Date: Fri, 1 Mar 2002 13:40:42 -0600 (CST)
From: "Dean E. Weimer" <dweimer@Happydays.DynDNS.Org>
To: Eric Anderson <anderson@centtech.com>
Cc: dweimer@swbell.net, "Freebsd-Security (E-mail)" <freebsd-security@FreeBSD.ORG>
Subject: Re: IPFilter Questions
Message-ID: <20020301133247.O5310-100000@FreeBSD.Happydays.DynDNS.Org>
In-Reply-To: <3C7FD06D.A449F035@centtech.com>
Opening port 20 works; however, is there some error here? Why wouldn't
ipmon report a block from 207.46.106.150,20 instead of 207.46.106.150,80?
I knew perfectly well that FTP didn't work with my config; I hadn't got to
that one yet. I did try other sites too; Microsoft was just the first one
I tried, and the only one that I noted the exact log messages from. I was
using IE 6.0, and then tried lynx locally on the firewall to verify that
it wasn't some internal routing issue. I am remotely connected now, so
lynx is all I can test at the moment, but that works with port 20 open.

On Fri, 1 Mar 2002, Eric Anderson wrote:

> I'm assuming nothing. I would try an ftp, and an http download from NON-MS
> sites.. I've had troubles in the past with them if I don't use IE5.x or
> "better"..
>
> Eric
>
>
> "Dean E. Weimer" wrote:
> >
> > I would be assuming that it is http since the port that is in the output
> > from ipmon is 80; however, if it were trying passive ftp this would cause
> > the problem.
> >
> > On Fri, 1 Mar 2002, Eric Anderson wrote:
> >
> > > Is it using FTP or HTTP to do the transfer?
> > >
> > > Eric
> > >
> > >
> > > "Dean E. Weimer" wrote:
> > > >
> > > > I recently set up IPFilter on my FreeBSD 4-5 system, and have most things
> > > > working. One thing that isn't is http downloads: I can browse the web just
> > > > fine, and even right click on an image and do a "save image as"; however, if I
> > > > go to Microsoft's download page and try to download something, I receive the
> > > > first packet, and everything else gets blocked. Here are the relevant rules
> > > > from my ipf.rules file.
> > > >
> > > > pass in quick on tun0 proto tcp from any to any port = 80 flags S keep state keep frags
> > > > block out log quick on tun0 proto tcp from 10.240.98.0/24 to any port = 80 keep state
> > > > pass out quick on tun0 proto tcp from any to any port = 80 keep state
> > > >
> > > > block return-rst in log quick on tun0 proto tcp from any to any keep state
> > > > block return-icmp-as-dest(port-unr) in log quick on tun0 proto udp from any to any keep state
> > > > block in log on tun0 all
> > > > block out log on tun0 all
> > > >
> > > > The first rule seems to work fine, allowing me to browse the web pages on my
> > > > system just fine; it keeps the state open and allows port 80 out after it
> > > > receives the connection. The second rule works fine, forcing my Windows
> > > > clients to not use NAT and instead use the proxy server (SQUID 2.4-STABLE4
> > > > running on the firewall server), which the third rule then allows to go out, and
> > > > keeps the state open to allow text and images back in. Now what doesn't
> > > > happen is downloads: if I click a link to download a file, I get the first
> > > > packet, and then it hangs. Looking at the logs gives me this:
> > > >
> > > > First from ipmon:
> > > > (date & time) @0:12 b 207.46.106.150,80 -> 64.218.106.107,2124 PR tcp len 20 1492 -A K-S IN
> > > > (date & time) @65535:0 b 64.218.106.107,2124 -> 207.46.106.150,80 PR tcp len 20 1492 -A K-S IN
> > > >
> > > > Then with ipfstat -t:
> > > > 64.218.106.107,2124 207.46.106.150,80 4/4 tcp 33 12927 0:15
> > > > 207.46.106.150,80 64.218.106.107,2124 4/6 5 1700 1:59:31
> > > >
> > > > 64.218.106.150 was my DSL IP address at the time, and 207.46.106.151 is the
> > > > IP address of Microsoft's server.
> > > >
> > > > The questions??
> > > > What I want to know is why the download is being blocked, and not being
> > > > passed in because of the state that should have been saved from the outbound
> > > > connection? Did I just miss something simple??
> > > > Also, is this the correct way to handle dynamic IPs? I have an "ipf -y"
> > > > command in my link.up and link.down scripts.
> > > >
> > > > Thanks,
> > > > Dean E. Weimer
> > > >
> > > > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > > > with "unsubscribe freebsd-security" in the body of the message
> > >
> > > --
> > > ------------------------------------------------------------------
> > > Eric Anderson   Systems Administrator   Centaur Technology
> > > If at first you don't succeed, sky diving is probably not for you.
> > > ------------------------------------------------------------------
> >
>
> Eric
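Added example (not part of the thread, and not IPFilter's own code): a small Python triage script for ipmon output. It parses lines in the "@group:rule action src,port -> dst,port PR proto len ..." layout quoted above and picks out blocked TCP segments that carry ACK but no SYN, i.e. packets that arrived mid-connection and matched no state entry, which is the symptom of a download hanging under a ruleset whose inbound pass rule only creates state on "flags S". The tolerant handling of the leading timestamp and interface name (which real ipmon output prints and the poster stripped), the TCP-flag token regex, and the third sample line (a constructed outbound SYN) are assumptions of this example, not from the thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Added example, not part of the thread: a parser for ipmon log lines that flags
# blocked TCP packets which carry ACK but no SYN. Under a ruleset whose only
# state-creating inbound rule is "... flags S keep state", such a packet arrived
# mid-connection and matched no state entry (state expired, or never created for
# that flow), which is the symptom described in the thread.
# Assumption: ipmon's "@group:rule action src,port -> dst,port PR proto len hlen
# tlen [-tcpflags] [K-S] IN|OUT" layout; a leading timestamp and interface name
# are ignored.

IPMON_RE = re.compile(
    r"@(?P<group>\d+):(?P<rule>\d+)\s+"          # rule group and number that matched
    r"(?P<action>[bpSL]+)\s+"                    # b=block, p=pass, S=short, L=log
    r"(?P<src>[0-9a-fA-F.:]+),(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[0-9a-fA-F.:]+),(?P<dport>\d+)\s+"
    r"PR\s+(?P<proto>\w+)\s+len\s+(?P<hlen>\d+)\s+(?P<tlen>\d+)"
    r"(?P<rest>.*)$"
)
# TCP flag token such as "-A" or "-AP"; the lookarounds keep "K-S" from matching.
FLAGS_RE = re.compile(r"(?<!\S)-(?P<flags>[SAPFRUEC]+)(?!\S)")
DIR_RE = re.compile(r"\b(IN|OUT)\b")


@dataclass
class IpmonEntry:
    group: int
    rule: int
    action: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    tcp_flags: str     # e.g. "A" for an ACK-only segment, "S" for a SYN
    keep_state: bool   # "K-S" present: the matching rule had keep state
    direction: str     # "IN" or "OUT"


def parse_ipmon(line: str) -> Optional[IpmonEntry]:
    """Parse one ipmon line; return None for lines that are not packet records."""
    m = IPMON_RE.search(line)
    if m is None:
        return None
    rest = m.group("rest")
    fm = FLAGS_RE.search(rest)
    dm = DIR_RE.search(rest)
    return IpmonEntry(
        group=int(m.group("group")),
        rule=int(m.group("rule")),
        action=m.group("action"),
        src=m.group("src"),
        sport=int(m.group("sport")),
        dst=m.group("dst"),
        dport=int(m.group("dport")),
        proto=m.group("proto").lower(),
        tcp_flags=fm.group("flags") if fm else "",
        keep_state="K-S" in rest,
        direction=dm.group(1) if dm else "",
    )


def is_state_miss(e: IpmonEntry) -> bool:
    """True for a blocked TCP segment with ACK set and SYN clear: a mid-stream
    packet that found no state entry and fell through to a block rule."""
    return (e.action == "b" and e.proto == "tcp"
            and "A" in e.tcp_flags and "S" not in e.tcp_flags)


def find_state_misses(lines: List[str]) -> List[IpmonEntry]:
    """Return the entries in `lines` that look like state-table misses."""
    return [e for e in (parse_ipmon(ln) for ln in lines)
            if e is not None and is_state_miss(e)]


# The two ipmon lines quoted in the thread, plus one constructed "pass" line
# (a SYN leaving through tun0) showing a normal state-creating packet in the
# same format.
SAMPLE_LOG = [
    "(date & time) @0:12 b 207.46.106.150,80 -> 64.218.106.107,2124 PR tcp len 20 1492 -A K-S IN",
    "(date & time) @65535:0 b 64.218.106.107,2124 -> 207.46.106.150,80 PR tcp len 20 1492 -A K-S IN",
    "01/03/2002 13:40:42.000000 tun0 @0:3 p 10.240.98.5,1234 -> 207.46.106.150,80 PR tcp len 20 48 -S K-S OUT",
]

if __name__ == "__main__":
    for e in find_state_misses(SAMPLE_LOG):
        print(f"@{e.group}:{e.rule} blocked mid-stream {e.proto} "
              f"{e.src},{e.sport} -> {e.dst},{e.dport} flags={e.tcp_flags} {e.direction}")
```

Run against a live ipmon log, a burst of such entries for one address pair right after a download starts points at a state problem (no entry created, or entry expired) rather than at a rule that never matched in the first place; the group:rule field tells you which block rule caught the packet.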