From owner-freebsd-ipfw@FreeBSD.ORG Fri Jun 18 16:10:09 2004
From: Robert Downes <nullentropy@lineone.net>
Date: Fri, 18 Jun 2004 16:55:22 +0100
To: freebsd-ipfw@freebsd.org
Subject: Re: Blocked outbound traffic - what is it?
Message-ID: <40D3106A.9030403@lineone.net>
In-Reply-To: <000d01c4554a$906deac0$af00a8c0@orange>
References: <40D301EA.3080606@lineone.net> <000d01c4554a$906deac0$af00a8c0@orange>
List-Id: IPFW Technical Discussions

Matthew McGehrin wrote:
> You need to post your ruleset to the list along with some of your logs, or
> you're not going to get a response.

The ruleset is the one posted to this list recently:
http://lists.freebsd.org/mailman/htdig/freebsd-ipfw/2004-June/001182.html

and some of the output of `cat /var/log/security | grep out`:

Jun 18 15:32:37 epia kernel: ipfw: 450 Deny TCP 192.168.1.102:3066 64.158.223.128:80 out via rl0
Jun 18 16:03:39 epia kernel: ipfw: 450 Deny TCP 192.168.1.102:3113 216.136.173.10:110 out via rl0
Jun 18 16:07:56 epia kernel: ipfw: 450 Deny TCP 192.168.1.102:3118 213.189.140.44:80 out via rl0
Jun 18 16:09:45 epia kernel: ipfw: 450 Deny TCP 192.168.1.102:3123 216.136.173.10:110 out via rl0
Jun 18 16:23:39 epia kernel: ipfw: 450 Deny TCP 192.168.1.102:3136 216.136.173.10:110 out via rl0
Jun 18 16:31:53 epia kernel: ipfw: 450 Deny TCP 192.168.1.102:3181 65.59.207.13:80 out via rl0
Jun 18 16:31:58 epia kernel: ipfw: 450 Deny TCP 192.168.1.102:3181 65.59.207.13:80 out via rl0

These are just a few of many similar entries. The requests to port 110 are to a legitimate mail server. The requests to port 80 seem to be to banner-ad addresses, and to addresses that are legitimate but are not the same IP as the original browser request.

But my point is: what feature of these packets is making them fail the filter, and why do I not seem to be missing anything on the pages (such as banner ads) even though requests are being blocked?

If it's perfectly reasonable for these packets to be denied, then I'm happy with that. But I'm worried that something important is being killed on the spot. (Even though I can't work out what.)

-- 
Bob
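The ipfw log lines above carry only the rule number, action, protocol, the 5-tuple, direction and interface, so the log alone cannot say which packet attribute rule 450 matched on; what it can give is a quick triage of what is actually being dropped. The script below is an added example, not code from the post or from FreeBSD. It parses lines in the format quoted in the post (the seven lines are embedded as constructed sample input), counts denied outbound hits per destination service, and flags repeated denials of the same 5-tuple within a short window, which are more consistent with one connection attempt being retransmitted than with separate attempts. The year 2004 (syslog timestamps carry none), the 30-second window and that interpretation are assumptions of this example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample input: the ipfw log lines quoted in the post above.
SAMPLE_LOG = """\
Jun 18 15:32:37 epia kernel: ipfw: 450 Deny TCP 192.168.1.102:3066 64.158.223.128:80 out via rl0
Jun 18 16:03:39 epia kernel: ipfw: 450 Deny TCP 192.168.1.102:3113 216.136.173.10:110 out via rl0
Jun 18 16:07:56 epia kernel: ipfw: 450 Deny TCP 192.168.1.102:3118 213.189.140.44:80 out via rl0
Jun 18 16:09:45 epia kernel: ipfw: 450 Deny TCP 192.168.1.102:3123 216.136.173.10:110 out via rl0
Jun 18 16:23:39 epia kernel: ipfw: 450 Deny TCP 192.168.1.102:3136 216.136.173.10:110 out via rl0
Jun 18 16:31:53 epia kernel: ipfw: 450 Deny TCP 192.168.1.102:3181 65.59.207.13:80 out via rl0
Jun 18 16:31:58 epia kernel: ipfw: 450 Deny TCP 192.168.1.102:3181 65.59.207.13:80 out via rl0
"""

# Matches the syslog + ipfw line layout shown in the post. Ports are optional
# so that protocols without ports (e.g. ICMP) still parse instead of being dropped.
LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ kernel: ipfw: "
    r"(?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? (?P<dst>[\d.]+)(?::(?P<dport>\d+))? "
    r"(?P<dir>in|out) via (?P<iface>\S+)$"
)


def parse_ipfw_log(text, year=2004):
    """Parse ipfw syslog lines into dicts; lines that do not match are skipped.
    The year is assumed (syslog timestamps carry none); 2004 comes from the mail date."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(
            f"{year} {e['mon']} {e['day']} {e['time']}", "%Y %b %d %H:%M:%S")
        e["rule"] = int(e["rule"])
        e["sport"] = int(e["sport"]) if e["sport"] else None
        e["dport"] = int(e["dport"]) if e["dport"] else None
        events.append(e)
    return events


def denied_outbound_by_service(events):
    """Count Deny + out events per (destination, port): the 'what is being blocked' view."""
    counts = Counter()
    for e in events:
        if e["action"] == "Deny" and e["dir"] == "out":
            counts[(e["dst"], e["dport"])] += 1
    return counts


def find_retransmissions(events, window_s=30):
    """Return (5-tuple, first_ts, second_ts) for consecutive denials of the same
    proto/src:sport/dst:dport within window_s seconds. A new TCP connection normally
    gets a fresh ephemeral source port, so a repeat with the same source port this
    close together is most likely the same attempt being retransmitted after the
    first segment was dropped (heuristic, not proof)."""
    by_tuple = defaultdict(list)
    for e in events:
        key = (e["proto"], e["src"], e["sport"], e["dst"], e["dport"])
        by_tuple[key].append(e["ts"])
    hits = []
    for key, stamps in by_tuple.items():
        stamps.sort()
        for a, b in zip(stamps, stamps[1:]):
            if (b - a).total_seconds() <= window_s:
                hits.append((key, a, b))
    return hits


if __name__ == "__main__":
    evs = parse_ipfw_log(SAMPLE_LOG)
    print(f"{len(evs)} denied events, rules seen: {sorted({e['rule'] for e in evs})}")
    for (dst, port), n in denied_outbound_by_service(evs).most_common():
        print(f"  {n:3d}  {dst}:{port}")
    for key, a, b in find_retransmissions(evs):
        print(f"repeat within {(b - a).total_seconds():.0f}s: {key}")
```

Run against a real `/var/log/security`, the per-service table tells you whether the blocked destinations are the ones you expect (the mail server on 110, ad hosts on 80), and the rule number in every line is what to look up in the ruleset to see which match condition is firing; the log itself does not record TCP flags or the dynamic-rule state, so that lookup is the next step rather than more log parsing.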