Date:      Fri, 01 Mar 2002 14:15:44 -0600
From:      Eric Anderson <anderson@centtech.com>
To:        "Dean E. Weimer" <dweimer@happydays.dyndns.org>
Cc:        dweimer@swbell.net, "Freebsd-Security (E-mail)" <freebsd-security@freebsd.org>
Subject:   Re: IPFilter Questions
Message-ID:  <3C7FE170.F0A26778@centtech.com>
References:  <20020301135312.U5593-100000@FreeBSD.Happydays.DynDNS.Org>

Port 20 is the ftp-data port, so opening that allowed the ftp-data to come back
through, so it sounds like it was an ftp transfer.  Ftp is a strange and old beast,
so don't try to make perfect sense of it. I'm not the expert on this list,
that's for sure, so you may want to wait until someone describes the "real"
cause. :D

Eric



"Dean E. Weimer" wrote:
> 
> OK, I realize that I made a mistake in my last reply, I understand that
> port 80 on their end means nothing, because you can use any outgoing port
> you want such as 2124 that my proxy used in this example, but the inbound
> port that ipmon reported blocked was the same as my outbound port that I
> initiated the download with.  If opening port 20 allows the data in, why
> wasn't the connection reported blocked on port 20 instead of 2124 that
> this example used?
> 
> On Fri, 1 Mar 2002, Eric Anderson wrote:
> 
> > I'm assuming nothing.  I would try an ftp, and an http download from NON-MS
> > sites. I've had troubles in the past with them if I don't use IE5.x or
> > "better".
> >
> > Eric
> >
> >
> > "Dean E. Weimer" wrote:
> > >
> > > I would be assuming that it is http since the port that is in the output
> > > from ipmon is 80, however if it were trying passive ftp this would cause
> > > the problem.
> > >
> > > On Fri, 1 Mar 2002, Eric Anderson wrote:
> > >
> > > > Is it using FTP or HTTP to do the transfer?
> > > >
> > > > Eric
> > > >
> > > >
> > > > "Dean E. Weimer" wrote:
> > > > >
> > > > > I recently set up IPFilter on my FreeBSD 4-5 system, and have most things
> > > > > working. One thing that isn't is http downloads: I can browse the web just
> > > > > fine, and even right click on an image and do a save image as, however if I
> > > > > go to Microsoft's download page and try to download something, I receive the
> > > > > first packet, and everything else gets blocked.  Here are the relevant rules
> > > > > from my ipf.rules file.
> > > > >
> > > > > pass in quick on tun0 proto tcp from any to any port = 80 flags S keep state keep frags
> > > > > block out log quick on tun0 proto tcp from 10.240.98.0/24 to any port = 80 keep state
> > > > > pass out quick on tun0 proto tcp from any to any port = 80 keep state
> > > > >
> > > > > block return-rst in log quick on tun0 proto tcp from any to any keep state
> > > > > block return-icmp-as-dest(port-unr) in log quick on tun0 proto udp from any to any keep state
> > > > > block in log on tun0 all
> > > > > block out log on tun0 all
> > > > >
> > > > > The first rule seems to work fine, allowing me to browse the web pages on my
> > > > > system just fine; it keeps the state open and allows port 80 out after it
> > > > > receives the connection. The second rule works fine, forcing my windows
> > > > > clients to not use NAT and instead use the proxy server (SQUID 2.4-STABLE4
> > > > > running on the firewall server), which the third rule then allows to go out, and
> > > > > keeps the state open to allow text and images back in.  Now what doesn't
> > > > > happen is downloads: if I click a link to download a file, I get the first
> > > > > packet, and then it hangs.  Looking at the logs gives me this:
> > > > >
> > > > > First from ipmon:
> > > > > (date & time) @0:12 b 207.46.106.150,80 -> 64.218.106.107,2124 PR tcp len 20 1492 -A K-S IN
> > > > > (date & time) @65535:0 b 64.218.106.107,2124 -> 207.46.106.150,80 PR tcp len 20 1492 -A K-S IN
> > > > >
> > > > > Then with ipfstat -t:
> > > > > 64.218.106.107,2124     207.46.106.150,80     4/4  tcp      33     12927  0:15
> > > > > 207.46.106.150,80       64.218.106.107,2124   4/6              5      1700  1:59:31
> > > > >
> > > > > 64.218.106.150 was my DSL IP address at the time, and 207.46.106.151 is the
> > > > > IP address of Microsoft's Server.
> > > > >
> > > > > The questions??
> > > > > What I want to know is why the download is being blocked, and not being
> > > > > passed in because of the state that should have been saved from the outbound
> > > > > connection?  Did I just miss something simple??
> > > > > Also, is this the correct way to handle dynamic IPs?  I have an "ipf -y"
> > > > > command in my link.up and link.down scripts.
> > > > >
> > > > > Thanks,
> > > > > Dean E. Weimer
> > > > >
> > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > > > > with "unsubscribe freebsd-security" in the body of the message
> > > >
> > > > --
> > > > ------------------------------------------------------------------
> > > > Eric Anderson    Systems Administrator      Centaur Technology
> > > > If at first you don't succeed, sky diving is probably not for you.
> > > > ------------------------------------------------------------------
> > > >

-- 
------------------------------------------------------------------
Eric Anderson	   Systems Administrator      Centaur Technology
If at first you don't succeed, sky diving is probably not for you.
------------------------------------------------------------------
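An added example, not part of this thread: a small Python parser for the ipmon lines Dean quoted, which picks out blocked TCP packets that carry ACK without SYN, i.e. packets on an established flow that a "keep state" entry should already have passed. The timestamp and interface in the sample lines are constructed, since Dean's quote elided them.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Match from the "@group:rule" reference onward; the timestamp and interface
# ipmon prints before it vary and are not needed here.
IPMON_RE = re.compile(
    r"@(?P<group>\d+):(?P<rule>\d+)\s+(?P<action>\w)\s+"
    r"(?P<src>[\d.]+),(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+),(?P<dport>\d+)\s+"
    r"PR\s+(?P<proto>\w+)\s+len\s+\d+\s+(?P<plen>\d+)"
    r"(?:\s+-(?P<flags>[A-Z]+))?(?:\s+K-S)?\s+(?P<dir>IN|OUT)")

@dataclass
class IpmonEntry:
    group: int
    rule: int
    action: str     # 'b' blocked, 'p' passed, as ipmon prints it
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    plen: int       # total packet length in bytes
    flags: str      # TCP flags, e.g. "A", "S", "AS"; empty for non-TCP
    direction: str  # "IN" or "OUT"

def parse_ipmon_line(line: str) -> Optional[IpmonEntry]:
    """Parse one block/pass record; None for lines in another format."""
    m = IPMON_RE.search(line)
    if not m:
        return None
    return IpmonEntry(int(m["group"]), int(m["rule"]), m["action"],
                      m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                      m["proto"], int(m["plen"]), m["flags"] or "", m["dir"])

def blocked_mid_stream(lines: List[str]) -> List[IpmonEntry]:
    """Blocked TCP packets with ACK set and SYN clear.  Such packets belong to
    an already-established flow, so a matching 'keep state' entry should have
    passed them; each hit marks a flow the state table failed to cover."""
    entries = (parse_ipmon_line(ln) for ln in lines)
    return [e for e in entries if e and e.action == "b" and e.proto == "tcp"
            and "A" in e.flags and "S" not in e.flags]

# Constructed sample: the two lines Dean quoted plus one passed SYN, with a
# made-up timestamp and interface in place of his "(date & time)".
SAMPLE = [
    "01/03/2002 13:50:01.000000 tun0 @0:12 b 207.46.106.150,80 -> 64.218.106.107,2124 PR tcp len 20 1492 -A K-S IN",
    "01/03/2002 13:50:01.000001 tun0 @65535:0 b 64.218.106.107,2124 -> 207.46.106.150,80 PR tcp len 20 1492 -A K-S IN",
    "01/03/2002 13:50:02.000000 tun0 @0:3 p 64.218.106.107,2125 -> 207.46.106.150,80 PR tcp len 20 60 -S K-S OUT",
]
```

Running `blocked_mid_stream(SAMPLE)` returns the two blocked entries and drops the passed SYN, which is the pattern Dean saw: the handshake went out, but later segments of the same flow hit block rules.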
