Date:      Wed, 10 Feb 1999 22:23:37 -0500
From:      Drew Derbyshire <software@kew.com>
To:        Alla Bezroutchko <alla@sovlink.ru>
Cc:        security@FreeBSD.ORG
Subject:   Re: firewall with SOCKS5, UDP, ICQ
Message-ID:  <36C24D39.8D29C578@kew.com>
References:  <36C19674.F553CB64@kew.com> <36C1AAF4.AE320A97@sovlink.ru>

Alla Bezroutchko wrote:

> Drew Derbyshire wrote:
> >
> > I've got a firewall running FreeBSD 2.2.7-RELEASE.  Because the ICQ Windows
> > client longs for UDP support, I've installed the  socks5-v1.0r8 server, but
> > keep seeing the following errors:
> >
> > Feb 10 09:07:31 pandora Socks5[9147]: Socks5 starting at Wed Feb 10 09:07:31 1999 from inetd
> > Feb 10 09:07:31 pandora Socks5[9147]: UDP Proxy Request: (lucia.hh.kew.com:1177) for user thomas
> > Feb 10 09:07:31 pandora Socks5[9147]: UDP Proxy Established: (lucia.hh.kew.com:1178) for user thomas
> >
> > Now, I don't care about the errors per se, but the general functionality of
> > the ICQ client behind the firewall is affected by as opposed to on a bare dial
> > connection is noticeable, such as server time outs and the like.
>
> Don't see any errors there.

Whoops.  I left off the one real error, and didn't show the pattern, which is what I get for being in a
hurry this morning:

Feb 10 21:09:55 pandora Socks5[11227]: Socks5 starting at Wed Feb 10 21:09:55 1999 from inetd
Feb 10 21:09:55 pandora Socks5[11227]: UDP Proxy Request: (minerva.hh.kew.com:1108) for user ahd
Feb 10 21:09:55 pandora Socks5[11227]: UDP Proxy Established: (dogbert.hh.kew.com:1109) for user hobbit
Feb 10 21:17:14 pandora Socks5[11225]: S5IOCheck: recv failed: Undefined error: 0
Feb 10 21:17:14 pandora Socks5[11225]: UDP Proxy Termination: (natalie.hh.kew.com:2859) for user flopsie; 1485 bytes out 965 bytes in
Feb 10 21:17:14 pandora Socks5[11244]: Socks5 starting at Wed Feb 10 21:17:14 1999 from inetd
Feb 10 21:17:14 pandora Socks5[11244]: UDP Proxy Request: (natalie.hh.kew.com:2863) for user flopsie
Feb 10 21:17:14 pandora Socks5[11244]: UDP Proxy Established: (natalie.hh.kew.com:2864) for user flopsie
Feb 10 21:17:36 pandora Socks5[11227]: S5IOCheck: recv failed: Undefined error: 0
Feb 10 21:17:36 pandora Socks5[11227]: UDP Proxy Termination: (dogbert.hh.kew.com:1109) for user hobbit; 1467 bytes out 600 bytes in
Feb 10 21:17:36 pandora Socks5[11246]: Socks5 starting at Wed Feb 10 21:17:36 1999 from inetd
Feb 10 21:17:37 pandora Socks5[11246]: UDP Proxy Request: (dogbert.hh.kew.com:1111) for user hobbit
Feb 10 21:17:37 pandora Socks5[11246]: UDP Proxy Established: (dogbert.hh.kew.com:1112) for user hobbit
Feb 10 21:25:56 pandora Socks5[11244]: S5IOCheck: recv failed: Undefined error: 0
Feb 10 21:25:56 pandora Socks5[11244]: UDP Proxy Termination: (natalie.hh.kew.com:2864) for user flopsie; 1821 bytes out 937 bytes in
Feb 10 21:25:57 pandora Socks5[11267]: Socks5 starting at Wed Feb 10 21:25:57 1999 from inetd
Feb 10 21:25:57 pandora Socks5[11267]: UDP Proxy Request: (natalie.hh.kew.com:2884) for user flopsie
Feb 10 21:25:57 pandora Socks5[11267]: UDP Proxy Established: (natalie.hh.kew.com:2885) for user flopsie
The recv failing is the error, although of course '0' isn't.  The pattern is the server restarting every
ten minutes or so, even though the timeout is set much higher.

> And your logs don't show anything wrong with performance.

No.  :-)  Again, vapor lock.  The performance issue is timeouts.

> Do you have any packet filtering enabled like ipfw or ipfilter?

Yes.  I revamped it for ICQ, since I didn't let any UDP ports in except DNS.

> Check if it permits
> UDP traffic for ICQ. Also check your SOCKS config.

Yes, I opened a range of UDP ports of .  I have no rejected UDP packets this evening, and I'm watching the
packets back and forth to the outside interface with tcpdump.

> It should permit
> connects (c) and sendto (u).

It allows virtually everything; my main security is that the socks port is only run on the inner interface
and the port is blocked from the outside world.  The file reads:

set SOCKS5_BINDINTFC socks.hh.kew.com:1080
set SOCKS5_NOIDENT 1
set SOCKS5_PIDFILE /var/run/socks5
set SOCKS5_UDPPORTRANGE 16000-16999
set SOCKS5_REVERSEMAP 1
set SOCKS5_TIMEOUT 240
auth .hh.kew.com - u
permit u - - - - -

No doubt the SOCKS5_BINDINTFC is now ignored since for my light load I use inetd.

> I run SOCKS5 proxy mostly for permitting ICQ through a firewall and it
> works perfectly. No timeouts, nothing wrong with it.

Hmmm.  My behavior is more like what others reported.  The suggestion to go to 99a may be desirable.  Are
you at that level?


--
Drew Derbyshire         UUPC/extended e-mail:  software@kew.com
                                   Telephone:  617-279-9812

 Mind Like A Steel Trap: Rusty And Illegal In 37 States
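An added example, not part of the thread: a small Python parser that pairs each Socks5 PID's "UDP Proxy Established" line with its "UDP Proxy Termination" and flags the sessions that ended with the S5IOCheck recv failure, so the restart interval can be read off directly instead of eyeballed. It uses a subset of the log lines from the message above as its sample; the year is assumed from the "Socks5 starting" line, since syslog timestamps omit it.

```python
import re
from datetime import datetime

# Subset of the Socks5 log lines from the message (sample input for this example).
SAMPLE_LOG = """\
Feb 10 21:09:55 pandora Socks5[11227]: Socks5 starting at Wed Feb 10 21:09:55 1999 from inetd
Feb 10 21:09:55 pandora Socks5[11227]: UDP Proxy Request: (minerva.hh.kew.com:1108) for user ahd
Feb 10 21:09:55 pandora Socks5[11227]: UDP Proxy Established: (dogbert.hh.kew.com:1109) for user hobbit
Feb 10 21:17:14 pandora Socks5[11225]: S5IOCheck: recv failed: Undefined error: 0
Feb 10 21:17:14 pandora Socks5[11225]: UDP Proxy Termination: (natalie.hh.kew.com:2859) for user flopsie; 1485 bytes out 965 bytes in
Feb 10 21:17:14 pandora Socks5[11244]: Socks5 starting at Wed Feb 10 21:17:14 1999 from inetd
Feb 10 21:17:14 pandora Socks5[11244]: UDP Proxy Established: (natalie.hh.kew.com:2864) for user flopsie
Feb 10 21:17:36 pandora Socks5[11227]: S5IOCheck: recv failed: Undefined error: 0
Feb 10 21:17:36 pandora Socks5[11227]: UDP Proxy Termination: (dogbert.hh.kew.com:1109) for user hobbit; 1467 bytes out 600 bytes in
Feb 10 21:25:56 pandora Socks5[11244]: S5IOCheck: recv failed: Undefined error: 0
Feb 10 21:25:56 pandora Socks5[11244]: UDP Proxy Termination: (natalie.hh.kew.com:2864) for user flopsie; 1821 bytes out 937 bytes in
"""

# syslog prefix: "Mon DD HH:MM:SS host Socks5[pid]: message"
LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ Socks5\[(\d+)\]: (.*)$")

def parse_ts(stamp, year=1999):
    # Year assumed from the "Socks5 starting" line; syslog does not log it.
    return datetime.strptime(f"{stamp} {year}", "%b %d %H:%M:%S %Y")

def udp_sessions(log_text):
    """Map pid -> {"user", "started", "seconds", "recv_failed"} for each UDP proxy.
    A termination whose Established line is not in the log gets seconds=None."""
    sessions, recv_failed_pids = {}, set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, pid, msg = parse_ts(m.group(1)), int(m.group(2)), m.group(3)
        if msg.startswith("UDP Proxy Established:"):
            sessions[pid] = {"user": msg.rsplit(" ", 1)[1], "started": ts,
                             "seconds": None, "recv_failed": False}
        elif msg.startswith("S5IOCheck: recv failed"):
            recv_failed_pids.add(pid)   # the error that precedes each termination
        elif msg.startswith("UDP Proxy Termination:"):
            s = sessions.setdefault(pid, {"user": None, "started": None,
                                          "seconds": None, "recv_failed": False})
            s["recv_failed"] = pid in recv_failed_pids
            if s["started"] is not None:
                s["seconds"] = int((ts - s["started"]).total_seconds())
    return sessions

def recv_failure_terminations(sessions):
    """(pid, user, lifetime_seconds) for every proxy that died via the recv failure."""
    return sorted((pid, s["user"], s["seconds"]) for pid, s in sessions.items() if s["recv_failed"])
```

Compare the lifetimes it reports against the configured SOCKS5_TIMEOUT to see whether the proxies are dying on the idle timer or on something else.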

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?36C24D39.8D29C578>