On Sep 22, 2008, at 6:10 AM, Jason Dixon wrote:
On Mon, Sep 22, 2008 at 05:23:31AM -0700, Parvinder Bhasin wrote:
On Sep 22, 2008, at 4:46 AM, Jason Dixon wrote:
On Mon, Sep 22, 2008 at 02:25:01AM -0700, Parvinder Bhasin wrote:
On Sep 22, 2008, at 1:14 AM, Stuart Henderson wrote:
On 2008-09-22, Parvinder Bhasin <[EMAIL PROTECTED]> wrote:
I have users that can access the website fine (75.44.229.18) and some users that complain they can't access it.
Include the dmesg so we can see what OS version you're running.
Set pfctl -x misc and watch /var/log/messages, include any output
from around the time of a failed connection. Include the relevant
state table entries from pfctl -vss.
Here is the output from pfctl -vss - with the host (75.18.177.36) trying to access the website:
Please do that again, but grep only the relevant bits. I'm not going to sift through all the noise.
$ sudo pfctl -ss | grep 75.18.177.36
I'm pretty sure your outbound nat needs to be moved *after* your rdr's.
I think the inbound traffic is having the src_addr translated to your firewall's ($ext_if)
Jason,
Here it is without the noise.
# pfctl -ss | grep 75.18.177.36
all tcp 172.16.10.11:80 <- 75.44.229.18:80 <- 75.18.177.36:1056 SYN_SENT:ESTABLISHED
all tcp 75.18.177.36:1056 -> 172.16.10.11:80 ESTABLISHED:SYN_SENT
Looks ok. Let's see the output of `pfctl -sr` and `pfctl -sn`. Also, let's correlate your states to the logged blocks. In separate terminals, do the `pfctl -ss | grep <foo>` and then find the corresponding traffic in pflog0 that's being blocked. Let's see them both.
# pfctl -sr
scrub in all fragment reassemble
block return in log (all) all
pass out all flags S/SA keep state
block drop in quick on ! lo inet from 127.0.0.0/8 to any
block drop in quick on ! lo inet6 from ::1 to any
block drop in quick inet from 127.0.0.1 to any
block drop in quick on ! fxp0 inet from 172.16.10.0/24 to any
block drop in quick inet from 172.16.10.10 to any
block drop in quick inet6 from ::1 to any
block drop in quick on lo0 inet6 from fe80::1 to any
block drop in quick on fxp0 inet6 from fe80::206:29ff:fecf:7d5f to any
pass in on fxp1 inet proto tcp from any to 172.16.10.11 port = www flags S/SA keep state
pass in on fxp1 inet proto tcp from any to 75.44.229.17 port = ssh flags S/SA keep state
pass in on fxp1 inet proto tcp from any to 172.16.10.12 port = 3128 flags S/SA synproxy state
pass in inet proto icmp all icmp-type echoreq keep state
pass in quick on fxp0 all flags S/SA keep state
# pfctl -sn
nat on fxp1 from ! (fxp1) to any -> (fxp1:0)
nat-anchor "ftp-proxy/*" all
rdr-anchor "ftp-proxy/*" all
rdr on fxp1 inet proto tcp from any to 75.44.229.18 port = www -> 172.16.10.11 port 80
rdr on fxp1 inet proto tcp from any to 75.44.229.19 port = 3128 -> 172.16.10.12 port 3128
# pfctl -ss | grep 75.18.177.36
all tcp 172.16.10.11:80 <- 75.44.229.18:80 <- 75.18.177.36:1057 SYN_SENT:ESTABLISHED
all tcp 75.18.177.36:1057 -> 172.16.10.11:80 ESTABLISHED:SYN_SENT
--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/
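As an added example (not code from this thread or from any of its participants), here is a small Python parser for the `pfctl -ss` lines quoted above; it assumes the pre-4.7 pfctl output format shown in the thread and decodes each state pair according to pf's TCP state tracking, so the reader can tell from a state entry how far the three-way handshake actually got.

```python
import re
from collections import namedtuple
# Constructed sample: the two state entries quoted in the thread, joined back
# onto one line each (the mail client had wrapped them).
SAMPLE = """\
all tcp 172.16.10.11:80 <- 75.44.229.18:80 <- 75.18.177.36:1057 SYN_SENT:ESTABLISHED
all tcp 75.18.177.36:1057 -> 172.16.10.11:80 ESTABLISHED:SYN_SENT
"""
# client/server: who opened the connection and who it is addressed to; translated: the
# middle address printed when nat/rdr rewrote the packet; *_state: pf's TCP state per side.
PfState = namedtuple("PfState", "iface proto direction client server translated client_state server_state")
ARROW = re.compile(r"\s+(<-|->)\s+")
LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+:\S+(?:\s+(?:<-|->)\s+\S+:\S+){1,2})\s+(\S+):(\S+)$")

def parse_state_line(line):
    """Parse one 'pfctl -ss' line in the (pre-4.7) format shown in the thread."""
    m = LINE.match(line.strip())
    if not m:
        return None
    iface, proto, endpoints, left_state, right_state = m.groups()
    parts = ARROW.split(endpoints)  # [ep, arrow, ep, (arrow, ep)]
    eps, direction = parts[0::2], ("out" if parts[1] == "->" else "in")
    translated = eps[1] if len(eps) == 3 else None
    # pfctl prints the state pair in address order: "->" lines read
    # client -> [gwy ->] server, "<-" lines read server <- [gwy <-] client.
    if direction == "out":
        client, server, cs, ss = eps[0], eps[-1], left_state, right_state
    else:
        server, client, ss, cs = eps[0], eps[-1], left_state, right_state
    return PfState(iface, proto, direction, client, server, translated, cs, ss)

def handshake_status(st):
    # How far pf has seen the three-way handshake get, following its TCP state tracking.
    if st.proto != "tcp":
        return "not-tcp"
    pair = (st.client_state, st.server_state)
    if pair == ("SYN_SENT", "CLOSED"):
        return "syn-seen-no-reply"        # SYN passed, nothing came back yet
    if pair == ("ESTABLISHED", "SYN_SENT"):
        return "synack-seen-ack-missing"  # SYN/ACK passed, client's final ACK not seen
    if pair == ("ESTABLISHED", "ESTABLISHED"):
        return "handshake-complete"
    return "other:" + ":".join(pair)

def report(output):
    out = []
    for st in filter(None, map(parse_state_line, output.splitlines())):
        via = f" via {st.translated}" if st.translated else ""
        out.append(f"{st.iface} {st.direction} {st.client} -> {st.server}{via}: {handshake_status(st)}")
    return out
```

On the two quoted states the verdict is synack-seen-ack-missing: pf passed the SYN in and the SYN/ACK back out, but never saw the client's final ACK. That points the next check at whether the SYN/ACK reaches the client with the expected source address and whether the client's ACK ever arrives on fxp1 (tcpdump on fxp1 and pflog0 side by side).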