From owner-freebsd-security Fri Mar 1 12:09:14 2002
Date: Fri, 1 Mar 2002 14:08:59 -0600 (CST)
From: "Dean E. Weimer"
To: Eric Anderson
Cc: dweimer@swbell.net, "Freebsd-Security (E-mail)"
Subject: Re: IPFilter Questions
In-Reply-To: <3C7FD06D.A449F035@centtech.com>
Message-ID: <20020301135312.U5593-100000@FreeBSD.Happydays.DynDNS.Org>

OK, I realize that I made a mistake in my last reply. I understand that port 80 on their end means nothing, because you can use any outgoing port you want, such as 2124 that my proxy used in this example, but the inbound port that ipmon reported blocked was the same as my outbound port that I initiated the download with. If opening port 20 allows the data in, why wasn't the connection reported blocked on port 20 instead of 2124 that this example used?

On Fri, 1 Mar 2002, Eric Anderson wrote:

> I'm assuming nothing. I would try an ftp, and an http download from NON-MS
> sites.. I've had troubles in the past with them if I don't use IE5.x or
> "better"..
>
> Eric
>
>
> "Dean E. Weimer" wrote:
> >
> > I would be assuming that it is http since the port that is in the output
> > from ipmon is 80, however if it were trying passive ftp this would cause
> > the problem.
> >
> > On Fri, 1 Mar 2002, Eric Anderson wrote:
> >
> > > Is it using FTP or HTTP to do the transfer?
> > >
> > > Eric
> > >
> > >
> > > "Dean E. Weimer" wrote:
> > > >
> > > > I recently set up IPFilter on my FreeBSD 4-5 system, and have most things
> > > > working; one thing that isn't is http downloads. I can browse the web just
> > > > fine, and even right click on an image and do a save image as, however if I
> > > > go to Microsoft's download page and try to download something, I receive the
> > > > first packet, and everything else gets blocked. Here are the relevant rules
> > > > from my ipf.rules file.
> > > >
> > > > pass in quick on tun0 proto tcp from any to any port = 80 flags S keep state keep frags
> > > > block out log quick on tun0 proto tcp from 10.240.98.0/24 to any port = 80 keep state
> > > > pass out quick on tun0 proto tcp from any to any port = 80 keep state
> > > >
> > > > block return-rst in log quick on tun0 proto tcp from any to any keep state
> > > > block return-icmp-as-dest(port-unr) in log quick on tun0 proto udp from any to any keep state
> > > > block in log on tun0 all
> > > > block out log on tun0 all
> > > >
> > > > The first rule seems to work fine, allowing me to browse the web pages on my
> > > > system just fine; it keeps the state open and allows port 80 out after it
> > > > receives the connection. The second rule works fine, forcing my windows
> > > > clients to not use NAT and instead use the proxy server (SQUID 2.4-STABLE4
> > > > running on firewall server), which the third rule then allows to go out, and
> > > > keeps the state open to allow text and images back in. Now what doesn't
> > > > happen is downloads: if I click a link to download a file, I get the first
> > > > packet, and then it hangs. Looking at the logs gives me this:
> > > >
> > > > First from ipmon:
> > > > (date & time) @0:12 b 207.46.106.150,80 -> 64.218.106.107,2124 PR tcp len 20 1492 -A K-S IN
> > > > (date & time) @65535:0 b 64.218.106.107,2124 -> 207.46.106.150,80 PR tcp len 20 1492 -A K-S IN
> > > >
> > > > Then with ipfstat -t:
> > > > 64.218.106.107,2124 207.46.106.150,80 4/4 tcp 33 12927 0:15
> > > > 207.46.106.150,80 64.218.106.107,2124 4/6 5 1700 1:59:31
> > > >
> > > > 64.218.106.150 was my DSL IP address at the time, and 207.46.106.151 is the
> > > > IP address of Microsoft's Server.
> > > >
> > > > The questions??
> > > > What I want to know is why the download is being blocked, and not being
> > > > passed in because of the state that should have been saved from the outbound
> > > > connection? Did I just miss something simple??
> > > > Also, is this the correct way to handle dynamic IPs? I have an "ipf -y"
> > > > command in my link.up and link.down scripts.
> > > >
> > > > Thanks,
> > > > Dean E. Weimer
> > > >
> > > > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > > > with "unsubscribe freebsd-security" in the body of the message
> > >
> > > --
> > > ------------------------------------------------------------------
> > > Eric Anderson Systems Administrator Centaur Technology
> > > If at first you don't succeed, sky diving is probably not for you.
> > > ------------------------------------------------------------------
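An added troubleshooting helper, not part of the thread above and not IPFilter's or FreeBSD's own code: it parses the two output formats quoted in the thread, ipmon(8) block records and ipfstat -t state-table lines, and reports for each blocked packet which @group:rule reference fired and whether a state entry for that flow (in either direction) existed at the time. That is the question the original poster is asking, and having the answer in one line per packet is what a firewall administrator wants before reading the ruleset. The addresses, ports and rule references are the ones quoted in the thread; the timestamp and interface fields in the sample lines are constructed (the poster elided them), and all class and function names are my own.

```python
"""Correlate ipmon block records with ipfstat -t state entries.

Hypothetical troubleshooting helper (not part of IPFilter). Input formats:
  ipmon:      <timestamp> [iface] @group:rule action src,sport -> dst,dport PR proto len hlen plen [flags...] IN|OUT
  ipfstat -t: src,sport dst,dport state [proto] pkts bytes ttl
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IPMON_RE = re.compile(
    r"@(?P<group>\d+):(?P<rule>\d+)\s+(?P<action>\S+)\s+"
    r"(?P<src>[\d.]+),(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+),(?P<dport>\d+)\s+"
    r"PR\s+(?P<proto>\w+)\s+len\s+(?P<hlen>\d+)\s+(?P<plen>\d+)(?P<rest>.*)$"
)


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Flow":
        return Flow(self.dst, self.dport, self.src, self.sport)

    def __str__(self) -> str:
        return f"{self.src},{self.sport} -> {self.dst},{self.dport}"


@dataclass
class LogEntry:
    group: int
    rule: int
    action: str            # ipmon's one-letter action code: 'b' blocked, 'p' passed
    flow: Flow
    proto: str
    direction: str         # IN or OUT (last token of the record)
    tcp_flags: str         # e.g. "-A" (ACK only)
    keywords: Tuple[str, ...]  # other markers ipmon prints, e.g. "K-S"


@dataclass
class StateEntry:
    flow: Flow
    state: str             # TCP state pair as printed, e.g. "4/4"
    proto: Optional[str]   # missing on some lines, as in the quoted output
    pkts: Optional[int]
    nbytes: Optional[int]
    ttl: str


def _endpoint(tok: str) -> Tuple[str, int]:
    host, port = tok.rsplit(",", 1)
    return host, int(port)


def parse_ipmon(line: str) -> Optional[LogEntry]:
    """Parse one ipmon record; tolerant of the timestamp/interface prefix."""
    m = IPMON_RE.search(line)
    if not m:
        return None
    rest = m.group("rest").split()
    direction = rest.pop() if rest and rest[-1] in ("IN", "OUT") else "?"
    tcp_flags, keywords = "", []
    for tok in rest:
        if tok.startswith("-"):       # TCP flag summary such as -A, -S, -AS
            tcp_flags = tok
        else:
            keywords.append(tok)      # e.g. K-S (state keyword marker)
    return LogEntry(int(m["group"]), int(m["rule"]), m["action"],
                    Flow(m["src"], int(m["sport"]), m["dst"], int(m["dport"])),
                    m["proto"], direction, tcp_flags, tuple(keywords))


def parse_state(line: str) -> Optional[StateEntry]:
    """Parse one ipfstat -t line; the proto column may be absent."""
    toks = line.split()
    if len(toks) < 4:
        return None
    src, sport = _endpoint(toks[0])
    dst, dport = _endpoint(toks[1])
    middle = toks[3:-1]
    proto = next((t for t in middle if not t.isdigit()), None)
    nums = [int(t) for t in middle if t.isdigit()]
    return StateEntry(Flow(src, sport, dst, dport), toks[2], proto,
                      nums[0] if nums else None,
                      nums[1] if len(nums) > 1 else None, toks[-1])


def correlate(log_lines: List[str], state_lines: List[str]) -> List[Dict]:
    """For every blocked packet, say which rule fired and whether state existed."""
    by_flow = {s.flow: s for s in map(parse_state, state_lines) if s}
    findings = []
    for entry in filter(None, map(parse_ipmon, log_lines)):
        if entry.action != "b":
            continue
        match = by_flow.get(entry.flow) or by_flow.get(entry.flow.reverse())
        findings.append({
            "rule": f"@{entry.group}:{entry.rule}",
            "flow": str(entry.flow),
            "direction": entry.direction,
            "tcp_flags": entry.tcp_flags,
            "state_exists": match is not None,
            "state": match.state if match else None,
        })
    return findings


# Constructed sample input: timestamp and interface are made up; the rest
# is the output quoted in the thread.
SAMPLE_IPMON = [
    "01/03/2002 14:05:12.000000 tun0 @0:12 b 207.46.106.150,80 -> 64.218.106.107,2124 PR tcp len 20 1492 -A K-S IN",
    "01/03/2002 14:05:12.000000 tun0 @65535:0 b 64.218.106.107,2124 -> 207.46.106.150,80 PR tcp len 20 1492 -A K-S IN",
]
SAMPLE_STATE = [
    "64.218.106.107,2124 207.46.106.150,80 4/4 tcp 33 12927 0:15",
    "207.46.106.150,80 64.218.106.107,2124 4/6 5 1700 1:59:31",
]

if __name__ == "__main__":
    for f in correlate(SAMPLE_IPMON, SAMPLE_STATE):
        print(f"{f['rule']:>9} {f['direction']:<3} {f['flow']:<45} flags={f['tcp_flags']} "
              f"state={'yes' if f['state_exists'] else 'no'} ({f['state']})")
```

Feed it real ipmon output and a fresh `ipfstat -t` capture taken while the transfer is hanging; the @group:rule reference in each finding can then be matched against the numbered rule listing from `ipfstat -ion` to see exactly which rule is discarding packets that the state table already knows about.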