Date: Thu, 12 Jul 2007 10:15:18 +0600
From: "viper" <viper@perm.raid.ru>
To: Stephen.Clark@seclark.us, freebsd-stable@freebsd.org
Subject: Re: ipfilter 4.13 - http traffic going thru ftp proxy
Message-ID: <20070712041323.M91738@perm.raid.ru>
In-Reply-To: <4694DE3E.1010405@seclark.us>
References: <4693E532.3060902@seclark.us> <20070711033334.M23816@perm.raid.ru> <4694DE3E.1010405@seclark.us>
On Wed, 11 Jul 2007 09:42:22 -0400, Stephen Clark wrote
> viper wrote:
>
> > On Tue, 10 Jul 2007 15:59:46 -0400, Stephen Clark wrote
> >
> > > Hello List,
> > >
> > > I posted a while ago that our testers of our network appliance were
> > > complaining that browsing was slower when using our appliance based on
> > > 6.x as compared to our appliance using 4.9 FreeBSD.
> > >
> > > Well it turns out they were right! After spending much time trying
> > > to figure out what was going on we discovered that all http traffic
> > > was being routed thru the ipf ftp proxy module.
> > >
> > > Does anyone know why this is happening?
> > > ********************************************************************************
> > > Here is 4.9
> > > ********************************************************************************
> > > H101491# ipnat -l
> > > List of active MAP/Redirect filters:
> > > map rl1 from 192.168.1.0/24 to any -> 10.0.133.44/32 proxy port ftp ftp/tcp
> > > map rl1 from 192.168.1.0/24 to any -> 10.0.133.44/32 portmap tcp/udp 40000:60000
> > > map rl1 from 192.168.1.0/24 to any -> 10.0.133.44/32
> > >
> > > List of active sessions:
> > > MAP 192.168.1.9 2949 <- -> 10.0.133.44 40075 [64.154.83.47 80]
> > > MAP 192.168.1.9 2948 <- -> 10.0.133.44 40074 [209.67.78.5 80]
> > > MAP 192.168.1.9 2947 <- -> 10.0.133.44 40073 [216.168.252.103 443]
> > > MAP 192.168.1.9 2946 <- -> 10.0.133.44 40072 [65.243.74.133 80]
> > > MAP 192.168.1.9 2945 <- -> 10.0.133.44 40071 [216.168.252.103 443]
> > > MAP 192.168.1.9 2944 <- -> 10.0.133.44 40070 [66.155.171.116 80]
> > > MAP 192.168.1.9 2943 <- -> 10.0.133.44 40069 [64.9.212.6 80]
> > > MAP 192.168.1.9 2942 <- -> 10.0.133.44 40068 [209.104.135.123 80]
> > > MAP 192.168.1.9 2941 <- -> 10.0.133.44 40067 [65.243.74.133 80]
> > > MAP 192.168.1.9 2940 <- -> 10.0.133.44 40066 [65.243.74.133 80]
> > > MAP 192.168.1.9 2939 <- -> 10.0.133.44 40065 [65.243.74.133 80]
> > > MAP 192.168.1.9 2938 <- -> 10.0.133.44 40064 [216.239.51.95 80]
> > > MAP 192.168.1.9 2924 <- -> 10.0.133.44 40050 [64.233.169.99 80]
> > > MAP 192.168.1.9 2922 <- -> 10.0.133.44 40048 [64.233.169.99 80]
> > > MAP 192.168.1.9 2920 <- -> 10.0.133.44 40046 [64.233.169.147 80]
> > > MAP 192.168.1.9 1031 <- -> 10.0.133.44 40045 [198.6.1.2 53]
> > > MAP 192.168.1.9 2884 <- -> 10.0.133.44 40012 [207.159.120.157 80]
> > >
> > > ************************************************************************************
> > > Here is 6.2
> > > Notice in the mappings for port 80 the source port is not being
> > > mapped into the 40000:60000 range. Also notice that the ftp proxy
> > > thought it found something and dumps out some diags.
> > > ************************************************************************************
> > > H101490# ipnat -l
> > > List of active MAP/Redirect filters:
> > > map rl1 from 192.168.1.0/24 to any -> 10.0.133.77/32 proxy port ftp ftp/tcp
> > > map rl1 from 192.168.1.0/24 to any -> 10.0.133.77/32 portmap tcp/udp 40000:60000
> > > map rl1 from 192.168.1.0/24 to any -> 10.0.133.77/32
> > >
> > > List of active sessions:
> > > MAP 192.168.1.88 1397 <- -> 10.0.133.77 1397 [64.154.83.47 80]
> > > MAP 192.168.1.88 1396 <- -> 10.0.133.77 1396 [209.67.78.5 80]
> > > MAP 192.168.1.88 1395 <- -> 10.0.133.77 1395 [216.168.252.103 443]
> > > MAP 192.168.1.88 1394 <- -> 10.0.133.77 1394 [216.168.252.103 443]
> > > MAP 192.168.1.88 1393 <- -> 10.0.133.77 1393 [65.243.74.144 80]
> > > MAP 192.168.1.88 1392 <- -> 10.0.133.77 1392 [65.243.74.144 80]
> > > MAP 192.168.1.88 1378 <- -> 10.0.133.77 1378 [64.233.169.103 80]
> > >         proxy ftp/6 use -54 flags 0 proto 6 flags 0 bytes 0 pkts 0
> > >         data YES size 312 FTP Proxy: passok: 1 Client:
> > >         seq 0 (ack 0) len 0 junk 0 cmds 0
> > >         buf [\000]
> > >         Server:
> > >         seq 2b451493 (ack 0) len 0 junk 0 cmds 0
> > >         buf [\000]
> > > MAP 192.168.1.88 1391 <- -> 10.0.133.77 1391 [65.205.8.52 80]
> > > MAP 192.168.1.88 1390 <- -> 10.0.133.77 1390 [65.203.229.71 80]
> > > MAP 192.168.1.88 1389 <- -> 10.0.133.77 1389 [72.247.8.26 80]
> > > MAP 192.168.1.88 1388 <- -> 10.0.133.77 1388 [216.239.51.93 80]
> > > MAP 192.168.1.88 1033 <- -> 10.0.133.77 40000 [198.6.1.2 53]
> > >
> > > --
> > >
> > > "They that give up essential liberty to obtain temporary safety,
> > > deserve neither liberty nor safety." (Ben Franklin)
> > >
> > > "The course of history shows that as a government grows, liberty
> > > decreases." (Thomas Jefferson)
> >
> > Use "map rl1 from 192.168.1.0/24 to any port=21 -> 10.0.133.77/32 proxy port 21 ftp/tcp"
> > It's a feature.
> > _______________________
> > Best regards,
> > VipeR
>
> Use "map rl1 from 192.168.1.0/24 to any port=21 -> 10.0.133.77/32
> proxy port 21 ftp/tcp"
>
> You know this works, but if I use the same line but use "proxy port ftp"
> instead of "proxy port 21" I get:
> map rl1 from 192.168.1.0/24 to any port = 5376 -> 10.0.133.77/32 proxy port 5376 ftp/tcp
>
> Go figure.

Again, this is a known feature. The truth is similar to the bug.
_______________________
Best regards,
VipeR
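The rule set change viper suggests, written out beside the original one, together with a small audit of `ipnat -l` output that flags the two symptoms Stephen saw (HTTP sessions keeping their original source port instead of a 40000:60000 one, and the ftp proxy attaching to a port 80 session). This is an added example, not code from the thread or from ipfilter; it assumes the session line layout shown in the listings above and the thread's 40000:60000 portmap range, and the sample listings are constructed from the thread. One observation on the `port = 5376` oddity Stephen reports: 5376 is 0x1500, which is 21 (0x0015) with its two bytes swapped, so writing the port numerically, as in the corrected rule, avoids the service-name path entirely.

```shell
#!/bin/sh
# Added example (not from the thread or the ipfilter project): the corrected
# ipnat rule set beside the original one, plus an audit of `ipnat -l` output
# that flags the symptom described in the thread. The sample session lines
# below are constructed from the 4.9 and 6.2 listings.

# Original first rule (matches every TCP flow, so HTTP lands in the ftp proxy
# and never reaches the portmap rule):
#   map rl1 from 192.168.1.0/24 to any -> 10.0.133.77/32 proxy port ftp ftp/tcp
# Corrected rule set: restrict the proxy to destination port 21 and spell the
# port numerically, which sidesteps the "port = 5376" rendering of "ftp".
write_ipnat_conf() {
    cat >"$1" <<'EOF'
map rl1 from 192.168.1.0/24 to any port = 21 -> 10.0.133.77/32 proxy port 21 ftp/tcp
map rl1 from 192.168.1.0/24 to any -> 10.0.133.77/32 portmap tcp/udp 40000:60000
map rl1 from 192.168.1.0/24 to any -> 10.0.133.77/32
EOF
}

# Audit `ipnat -l` session output read from stdin. Each MAP line looks like
#   MAP <src> <sport> <- -> <nat_ip> <nat_port> [<dst> <dport>]
# A session is flagged UNMAPPED when its NAT source port is outside the
# portmap range and the destination is not FTP control (21), and PROXIED
# when a "proxy ftp/..." diagnostic follows a non-FTP session (assumes the
# diagnostic starts its own line, as in the 6.2 listing). The range defaults
# to the thread's 40000:60000; pass lo and hi as $1 and $2 to override.
audit_sessions() {
    awk -v lo="${1:-40000}" -v hi="${2:-60000}" '
        BEGIN { lo += 0; hi += 0; n = 0; lastdport = 21 }
        /^MAP / {
            natport = $7 + 0
            dst = $8; sub(/^\[/, "", dst)
            dport = $9; sub(/\]$/, "", dport); dport += 0
            lastdport = dport
            if (dport != 21 && (natport < lo || natport > hi)) {
                printf "UNMAPPED %s:%s -> %s:%d nat port %d not in %d:%d\n",
                       $2, $3, dst, dport, natport, lo, hi
                n++
            }
            next
        }
        /^[[:space:]]*proxy ftp\// {
            if (lastdport != 21) {
                printf "PROXIED  ftp proxy attached to a port %d session\n", lastdport
                n++
            }
        }
        END { printf "flagged %d\n", n }'
}

# Convenience wrapper: number of findings for a listing passed as a string.
flagged_count() {
    printf '%s\n' "$1" | audit_sessions | awk '/^flagged / { print $2 }'
}

# Constructed samples, abbreviated from the thread's listings.
SAMPLE_49='MAP 192.168.1.9 2949 <- -> 10.0.133.44 40075 [64.154.83.47 80]
MAP 192.168.1.9 2947 <- -> 10.0.133.44 40073 [216.168.252.103 443]
MAP 192.168.1.9 1031 <- -> 10.0.133.44 40045 [198.6.1.2 53]'

SAMPLE_62='MAP 192.168.1.88 1397 <- -> 10.0.133.77 1397 [64.154.83.47 80]
MAP 192.168.1.88 1395 <- -> 10.0.133.77 1395 [216.168.252.103 443]
MAP 192.168.1.88 1378 <- -> 10.0.133.77 1378 [64.233.169.103 80]
proxy ftp/6 use -54 flags 0 proto 6 flags 0 bytes 0 pkts 0
MAP 192.168.1.88 1033 <- -> 10.0.133.77 40000 [198.6.1.2 53]'

# Run against the 6.2 sample; on a live box use:  ipnat -l | audit_sessions
printf '%s\n' "$SAMPLE_62" | audit_sessions
```

Against the 6.2 sample the audit reports three UNMAPPED sessions and one PROXIED finding (the port 80 session that the ftp proxy latched onto); the 4.9 sample, where every NAT port sits in 40000:60000, reports none. Only the first rule changes in the corrected set; the portmap and catch-all rules are the ones from the thread.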