Date: Fri, 01 Mar 2002 12:51:34 -0600
From: Eric Anderson <anderson@centtech.com>
To: dweimer@swbell.net
Cc: "Freebsd-Security (E-mail)" <freebsd-security@freebsd.org>
Subject: Re: IPFilter Questions
Message-ID: <3C7FCDB6.FD151D09@centtech.com>
References: <000401c1c150$92091de0$0b62f00a@Happydays.Local>
Is it using FTP or HTTP to do the transfer?

Eric

"Dean E. Weimer" wrote:
>
> I recently set up IPFilter on my FreeBSD 4-5 system, and have most things
> working; one thing that isn't is HTTP downloads. I can browse the web just
> fine, and even right-click on an image and do a "save image as"; however, if I
> go to Microsoft's download page and try to download something, I receive the
> first packet, and everything else gets blocked. Here are the relevant rules
> from my ipf.rules file.
>
> pass in quick on tun0 proto tcp from any to any port = 80 flags S keep state keep frags
> block out log quick on tun0 proto tcp from 10.240.98.0/24 to any port = 80 keep state
> pass out quick on tun0 proto tcp from any to any port = 80 keep state
>
> block return-rst in log quick on tun0 proto tcp from any to any keep state
> block return-icmp-as-dest(port-unr) in log quick on tun0 proto udp from any to any keep state
> block in log on tun0 all
> block out log on tun0 all
>
> The first rule seems to work fine, allowing me to browse the web pages on my
> system just fine; it keeps the state open and allows port 80 out after it
> receives the connection. The second rule works fine, forcing my Windows
> clients to not use NAT and instead use the proxy server (SQUID 2.4-STABLE4
> running on the firewall server), which the third rule then allows to go out,
> and keeps the state open to allow text and images back in. Now what doesn't
> happen is downloads: if I click a link to download a file, I get the first
> packet, and then it hangs.
>
> Looking at the logs gives me this:
>
> First from ipmon:
> (date & time) @0:12 b 207.46.106.150,80 -> 64.218.106.107,2124 PR tcp len 20 1492 -A K-S IN
> (date & time) @65535:0 b 64.218.106.107,2124 -> 207.46.106.150,80 PR tcp len 20 1492 -A K-S IN
>
> Then with ipfstat -t:
> 64.218.106.107,2124 207.46.106.150,80 4/4 tcp 33 12927 0:15
> 207.46.106.150,80 64.218.106.107,2124 4/6 5 1700 1:59:31
>
> 64.218.106.150 was my DSL IP address at the time, and 207.46.106.151 is the
> IP address of Microsoft's server.
>
> The questions??
> What I want to know is why the download is being blocked, and not being
> passed in because of the state that should have been saved from the outbound
> connection? Did I just miss something simple??
> Also, is this the correct way to handle dynamic IPs? I have an "ipf -y"
> command in my link.up and link.down scripts.
>
> Thanks,
> Dean E. Weimer
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

--
------------------------------------------------------------------
Eric Anderson        Systems Administrator        Centaur Technology
If at first you don't succeed, sky diving is probably not for you.
------------------------------------------------------------------
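Whatever the transfer protocol turns out to be, the symptom Dean quotes (packets for a flow that is already in the state table still being logged as blocked) can be checked mechanically by correlating ipmon output with "ipfstat -t". The script below is an added example, not code from either poster; it assumes ipmon lines have had their timestamp and interface prefix stripped, as in Dean's quote, and that an ipfstat row without a protocol column is TCP.

```python
import re

# Shapes quoted in the thread: ipmon lines (timestamp/interface prefix assumed
# stripped) and "ipfstat -t" rows; the proto column is optional in the latter
# because one quoted row lacks it, and tcp is assumed there.
IPMON_RE = re.compile(
    r"@(?P<group>\d+):(?P<rule>\d+)\s+(?P<action>[bp])\s+"
    r"(?P<src>[\d.]+),(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+),(?P<dport>\d+)"
    r"\s+PR\s+(?P<proto>\w+)\s+len\s+\d+\s+\d+(?:\s+-(?P<flags>[A-Z]+))?"
    r"(?:\s+K-S)?\s+(?P<dir>IN|OUT)")
IPFSTAT_RE = re.compile(
    r"^\s*(?P<src>[\d.]+),(?P<sport>\d+)\s+(?P<dst>[\d.]+),(?P<dport>\d+)"
    r"\s+(?P<state>\d+/\d+)(?:\s+(?P<proto>[a-z]+))?")

def flow_key(proto, a, ap, b, bp):
    """Direction-independent key: both halves of a connection compare equal."""
    return (proto.lower(), tuple(sorted([(a, int(ap)), (b, int(bp))])))

def state_table(ipfstat_lines):
    """Map flow key -> state column, built from 'ipfstat -t' rows."""
    table = {}
    for line in ipfstat_lines:
        m = IPFSTAT_RE.match(line)
        if m:
            proto = m.group("proto") or "tcp"  # assumed when the column is absent
            table[flow_key(proto, m["src"], m["sport"], m["dst"], m["dport"])] = m["state"]
    return table

def blocked_despite_state(ipmon_lines, ipfstat_lines):
    """Blocked ipmon packets whose 4-tuple already has a state entry: a 'keep state'
    rule should have passed them. Each hit: (blocking rule, direction, flags, state)."""
    states, hits = state_table(ipfstat_lines), []
    for line in ipmon_lines:
        m = IPMON_RE.search(line)
        if m and m["action"] == "b":
            key = flow_key(m["proto"], m["src"], m["sport"], m["dst"], m["dport"])
            if key in states:
                hits.append((f"@{m['group']}:{m['rule']}", m["dir"], m["flags"], states[key]))
    return hits

# Constructed samples shaped like the thread's output (addresses from the thread).
IPMON_SAMPLE = [
    "@0:12 b 207.46.106.150,80 -> 64.218.106.107,2124 PR tcp len 20 1492 -A K-S IN",
    "@65535:0 b 64.218.106.107,2124 -> 207.46.106.150,80 PR tcp len 20 1492 -A K-S IN",
    "@0:3 p 64.218.106.107,2125 -> 207.46.106.150,80 PR tcp len 20 48 -S OUT"]
IPFSTAT_SAMPLE = [
    "64.218.106.107,2124 207.46.106.150,80 4/4 tcp 33 12927 0:15",
    "207.46.106.150,80 64.218.106.107,2124 4/6 5 1700 1:59:31"]
```

Each hit names the rule number that did the blocking (from the "@group:rule" field), which is the place to start when a packet that belongs to a tracked connection is still being dropped.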