From owner-freebsd-questions Tue Oct 22 1:25:11 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 021CF37B401 for ; Tue, 22 Oct 2002 01:25:10 -0700 (PDT)
Received: from lv.raad.tartu.ee (lv.raad.tartu.ee [194.126.106.110]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3889F43E3B for ; Tue, 22 Oct 2002 01:25:08 -0700 (PDT) (envelope-from toomas.aas@raad.tartu.ee)
Received: Message by Barricade lv.raad.tartu.ee with ESMTP id g9M8P1214785 for ; Tue, 22 Oct 2002 11:25:01 +0300
Message-Id: <200210220825.g9M8P1214785@lv.raad.tartu.ee>
Received: from SpoolDir by INFO (Mercury 1.48); 22 Oct 02 11:24:18 +0300
From: "Toomas Aas"
Organization: Tartu City Government
To: questions@freebsd.org
Date: Tue, 22 Oct 2002 11:24:16 +0300
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: IPFilter and Apache
X-info: Headers changed by Barricade
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

Hello!

I tried searching the FreeBSD and IPFilter mailing list archives, but didn't find the answer to my question.

I'm running the Apache 1.3.27 web server on FreeBSD 4.6.1-RELEASE-p10 (all security patches applied). I also use IPFilter on this machine to block unwanted traffic. To let the world see my web, I use this IPFilter rule in the ruleset:

    pass in quick on fxp0 proto tcp from any to 194.126.106.98 port = 80 flags S keep state keep frags

Everything seems to be working OK and I haven't heard any complaints about the web server being unreachable, but still I see a lot of blocked traffic on port 80. For example:

... most commonly, incoming packets with AF flags ...

    Oct 17 17:22:53 heerold ipmon[51]: 17:22:52.119983 2x fxp0 @0:22 b 195.250.169.22,1070 -> 194.126.106.98,80 PR tcp len 20 40 -AF IN

... sometimes incoming packets with the R flag ...

    Oct 17 18:10:11 heerold ipmon[51]: 18:10:11.223164 fxp0 @0:22 b 195.250.169.22,1064 -> 194.126.106.98,80 PR tcp len 20 40 -R IN

... and occasionally even outgoing packets! ...

    Oct 18 08:38:05 heerold ipmon[51]: 08:38:05.086333 fxp0 @0:32 b 194.126.106.98,80 -> 213.219.109.38,62481 PR tcp len 20 44 -AS OUT

The goal of my ruleset is, of course, to let through the minimum needed for Apache to work correctly and block the bogus packets even if they are destined for port 80. However, the amount of blocked packets leads me to think that the ruleset might be too strict. What would be the correct things to let through on port 80 for Apache to work correctly?

--
Toomas Aas | toomas.aas@raad.tartu.ee | http://www.raad.tartu.ee/~toomas/
* Radioactive cats have 18 half-lives.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
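Added example, not part of the original message or of IPFilter itself: a small parser for the ipmon(8) block lines quoted above, which tallies blocked TCP packets touching the web server's port 80 by direction and flag combination. With a `keep state` rule only the initial SYN is matched by the pass rule; every later packet of a connection is passed by its state entry. Once that entry is gone (it has timed out, or the connection predates the ruleset load, or the peer's reset tore it down) any further FIN/ACK, RST or plain ACK for that connection has nothing to match and falls through to the block rule, so those log lines do not mean the pass rule is failing. A bare inbound SYN being blocked would. The labels in `classify()` are this example's own heuristic, not ipfilter terminology, and the sample log is constructed: the first three lines are modelled on the ones in the message, the fourth (a blocked bare SYN from 10.0.0.5) is invented to show the case that would actually matter.

```python
"""Summarise ipmon(8) block lines for a stateful TCP/80 rule.

Added example (not code from the original post). It expands the "Nx"
repeat prefix ipmon uses for collapsed duplicate packets and buckets each
blocked TCP packet so that state-less stragglers can be separated from
blocked connection attempts.
"""
import re
from collections import Counter

IPMON_LINE = re.compile(
    r'^(?P<date>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+ipmon\[\d+\]:\s+'
    r'(?P<ptime>\d\d:\d\d:\d\d\.\d+)\s+'
    r'(?:(?P<count>\d+)x\s+)?'           # "2x" = two identical packets collapsed
    r'(?P<iface>\S+)\s+@(?P<group>\d+):(?P<rule>\d+)\s+(?P<action>[bp])\s+'
    r'(?P<src>[\d.]+),(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+),(?P<dport>\d+)\s+'
    r'PR\s+(?P<proto>\w+)\s+len\s+(?P<hlen>\d+)\s+(?P<tlen>\d+)'
    r'(?:\s+-(?P<flags>[A-Z]+))?\s+(?P<dir>IN|OUT)\s*$'
)

# Constructed sample: first three lines modelled on the message, last one invented.
SAMPLE_LOG = """\
Oct 17 17:22:53 heerold ipmon[51]: 17:22:52.119983 2x fxp0 @0:22 b 195.250.169.22,1070 -> 194.126.106.98,80 PR tcp len 20 40 -AF IN
Oct 17 18:10:11 heerold ipmon[51]: 18:10:11.223164 fxp0 @0:22 b 195.250.169.22,1064 -> 194.126.106.98,80 PR tcp len 20 40 -R IN
Oct 18 08:38:05 heerold ipmon[51]: 08:38:05.086333 fxp0 @0:32 b 194.126.106.98,80 -> 213.219.109.38,62481 PR tcp len 20 44 -AS OUT
Oct 18 09:01:17 heerold ipmon[51]: 09:01:17.000001 fxp0 @0:22 b 10.0.0.5,40000 -> 194.126.106.98,80 PR tcp len 20 60 -S IN
"""


def parse_ipmon(text):
    """Yield one dict per parseable ipmon line; lines in another format are skipped."""
    for line in text.splitlines():
        m = IPMON_LINE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec['count'] = int(rec['count'] or 1)   # collapsed duplicates count as N packets
        rec['flags'] = rec['flags'] or ''       # non-TCP lines carry no flag field
        yield rec


def classify(rec):
    """Heuristic label for a blocked TCP packet on a stateful-rule firewall.

    These labels are this example's own interpretation, not ipfilter terminology.
    """
    f = set(rec['flags'])
    if rec['dir'] == 'IN':
        if 'S' in f and 'A' not in f:
            # Only this case means a real client was refused: the pass rule did not match.
            return 'new connection attempt blocked'
        if 'R' in f:
            return 'reset with no state entry'
        if 'A' in f:
            return 'established-connection packet with no state entry'
    else:
        if f >= {'S', 'A'}:
            # Server answering a SYN for which no state entry exists any more.
            return 'server SYN/ACK with no state entry'
        if 'A' in f or 'R' in f:
            return 'server packet with no state entry'
    return 'other'


def summarise(text, web_ip, web_port=80):
    """Count blocked TCP packets to or from web_ip:web_port, keyed by (dir, flags, label)."""
    counts = Counter()
    for rec in parse_ipmon(text):
        if rec['action'] != 'b' or rec['proto'] != 'tcp':
            continue
        is_web = ((rec['dst'], int(rec['dport'])) == (web_ip, web_port) or
                  (rec['src'], int(rec['sport'])) == (web_ip, web_port))
        if not is_web:
            continue
        counts[(rec['dir'], rec['flags'], classify(rec))] += rec['count']
    return counts


if __name__ == '__main__':
    for (d, fl, label), n in sorted(summarise(SAMPLE_LOG, '194.126.106.98').items()):
        print(f'{n:4d}  {d:<3} -{fl:<3} {label}')
```

Run against a real /var/log/ipfilter.log (or wherever syslog puts ipmon output) by passing the file contents to `summarise()`; if everything lands in the "no state entry" buckets and nothing in "new connection attempt blocked", the rule is admitting every client that asks and the noise is stragglers, not a too-strict ruleset.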