Date: Wed, 10 Feb 1999 22:23:37 -0500
From: Drew Derbyshire <software@kew.com>
To: Alla Bezroutchko <alla@sovlink.ru>
Cc: security@FreeBSD.ORG
Subject: Re: firewall with SOCKS5, UDP, ICQ
Message-ID: <36C24D39.8D29C578@kew.com>
References: <36C19674.F553CB64@kew.com> <36C1AAF4.AE320A97@sovlink.ru>
Alla Bezroutchko wrote:
> Drew Derbyshire wrote:
> >
> > I've got a firewall running FreeBSD 2.2.7-RELEASE. Because the ICQ Windows
> > client longs for UDP support, I've installed the socks5-v1.0r8 server, but
> > keep seeing the following errors:
> >
> > Feb 10 09:07:31 pandora Socks5[9147]: Socks5 starting at Wed Feb 10 09:07:31 1999 from inetd
> > Feb 10 09:07:31 pandora Socks5[9147]: UDP Proxy Request: (lucia.hh.kew.com:1177) for user thomas
> > Feb 10 09:07:31 pandora Socks5[9147]: UDP Proxy Established: (lucia.hh.kew.com:1178) for user thomas
> >
> > Now, I don't care about the errors per se, but the general functionality of
> > the ICQ client behind the firewall is affected by as opposed to on a bare dial
> > connection is noticeable, such as server time outs and the like.
>
> Don't see any errors there.

Whoops. I left off the one real error, and didn't show the pattern, which is
what I get for being in a hurry this morning:

Feb 10 21:09:55 pandora Socks5[11227]: Socks5 starting at Wed Feb 10 21:09:55 1999 from inetd
Feb 10 21:09:55 pandora Socks5[11227]: UDP Proxy Request: (minerva.hh.kew.com:1108) for user ahd
Feb 10 21:09:55 pandora Socks5[11227]: UDP Proxy Established: (dogbert.hh.kew.com:1109) for user hobbit
Feb 10 21:17:14 pandora Socks5[11225]: S5IOCheck: recv failed: Undefined error: 0
Feb 10 21:17:14 pandora Socks5[11225]: UDP Proxy Termination: (natalie.hh.kew.com:2859) for user flopsie; 1485 bytes out 965 bytes in
Feb 10 21:17:14 pandora Socks5[11244]: Socks5 starting at Wed Feb 10 21:17:14 1999 from inetd
Feb 10 21:17:14 pandora Socks5[11244]: UDP Proxy Request: (natalie.hh.kew.com:2863) for user flopsie
Feb 10 21:17:14 pandora Socks5[11244]: UDP Proxy Established: (natalie.hh.kew.com:2864) for user flopsie
Feb 10 21:17:36 pandora Socks5[11227]: S5IOCheck: recv failed: Undefined error: 0
Feb 10 21:17:36 pandora Socks5[11227]: UDP Proxy Termination: (dogbert.hh.kew.com:1109) for user hobbit; 1467 bytes out 600 bytes in
Feb 10 21:17:36 pandora Socks5[11246]: Socks5 starting at Wed Feb 10 21:17:36 1999 from inetd
Feb 10 21:17:37 pandora Socks5[11246]: UDP Proxy Request: (dogbert.hh.kew.com:1111) for user hobbit
Feb 10 21:17:37 pandora Socks5[11246]: UDP Proxy Established: (dogbert.hh.kew.com:1112) for user hobbit
Feb 10 21:25:56 pandora Socks5[11244]: S5IOCheck: recv failed: Undefined error: 0
Feb 10 21:25:56 pandora Socks5[11244]: UDP Proxy Termination: (natalie.hh.kew.com:2864) for user flopsie; 1821 bytes out 937 bytes in
Feb 10 21:25:57 pandora Socks5[11267]: Socks5 starting at Wed Feb 10 21:25:57 1999 from inetd
Feb 10 21:25:57 pandora Socks5[11267]: UDP Proxy Request: (natalie.hh.kew.com:2884) for user flopsie
Feb 10 21:25:57 pandora Socks5[11267]: UDP Proxy Established: (natalie.hh.kew.com:2885) for user flopsie

The recv failing is the error, although of course '0' isn't. The pattern is
the server restarting every ten minutes or so, even though the timeout is set
much higher.

> And your logs don't show anything wrong with performance.

No. :-) Again, vapor lock. The performance issue is timeouts.

> Do you have any packet filtering enabled like ipfw or ipfilter?

Yes. I revamped it for ICQ, since I didn't let any UDP ports in except DNS.

> Check if it permits
> UDP traffic for ICQ. Also check your SOCKS config.

Yes, I opened a range of UDP ports of . I have no rejected UDP packets this
evening, and I'm watching the packets back and forth to the outside interface
with tcpdump.

> It should permit
> connects (c) and sendto (u).

It allows virtually everything; my main security is that the socks port is
only run on the inner interface and the port is blocked from the outside
world. The file reads:

set SOCKS5_BINDINTFC socks.hh.kew.com:1080
set SOCKS5_NOIDENT 1
set SOCKS5_PIDFILE /var/run/socks5
set SOCKS5_UDPPORTRANGE 16000-16999
set SOCKS5_REVERSEMAP 1
set SOCKS5_TIMEOUT 240
auth .hh.kew.com - u
permit u - - - - -

No doubt the SOCKS5_BINDINTFC is now ignored since for my light load I use
inetd.

> I run SOCKS5 proxy mostly for permitting ICQ through a firewall and it
> works perfectly. No timeouts, nothing wrong with it.

Hmmm. My behavior is more like what others reported. The suggestion to go to
99a may be desirable. Are you at that level?

-- 
Drew Derbyshire                 UUPC/extended e-mail: software@kew.com
Telephone: 617-279-9812
Mind Like A Steel Trap: Rusty And Illegal In 37 States

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
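The message above argues from a visual read of the syslog excerpt that UDP proxy sessions die on a recv failure and are immediately re-established, well short of the configured timeout. The following script is an added example (editor's code, not part of the thread and not part of socks5) that turns that eyeballing into a repeatable check: it groups the Socks5 lines by PID, pairs each "UDP Proxy Established" with its "UDP Proxy Termination" to get a session lifetime, records which sessions ended right after an "S5IOCheck: recv failed" line, and then looks for the churn pattern of a new session for the same user appearing within a few seconds of an error-terminated one. The log excerpt embedded below is the one quoted in the message; the year 1999 (syslog lines carry none) and the 5-second reconnect window are assumptions chosen here.

```python
import re
from datetime import datetime
from typing import Dict, List

# Log excerpt quoted from the message above; hosts, users and PIDs are as posted.
SAMPLE_LOG = """\
Feb 10 21:09:55 pandora Socks5[11227]: Socks5 starting at Wed Feb 10 21:09:55 1999 from inetd
Feb 10 21:09:55 pandora Socks5[11227]: UDP Proxy Request: (minerva.hh.kew.com:1108) for user ahd
Feb 10 21:09:55 pandora Socks5[11227]: UDP Proxy Established: (dogbert.hh.kew.com:1109) for user hobbit
Feb 10 21:17:14 pandora Socks5[11225]: S5IOCheck: recv failed: Undefined error: 0
Feb 10 21:17:14 pandora Socks5[11225]: UDP Proxy Termination: (natalie.hh.kew.com:2859) for user flopsie; 1485 bytes out 965 bytes in
Feb 10 21:17:14 pandora Socks5[11244]: Socks5 starting at Wed Feb 10 21:17:14 1999 from inetd
Feb 10 21:17:14 pandora Socks5[11244]: UDP Proxy Request: (natalie.hh.kew.com:2863) for user flopsie
Feb 10 21:17:14 pandora Socks5[11244]: UDP Proxy Established: (natalie.hh.kew.com:2864) for user flopsie
Feb 10 21:17:36 pandora Socks5[11227]: S5IOCheck: recv failed: Undefined error: 0
Feb 10 21:17:36 pandora Socks5[11227]: UDP Proxy Termination: (dogbert.hh.kew.com:1109) for user hobbit; 1467 bytes out 600 bytes in
Feb 10 21:17:36 pandora Socks5[11246]: Socks5 starting at Wed Feb 10 21:17:36 1999 from inetd
Feb 10 21:17:37 pandora Socks5[11246]: UDP Proxy Request: (dogbert.hh.kew.com:1111) for user hobbit
Feb 10 21:17:37 pandora Socks5[11246]: UDP Proxy Established: (dogbert.hh.kew.com:1112) for user hobbit
Feb 10 21:25:56 pandora Socks5[11244]: S5IOCheck: recv failed: Undefined error: 0
Feb 10 21:25:56 pandora Socks5[11244]: UDP Proxy Termination: (natalie.hh.kew.com:2864) for user flopsie; 1821 bytes out 937 bytes in
Feb 10 21:25:57 pandora Socks5[11267]: Socks5 starting at Wed Feb 10 21:25:57 1999 from inetd
Feb 10 21:25:57 pandora Socks5[11267]: UDP Proxy Request: (natalie.hh.kew.com:2884) for user flopsie
Feb 10 21:25:57 pandora Socks5[11267]: UDP Proxy Established: (natalie.hh.kew.com:2885) for user flopsie
"""

LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ Socks5\[(?P<pid>\d+)\]: (?P<msg>.*)$")
ESTAB_RE = re.compile(r"UDP Proxy Established: \([^)]+\) for user (?P<user>\S+)")
TERM_RE = re.compile(r"UDP Proxy Termination: \([^)]+\) for user (?P<user>\S+); (?P<out>\d+) bytes out (?P<in>\d+) bytes in")
RECV_FAIL = "recv failed"


def parse_ts(ts: str, year: int = 1999) -> datetime:
    # syslog timestamps carry no year; 1999 is assumed from the message date.
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def parse_sessions(log_text: str) -> Dict[int, dict]:
    """Group lines by Socks5 PID (one inetd-spawned process per UDP proxy session)."""
    sessions: Dict[int, dict] = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, ts, msg = int(m["pid"]), parse_ts(m["ts"]), m["msg"]
        s = sessions.setdefault(pid, {"pid": pid, "user": None, "established": None,
                                      "terminated": None, "recv_failed": False,
                                      "bytes_out": 0, "bytes_in": 0})
        e, t = ESTAB_RE.search(msg), TERM_RE.search(msg)
        if e:
            s["user"], s["established"] = e["user"], ts
        elif t:
            s["user"], s["terminated"] = t["user"], ts
            s["bytes_out"], s["bytes_in"] = int(t["out"]), int(t["in"])
        elif RECV_FAIL in msg:
            s["recv_failed"] = True
    for s in sessions.values():
        if s["established"] and s["terminated"]:
            s["duration_s"] = int((s["terminated"] - s["established"]).total_seconds())
        else:
            s["duration_s"] = None  # session began or ended outside the excerpt
    return sessions


def find_reconnects(sessions: Dict[int, dict], window_s: int = 5) -> List[dict]:
    """Pair each error-terminated session with a new session for the same user
    established within window_s seconds: the drop-and-re-proxy churn described."""
    out = []
    for old in sessions.values():
        if not (old["terminated"] and old["recv_failed"]):
            continue
        for new in sessions.values():
            if new["pid"] == old["pid"] or not new["established"] or new["user"] != old["user"]:
                continue
            gap = (new["established"] - old["terminated"]).total_seconds()
            if 0 <= gap <= window_s:
                out.append({"user": old["user"], "old_pid": old["pid"],
                            "new_pid": new["pid"], "gap_s": int(gap)})
    return sorted(out, key=lambda r: r["old_pid"])


def summarize(log_text: str, window_s: int = 5) -> dict:
    sessions = parse_sessions(log_text)
    durations = {pid: s["duration_s"] for pid, s in sessions.items() if s["duration_s"] is not None}
    recv_failures = sorted(pid for pid, s in sessions.items() if s["recv_failed"])
    return {"sessions": sessions, "durations_s": durations,
            "recv_failures": recv_failures, "reconnects": find_reconnects(sessions, window_s)}


if __name__ == "__main__":
    r = summarize(SAMPLE_LOG)
    for pid, d in sorted(r["durations_s"].items()):
        print(f"pid {pid}: session lived {d}s, user {r['sessions'][pid]['user']}")
    print("sessions ended after recv failure:", r["recv_failures"])
    for rc in r["reconnects"]:
        print(f"{rc['user']}: pid {rc['old_pid']} dropped, pid {rc['new_pid']} re-established {rc['gap_s']}s later")
```

Run against a Socks5-filtered /var/log/messages instead of the embedded excerpt (for example by reading the file into summarize()), the session durations can be compared directly with whatever SOCKS5_TIMEOUT is meant to allow, and the reconnect list shows whether the client is silently recovering from each drop or the user is seeing the ICQ server timeouts the message complains about.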
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?36C24D39.8D29C578>