From owner-freebsd-security Fri Mar 1 11:03:19 2002
Date: Fri, 01 Mar 2002 13:03:09 -0600
From: Eric Anderson
Reply-To: anderson@centtech.com
Organization: Centaur Technology
To: "Dean E. Weimer"
Cc: dweimer@swbell.net, "Freebsd-Security (E-mail)"
Subject: Re: IPFilter Questions

I'm assuming nothing. I would try an ftp and an http download from NON-MS
sites. I've had troubles in the past with them if I don't use IE5.x or
"better".

Eric

"Dean E. Weimer" wrote:
>
> I would be assuming that it is http since the port that is in the output
> from ipmon is 80; however, if it were trying passive ftp this would cause
> the problem.
>
> On Fri, 1 Mar 2002, Eric Anderson wrote:
>
> > Is it using FTP or HTTP to do the transfer?
> >
> > Eric
> >
> >
> > "Dean E. Weimer" wrote:
> > >
> > > I recently set up IPFilter on my FreeBSD 4-5 system, and have most things
> > > working. One thing that isn't is http downloads: I can browse the web just
> > > fine, and even right click on an image and do a "save image as"; however, if I
> > > go to Microsoft's download page and try to download something, I receive the
> > > first packet, and everything else gets blocked. Here are the relevant rules
> > > from my ipf.rules file.
> > >
> > > pass in quick on tun0 proto tcp from any to any port = 80 flags S keep state keep frags
> > > block out log quick on tun0 proto tcp from 10.240.98.0/24 to any port = 80 keep state
> > > pass out quick on tun0 proto tcp from any to any port = 80 keep state
> > >
> > > block return-rst in log quick on tun0 proto tcp from any to any keep state
> > > block return-icmp-as-dest(port-unr) in log quick on tun0 proto udp from any to any keep state
> > > block in log on tun0 all
> > > block out log on tun0 all
> > >
> > > The first rule seems to work fine, allowing me to browse the web pages on my
> > > system just fine; it keeps the state open and allows port 80 out after it
> > > receives the connection. The second rule works fine, forcing my windows
> > > clients to not use NAT and instead use the proxy server (SQUID 2.4-STABLE4
> > > running on the firewall server), which the third rule then allows to go out, and
> > > keeps the state open to allow text and images back in. Now what doesn't
> > > happen is downloads: if I click a link to download a file, I get the first
> > > packet, and then it hangs. Looking at the logs gives me this:
> > >
> > > First from ipmon:
> > > (date & time) @0:12 b 207.46.106.150,80 -> 64.218.106.107,2124 PR tcp len 20 1492 -A K-S IN
> > > (date & time) @65535:0 b 64.218.106.107,2124 -> 207.46.106.150,80 PR tcp len 20 1492 -A K-S IN
> > >
> > > Then with ipfstat -t:
> > > 64.218.106.107,2124 207.46.106.150,80 4/4 tcp 33 12927 0:15
> > > 207.46.106.150,80 64.218.106.107,2124 4/6 5 1700 1:59:31
> > >
> > > 64.218.106.150 was my DSL IP address at the time, and 207.46.106.151 is the
> > > IP address of Microsoft's Server.
> > >
> > > The questions??
> > > What I want to know is why the download is being blocked, and not being
> > > passed in because of the state that should have been saved from the outbound
> > > connection? Did I just miss something simple??
> > > Also is this the correct way to handle dynamic IP's? I have an "ipf -y"
> > > command in my link.up and link.down scripts.
> > >
> > > Thanks,
> > > Dean E. Weimer
> > >
> > > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > > with "unsubscribe freebsd-security" in the body of the message
> >
> > --
> > ------------------------------------------------------------------
> > Eric Anderson        Systems Administrator        Centaur Technology
> > If at first you don't succeed, sky diving is probably not for you.
> > ------------------------------------------------------------------

--
------------------------------------------------------------------
Eric Anderson        Systems Administrator        Centaur Technology
If at first you don't succeed, sky diving is probably not for you.
------------------------------------------------------------------
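Dean's question boils down to "why is a packet being blocked when a state entry for that flow already exists?" The following is an added worked example, not code from this thread or from IPFilter: a small Python helper that parses ipmon block lines and ipfstat -t state entries and reports every blocked packet whose 4-tuple is covered by a state entry in either direction. The sample lines are constructed from the ones Dean quoted (with a made-up timestamp/interface prefix, which the parser ignores); the class and function names are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FourTuple = Tuple[str, int, str, int]

# Constructed sample input modelled on the two ipmon lines quoted in the thread.
# Real ipmon output starts with a timestamp and interface name; the parser keys
# only on the fields from the "@group:rule" marker onward, so the prefix is irrelevant.
IPMON_LINES = [
    "01/03/2002 13:01:02.000000 tun0 @0:12 b 207.46.106.150,80 -> 64.218.106.107,2124 PR tcp len 20 1492 -A K-S IN",
    "01/03/2002 13:01:02.000001 tun0 @65535:0 b 64.218.106.107,2124 -> 207.46.106.150,80 PR tcp len 20 1492 -A K-S IN",
]

# Constructed sample modelled on the ipfstat -t entries in the thread:
# src,sport dst,dport state [proto] pkts bytes ttl  (the second line has no proto column, as quoted)
IPFSTAT_LINES = [
    "64.218.106.107,2124 207.46.106.150,80 4/4 tcp 33 12927 0:15",
    "207.46.106.150,80 64.218.106.107,2124 4/6 5 1700 1:59:31",
]

IPMON_RE = re.compile(
    r"@(?P<group>\d+):(?P<rule>\d+)\s+(?P<action>[bp])\s+"
    r"(?P<src>[\d.]+),(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+),(?P<dport>\d+)\s+"
    r"PR\s+(?P<proto>\w+)\s+len\s+(?P<hlen>\d+)\s+(?P<plen>\d+)"
    r"(?:\s+(?P<flags>-[A-Z]+))?(?:\s+(?P<keep>K-[SF]))?\s+(?P<dir>IN|OUT)\b"
)

STATE_RE = re.compile(
    r"^(?P<src>[\d.]+),(?P<sport>\d+)\s+(?P<dst>[\d.]+),(?P<dport>\d+)\s+"
    r"(?P<state>\d+/\d+)(?:\s+(?P<proto>[a-z]+))?\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+(?P<ttl>[\d:]+)\s*$"
)


@dataclass
class LoggedPacket:
    group: int
    rule: int
    action: str       # "b" = blocked, "p" = passed
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    length: int       # total packet length as ipmon prints it
    flags: str        # TCP flags token, e.g. "-A" or "-S"; empty for non-TCP
    direction: str    # "IN" or "OUT"

    @property
    def flow(self) -> FourTuple:
        return (self.src, self.sport, self.dst, self.dport)


@dataclass
class StateEntry:
    src: str
    sport: int
    dst: str
    dport: int
    state: str        # IPFilter's "a/b" TCP state pair
    proto: Optional[str]
    ttl: str

    def covers(self, pkt: LoggedPacket) -> bool:
        """True if the entry matches the packet's 4-tuple in either direction."""
        forward = (self.src, self.sport, self.dst, self.dport)
        reverse = (self.dst, self.dport, self.src, self.sport)
        return pkt.flow in (forward, reverse)


def parse_ipmon(line: str) -> Optional[LoggedPacket]:
    m = IPMON_RE.search(line)
    if m is None:
        return None
    return LoggedPacket(int(m["group"]), int(m["rule"]), m["action"],
                        m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                        m["proto"], int(m["plen"]), m["flags"] or "", m["dir"])


def parse_ipfstat(line: str) -> Optional[StateEntry]:
    m = STATE_RE.match(line.strip())
    if m is None:
        return None
    return StateEntry(m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                      m["state"], m["proto"], m["ttl"])


def blocked_despite_state(ipmon_lines: List[str], ipfstat_lines: List[str]) -> List[Dict]:
    """Report blocked packets whose flow already has a state entry: the anomaly in the thread."""
    states = [s for s in map(parse_ipfstat, ipfstat_lines) if s is not None]
    findings = []
    for line in ipmon_lines:
        pkt = parse_ipmon(line)
        if pkt is None or pkt.action != "b":
            continue
        covering = [s for s in states if s.covers(pkt)]
        if covering:
            findings.append({"rule": f"@{pkt.group}:{pkt.rule}", "flow": pkt.flow,
                             "direction": pkt.direction, "flags": pkt.flags,
                             "length": pkt.length, "states": [s.state for s in covering]})
    return findings


if __name__ == "__main__":
    for finding in blocked_despite_state(IPMON_LINES, IPFSTAT_LINES):
        print(finding)
```

Run against the constructed lines, both blocked packets come back flagged with the rule that dropped them, the TCP flags and the packet length, which is the information you want side by side before deciding whether the rule order, the state's TCP state pair or the packet size is the thing to look at next.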