From: "Nicholas von Waltsleben" <nicv@korbitec.com>
To: freebsd-questions@freebsd.org
Date: Tue, 6 Jun 2006 10:04:46 +0200
Subject: ipf blocking packets from proxy servers

Hi list,

I have been running FreeBSD servers as firewalls for several years now and recently installed a new 6.1 server (6.1-RELEASE FreeBSD 6.1-RELEASE #1) in the place of a 5.4 box that I had installed last year. Since replacing the box my users have had connection problems with their SOAP applications hosted behind the firewall.

The symptoms were applications hanging intermittently and massive delays in transactions (up to 2 minutes or more). I eventually realised that this only happened when the users were using our Squid proxy server, so I had our Windows admin bloke change the group policy to allow them to bypass the proxy when connecting to the servers. Problem solved, I thought... Wrong: now some of our clients are having the same problems and, guess what, they too are using Squid proxies.

I have been doing some digging this morning and noticed the following while running ipmon:

06/06/2006 09:19:41.056085 STATE:NEW 165.165.192.80,65431 -> 196.7.156.157,80 PR tcp
06/06/2006 09:19:41.557534 STATE:NEW 165.165.192.80,52159 -> 196.7.156.157,80 PR tcp
06/06/2006 09:19:42.010889 em0 @1:19 b 165.165.192.80,53088 -> 196.7.156.157,80 PR tcp len 20 48 -S IN OOW
06/06/2006 09:19:42.063731 STATE:NEW 165.165.192.80,63975 -> 196.7.156.157,80 PR tcp
06/06/2006 09:19:42.564807 STATE:NEW 165.165.192.80,54989 -> 196.7.156.157,80 PR tcp

The 165.x.x.x IP address is from an ADSL line I was using to see what was happening to my packets (I was the only person using the line, so it made tcpdumps etc. easier to interpret).

Now here is an extract from my ipfstat -ni:

@2 block in quick on em0 all head 1
...
@10 pass in quick on em0 proto tcp from any to 196.7.156.157/32 port = http keep state keep frags group 1
...
@19 block in log quick on em0 all group 1

And finally my question: if rule 10 specifically allows all traffic to 196.7.156.157 on port 80, why are packets being blocked?

Sorry if this is an extremely noob question and I have overlooked something obvious. I will of course be researching this in the meantime, but if anyone could shed some light on this matter I would greatly appreciate it.

Regards,
Nicholas von Waltsleben
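The ipmon lines quoted in the post, run through a small parser, as an added example (my code, not the poster's or the ipfilter project's): it separates the STATE:NEW entries from the rule hit and reports, for each blocked packet, the rule that fired, the TCP flags, and whether ipmon appended its OOW marker, which it prints for a packet that failed the state engine's TCP window (out-of-window) check rather than matching the existing state. The regular expression, the Record field names and the summarise/report helpers are my assumptions built from the two line shapes quoted above; other ipmon record types (NAT, ICMP, short packets) are not handled.

```python
"""Parse ipmon(8) output and summarise which packets a rule blocked.

Added example, not from the post. The two line shapes handled are the
ones quoted in the post: STATE:NEW entries and a rule-hit entry that
carries the trailing "IN OOW" marker.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample input: the five ipmon lines quoted in the post.
SAMPLE_LOG = """\
06/06/2006 09:19:41.056085 STATE:NEW 165.165.192.80,65431 -> 196.7.156.157,80 PR tcp
06/06/2006 09:19:41.557534 STATE:NEW 165.165.192.80,52159 -> 196.7.156.157,80 PR tcp
06/06/2006 09:19:42.010889 em0 @1:19 b 165.165.192.80,53088 -> 196.7.156.157,80 PR tcp len 20 48 -S IN OOW
06/06/2006 09:19:42.063731 STATE:NEW 165.165.192.80,63975 -> 196.7.156.157,80 PR tcp
06/06/2006 09:19:42.564807 STATE:NEW 165.165.192.80,54989 -> 196.7.156.157,80 PR tcp
""".splitlines()

# One pattern covering both shapes (assumed from the quoted lines):
#   <date> <time> STATE:<what> <src>,<sport> -> <dst>,<dport> PR <proto>
#   <date> <time> <if> @<group>:<rule> <action> <src>,<sport> -> <dst>,<dport>
#          PR <proto> len <hdrlen> <totlen> <flags> IN|OUT [OOW]
IPMON_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+)\s+"
    r"(?:STATE:(?P<state>[A-Z]+)|(?P<iface>\S+)\s+@(?P<group>\d+):(?P<rule>\d+)\s+(?P<action>\S))\s+"
    r"(?P<src>[\d.]+),(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+),(?P<dport>\d+)\s+PR\s+(?P<proto>\w+)"
    r"(?:\s+len\s+(?P<hlen>\d+)\s+(?P<tlen>\d+)\s+(?P<flags>\S+)\s+(?P<dir>IN|OUT)(?P<extra>.*))?\s*$"
)


@dataclass
class Record:
    kind: str                      # "state" for STATE:* lines, "rule" for rule hits
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    state: Optional[str] = None    # NEW, EXPIRE, ... on state lines
    rule: Optional[str] = None     # "group:rule", e.g. "1:19"
    action: Optional[str] = None   # b = block, p = pass (ipmon's one-letter action)
    flags: Optional[str] = None    # TCP flags as ipmon prints them, e.g. "-S"
    direction: Optional[str] = None
    oow: bool = False              # ipmon's out-of-window marker was present


def parse_line(line: str) -> Optional[Record]:
    """Return a Record for a recognised ipmon line, or None for anything else."""
    m = IPMON_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    base = (g["src"], int(g["sport"]), g["dst"], int(g["dport"]), g["proto"])
    if g["state"]:
        return Record("state", *base, state=g["state"])
    extra = (g["extra"] or "").split()
    return Record("rule", *base, rule=f"{g['group']}:{g['rule']}", action=g["action"],
                  flags=g["flags"], direction=g["dir"], oow="OOW" in extra)


def summarise(lines: List[str]) -> Dict[str, object]:
    """Count new state entries, blocks per rule, and blocks ipmon flagged OOW."""
    records = [r for r in map(parse_line, lines) if r is not None]
    new_states = [r for r in records if r.kind == "state" and r.state == "NEW"]
    blocked = [r for r in records if r.kind == "rule" and r.action == "b"]
    return {
        "parsed": len(records),
        "new_states": len(new_states),
        "blocked_by_rule": dict(Counter(r.rule for r in blocked)),
        "oow_blocks": [r for r in blocked if r.oow],
    }


def report(lines: List[str]) -> List[str]:
    """One readable line per blocked packet, saying whether the OOW marker was set."""
    out = []
    for r in map(parse_line, lines):
        if r is None or r.kind != "rule" or r.action != "b":
            continue
        note = ("OOW marker set: rejected by the TCP state check as out of window"
                if r.oow else "plain rule block, no OOW marker")
        out.append(f"rule {r.rule} blocked {r.src}:{r.sport} -> {r.dst}:{r.dport} "
                   f"{r.proto} flags={r.flags} dir={r.direction}: {note}")
    return out


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

On the quoted sample this reports a single block, by rule 1:19, of an inbound SYN (flags -S) from 165.165.192.80 port 53088 with the OOW marker set, while the four STATE:NEW lines are counted separately; feeding it a longer ipmon capture lets you see whether every block for the proxy's address carries OOW or whether some are plain rule blocks.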