From: "Dean E. Weimer"
To: Eric Anderson
Cc: dweimer@swbell.net, "Freebsd-Security (E-mail)"
Subject: Re: IPFilter Questions
Date: Fri, 1 Mar 2002 12:57:38 -0600 (CST)
In-Reply-To: <3C7FCDB6.FD151D09@centtech.com>
Message-ID: <20020301125603.J4731-100000@FreeBSD.Happydays.DynDNS.Org>

I would be assuming that it is http, since the port in the output from
ipmon is 80; however, if it were trying passive ftp, this would cause the
problem.

On Fri, 1 Mar 2002, Eric Anderson wrote:

> Is it using FTP or HTTP to do the transfer?
>
> Eric
>
>
> "Dean E. Weimer" wrote:
> >
> > I recently set up IPFilter on my FreeBSD 4-5 system, and have most things
> > working; one thing that isn't is http downloads. I can browse the web just
> > fine, and even right click on an image and do a save image as; however, if I
> > go to Microsoft's download page and try to download something, I receive the
> > first packet, and everything else gets blocked. Here are the relevant rules
> > from my ipf.rules file.
> >
> > pass in quick on tun0 proto tcp from any to any port = 80 flags S keep state keep frags
> > block out log quick on tun0 proto tcp from 10.240.98.0/24 to any port = 80 keep state
> > pass out quick on tun0 proto tcp from any to any port = 80 keep state
> >
> > block return-rst in log quick on tun0 proto tcp from any to any keep state
> > block return-icmp-as-dest(port-unr) in log quick on tun0 proto udp from any to any keep state
> > block in log on tun0 all
> > block out log on tun0 all
> >
> > The first rule seems to work fine, allowing me to browse the web pages on my
> > system just fine; it keeps the state open and allows port 80 out after it
> > receives the connection. The second rule works fine, forcing my windows
> > clients to not use NAT and instead use the proxy server (SQUID 2.4-STABLE4
> > running on the firewall server), which the third rule then allows to go out, and
> > keeps the state open to allow text and images back in. Now what doesn't
> > happen is downloads: if I click a link to download a file, I get the first
> > packet, and then it hangs. Looking at the logs gives me this:
> >
> > First from ipmon:
> > (date & time) @0:12 b 207.46.106.150,80 -> 64.218.106.107,2124 PR tcp len 20 1492 -A K-S IN
> > (date & time) @65535:0 b 64.218.106.107,2124 -> 207.46.106.150,80 PR tcp len 20 1492 -A K-S IN
> >
> > Then with ipfstat -t:
> > 64.218.106.107,2124 207.46.106.150,80 4/4 tcp 33 12927 0:15
> > 207.46.106.150,80 64.218.106.107,2124 4/6 5 1700 1:59:31
> >
> > 64.218.106.150 was my DSL IP address at the time, and 207.46.106.151 is the
> > IP address of Microsoft's Server.
> >
> > The questions??
> > What I want to know is why the download is being blocked, and not being
> > passed in because of the state that should have been saved from the outbound
> > connection? Did I just miss something simple??
> > Also, is this the correct way to handle dynamic IP's? I have an "ipf -y"
> > command in my link.up and link.down scripts.
> >
> > Thanks,
> > Dean E. Weimer
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message
>
> --
> ------------------------------------------------------------------
> Eric Anderson Systems Administrator Centaur Technology
> If at first you don't succeed, sky diving is probably not for you.
> ------------------------------------------------------------------
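As an added example (not part of this thread or of IPFilter itself), here is a small parser for ipmon log lines in the shape quoted above, which tallies hits per rule and flags blocked inbound packets that look like replies to a connection the firewall should already hold state for (a pure ACK from a service port, matched by a keep-state block rule). The sample lines are constructed from the values in the post; the date and interface fields, the third passed-SYN line, and the function names are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the ipmon(8) shape quoted in the thread:
# "<date> <iface> @group:rule action src,sport -> dst,dport PR proto len hlen plen -flags [K-S] IN|OUT"
SAMPLE_LOG = """\
01/03/2002 12:50:01.000000 tun0 @0:12 b 207.46.106.150,80 -> 64.218.106.107,2124 PR tcp len 20 1492 -A K-S IN
01/03/2002 12:50:01.100000 tun0 @65535:0 b 64.218.106.107,2124 -> 207.46.106.150,80 PR tcp len 20 1492 -A K-S IN
01/03/2002 12:50:02.000000 tun0 @0:3 p 64.218.106.107,2130 -> 207.46.106.150,80 PR tcp len 20 60 -S K-S OUT
"""

IPMON_RE = re.compile(
    r"@(?P<group>\d+):(?P<rule>\d+)\s+(?P<action>[bp])\s+"
    r"(?P<src>[\d.]+),(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+),(?P<dport>\d+)\s+"
    r"PR\s+(?P<proto>\w+)\s+len\s+(?P<hlen>\d+)\s+(?P<plen>\d+)(?P<rest>.*)$"
)

def parse_ipmon_line(line):
    """Return a dict for one ipmon line, or None if the line does not match."""
    m = IPMON_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("group", "rule", "sport", "dport", "hlen", "plen"):
        rec[key] = int(rec[key])
    rest = rec.pop("rest").split()               # e.g. ["-A", "K-S", "IN"]
    rec["tcp_flags"] = next((t[1:] for t in rest if t.startswith("-")), "")
    rec["keep_state"] = "K-S" in rest            # rule carried "keep state"
    rec["direction"] = "IN" if "IN" in rest else ("OUT" if "OUT" in rest else "?")
    return rec

def parse_log(text):
    return [r for r in (parse_ipmon_line(l) for l in text.splitlines()) if r]

def rule_hits(records):
    """Count log entries per (group, rule, action) to see which rule is firing."""
    return Counter((r["group"], r["rule"], r["action"]) for r in records)

def blocked_return_traffic(records, service_ports=(80,)):
    """Blocked inbound pure-ACK packets from a service port: reply traffic for
    which no state entry matched (e.g. state flushed by 'ipf -y', or the packet
    fell outside the tracked window), so the block rule caught it instead."""
    return [r for r in records
            if r["action"] == "b" and r["direction"] == "IN"
            and r["sport"] in service_ports
            and "A" in r["tcp_flags"] and "S" not in r["tcp_flags"]]

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(rule_hits(recs))
    for r in blocked_return_traffic(recs):
        print("reply blocked by @%d:%d: %s,%d -> %s,%d" % (
            r["group"], r["rule"], r["src"], r["sport"], r["dst"], r["dport"]))
```

Run against a real ipmon log, the rule numbers reported by `rule_hits` can be matched to `ipfstat -io` output to see which block rule is eating the reply packets.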