Date: Fri, 1 Mar 2002 12:40:32 -0600
From: "Dean E. Weimer" <dweimer@happydays.dyndns.org>
To: "Freebsd-Security (E-mail)" <freebsd-security@FreeBSD.ORG>
Subject: IPFilter Questions
Message-ID: <000401c1c150$92091de0$0b62f00a@Happydays.Local>
I recently set up IPFilter on my FreeBSD 4-5 system, and have most things working. One thing that isn't is HTTP downloads: I can browse the web just fine, and even right-click on an image and do a "save image as"; however, if I go to Microsoft's download page and try to download something, I receive the first packet, and everything else gets blocked. Here are the relevant rules from my ipf.rules file:

pass in quick on tun0 proto tcp from any to any port = 80 flags S keep state keep frags
block out log quick on tun0 proto tcp from 10.240.98.0/24 to any port = 80 keep state
pass out quick on tun0 proto tcp from any to any port = 80 keep state
block return-rst in log quick on tun0 proto tcp from any to any keep state
block return-icmp-as-dest(port-unr) in log quick on tun0 proto udp from any to any keep state
block in log on tun0 all
block out log on tun0 all

The first rule seems to work fine, allowing me to browse web pages on my system just fine; it keeps the state open and allows port 80 out after it receives the connection. The second rule works fine, forcing my Windows clients to not use NAT and instead use the proxy server (Squid 2.4-STABLE4 running on the firewall server), which the third rule then allows to go out, and keeps the state open to allow text and images back in. Now what doesn't happen is downloads: if I click a link to download a file, I get the first packet, and then it hangs. Looking at the logs gives me this. First from ipmon:

(date & time) @0:12 b 207.46.106.150,80 -> 64.218.106.107,2124 PR tcp len 20 1492 -A K-S IN
(date & time) @65535:0 b 64.218.106.107,2124 -> 207.46.106.150,80 PR tcp len 20 1492 -A K-S IN

Then with ipfstat -t:

64.218.106.107,2124 207.46.106.150,80 4/4 tcp 33 12927 0:15
207.46.106.150,80 64.218.106.107,2124 4/6 5 1700 1:59:31

64.218.106.150 was my DSL IP address at the time, and 207.46.106.151 is the IP address of Microsoft's server.

The questions?

What I want to know is why the download is being blocked, and not being passed in because of the state that should have been saved from the outbound connection? Did I just miss something simple? Also, is this the correct way to handle dynamic IPs? I have an "ipf -y" command in my link.up and link.down scripts.

Thanks,
Dean E. Weimer
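A small diagnostic to go with the symptom described in the post, written here as an added example (it is not Dean's code and not part of IPFilter): it parses ipmon log lines and ipfstat -t state lines in the shape quoted above and lists every blocked packet whose connection, in either direction, already has an entry in the state table. The sample input is constructed from the output in the post; the timestamps are placeholders standing in for "(date & time)", the third ipmon line (a passed proxy connection) is made up to show a non-match, and the second ipfstat line deliberately omits the protocol column, as it does in the post, so the parser tolerates that.

```python
"""Correlate ipmon 'b' (block) lines with ipfstat -t state entries.

Added example, not from the post: flag packets that ipmon logged as
blocked even though ipfstat -t shows a state entry for the same TCP
connection, which is the symptom the post describes.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

Flow = Tuple[str, int, str, int]  # (src, sport, dst, dport)

# Constructed sample in the shape of the ipmon output quoted in the post;
# the timestamps are placeholders, the post shows them as "(date & time)".
IPMON_LOG = """\
01/03/2002 12:30:01.000000 @0:12 b 207.46.106.150,80 -> 64.218.106.107,2124 PR tcp len 20 1492 -A K-S IN
01/03/2002 12:30:01.000100 @65535:0 b 64.218.106.107,2124 -> 207.46.106.150,80 PR tcp len 20 1492 -A K-S IN
01/03/2002 12:30:02.000000 @0:3 p 10.240.98.5,1055 -> 10.240.98.1,3128 PR tcp len 20 48 -S IN
"""

# Constructed sample in the shape of the ipfstat -t output in the post;
# the second line, as in the post, has no protocol column.
IPFSTAT_T = """\
64.218.106.107,2124 207.46.106.150,80 4/4 tcp 33 12927 0:15
207.46.106.150,80 64.218.106.107,2124 4/6 5 1700 1:59:31
"""

# @group:rule action src,sport -> dst,dport PR proto len hlen plen [-flags] [K-S] IN|OUT
IPMON_RE = re.compile(
    r"@(?P<group>\d+):(?P<rule>\d+)\s+(?P<action>[A-Za-z])\s+"
    r"(?P<src>[\d.]+),(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+),(?P<dport>\d+)\s+"
    r"PR\s+(?P<proto>\w+)\s+len\s+\d+\s+\d+(?:\s+(?P<flags>-[A-Z]+))?"
    r"(?:\s+(?P<ks>K-S))?\s+(?P<dir>IN|OUT)"
)

# src,sport dst,dport a/b [proto] pkts bytes ttl  (proto column optional)
STATE_RE = re.compile(
    r"^(?P<src>[\d.]+),(?P<sport>\d+)\s+(?P<dst>[\d.]+),(?P<dport>\d+)\s+"
    r"(?P<s1>\d+)/(?P<s2>\d+)(?:\s+(?P<proto>[a-z]+))?\s+(?P<pkts>\d+)\s+"
    r"(?P<bytes>\d+)\s+(?P<ttl>[\d:]+)\s*$"
)


@dataclass
class LogEntry:
    group: int
    rule: int
    action: str            # ipmon single-letter code: 'b' block, 'p' pass
    flow: Flow
    proto: str
    flags: Optional[str]   # TCP flags token such as "-A" or "-S", if present
    keep_state: bool       # "K-S" present: the matching rule had keep state
    direction: str


@dataclass
class StateEntry:
    flow: Flow
    state: Tuple[int, int]   # the a/b pair ipfstat prints; not interpreted here
    proto: Optional[str]
    pkts: int
    bytes: int
    ttl: str


def parse_ipmon(text: str) -> List[LogEntry]:
    entries: List[LogEntry] = []
    for line in text.splitlines():
        m = IPMON_RE.search(line)
        if not m:
            continue  # line in a shape we do not recognise: skip it
        entries.append(LogEntry(
            group=int(m["group"]), rule=int(m["rule"]), action=m["action"].lower(),
            flow=(m["src"], int(m["sport"]), m["dst"], int(m["dport"])),
            proto=m["proto"], flags=m["flags"], keep_state=m["ks"] is not None,
            direction=m["dir"]))
    return entries


def parse_states(text: str) -> List[StateEntry]:
    states: List[StateEntry] = []
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if not m:
            continue
        states.append(StateEntry(
            flow=(m["src"], int(m["sport"]), m["dst"], int(m["dport"])),
            state=(int(m["s1"]), int(m["s2"])), proto=m["proto"],
            pkts=int(m["pkts"]), bytes=int(m["bytes"]), ttl=m["ttl"]))
    return states


def reverse(flow: Flow) -> Flow:
    src, sport, dst, dport = flow
    return (dst, dport, src, sport)


def blocked_with_state(log: List[LogEntry], states: List[StateEntry]) -> List[LogEntry]:
    """Blocked packets whose connection (either direction) has a state entry."""
    tracked: Set[Flow] = set()
    for s in states:
        tracked.add(s.flow)
        tracked.add(reverse(s.flow))
    return [e for e in log if e.action == "b" and e.flow in tracked]


if __name__ == "__main__":
    for e in blocked_with_state(parse_ipmon(IPMON_LOG), parse_states(IPFSTAT_T)):
        src, sport, dst, dport = e.flow
        print(f"rule @{e.group}:{e.rule} blocked {src},{sport} -> {dst},{dport} "
              f"{e.direction} although a state entry exists for that connection")
```

Run against real output, feed it `ipmon -o I` lines and `ipfstat -t` captured at the moment the download stalls; a hit means the packet was dropped by a rule (the @group:rule shown) rather than matched against the state table, which is where to look next.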