Date: Wed, 11 Jul 2007 09:42:22 -0400
From: Stephen Clark <Stephen.Clark@seclark.us>
To: viper <viper@perm.raid.ru>, freebsd-stable@freebsd.org
Subject: Re: ipfilter 4.13 - http traffic going thru ftp proxy
Message-ID: <4694DE3E.1010405@seclark.us>
In-Reply-To: <20070711033334.M23816@perm.raid.ru>
References: <4693E532.3060902@seclark.us> <20070711033334.M23816@perm.raid.ru>
viper wrote:
>On Tue, 10 Jul 2007 15:59:46 -0400, Stephen Clark wrote
>
>>Hello List,
>>
>>I posted a while ago that our testers of our network appliance were
>>complaining that browsing was slower when using our appliance based on 6.x
>>as compared to our appliance using 4.9 FreeBSD.
>>
>>Well it turns out they were right! After spending much time trying
>>to figure out what was going on we discovered that all http traffic
>>was being routed thru the ipf ftp proxy module.
>>
>>Does anyone know why this is happening?
>>********************************************************************************
>>Here is 4.9
>>********************************************************************************
>>H101491# ipnat -l
>>List of active MAP/Redirect filters:
>>map rl1 from 192.168.1.0/24 to any -> 10.0.133.44/32 proxy port ftp ftp/tcp
>>map rl1 from 192.168.1.0/24 to any -> 10.0.133.44/32 portmap tcp/udp 40000:60000
>>map rl1 from 192.168.1.0/24 to any -> 10.0.133.44/32
>>
>>List of active sessions:
>>MAP 192.168.1.9 2949 <- -> 10.0.133.44 40075 [64.154.83.47 80]
>>MAP 192.168.1.9 2948 <- -> 10.0.133.44 40074 [209.67.78.5 80]
>>MAP 192.168.1.9 2947 <- -> 10.0.133.44 40073 [216.168.252.103 443]
>>MAP 192.168.1.9 2946 <- -> 10.0.133.44 40072 [65.243.74.133 80]
>>MAP 192.168.1.9 2945 <- -> 10.0.133.44 40071 [216.168.252.103 443]
>>MAP 192.168.1.9 2944 <- -> 10.0.133.44 40070 [66.155.171.116 80]
>>MAP 192.168.1.9 2943 <- -> 10.0.133.44 40069 [64.9.212.6 80]
>>MAP 192.168.1.9 2942 <- -> 10.0.133.44 40068 [209.104.135.123 80]
>>MAP 192.168.1.9 2941 <- -> 10.0.133.44 40067 [65.243.74.133 80]
>>MAP 192.168.1.9 2940 <- -> 10.0.133.44 40066 [65.243.74.133 80]
>>MAP 192.168.1.9 2939 <- -> 10.0.133.44 40065 [65.243.74.133 80]
>>MAP 192.168.1.9 2938 <- -> 10.0.133.44 40064 [216.239.51.95 80]
>>MAP 192.168.1.9 2924 <- -> 10.0.133.44 40050 [64.233.169.99 80]
>>MAP 192.168.1.9 2922 <- -> 10.0.133.44 40048 [64.233.169.99 80]
>>MAP 192.168.1.9 2920 <- -> 10.0.133.44 40046 [64.233.169.147 80]
>>MAP 192.168.1.9 1031 <- -> 10.0.133.44 40045 [198.6.1.2 53]
>>MAP 192.168.1.9 2884 <- -> 10.0.133.44 40012 [207.159.120.157 80]
>>
>************************************************************************************
>
>>Here is 6.2
>>Notice in the mappings for port 80 the source port is not being
>>mapped into the 40000:60000 range. Also notice that the ftp proxy
>>thought it found something and dumps out some diags.
>>
>************************************************************************************
>
>>H101490# ipnat -l
>>List of active MAP/Redirect filters:
>>map rl1 from 192.168.1.0/24 to any -> 10.0.133.77/32 proxy port ftp ftp/tcp
>>map rl1 from 192.168.1.0/24 to any -> 10.0.133.77/32 portmap tcp/udp 40000:60000
>>map rl1 from 192.168.1.0/24 to any -> 10.0.133.77/32
>>
>>List of active sessions:
>>MAP 192.168.1.88 1397 <- -> 10.0.133.77 1397 [64.154.83.47 80]
>>MAP 192.168.1.88 1396 <- -> 10.0.133.77 1396 [209.67.78.5 80]
>>MAP 192.168.1.88 1395 <- -> 10.0.133.77 1395 [216.168.252.103 443]
>>MAP 192.168.1.88 1394 <- -> 10.0.133.77 1394 [216.168.252.103 443]
>>MAP 192.168.1.88 1393 <- -> 10.0.133.77 1393 [65.243.74.144 80]
>>MAP 192.168.1.88 1392 <- -> 10.0.133.77 1392 [65.243.74.144 80]
>>MAP 192.168.1.88 1378 <- -> 10.0.133.77 1378 [64.233.169.103 80]
>>	proxy ftp/6 use -54 flags 0 proto 6 flags 0 bytes 0 pkts 0 data YES size 312
>>	FTP Proxy: passok: 1
>>	Client: seq 0 (ack 0) len 0 junk 0 cmds 0
>>	buf [\000]
>>	Server: seq 2b451493 (ack 0) len 0 junk 0 cmds 0
>>	buf [\000]
>>MAP 192.168.1.88 1391 <- -> 10.0.133.77 1391 [65.205.8.52 80]
>>MAP 192.168.1.88 1390 <- -> 10.0.133.77 1390 [65.203.229.71 80]
>>MAP 192.168.1.88 1389 <- -> 10.0.133.77 1389 [72.247.8.26 80]
>>MAP 192.168.1.88 1388 <- -> 10.0.133.77 1388 [216.239.51.93 80]
>>MAP 192.168.1.88 1033 <- -> 10.0.133.77 40000 [198.6.1.2 53]
>>
>>--
>>
>>"They that give up essential liberty to obtain temporary safety,
>>deserve neither liberty nor safety." (Ben Franklin)
>>
>>"The course of history shows that as a government grows, liberty
>>decreases." (Thomas Jefferson)
>>
>
>Use "map rl1 from 192.168.1.0/24 to any port=21 -> 10.0.133.77/32 proxy port 21 ftp/tcp"
>It's a feature.
>_______________________
>Best regards,
>VipeR
>

Use "map rl1 from 192.168.1.0/24 to any port=21 -> 10.0.133.77/32 proxy port 21 ftp/tcp"

You know this works, but if I use the same line but use "proxy port ftp" instead of
"proxy port 21" I get:

map rl1 from 192.168.1.0/24 to any port = 5376 -> 10.0.133.77/32 proxy port 5376 ftp/tcp

Go figure.

--
"They that give up essential liberty to obtain temporary safety,
deserve neither liberty nor safety." (Ben Franklin)

"The course of history shows that as a government grows, liberty
decreases." (Thomas Jefferson)
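Two things in this thread are worth checking mechanically rather than by eye. First, the 6.2 rule set has a `proxy port ftp ftp/tcp` map with no `port = 21` match on the destination, so every TCP flow from the inside network is handed to the ftp proxy, and those flows then never reach the `portmap` rule (their NAT port equals their source port). Second, the `5376` that ipnat prints for `proxy port ftp` is exactly 21 with its two bytes swapped (0x0015 read as 0x1500), which is what you get when a service port returned in network byte order is used as if it were in host order; that this is what ipnat is doing is an inference from the number, not something the thread states. The script below is an added example, not code from the thread or from IPFilter: it parses `ipnat -l` output in the format shown above, flags proxy rules without a destination-port match and sessions that bypassed the portmap range or picked up the ftp proxy on a non-ftp flow, and shows the byte-swap arithmetic. The sample listings are trimmed copies of the 6.2 output above plus a constructed "after the fix" listing; the helper names are my own.

```python
"""Added example (not from the thread or from IPFilter): audit `ipnat -l`
output for an ftp proxy rule that catches every flow, and show why the
ftp service port could show up as 5376."""
import re
import struct

# Trimmed from the 6.2 listing in the post above (proxy diag line kept).
IPNAT_6_2 = """\
List of active MAP/Redirect filters:
map rl1 from 192.168.1.0/24 to any -> 10.0.133.77/32 proxy port ftp ftp/tcp
map rl1 from 192.168.1.0/24 to any -> 10.0.133.77/32 portmap tcp/udp 40000:60000
map rl1 from 192.168.1.0/24 to any -> 10.0.133.77/32

List of active sessions:
MAP 192.168.1.88 1397 <- -> 10.0.133.77 1397 [64.154.83.47 80]
MAP 192.168.1.88 1395 <- -> 10.0.133.77 1395 [216.168.252.103 443]
MAP 192.168.1.88 1378 <- -> 10.0.133.77 1378 [64.233.169.103 80]
	proxy ftp/6 use -54 flags 0 proto 6 flags 0 bytes 0 pkts 0 data YES size 312
MAP 192.168.1.88 1033 <- -> 10.0.133.77 40000 [198.6.1.2 53]
"""

# Constructed listing for the rule VipeR suggested (port = 21 on the proxy
# map); the session lines are made up to illustrate the expected shape.
IPNAT_FIXED = """\
List of active MAP/Redirect filters:
map rl1 from 192.168.1.0/24 to any port = 21 -> 10.0.133.77/32 proxy port 21 ftp/tcp
map rl1 from 192.168.1.0/24 to any -> 10.0.133.77/32 portmap tcp/udp 40000:60000
map rl1 from 192.168.1.0/24 to any -> 10.0.133.77/32

List of active sessions:
MAP 192.168.1.88 1397 <- -> 10.0.133.77 40001 [64.154.83.47 80]
MAP 192.168.1.88 1400 <- -> 10.0.133.77 1400 [64.154.83.47 21]
"""

RULE_RE = re.compile(
    r"^map\s+(?P<iface>\S+)\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?:\s+port\s*=\s*(?P<dport>\S+))?\s+->\s+(?P<nat>\S+)\s*(?P<rest>.*)$")
SESS_RE = re.compile(
    r"^MAP\s+(?P<src>\S+)\s+(?P<sport>\d+)\s+<-\s+->\s+(?P<nat>\S+)\s+"
    r"(?P<nport>\d+)\s+\[(?P<dst>\S+)\s+(?P<dport>\d+)\]")


def parse_ipnat(text):
    """Split `ipnat -l` output into rule dicts and session dicts.
    A 'proxy ...' diagnostic line is attached to the session before it."""
    rules, sessions = [], []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append(m.groupdict())
            continue
        m = SESS_RE.match(line)
        if m:
            s = m.groupdict()
            s["sport"], s["nport"], s["dport"] = map(int, (s["sport"], s["nport"], s["dport"]))
            s["proxy"] = False
            sessions.append(s)
            continue
        if line.lstrip().startswith("proxy ") and sessions:
            sessions[-1]["proxy"] = True
    return rules, sessions


def audit(text, portmap=(40000, 60000), ftp_port=21):
    """Return (kind, subject, reason) findings for the listing."""
    rules, sessions = parse_ipnat(text)
    findings = []
    for r in rules:
        if "proxy port" in r["rest"] and r["dport"] is None:
            findings.append(("rule", r["rest"].strip(),
                             "no destination port match; proxy sees every flow"))
    for s in sessions:
        if s["dport"] == ftp_port:
            continue  # ftp control channel: proxy and unmapped port are expected
        who = f"{s['src']}:{s['sport']}->{s['dst']}:{s['dport']}"
        if s["proxy"]:
            findings.append(("session", who, "ftp proxy attached to non-ftp flow"))
        if not portmap[0] <= s["nport"] <= portmap[1]:
            findings.append(("session", who, "NAT port outside portmap range"))
    return findings


def swapped_port(port):
    """Read a 16-bit port packed in network order as if it were host
    (little-endian) order: the error that turns 21 into 5376."""
    return struct.unpack("<H", struct.pack(">H", port))[0]


if __name__ == "__main__":
    for f in audit(IPNAT_6_2):
        print(*f, sep=" | ")
    print("fixed listing findings:", audit(IPNAT_FIXED))
    print("21 with bytes swapped:", swapped_port(21))
```

Run it against a live `ipnat -l` by piping the output into `audit()`; the rule finding is the one that matters, since the session findings only show up once traffic has already taken the wrong path. If the byte-swap inference is right, `proxy port 21` sidesteps the service lookup entirely, which matches what the reply reports working.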
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4694DE3E.1010405>