Date: Tue, 6 Jun 2006 10:04:46 +0200
From: "Nicholas von Waltsleben" <nicv@korbitec.com>
To: <freebsd-questions@freebsd.org>
Subject: ipf blocking packets from proxy servers
Message-ID: <E948674FCA7E37459C2967DC72DBB35201E9C89A@Exchange.korbitec.int>
Hi list,

I have been running FreeBSD servers as firewalls for several years now and recently installed a new 6.1 server (6.1-RELEASE FreeBSD 6.1-RELEASE #1) in the place of a 5.4 box that I had installed last year. Since replacing the box my users have had connection problems with their SOAP applications hosted behind the firewall. The symptoms were applications hanging intermittently and massive delays in transactions (up to 2 minutes or more). I eventually realised that this only happened when the users were using our Squid proxy server so I had our Windows admin bloke change the group policy to allow them to bypass the proxy when connecting to the servers. Problem solved I thought... Wrong, now some of our clients are having the same problems and, guess what, they too are using Squid proxies.

I have been doing some digging this morning and noticed the following while running ipmon.

  06/06/2006 09:19:41.056085 STATE:NEW 165.165.192.80,65431 -> 196.7.156.157,80 PR tcp
  06/06/2006 09:19:41.557534 STATE:NEW 165.165.192.80,52159 -> 196.7.156.157,80 PR tcp
  06/06/2006 09:19:42.010889 em0 @1:19 b 165.165.192.80,53088 -> 196.7.156.157,80 PR tcp len 20 48 -S IN OOW
  06/06/2006 09:19:42.063731 STATE:NEW 165.165.192.80,63975 -> 196.7.156.157,80 PR tcp
  06/06/2006 09:19:42.564807 STATE:NEW 165.165.192.80,54989 -> 196.7.156.157,80 PR tcp

The 165.x.x.x IP address is from an ADSL line I was using to see what was happening to my packets (I was the only person using the line so it made tcpdumps etc etc easier to interpret).

Now here is an extract from my ipfstat -ni

  @2 block in quick on em0 all head 1
  ...
  @10 pass in quick on em0 proto tcp from any to 196.7.156.157/32 port = http keep state keep frags group 1
  ...
  @19 block in log quick on em0 all group 1

And finally my question: If rule 10 specifically allows all traffic to 196.7.156.157 on port 80 why are packets being blocked?

Sorry if this is an extremely noob question and I have overlooked something obvious.
I will of course be researching this in the meantime but if anyone could shed some light on this matter I would greatly appreciate it.

Regards,
Nicholas von Waltsleben
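Added example, not part of the post above and not ipfilter's own code: a small Python parser for the two ipmon line shapes quoted in the message (STATE:NEW entries and per-rule block/pass entries). It pulls out the packets that were blocked with the OOW flag and counts how many new state entries each source opened to the same destination port, so the pattern seen in the five quoted lines can be checked across a larger ipmon capture. The sample input is the post's five lines; the field names and the `summarize` function are this example's own.

```python
import re
from collections import Counter

# Sample input constructed from the five ipmon lines quoted in the post.
SAMPLE_LOG = """\
06/06/2006 09:19:41.056085 STATE:NEW 165.165.192.80,65431 -> 196.7.156.157,80 PR tcp
06/06/2006 09:19:41.557534 STATE:NEW 165.165.192.80,52159 -> 196.7.156.157,80 PR tcp
06/06/2006 09:19:42.010889 em0 @1:19 b 165.165.192.80,53088 -> 196.7.156.157,80 PR tcp len 20 48 -S IN OOW
06/06/2006 09:19:42.063731 STATE:NEW 165.165.192.80,63975 -> 196.7.156.157,80 PR tcp
06/06/2006 09:19:42.564807 STATE:NEW 165.165.192.80,54989 -> 196.7.156.157,80 PR tcp
"""

# "<date> <time> STATE:<event> <src>,<sport> -> <dst>,<dport> PR <proto>"
STATE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) STATE:(?P<event>\w+) (?P<src>[\d.]+),(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+),(?P<dport>\d+) PR (?P<proto>\w+)")
# "<date> <time> <iface> @<group>:<rule> <b|p> <src>,<sport> -> <dst>,<dport> PR <proto> len <hl> <pl> <flags...>"
RULE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) (?P<action>[bp]) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) PR (?P<proto>\w+) "
    r"len (?P<hlen>\d+) (?P<plen>\d+)(?P<rest>.*)$")

def parse_line(line):
    """Return a dict describing one ipmon line, or None if the shape is unknown."""
    m = RULE_RE.match(line)
    if m:
        d = m.groupdict()
        tokens = d.pop("rest").split()          # e.g. ['-S', 'IN', 'OOW']
        d["kind"] = "rule"
        # The token starting with '-' carries the TCP flags (here 'S' for SYN).
        d["tcp_flags"] = next((t[1:] for t in tokens if t.startswith("-")), "")
        d["flags"] = [t for t in tokens if not t.startswith("-")]
        return d
    m = STATE_RE.match(line)
    if m:
        d = m.groupdict()
        d["kind"] = "state"
        return d
    return None

def summarize(log_text):
    """Return (blocked entries carrying OOW, Counter of NEW states per (src, dst, dport))."""
    oow_blocks, new_states = [], Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        if entry["kind"] == "rule" and entry["action"] == "b" and "OOW" in entry["flags"]:
            oow_blocks.append(entry)
        elif entry["kind"] == "state" and entry["event"] == "NEW":
            new_states[(entry["src"], entry["dst"], entry["dport"])] += 1
    return oow_blocks, new_states
```

On the quoted sample this reports one OOW block (group 1, rule 19, a bare SYN) and four NEW states from the same source to 196.7.156.157 port 80 within about 1.5 seconds.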