Date:      Fri, 18 Jun 2004 21:22:18 +0200 (CEST)
From:      "Martin" <bts@iae.nl>
To:        "freebsd-ipfw@freebsd.org" <freebsd-ipfw@freebsd.org>, "Robert Downes" <nullentropy@lineone.net>
Subject:   Re: Blocked outbound traffic - what is it?
Message-ID:  <200406182122.2239016.6@btsoftware.com>
In-Reply-To: <40D3106A.9030403@lineone.net>

- Is rl0 your outside interface?
- Do you have natd on the outside interface, or reversed on the inside interface?
- Do you have multiple outside interfaces?
- 192.168.1.102: is this system on your internal network?
- Do you have a local DNS (or hosts file) running where you mapped away spying hosts?
- "out" means outgoing, but "via rl0" does not mean "out thru rl0". It could mean
  more or less "a packet having something to do with rl0, either in or out".
- Do you have rules in your FW causing traffic to bypass natd?
- Do you have static natd routing?
- Do you do IP/port forwarding on specific ports?

Please post your rules.

Martin.

On Fri, 18 Jun 2004 16:55:22 +0100, Robert Downes wrote:

>Matthew McGehrin wrote:
>
>>You need to post your ruleset to the list along with some of your logs, or
>>you're not going to get a response.
>>
>The ruleset is the one posted to this list recently:
>
>    http://lists.freebsd.org/mailman/htdig/freebsd-ipfw/2004-June/001182.html
>
>and some of the output of `cat /var/log/security | grep out`:
>
>Jun 18 15:32:37 epia kernel: ipfw: 450 Deny TCP 192.168.1.102:3066 64.158.223.128:80 out via rl0
>Jun 18 16:03:39 epia kernel: ipfw: 450 Deny TCP 192.168.1.102:3113 216.136.173.10:110 out via rl0
>Jun 18 16:07:56 epia kernel: ipfw: 450 Deny TCP 192.168.1.102:3118 213.189.140.44:80 out via rl0
>Jun 18 16:09:45 epia kernel: ipfw: 450 Deny TCP 192.168.1.102:3123 216.136.173.10:110 out via rl0
>Jun 18 16:23:39 epia kernel: ipfw: 450 Deny TCP 192.168.1.102:3136 216.136.173.10:110 out via rl0
>Jun 18 16:31:53 epia kernel: ipfw: 450 Deny TCP 192.168.1.102:3181 65.59.207.13:80 out via rl0
>Jun 18 16:31:58 epia kernel: ipfw: 450 Deny TCP 192.168.1.102:3181 65.59.207.13:80 out via rl0
>
>These are just a few of many similar entries. The requests to port 110 
>are to a legitimate mail server. The requests to port 80 seem to be to 
>banner-ad addresses, and to addresses that are legitimate but are not 
>the same IP as the original browser request.
>
>But my point is: what feature of these packets is making them fail the 
>filter, and why do I not seem to be missing anything on the pages (such 
>as banner ads) even though requests are being blocked?
>
>If it's perfectly reasonable for these packets to be denied, then I'm 
>happy with that. But I'm worried that something important is being 
>killed on the spot. (Even though I can't work out what.)
>
>-- 
>Bob
>
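One way to check the natd question Martin raises against Bob's log: if rl0 is the outside interface and natd is diverted there, a packet logged "out via rl0" that still carries an RFC 1918 source was denied before natd rewrote it (rule 450 sits in front of the divert rule, or the traffic skipped it). The script below is an added example, not code from either poster or from FreeBSD; the log lines and the interface name are constructed in the shape of the entries quoted above.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample in the same shape as the ipfw entries quoted in the thread;
# the last line uses a documentation address (203.0.113.0/24) as an already-NATed source.
SAMPLE_LOG = """\
Jun 18 15:32:37 epia kernel: ipfw: 450 Deny TCP 192.168.1.102:3066 64.158.223.128:80 out via rl0
Jun 18 16:03:39 epia kernel: ipfw: 450 Deny TCP 192.168.1.102:3113 216.136.173.10:110 out via rl0
Jun 18 16:31:53 epia kernel: ipfw: 450 Deny TCP 192.168.1.102:3181 65.59.207.13:80 out via rl0
Jun 18 16:40:01 epia kernel: ipfw: 450 Deny TCP 203.0.113.5:4001 198.51.100.9:443 out via rl0
"""

LINE_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\w+)"
)

# Explicit RFC 1918 test; ipaddress.is_private also matches documentation ranges, so it is not used.
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

def is_rfc1918(addr):
    a = ip_address(addr)
    return any(a in net for net in RFC1918)

def parse_ipfw(text):
    """Yield one dict per ipfw log line that matches the 'rule action proto src dst dir via iface' shape."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            entry = m.groupdict()
            for key in ("rule", "sport", "dport"):
                entry[key] = int(entry[key])
            yield entry

def untranslated_outbound(text, outside_iface):
    """Denied entries leaving outside_iface whose source is still a private address.

    With natd on outside_iface these packets should already carry the public address,
    so a private source means the deny fired before translation happened.
    """
    return [e for e in parse_ipfw(text)
            if e["dir"] == "out" and e["iface"] == outside_iface and is_rfc1918(e["src"])]

def summarize(entries):
    """Collapse 'many similar entries' into counts per (destination, port)."""
    return Counter((e["dst"], e["dport"]) for e in entries)

if __name__ == "__main__":
    for (dst, port), n in summarize(untranslated_outbound(SAMPLE_LOG, "rl0")).most_common():
        print(f"{n:3d} x private source -> {dst}:{port} denied out via rl0 before NAT")
```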