Date:      Wed, 05 Mar 2008 14:28:10 +0000
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        Dennis Melentyev <dennis.melentyev@gmail.com>
Cc:        Владислав Недосекин <mr.vladis@gmail.com>, stable@freebsd.org
Subject:   Re: Could Not open some sites from Windows Vista and Server 2008 when using FreeBSD as gw
Message-ID:  <47CEADFA.8090502@infracaninophile.co.uk>
In-Reply-To: <b84edfa10803050608i3d647fcv2ede7737dbea54c5@mail.gmail.com>
References:  <fedd0b9d0803050049t7849a199y339f707033bb4aec@mail.gmail.com> <b84edfa10803050244t1e26264atc65e80ef09cd3572@mail.gmail.com> <fedd0b9d0803050429p5d1365b9x4527fe8b1019c666@mail.gmail.com> <b84edfa10803050608i3d647fcv2ede7737dbea54c5@mail.gmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Dennis Melentyev wrote:
> Hi!
> 
> Well, I'm not a PF professional, and you have rather advanced setup.
> So, someone with good PF experience is needed here.
> 
> 2008/3/5, Владислав Недосекин <mr.vladis@gmail.com>:
>> Hi, I understand that there are too few facts to analyze, but maybe
>> someone has had the same problem, and I can also provide you with information.
>> TCP dump 192.168.200.11 - ip of PC with vista
>>  # tcpdump | grep 192.168.200.11
>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>>  listening on ste0, link-type EN10MB (Ethernet), capture size 96 bytes
>> ^C^C^C^C3 packets captured
>>  433 packets received by filter
>> 0 packets dropped by kernel
>> # tcpdump | grep 192.168.200.111
>>  tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>> listening on ste0, link-type EN10MB (Ethernet), capture size 96 bytes
> ...
>> 13:51:47.676471 arp who-has 192.168.200.200 (00:1d:60:ce:74:e8 (oui
>> Unknown)) tell 192.168.200.111
> 
> What's that?
> ...
> 
> 
>> PF.CONF
>>
> ...
> 
>> #       Block Policy
>> block in log all
>> block in log quick from no-route to any
>> block in log quick on $ext_if from <rfc1918>
>>  block return-icmp out log quick on $ext_if to <rfc1918>
>> antispoof quick for $int_if
>> antispoof quick for $ext_if
>> block out from 192.168.0.146 to any
> 
> Does the log show anything interesting? I mean dropped packets.
> 
> What about SQUID's log? Some special auth? Client's insisting on
> HTTP/1.1? Some glitches with transparent proxying (if I get it right
> from your PF config)?
> 
>> i've tried
>>  sysctl net.inet.tcp.rfc1323=0
>> but it doesn't help.
>>
>> And about IPv6: it is disabled, but in the enabled state it doesn't help.
> 
> Dropped by PF?
> 

A very good trick when debugging pf rulesets is to make sure that any
block rules also log the blocked packets -- in this case that should
include the antispoofing rules: "antispoof log quick for { $int_if $ext_if }"

Then you can use tcpdump on the firewall against the pflog0 pseudo interface
to see what traffic is being blocked as it happens:

   # tcpdump -vv -i pflog0 

	Cheers,

	Matthew

- -- 
Dr Matthew J Seaman MA, D.Phil.                       Flat 3
                                                      7 Priory Courtyard
PGP: http://www.infracaninophile.co.uk/pgpkey         Ramsgate
                                                      Kent, CT11 9PW, UK
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.4 (FreeBSD)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHzq363jDkPpsZ+VYRAzBuAJ4/Cy9GA+m8iDv1jeYPeCM/xOFOvQCfc6XB
yOqR3qTYmijkFA9fVygqH80=
=apq8
-----END PGP SIGNATURE-----
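As an added example (not from Matthew's mail or anything else in this thread), the following Python script does offline what the pflog0 trick above does live: it parses the per-packet lines that `tcpdump -n -i pflog0` prints for the pflog link type and reports which rule, interface and direction dropped a given host's packets. The sample capture, its rule numbers and the peer addresses are constructed; the line layout it assumes is tcpdump's pflog decode, `rule N/0(match): block in on IF: src.port > dst.port: ...`.

```python
"""Offline summary of `tcpdump -n -i pflog0` output.

Added example (not from the thread): parses the per-packet lines tcpdump
prints for the pflog link type and answers the thread's question, i.e.
which pf rule is dropping a given LAN host's packets.
"""
import re
from collections import Counter

# Constructed sample of pflog0 output (not captured from the poster's box).
# Assumed layout of tcpdump's pflog decode:
#   <time> rule N/0(match): <action> <dir> on <if>: <src>.<sport> > <dst>.<dport>: ...
# The two banner lines are there to show that non-packet lines are skipped.
SAMPLE_PFLOG = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
14:02:11.103481 rule 1/0(match): block in on ste0: 192.168.200.11.49153 > 203.0.113.10.80: Flags [S], seq 1, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
14:02:11.210002 rule 3/0(match): block in on ste0: 192.168.200.11.49154 > 203.0.113.10.443: Flags [S], seq 1, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
14:02:12.000000 rule 5/0(match): block out on rl0: 192.168.0.146.1025 > 198.51.100.7.53: UDP, length 40
14:02:12.500000 rule 1/0(match): block in on ste0: 192.168.200.111.1025 > 203.0.113.10.80: Flags [S], seq 1, win 65535, length 0
14:02:13.000000 rule 7/0(match): pass in on ste0: 192.168.200.200.2000 > 203.0.113.10.80: Flags [S], seq 1, win 65535, length 0
14:02:14.000000 rule 2/0(match): block in on rl0: 198.51.100.9 > 203.0.113.5: ICMP echo request, id 1, seq 1, length 64
"""

# Ports are optional so ICMP lines (no ".port" suffix) parse too.
PFLOG_RE = re.compile(
    r"^(?P<ts>\S+) rule (?P<rule>\d+)/\d+\((?P<reason>[^)]+)\): "
    r"(?P<action>pass|block) (?P<direction>in|out) on (?P<ifname>\w+): "
    r"(?P<src>\d+(?:\.\d+){3})(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+(?:\.\d+){3})(?:\.(?P<dport>\d+))?:"
)


def parse_pflog(text: str) -> list:
    """Return one dict per line that matches the pflog decode; skip the rest."""
    records = []
    for line in text.splitlines():
        m = PFLOG_RE.match(line)
        if not m:
            continue  # banner lines, truncated lines, non-IPv4 decodes
        rec = m.groupdict()
        rec["rule"] = int(rec["rule"])
        records.append(rec)
    return records


def blocked_records(records: list) -> list:
    """Only the packets pf dropped (logged pass rules are filtered out)."""
    return [r for r in records if r["action"] == "block"]


def summarize_blocks(records: list) -> Counter:
    """Count blocked packets per (interface, direction, rule number)."""
    return Counter(
        (r["ifname"], r["direction"], r["rule"]) for r in blocked_records(records)
    )


def records_for_host(records: list, host: str, blocked_only: bool = True) -> list:
    """Records where `host` is the exact source or destination address.

    Exact comparison matters: a textual `grep 192.168.200.11` also matches
    192.168.200.111, so it cannot separate those two LAN hosts.
    """
    out = []
    for r in records:
        if host not in (r["src"], r["dst"]):
            continue
        if blocked_only and r["action"] != "block":
            continue
        out.append(r)
    return out


if __name__ == "__main__":
    recs = parse_pflog(SAMPLE_PFLOG)
    for (ifname, direction, rule), n in sorted(summarize_blocks(recs).items()):
        print(f"{n:4d} blocked {direction:3s} on {ifname} by rule {rule}")
    for r in records_for_host(recs, "192.168.200.11"):
        print("blocked:", r["ts"], r["src"], "->", r["dst"], "rule", r["rule"])
```

Map the rule numbers back to pf.conf with `pfctl -vvsr`, which prints each loaded rule with its `@N` number. Note that `tcpdump | grep 192.168.200.11`, as in the quoted capture, also matches 192.168.200.111; comparing whole addresses, as `records_for_host` does, is what keeps the two hosts apart.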