Date:      Fri, 01 Mar 2002 13:03:09 -0600
From:      Eric Anderson <anderson@centtech.com>
To:        "Dean E. Weimer" <dweimer@happydays.dyndns.org>
Cc:        dweimer@swbell.net, "Freebsd-Security (E-mail)" <freebsd-security@freebsd.org>
Subject:   Re: IPFilter Questions
Message-ID:  <3C7FD06D.A449F035@centtech.com>
References:  <20020301125603.J4731-100000@FreeBSD.Happydays.DynDNS.Org>

I'm assuming nothing. I would try an FTP and an HTTP download from non-MS
sites. I've had trouble in the past with them if I don't use IE5.x or
"better".

Eric


"Dean E. Weimer" wrote:
> 
> I would assume that it is HTTP, since the port in the output from ipmon
> is 80; however, if it were trying passive FTP, this would cause the
> problem.
> 
> On Fri, 1 Mar 2002, Eric Anderson wrote:
> 
> > Is it using FTP or HTTP to do the transfer?
> >
> > Eric
> >
> >
> > "Dean E. Weimer" wrote:
> > >
> > > I recently set up IPFilter on my FreeBSD 4.5 system, and have most things
> > > working. One thing that isn't is HTTP downloads: I can browse the web just
> > > fine, and even right-click on an image and do a "Save Image As"; however, if I
> > > go to Microsoft's download page and try to download something, I receive the
> > > first packet, and everything else gets blocked. Here are the relevant rules
> > > from my ipf.rules file.
> > >
> > > pass in quick on tun0 proto tcp from any to any port = 80 flags S keep state keep frags
> > > block out log quick on tun0 proto tcp from 10.240.98.0/24 to any port = 80 keep state
> > > pass out quick on tun0 proto tcp from any to any port = 80 keep state
> > >
> > > block return-rst in log quick on tun0 proto tcp from any to any keep state
> > > block return-icmp-as-dest(port-unr) in log quick on tun0 proto udp from any to any keep state
> > > block in log on tun0 all
> > > block out log on tun0 all
> > >
> > > The first rule seems to work fine, allowing me to browse web pages from my
> > > system; it keeps the state open and allows port 80 out after it
> > > receives the connection. The second rule works fine, forcing my Windows
> > > clients not to use NAT and instead use the proxy server (Squid 2.4-STABLE4
> > > running on the firewall server), which the third rule then allows to go out, and
> > > keeps the state open to allow text and images back in. Now what doesn't
> > > happen is downloads: if I click a link to download a file, I get the first
> > > packet, and then it hangs. Looking at the logs gives me this:
> > >
> > > First from ipmon:
> > > (date & time) @0:12 b 207.46.106.150,80 -> 64.218.106.107,2124 PR tcp len 20 1492 -A K-S IN
> > > (date & time) @65535:0 b 64.218.106.107,2124 -> 207.46.106.150,80 PR tcp len 20 1492 -A K-S IN
> > >
> > > Then with ipfstat -t:
> > > 64.218.106.107,2124     207.46.106.150,80     4/4  tcp      33     12927  0:15
> > > 207.46.106.150,80       64.218.106.107,2124   4/6            5      1700   1:59:31
> > >
> > > 64.218.106.150 was my DSL IP address at the time, and 207.46.106.151 is the
> > > IP address of Microsoft's server.
> > >
> > > The questions:
> > > What I want to know is why the download is being blocked and not passed
> > > in on the basis of the state that should have been saved from the outbound
> > > connection. Did I just miss something simple?
> > > Also, is this the correct way to handle dynamic IPs? I have an "ipf -y"
> > > command in my link.up and link.down scripts.
> > >
> > > Thanks,
> > > Dean E. Weimer
> > >
> >
-- 
------------------------------------------------------------------
Eric Anderson    Systems Administrator      Centaur Technology
If at first you don't succeed, sky diving is probably not for you.
------------------------------------------------------------------

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
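The log excerpts quoted above show the pattern Dean is asking about: packets that ipmon logged as blocked while ipfstat -t still had a state entry for the same connection. The script below is an added example for this thread, not code from the original mail or from IPFilter. It parses ipmon(8) block lines and ipfstat -t state lines and reports, for each blocked packet, whether the state table knew its flow. The sample input is constructed from the lines quoted in the thread: the timestamp and interface prefix Dean elided is filled with made-up values, the third ipmon line (a 10.240.98.x client hitting rule @0:2) is invented to show the "no state" case, and the numeric TCP state names are taken from IPFilter's ip_state.h as I recall it, so verify them against the version you run.

```python
"""Correlate packets ipmon(8) logged as blocked with the live state table
from `ipfstat -t`, to spot packets dropped despite a matching state entry."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input, modelled on the lines quoted in the thread. The
# timestamp/interface prefix is made up; the third line is invented to give
# a blocked packet with no state entry.
IPMON_LOG = """\
01/03/2002 13:01:02.100000 tun0 @0:12 b 207.46.106.150,80 -> 64.218.106.107,2124 PR tcp len 20 1492 -A K-S IN
01/03/2002 13:01:02.200000 tun0 @65535:0 b 64.218.106.107,2124 -> 207.46.106.150,80 PR tcp len 20 1492 -A K-S IN
01/03/2002 13:01:03.300000 tun0 @0:2 b 10.240.98.10,1034 -> 198.51.100.7,80 PR tcp len 20 48 -S OUT
"""

# `ipfstat -t` entries from the thread, with the wrapped TTL column rejoined.
IPFSTAT_T = """\
64.218.106.107,2124     207.46.106.150,80     4/4  tcp      33     12927  0:15
207.46.106.150,80       64.218.106.107,2124   4/6            5      1700   1:59:31
"""

# TCP state numbers shown in the ST column (IPFilter ip_state.h as I recall
# it; assumption, verify against the ipfilter version you run).
TCP_STATES = {0: "LISTEN", 1: "SYN_SENT", 2: "SYN_RECEIVED", 3: "HALF_ESTAB",
              4: "ESTABLISHED", 5: "CLOSE_WAIT", 6: "FIN_WAIT_1", 7: "CLOSING",
              8: "LAST_ACK", 9: "FIN_WAIT_2", 10: "TIME_WAIT", 11: "CLOSED"}

# ipmon fields: @group:rule action src,sport -> dst,dport PR proto len hl tl flags... IN|OUT
IPMON_RE = re.compile(
    r"@(?P<group>\d+):(?P<rule>\d+)\s+(?P<action>\S+)\s+"
    r"(?P<src>[\d.]+),(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+),(?P<dport>\d+)\s+"
    r"PR\s+(?P<proto>\w+)\s+len\s+\d+\s+\d+\s*(?P<rest>.*?)\s*(?P<dir>IN|OUT)$")

# ipfstat -t fields: src,sport dst,dport st1/st2 ...
STATE_RE = re.compile(
    r"^(?P<a>[\d.]+),(?P<ap>\d+)\s+(?P<b>[\d.]+),(?P<bp>\d+)\s+(?P<s1>\d+)/(?P<s2>\d+)")


@dataclass(frozen=True)
class LoggedPacket:
    rule: str          # "group:rule" as printed by ipmon, e.g. "0:12"
    blocked: bool      # action letter 'b' (block) versus 'p' (pass)
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    tcp_flags: str     # letters after the leading '-', e.g. "A" for ACK-only
    direction: str     # "IN" or "OUT"


def flow_key(ip1, port1, ip2, port2):
    """Direction-independent key so both halves of a connection match."""
    return frozenset({(ip1, int(port1)), (ip2, int(port2))})


def parse_ipmon(line: str) -> Optional[LoggedPacket]:
    m = IPMON_RE.search(line.strip())
    if not m:
        return None
    flags = ""
    for tok in m["rest"].split():
        if tok.startswith("-") and tok[1:].isalpha():   # e.g. "-A", "-S", "-AF"
            flags = tok[1:]
    return LoggedPacket(f"{m['group']}:{m['rule']}", m["action"] == "b",
                        m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                        m["proto"], flags, m["dir"])


def parse_ipfstat_t(text: str) -> dict:
    """Map each flow key to the decoded ST values of every entry for that flow."""
    table = {}
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if not m:
            continue
        decoded = "/".join(TCP_STATES.get(int(m[k]), f"?{m[k]}") for k in ("s1", "s2"))
        table.setdefault(flow_key(m["a"], m["ap"], m["b"], m["bp"]), []).append(decoded)
    return table


def blocked_with_state(ipmon_text: str, ipfstat_text: str) -> list:
    """For every blocked packet, report whether the state table knows its flow.
    A blocked packet whose flow *has* state is the anomaly worth chasing."""
    states = parse_ipfstat_t(ipfstat_text)
    findings = []
    for line in ipmon_text.splitlines():
        pkt = parse_ipmon(line)
        if pkt is None or not pkt.blocked:
            continue
        entries = states.get(flow_key(pkt.src, pkt.sport, pkt.dst, pkt.dport), [])
        findings.append({"rule": pkt.rule, "direction": pkt.direction,
                         "flags": pkt.tcp_flags, "has_state": bool(entries),
                         "states": entries})
    return findings


if __name__ == "__main__":
    for f in blocked_with_state(IPMON_LOG, IPFSTAT_T):
        tag = "STATE EXISTS" if f["has_state"] else "no state"
        print(f"rule @{f['rule']} {f['direction']:3} flags={f['flags'] or '-':4} {tag} {f['states']}")
```

Run it against your own `ipmon -o I` output and a `ipfstat -t` snapshot taken while the transfer is hung; the two entries for one flow (the "4/4" and "4/6" pair above) are the ones to look at, since a mid-stream ACK being dropped by the catch-all block rule while a state entry exists points at the state match failing rather than at a missing pass rule.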