Date:      Wed, 10 Jan 2001 23:21:18 -0500
From:      Jonathan Pennington <john@coastalgeology.org>
To:        freebsd-security@freebsd.org
Subject:   Cannot access certain sites through firewall
Message-ID:  <20010110232117.A10054@coastalgeology.org>

Hello,
I am having a problem with accessing certain websites from my internal
network.

System 4.2-STABLE, Dec-21. PPPoE through tun0 with an external Alcatel
modem connected to ed1 and an internal network with one Windows
computer and my FreeBSD 4.2-STABLE laptop that can access most
websites, but not all. www.cityspree.com is the one in the logs, but
www.signals.com, www.pigglywiggly.com and others are on the list.

I can access everything from the firewall computer, including the
sites that cannot be accessed from the internal network. The tun0
interface is mtu 1492, ed0 (internal) and ed1 (external) were 1500,
but the same thing happens with all at 1492. (I read in the archives
about natd mangling packets due to different sizes). From the logs, it
looks like things are travelling through, but Netscape just
waits. Specifically, Netscape stops at "Connect: Host... contacted.
Waiting for reply." However, I can ping those addresses and not lose
packets. Even when I open the firewall up by flushing all
rules and allowing everything, these sites are not working. What am I
doing wrong? Is this a problem with my natd translation? I am using
natd unmodified (i.e. I set no configs myself), but why would that stop
only some sites (I can access https)?

I'm not on this list, but will watch the geocrawler archives. I
appreciate any help. Log snippet of attempt to visit www.cityspree.com
and www.signals.com after successfully pinging signals.com and a copy
of my firewall rules follow.

----------------------------------------------------------------
Jan 10 23:00:00 bullwinkle newsyslog[10356]: logfile turned over
##################
Jan 10 23:01:50 bullwinkle /kernel: ipfw: 850 Accept TCP 216.78.159.182:62486 216.35.68.25:80 out via tun0
Jan 10 23:02:47 bullwinkle /kernel: ipfw: 850 Accept TCP 216.78.159.182:33439 63.71.95.177:80 out via tun0
Jan 10 23:03:11 bullwinkle /kernel: ipfw: 65435 Accept ICMP:8.0 216.78.159.182 216.35.68.25 out via tun0
Jan 10 23:03:11 bullwinkle /kernel: ipfw: 65435 Accept ICMP:0.0 216.35.68.25 192.168.10.3 in via tun0
Jan 10 23:03:12 bullwinkle /kernel: ipfw: 65435 Accept ICMP:8.0 216.78.159.182 216.35.68.25 out via tun0
Jan 10 23:03:12 bullwinkle /kernel: ipfw: 65435 Accept ICMP:0.0 216.35.68.25 192.168.10.3 in via tun0
Jan 10 23:03:13 bullwinkle /kernel: ipfw: 65435 Accept ICMP:8.0 216.78.159.182 216.35.68.25 out via tun0
Jan 10 23:03:13 bullwinkle /kernel: ipfw: 65435 Accept ICMP:0.0 216.35.68.25 192.168.10.3 in via tun0
Jan 10 23:03:14 bullwinkle /kernel: ipfw: 65435 Accept ICMP:8.0 216.78.159.182 216.35.68.25 out via tun0
Jan 10 23:03:14 bullwinkle /kernel: ipfw: 65435 Accept ICMP:0.0 216.35.68.25 192.168.10.3 in via tun0
Jan 10 23:03:22 bullwinkle /kernel: ipfw: 1550 Accept UDP 205.152.0.20:53 192.168.10.2:137 in via tun0
Jan 10 23:03:25 bullwinkle /kernel: ipfw: 65435 Accept ICMP:8.0 216.78.159.182 63.71.95.177 out via tun0
Jan 10 23:03:25 bullwinkle /kernel: ipfw: 65435 Accept ICMP:0.0 63.71.95.177 192.168.10.3 in via tun0
Jan 10 23:03:26 bullwinkle /kernel: ipfw: 65435 Accept ICMP:8.0 216.78.159.182 63.71.95.177 out via tun0
Jan 10 23:03:26 bullwinkle /kernel: ipfw: 65435 Accept ICMP:0.0 63.71.95.177 192.168.10.3 in via tun0
Jan 10 23:03:27 bullwinkle /kernel: ipfw: 65435 Accept ICMP:8.0 216.78.159.182 63.71.95.177 out via tun0
Jan 10 23:03:27 bullwinkle /kernel: ipfw: 65435 Accept ICMP:0.0 63.71.95.177 192.168.10.3 in via tun0
Jan 10 23:03:28 bullwinkle /kernel: ipfw: 65435 Accept ICMP:8.0 216.78.159.182 63.71.95.177 out via tun0
Jan 10 23:03:28 bullwinkle /kernel: ipfw: 65435 Accept ICMP:0.0 63.71.95.177 192.168.10.3 in via tun0
Jan 10 23:03:48 bullwinkle /kernel: ipfw: 850 Accept TCP 216.78.159.182:58680 216.136.204.21:80 out via tun0
Jan 10 23:03:49 bullwinkle /kernel: ipfw: 850 Accept TCP 216.78.159.182:56779 216.136.204.21:80 out via tun0
Jan 10 23:03:49 bullwinkle /kernel: ipfw: 850 Accept TCP 216.78.159.182:46765 216.136.204.21:80 out via tun0
Jan 10 23:03:50 bullwinkle /kernel: ipfw: 850 Accept TCP 216.78.159.182:35950 216.136.204.21:80 out via tun0
Jan 10 23:05:48 bullwinkle /kernel: ipfw: 350 Divert 8668 TCP 216.78.159.182:1078 216.136.204.21:80 out via tun0
Jan 10 23:05:48 bullwinkle /kernel: ipfw: 350 Divert 8668 TCP 216.78.159.182:1081 216.35.68.25:80 out via tun0
Jan 10 23:05:48 bullwinkle /kernel: ipfw: 950 Accept TCP 216.78.159.182:40600 216.136.204.21:80 out via tun0
Jan 10 23:05:48 bullwinkle /kernel: ipfw: 850 Accept TCP 216.78.159.182:41953 216.35.68.25:80 out via tun0
Jan 10 23:05:48 bullwinkle /kernel: ipfw: 350 Divert 8668 TCP 216.35.68.25:80 216.78.159.182:1081 in via tun0
Jan 10 23:05:48 bullwinkle /kernel: ipfw: 950 Accept TCP 216.35.68.25:80 192.168.10.3:1081 in via tun0
Jan 10 23:05:48 bullwinkle /kernel: ipfw: 350 Divert 8668 TCP 216.78.159.182:1081 216.35.68.25:80 out via tun0
Jan 10 23:05:48 bullwinkle /kernel: ipfw: 950 Accept TCP 216.78.159.182:41953 216.35.68.25:80 out via tun0
Jan 10 23:05:48 bullwinkle /kernel: ipfw: 350 Divert 8668 TCP 216.136.204.21:80 216.78.159.182:1078 in via tun0
Jan 10 23:05:48 bullwinkle /kernel: ipfw: 950 Accept TCP 216.136.204.21:80 192.168.10.3:1078 in via tun0
Jan 10 23:05:48 bullwinkle /kernel: ipfw: 350 Divert 8668 TCP 216.78.159.182:1081 216.35.68.25:80 out via tun0
Jan 10 23:05:48 bullwinkle /kernel: ipfw: 950 Accept TCP 216.78.159.182:41953 216.35.68.25:80 out via tun0
Jan 10 23:05:48 bullwinkle /kernel: ipfw: 350 Divert 8668 TCP 216.35.68.25:80 216.78.159.182:1081 in via tun0
Jan 10 23:05:48 bullwinkle /kernel: ipfw: 950 Accept TCP 216.35.68.25:80 192.168.10.3:1081 in via tun0
Jan 10 23:05:57 bullwinkle /kernel: ipfw: 350 Divert 8668 TCP 216.78.159.182:1071 66.37.205.21:80 out via tun0
Jan 10 23:05:57 bullwinkle /kernel: ipfw: 950 Accept TCP 216.78.159.182:35306 66.37.205.21:80 out via tun0
Jan 10 23:05:57 bullwinkle /kernel: ipfw: 350 Divert 8668 TCP 216.78.159.182:1074 63.71.95.177:80 out via tun0
Jan 10 23:05:57 bullwinkle /kernel: ipfw: 950 Accept TCP 216.78.159.182:59397 63.71.95.177:80 out via tun0
Jan 10 23:07:01 bullwinkle /kernel: ipfw: 350 Divert 8668 TCP 216.78.159.182:1071 66.37.205.21:80 out via tun0
Jan 10 23:07:01 bullwinkle /kernel: ipfw: 950 Accept TCP 216.78.159.182:35306 66.37.205.21:80 out via tun0
Jan 10 23:07:01 bullwinkle /kernel: ipfw: 350 Divert 8668 TCP 216.78.159.182:1074 63.71.95.177:80 out via tun0
Jan 10 23:07:01 bullwinkle /kernel: ipfw: 950 Accept TCP 216.78.159.182:59397 63.71.95.177:80 out via tun0
Jan 10 23:08:05 bullwinkle /kernel: ipfw: 350 Divert 8668 TCP 216.78.159.182:1071 66.37.205.21:80 out via tun0
Jan 10 23:08:05 bullwinkle /kernel: ipfw: 950 Accept TCP 216.78.159.182:35306 66.37.205.21:80 out via tun0
Jan 10 23:08:05 bullwinkle /kernel: ipfw: 350 Divert 8668 TCP 216.78.159.182:1074 63.71.95.177:80 out via tun0
Jan 10 23:08:05 bullwinkle /kernel: ipfw: 950 Accept TCP 216.78.159.182:59397 63.71.95.177:80 out via tun0
Jan 10 23:09:09 bullwinkle /kernel: ipfw: 350 Divert 8668 TCP 216.78.159.182:1071 66.37.205.21:80 out via tun0
Jan 10 23:09:09 bullwinkle /kernel: ipfw: 950 Accept TCP 216.78.159.182:35306 66.37.205.21:80 out via tun0
Jan 10 23:09:09 bullwinkle /kernel: ipfw: 350 Divert 8668 TCP 216.78.159.182:1074 63.71.95.177:80 out via tun0
Jan 10 23:09:09 bullwinkle /kernel: ipfw: 950 Accept TCP 216.78.159.182:59397 63.71.95.177:80 out via tun0
Jan 10 23:10:13 bullwinkle /kernel: ipfw: 350 Divert 8668 TCP 216.78.159.182:1071 66.37.205.21:80 out via tun0
Jan 10 23:10:13 bullwinkle /kernel: ipfw: 950 Accept TCP 216.78.159.182:35306 66.37.205.21:80 out via tun0
Jan 10 23:10:13 bullwinkle /kernel: ipfw: 350 Divert 8668 TCP 216.78.159.182:1074 63.71.95.177:80 out via tun0
Jan 10 23:10:13 bullwinkle /kernel: ipfw: 950 Accept TCP 216.78.159.182:59397 63.71.95.177:80 out via tun0


-------------------------------------------------------
${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny all from any to 127.0.0.0/8
${fwcmd} add 250 allow tcp from 127.0.0.1 to 127.0.0.1 51966

$fwcmd add divert natd log all from any to any via tun0

$fwcmd add allow ip from any to any via lo0
$fwcmd add allow ip from any to any via ed0
$fwcmd add deny all from any to 192.168.10.0/24 in via ed1
$fwcmd add deny all from 192.168.10.0/24 to any out via ed1

$fwcmd add allow log tcp from any to any out xmit tun0 setup
$fwcmd add allow log tcp from any to any via tun0 established

$fwcmd add allow log tcp from any to any 80 setup
$fwcmd add allow log tcp from any 80 to any in via tun0
$fwcmd add allow log tcp from any to any 22 setup
$fwcmd add allow log tcp from 209.85.3.25 to any 2222 setup
$fwcmd add pass tcp from any to any 25 setup
$fwcmd add allow log udp from any to 192.168.10.2 in via tun0
$fwcmd add allow log tcp from any to 192.168.10.2 in via tun0

$fwcmd add allow log tcp from any to any 113 in recv tun0
$fwcmd add allow udp from any to 205.152.0.20 53 out xmit tun0
$fwcmd add allow udp from any to 205.152.0.5 53 out xmit tun0

$fwcmd add allow udp from 205.152.0.0/16 53 to any in recv tun0

$fwcmd add 65435 allow log icmp from any to any

$fwcmd add deny all from 192.168.10.0/24 to any in via tun0

$fwcmd add pass all from any to any frag

$fwcmd add deny log tcp from any to any in via tun0 setup

$fwcmd add 65435 allow ip from any to any out xmit tun0

$fwcmd add 65435 allow log udp from any to any 6970 in via tun0

$fwcmd add 65435 deny log ip from any to any in via tun0
--------------------------------------------------------
-- 
Jonathan Pennington		| http://coastalgeology.org
Site Manager			| Protection and stewardship
CoastalGeology.Org (CGO)	| through public education.
john@coastalgeology.org		| Join CGO, make a difference.
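The log excerpt in the post is the kind of thing worth summarising mechanically rather than by eye. The following is an added example (not part of the original post or of FreeBSD's ipfw tooling): a small parser for the syslog lines that ipfw's `log` option produces, which groups the TCP packets accepted on tun0 by remote host and reports, per host, how many packets were accepted outbound, how many inbound, and over what time span. The sample input is a subset of the log lines copied from the post; the regex, the function names and the 30-second threshold are assumptions of this example. Against that input it separates the two hosts that show both directions (216.35.68.25, 216.136.204.21) from the two that show only outbound packets repeating at roughly one-minute intervals (63.71.95.177, 66.37.205.21), which is the observation to take to any MTU or NAT investigation like the one the poster describes.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample input: a subset of the ipfw log lines quoted in the post (copied, not constructed).
SAMPLE_LOG = """\
Jan 10 23:03:11 bullwinkle /kernel: ipfw: 65435 Accept ICMP:8.0 216.78.159.182 216.35.68.25 out via tun0
Jan 10 23:03:11 bullwinkle /kernel: ipfw: 65435 Accept ICMP:0.0 216.35.68.25 192.168.10.3 in via tun0
Jan 10 23:03:22 bullwinkle /kernel: ipfw: 1550 Accept UDP 205.152.0.20:53 192.168.10.2:137 in via tun0
Jan 10 23:05:48 bullwinkle /kernel: ipfw: 350 Divert 8668 TCP 216.78.159.182:1078 216.136.204.21:80 out via tun0
Jan 10 23:05:48 bullwinkle /kernel: ipfw: 950 Accept TCP 216.78.159.182:40600 216.136.204.21:80 out via tun0
Jan 10 23:05:48 bullwinkle /kernel: ipfw: 850 Accept TCP 216.78.159.182:41953 216.35.68.25:80 out via tun0
Jan 10 23:05:48 bullwinkle /kernel: ipfw: 950 Accept TCP 216.35.68.25:80 192.168.10.3:1081 in via tun0
Jan 10 23:05:48 bullwinkle /kernel: ipfw: 950 Accept TCP 216.136.204.21:80 192.168.10.3:1078 in via tun0
Jan 10 23:05:57 bullwinkle /kernel: ipfw: 950 Accept TCP 216.78.159.182:35306 66.37.205.21:80 out via tun0
Jan 10 23:05:57 bullwinkle /kernel: ipfw: 950 Accept TCP 216.78.159.182:59397 63.71.95.177:80 out via tun0
Jan 10 23:07:01 bullwinkle /kernel: ipfw: 950 Accept TCP 216.78.159.182:35306 66.37.205.21:80 out via tun0
Jan 10 23:07:01 bullwinkle /kernel: ipfw: 950 Accept TCP 216.78.159.182:59397 63.71.95.177:80 out via tun0
Jan 10 23:08:05 bullwinkle /kernel: ipfw: 950 Accept TCP 216.78.159.182:35306 66.37.205.21:80 out via tun0
Jan 10 23:08:05 bullwinkle /kernel: ipfw: 950 Accept TCP 216.78.159.182:59397 63.71.95.177:80 out via tun0
"""

# Assumed shape of an ipfw syslog line: timestamp, host, "/kernel: ipfw:", rule number,
# action (Accept / Deny / Divert <port>), protocol, src, dst, direction, "via" interface.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ /kernel: ipfw: (?P<rule>\d+) "
    r"(?P<action>Accept|Deny|Divert \d+) (?P<proto>\S+) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<dir>in|out) via (?P<iface>\S+)$"
)


def split_endpoint(token):
    """'1.2.3.4:80' -> ('1.2.3.4', 80); an ICMP endpoint has no port -> ('1.2.3.4', None)."""
    if ":" in token:
        addr, port = token.rsplit(":", 1)
        return addr, int(port)
    return token, None


def parse_line(line):
    """Parse one ipfw log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, sport = split_endpoint(m["src"])
    dst, dport = split_endpoint(m["dst"])
    return {
        # Year is absent from syslog timestamps; strptime defaults to 1900, which is fine for spans.
        "ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),
        "rule": int(m["rule"]),
        "action": m["action"].split()[0],
        "proto": m["proto"],
        "src": src, "sport": sport, "dst": dst, "dport": dport,
        "dir": m["dir"], "iface": m["iface"],
    }


def summarize_tcp(log_text, iface="tun0"):
    """Per remote host: count of accepted TCP packets out/in on `iface` and first/last timestamp."""
    flows = defaultdict(lambda: {"out": 0, "in": 0, "first": None, "last": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP" or rec["iface"] != iface or rec["action"] != "Accept":
            continue  # Divert lines are natd's view of the same packet; count only what was passed.
        remote = rec["dst"] if rec["dir"] == "out" else rec["src"]
        f = flows[remote]
        f[rec["dir"]] += 1
        f["first"] = rec["ts"] if f["first"] is None else min(f["first"], rec["ts"])
        f["last"] = rec["ts"] if f["last"] is None else max(f["last"], rec["ts"])
    return dict(flows)


def span_seconds(flow):
    """Seconds between the first and last accepted packet for one remote host."""
    return int((flow["last"] - flow["first"]).total_seconds())


def one_way_remotes(flows, min_span_s=30):
    """Remote hosts with outbound packets accepted, nothing accepted inbound, repeating over >= min_span_s."""
    return sorted(
        r for r, f in flows.items()
        if f["in"] == 0 and f["out"] >= 2 and span_seconds(f) >= min_span_s
    )


if __name__ == "__main__":
    flows = summarize_tcp(SAMPLE_LOG)
    for remote, f in sorted(flows.items()):
        print(f"{remote:16} out={f['out']} in={f['in']} span={span_seconds(f)}s")
    print("outbound-only hosts:", one_way_remotes(flows))
```

Run it as-is to see the per-host table; feed it a whole `/var/log/security` instead of `SAMPLE_LOG` to apply the same grouping to a live log. Because the post's rule set logs the `setup` packet under one rule (850) and later packets of the connection under another (950), the counts here deliberately ignore rule numbers and key only on direction and remote address.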


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010110232117.A10054>