From owner-freebsd-stable@FreeBSD.ORG Wed Mar 5 14:28:26 2008
Return-Path:
Delivered-To: stable@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 37EBF106566C;
	Wed, 5 Mar 2008 14:28:26 +0000 (UTC)
	(envelope-from m.seaman@infracaninophile.co.uk)
Received: from smtp.infracaninophile.co.uk (gate6.infracaninophile.co.uk [IPv6:2001:8b0:151:1::1])
	by mx1.freebsd.org (Postfix) with ESMTP id 88D3C8FC28;
	Wed, 5 Mar 2008 14:28:25 +0000 (UTC)
	(envelope-from m.seaman@infracaninophile.co.uk)
Received: from lack-of-gravitas.thebunker.net (gateway.ash.thebunker.net [213.129.64.4])
	(authenticated bits=0)
	by smtp.infracaninophile.co.uk (8.14.2/8.14.2) with ESMTP id m25ESBUC093431
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
	Wed, 5 Mar 2008 14:28:17 GMT
	(envelope-from m.seaman@infracaninophile.co.uk)
X-DKIM: Sendmail DKIM Filter v2.4.4 smtp.infracaninophile.co.uk m25ESBUC093431
Authentication-Results: smtp.infracaninophile.co.uk; dkim=hardfail (SSP) header.i=unknown
Message-ID: <47CEADFA.8090502@infracaninophile.co.uk>
Date: Wed, 05 Mar 2008 14:28:10 +0000
From: Matthew Seaman
Organization: Infracaninophile
User-Agent: Thunderbird 2.0.0.12 (X11/20080303)
MIME-Version: 1.0
To: Dennis Melentyev
References:
In-Reply-To:
X-Enigmail-Version: 0.95.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Greylist: Sender succeeded SMTP AUTH authentication, not delayed by milter-greylist-3.0
	(smtp.infracaninophile.co.uk [81.187.76.162]); Wed, 05 Mar 2008 14:28:17 +0000 (GMT)
X-Virus-Scanned: ClamAV 0.92.1/6137/Wed Mar 5 10:18:24 2008 on happy-idiot-talk.infracaninophile.co.uk
X-Virus-Status: Clean
X-Spam-Status: No, score=-2.0 required=5.0 tests=AWL,BAYES_00,SPF_FAIL autolearn=no version=3.2.4
X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on happy-idiot-talk.infracaninophile.co.uk
Cc: Владислав Недосекин,
	stable@freebsd.org
Subject: Re: Could Not open some sites from Windows Vista and Server 2008 when using FreeBSD as gw
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Production branch of FreeBSD source code
List-Unsubscribe:
List-Archive:
List-Post:
List-Help:
List-Subscribe:
X-List-Received-Date: Wed, 05 Mar 2008 14:28:26 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Dennis Melentyev wrote:
> Hi!
>
> Well, I'm not a PF professional, and you have a rather advanced setup.
> So, someone with good PF experience is needed here.
>
> 2008/3/5, Владислав Недосекин :
>> Hi, I understand that there are too few facts to analyze, but maybe
>> someone has had the same problem, and I can also provide you with information.
>> TCP dump: 192.168.200.11 is the IP of the PC with Vista
>> # tcpdump | grep 192.168.200.11
>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>> listening on ste0, link-type EN10MB (Ethernet), capture size 96 bytes
>> ^C^C^C^C3 packets captured
>> 433 packets received by filter
>> 0 packets dropped by kernel
>> # tcpdump | grep 192.168.200.111
>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>> listening on ste0, link-type EN10MB (Ethernet), capture size 96 bytes
> ...
>> 13:51:47.676471 arp who-has 192.168.200.200 (00:1d:60:ce:74:e8 (oui
>> Unknown)) tell 192.168.200.111
>
> What's that?
> ...
>
>
>> PF.CONF
>>
> ...
>
>> # Block Policy
>> block in log all
>> block in log quick from no-route to any
>> block in log quick on $ext_if from
>> block return-icmp out log quick on $ext_if to
>> antispoof quick for $int_if
>> antispoof quick for $ext_if
>> block out from 192.168.0.146 to any
>
> Does the log show anything interesting? I mean dropped packets.
>
> What about Squid's log? Some special auth? Clients insisting on
> HTTP/1.1? Some glitches with transparent proxying (if I get it right
> from your PF config)?
>
>> I've tried
>> sysctl net.inet.tcp.rfc1323=0
>> but it doesn't help.
>>
>> And about IPv6: it is disabled, but in the enabled state it doesn't help either.
>
> Dropped by PF?
>

A very good trick when debugging pf rulesets is to make sure that any
block rules also log the blocked packets -- in this case that should
include the antispoofing rules:

    antispoof log quick for { $int_if $ext_if }

Then you can use tcpdump on the firewall against the pflog0 pseudo
interface to see what traffic is being blocked as it happens:

    # tcpdump -vv -i pflog0

Cheers,

Matthew

- -- 
Dr Matthew J Seaman MA, D.Phil.                   Flat 3
                                                  7 Priory Courtyard
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW, UK
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.4 (FreeBSD)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHzq363jDkPpsZ+VYRAzBuAJ4/Cy9GA+m8iDv1jeYPeCM/xOFOvQCfc6XB
yOqR3qTYmijkFA9fVygqH80=
=apq8
-----END PGP SIGNATURE-----
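The two steps Matthew recommends above (make every block and antispoof rule log, then read pflog0 with tcpdump) as a worked example. This is added example code, not from the thread, from FreeBSD or from pf: add_log_to_block_rules() rewrites a pf.conf so that every "block"/"antispoof" rule carries "log" in the position pf's grammar expects, and parse_pflog()/summarise_pflog() turn the text that "tcpdump -n -e -ttt -i pflog0" prints into per-rule, per-interface and per-source counts, optionally narrowed to one host the way the original poster narrowed with "tcpdump | grep 192.168.200.11". The ruleset, the <badhosts> table name (the thread's own rules have the table name missing), the rule numbers, the interface names ste0/xl0, the addresses and the tcpdump lines are all constructed for the example; the tcpdump line layout assumed is the one FreeBSD's tcpdump prints for pflog with "-n -e", IPv4 only.

```python
"""Added example (not from the thread, FreeBSD or pf): log every block rule,
then summarise what pflog0 reports.  All sample data below is constructed."""
import re
from collections import Counter

# Constructed ruleset in the style of the one quoted in the thread.
# <badhosts> is a placeholder table name; the quoted rules omit theirs.
SAMPLE_PF_CONF = """\
# Block Policy
block in log all
block in quick from no-route to any
block in log quick on $ext_if from <badhosts>
block return-icmp out quick on $ext_if to <badhosts>
antispoof quick for $int_if
antispoof quick for $ext_if
block out from 192.168.0.146 to any
pass out on $ext_if keep state
"""

# pf grammar: block [drop|return*] [in|out] [log] [quick] ...
#             antispoof [log] [quick] for ...
_RULE_RE = re.compile(r"^(\s*)(block|antispoof)\s+(.*)$")


def add_log_to_block_rules(pf_conf: str) -> str:
    """Return pf_conf with "log" added to every block/antispoof rule that
    lacks it; comments, pass rules and rules that already log are kept."""
    out = []
    for line in pf_conf.splitlines():
        m = _RULE_RE.match(line)
        if not m or re.search(r"\blog\b", line):
            out.append(line)
            continue
        indent, verb, rest = m.groups()
        words = rest.split()
        at = 0
        if verb == "block":
            # keep "return-icmp"/"drop" and the direction ahead of "log"
            if at < len(words) and (words[at].startswith("return") or words[at] == "drop"):
                at += 1
            if at < len(words) and words[at] in ("in", "out"):
                at += 1
        words.insert(at, "log")
        out.append(f"{indent}{verb} {' '.join(words)}")
    return "\n".join(out) + "\n"


# Constructed output of "tcpdump -n -e -ttt -i pflog0" (IPv4 only).
SAMPLE_PFLOG = """\
00:00:00.000000 rule 6/0(match): block in on ste0: IP 192.168.200.11.49234 > 203.0.113.5.80: Flags [S], seq 1, win 8192, length 0
00:00:00.001200 rule 6/0(match): block in on ste0: IP 192.168.200.11.49235 > 203.0.113.5.443: Flags [S], seq 2, win 8192, length 0
00:00:00.400000 rule 6/0(match): block in on ste0: IP 192.168.200.11.49234 > 203.0.113.5.80: Flags [S], seq 1, win 8192, length 0
00:00:00.100000 rule 2/0(match): block in on xl0: IP 10.20.30.40.51212 > 198.51.100.7.22: Flags [S], seq 3, win 65535, length 0
00:00:00.250000 rule 8/0(match): block out on xl0: IP 192.168.0.146 > 198.51.100.7: ICMP echo request, id 1, seq 1, length 64
"""

# "<delta> rule N/M(reason): <action> <dir> on <if>: [IP ]src > dst: ..."
_PFLOG_RE = re.compile(
    r"^(?P<delta>\S+)\s+rule\s+(?P<rule>\d+)/\d+\((?P<reason>[^)]*)\):\s+"
    r"(?P<action>\w+)\s+(?P<dir>in|out)\s+on\s+(?P<ifname>[^:]+):\s+"
    r"(?:IP6?\s+)?(?P<src>\S+)\s+>\s+(?P<dst>[^\s:]+):"
)


def _split_hostport(token: str):
    """'192.168.200.11.49234' -> ('192.168.200.11', 49234); bare host -> (host, None)."""
    parts = token.split(".")
    if len(parts) == 5 and all(p.isdigit() for p in parts):
        return ".".join(parts[:4]), int(parts[4])
    return token, None


def parse_pflog(text: str):
    """Parse pflog tcpdump lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = _PFLOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["rule"] = int(rec["rule"])
        rec["src"], rec["sport"] = _split_hostport(rec["src"])
        rec["dst"], rec["dport"] = _split_hostport(rec["dst"])
        records.append(rec)
    return records


def summarise_pflog(text: str, host=None):
    """Count logged packets per (rule, action, dir, ifname) and per source
    host, optionally restricted to packets to or from `host`."""
    recs = parse_pflog(text)
    if host:
        recs = [r for r in recs if host in (r["src"], r["dst"])]
    by_rule = Counter((r["rule"], r["action"], r["dir"], r["ifname"]) for r in recs)
    by_src = Counter(r["src"] for r in recs)
    return {"packets": len(recs), "by_rule": by_rule, "by_src": by_src}


if __name__ == "__main__":
    print(add_log_to_block_rules(SAMPLE_PF_CONF))
    for key, n in summarise_pflog(SAMPLE_PFLOG, host="192.168.200.11")["by_rule"].items():
        print(n, key)
```

On a real firewall the same summary comes from feeding live output into summarise_pflog(), e.g. reading sys.stdin from "tcpdump -n -e -ttt -i pflog0 -l"; the rule number in each line is the one "pfctl -vvsr" shows, so a count against rule 6 above points straight at the antispoof or block line that is eating the Vista host's traffic. The rewrite helper is idempotent, so it can be run over a ruleset that already logs some rules without doubling the keyword.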