from scratch again and reinstall a clean WINME system on one of the LAN machines I was using for testing just to ensure I did not have any spyware or Trojans, or backdoor virus on my system.
Nothing helped; these packets just keep showing up in the ipfw log. The target ip address does not repeat in most cases from day to day.

In frustration I tried putting the target ip address from these denied outbound packets directly in the http URL of my browser and bingo, I pulled up a web page. To my great surprise every one of those denied packets stopped by my Advanced stateful IPFW firewall turns out to be an auto-spawned web page that was buried in the original web page I was looking at.

The ipfw man info does not document this behavior. The blocking of those annoying auto-spawned web pages by the ipfw firewall is a very desirable ability and seems to be a side effect of exclusively using Advanced stateful IPFW check-state - keep-state rules.

Has anybody else out there seen this behavior?
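
One way to tally the fall-through packets described in the message above, as an added example that is not part of the original post: it counts packets that a final `deny log` rule dropped on their way out to TCP port 80, per destination and LAN source. The log line layout, the rule number 65000 and every sample line are assumptions constructed for the example.

```python
import re
from collections import Counter

# Assumed log layout (check it against your own ipfw log):
#   ipfw: <rule> <action> <proto> <src>:<sport> <dst>:<dport> <in|out> via <if>
LINE_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)

# Constructed sample lines; rule number, host name, interface and addresses
# (documentation ranges) are made up for this example.
SAMPLE_LOG = """\
Jun 16 11:20:01 gw /kernel: ipfw: 65000 Deny TCP 10.0.10.6:1045 192.0.2.10:80 out via rl0
Jun 16 11:20:04 gw /kernel: ipfw: 65000 Deny TCP 10.0.10.6:1045 192.0.2.10:80 out via rl0
Jun 16 11:21:17 gw /kernel: ipfw: 65000 Deny TCP 10.0.10.7:1102 198.51.100.7:80 out via rl0
Jun 16 11:22:30 gw /kernel: ipfw: 65000 Deny TCP 203.0.113.5:4021 10.0.10.6:139 in via rl0
Jun 16 11:23:02 gw /kernel: ipfw: 65000 Deny UDP 10.0.10.6:1050 192.0.2.53:53 out via rl0
Jun 16 11:23:40 gw /kernel: ipfw: 65000 Deny ICMP:8.0 10.0.10.6 192.0.2.1 out via rl0
Jun 16 11:24:00 gw /kernel: ipfw: 400 Accept TCP 10.0.10.6:1060 192.0.2.10:80 out via rl0
Jun 16 11:25:00 gw sshd[212]: unrelated line
"""


def denied_outbound_http(log_text, final_rule):
    """Return (count per destination, source hosts per destination) for
    packets that final_rule denied while leaving for TCP port 80."""
    counts = Counter()
    sources = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m is None:
            continue  # not an ipfw line, or a layout without ports (e.g. ICMP)
        if (int(m["rule"]) != final_rule or m["action"] != "Deny"
                or m["proto"] != "TCP" or m["dir"] != "out"
                or m["dport"] != "80"):
            continue
        counts[m["dst"]] += 1
        sources.setdefault(m["dst"], set()).add(m["src"])
    return counts, sources


if __name__ == "__main__":
    counts, sources = denied_outbound_http(SAMPLE_LOG, final_rule=65000)
    for dst, n in counts.most_common():
        print(f"{dst:15} {n:3} packet(s) from {', '.join(sorted(sources[dst]))}")
```
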