From owner-freebsd-ipfw@FreeBSD.ORG Fri Jun 18 19:23:29 2004
Message-Id: <200406182122.2239016.6@btsoftware.com>
From: "Martin"
To: "freebsd-ipfw@freebsd.org", "Robert Downes"
Date: Fri, 18 Jun 2004 21:22:18 +0200 (CEST)
In-Reply-To: <40D3106A.9030403@lineone.net>
Subject: Re: Blocked outbound traffic - what is it?
List-Id: IPFW Technical Discussions

- Is rl0 your outside interface?
- Do you have natd on the outside interface, or reversed on the inside interface?
- Do you have multiple outside interfaces?
- 192.168.1.102: is this system on your internal network?
- Do you have a local DNS (or hosts file) running where you mapped away spying hosts?
- "out" means outgoing, but "via rl0" does not mean "out thru rl0". It could mean, more or less, "a packet having something to do with rl0, either in or out".
- Do you have rules in your FW that cause traffic to bypass natd?
- Do you have static natd routing?
- Do you do IP/port forwarding on specific ports?

Please post your rules.

Martin.
On Fri, 18 Jun 2004 16:55:22 +0100, Robert Downes wrote:
>Matthew McGehrin wrote:
>
>>You need to post your ruleset to the list along with some of your logs, or
>>you're not going to get a response.
>>
>The ruleset is the one posted to this list recently:
>
>http://lists.freebsd.org/mailman/htdig/freebsd-ipfw/2004-June/001182.html
>
>and some of the output of `cat /var/log/security | grep out`:
>
>Jun 18 15:32:37 epia kernel: ipfw: 450 Deny TCP 192.168.1.102:3066 64.158.223.128:80 out via rl0
>Jun 18 16:03:39 epia kernel: ipfw: 450 Deny TCP 192.168.1.102:3113 216.136.173.10:110 out via rl0
>Jun 18 16:07:56 epia kernel: ipfw: 450 Deny TCP 192.168.1.102:3118 213.189.140.44:80 out via rl0
>Jun 18 16:09:45 epia kernel: ipfw: 450 Deny TCP 192.168.1.102:3123 216.136.173.10:110 out via rl0
>Jun 18 16:23:39 epia kernel: ipfw: 450 Deny TCP 192.168.1.102:3136 216.136.173.10:110 out via rl0
>Jun 18 16:31:53 epia kernel: ipfw: 450 Deny TCP 192.168.1.102:3181 65.59.207.13:80 out via rl0
>Jun 18 16:31:58 epia kernel: ipfw: 450 Deny TCP 192.168.1.102:3181 65.59.207.13:80 out via rl0
>
>These are just a few of many similar entries. The requests to port 110
>are to a legitimate mail server. The requests to port 80 seem to be to
>banner-ad addresses, and to addresses that are legitimate but are not
>the same IP as the original browser request.
>
>But my point is: what feature of these packets is making them fail the
>filter, and why do I not seem to be missing anything on the pages (such
>as banner ads) even though requests are being blocked?
>
>If it's perfectly reasonable for these packets to be denied, then I'm
>happy with that. But I'm worried that something important is being
>killed on the spot. (Even though I can't work out what.)
>
>--
>Bob
>
>_______________________________________________
>freebsd-ipfw@freebsd.org mailing list
>http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
>To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
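The log lines Bob quoted all share one feature: the source address is 192.168.1.102, an RFC 1918 address, and the direction is "out" on rl0. If rl0 is the outside interface and natd is diverting on it, the only way a rule sees such a packet is before natd has rewritten the source, which is exactly what Martin's questions about natd placement and bypass rules are probing. The following script is an added example, not code from the thread or from FreeBSD; it parses ipfw log lines of the format shown above and tags outbound packets on a chosen outside interface as untranslated (RFC 1918 source) or translated (public source). The sample input is constructed from three of the quoted lines plus one invented line with a source in the 203.0.113.0/24 documentation range standing in for the router's public address; the interface name "rl0" is taken from the thread.

```python
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: three of the ipfw log lines quoted in this thread,
# plus one assumed line (not from the thread) whose source is a placeholder
# public address, so both classifications are exercised.
SAMPLE_LOG = """\
Jun 18 15:32:37 epia kernel: ipfw: 450 Deny TCP 192.168.1.102:3066 64.158.223.128:80 out via rl0
Jun 18 16:03:39 epia kernel: ipfw: 450 Deny TCP 192.168.1.102:3113 216.136.173.10:110 out via rl0
Jun 18 16:31:53 epia kernel: ipfw: 450 Deny TCP 192.168.1.102:3181 65.59.207.13:80 out via rl0
Jun 18 16:40:00 epia kernel: ipfw: 600 Accept TCP 203.0.113.5:3190 65.59.207.13:80 out via rl0
"""

# TCP/UDP entries as written by the ipfw kernel logger. ICMP entries carry no
# ports and a different protocol field, so this pattern deliberately skips them.
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>TCP|UDP) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) "
    r"(?P<direction>in|out) via (?P<iface>\w+)"
)

# Explicit RFC 1918 ranges. ipaddress's is_private also covers documentation
# and other special-use blocks, which is not what we want to test for here.
RFC1918 = [ipaddress.IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class IpfwEvent:
    rule: int
    action: str
    proto: str
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int
    direction: str
    iface: str


def is_rfc1918(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in RFC1918)


def parse_ipfw_line(line: str) -> Optional[IpfwEvent]:
    """Parse one syslog line; return None for lines that are not TCP/UDP ipfw entries."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return IpfwEvent(
        rule=int(m["rule"]),
        action=m["action"],
        proto=m["proto"],
        src=ipaddress.IPv4Address(m["src"]),
        sport=int(m["sport"]),
        dst=ipaddress.IPv4Address(m["dst"]),
        dport=int(m["dport"]),
        direction=m["direction"],
        iface=m["iface"],
    )


def classify(ev: IpfwEvent, outside_iface: str) -> str:
    """
    Label an event relative to the outside interface.

    'untranslated': outbound on the outside interface with an RFC 1918 source.
                    The rule matched the packet before natd rewrote it (divert
                    rule placed later, or bypassed), or no NAT is in place. Such a
                    packet could not be answered from the Internet anyway.
    'translated'  : outbound on the outside interface with a non-RFC 1918 source,
                    i.e. the post-NAT copy; denying these does break connections.
    'other'       : inbound, or a different interface.
    """
    if ev.iface != outside_iface or ev.direction != "out":
        return "other"
    return "untranslated" if is_rfc1918(ev.src) else "translated"


def summarize(log_text: str, outside_iface: str) -> dict:
    """Count events per (classification, action, destination port) for triage."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        ev = parse_ipfw_line(line)
        if ev is None:
            continue
        counts[(classify(ev, outside_iface), ev.action, ev.dport)] += 1
    return dict(counts)


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG, "rl0").items()):
        print(f"{n:3d}  {key}")
```

Run it against /var/log/security with the real outside interface name: a large "untranslated, Deny" bucket alongside working web and mail sessions is consistent with the deny rule seeing only the pre-NAT pass of each packet, while any "translated, Deny" entries are the ones that actually cost connections and deserve a look at the ruleset.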