oops, sorry 'bout that, was a long night last night... got my ports all
fuxored

as for why they are getting blocked:
don't modulate state, keep state on the https
this works for me

as for the why:
not sure, my guess is it has something to do with the duration of time.
since modulate state changes the sequence numbers, if the connection loses
state (they write a really long email), then the sequence will not be
found when trying to match and thus needs to re-init the connection (but I
would also think the same would happen when keep state is dropped)
(I am no expert, and that explanation is very suspect, and I'm sure someone
else can explain it better) the blind leading the blind...


scott

On Wed, 19 Mar 2003, Sid Keller wrote:

> This box contains both the web and email server.  Our employees only
> access the email server via a web client through https (port 443, ms sql
> server is 1433 and 1434).  Everyone can connect however some people get
> a "Page cannot be displayed" message with Internet Explorer when trying
> to send an email.  I think this is happening because pf is blocking some
> of the port 443 traffic and I don't know why.
>
> Thanks,
>
> Sid
>
>
> [EMAIL PROTECTED] wrote:
> > port 443 (ms sql server traffic) is being blocked because you don't have a
> > rule to pass it in
> >
> > your ruleset allows only smtp, ssh, and https to come in, everything else
> > is being blocked
> >
> > is that the only "problem" you are having? or is the email not functioning
> > properly either?
> >
> >
> >
> > scott
> >
> >
> > On Tue, 18 Mar 2003, Sid Keller wrote:
> >
> >
> >>I'm having some problems with my rulesets for an email server.  The server
> >>is not behind a firewall but I have pf enabled on the server.  Here is
> >>my ruleset.
> >>
> >>###############################################################################
> >>#----------------------------------------------------------
> >># Variable Section
> >>#----------------------------------------------------------
> >>int_if="fxp0"
> >>nonroute="{ 192.168.1.0/24, 172.16.0.0/12, 127.0.0.0/8, 10.0.0.0/8,
> >>0.0.0.0/8 }"
> >>approved_mgmt_net="{ x.x.x.x }"
> >>server_ip="{ x.x.x.x }"
> >>#************************************************************************
> >>#************************************************************************
> >>#        Firewall Rulebase Begin
> >>#************************************************************************
> >>#************************************************************************
> >>#
> >>#----------------------------------------------------------
> >>#        Packet Normalization (deny fragmented packets)
> >>#----------------------------------------------------------
> >>scrub in all
> >>#----------------------------------------------------------
> >>#        Default Deny
> >>#----------------------------------------------------------
> >>block in log all
> >>#----------------------------------------------------------
> >>#        Allow Loopback Packets
> >>pass in  quick on lo0 all
> >>pass out quick on lo0 all
> >>#----------------------------------------------------------
> >>#        Drop Spoofed Packets
> >>#----------------------------------------------------------
> >>block in  log quick on $int_if from $nonroute to any
> >>block out log quick on $int_if from any to $nonroute
> >>#----------------------------------------------------------
> >>#        Drop wrong TCP Flags
> >>#----------------------------------------------------------
> >>block in quick on $int_if inet proto tcp from any to any flags FUP/FUP
> >>#----------------------------------------------------------
> >>#----------------------------------------------------------
> >>#        Firewall RULES
> >>#----------------------------------------------------------
> >>pass in  quick on $int_if inet proto tcp from $approved_mgmt_net to $server_ip port ssh
> >>pass in  quick on $int_if inet proto tcp from any to $server_ip port https flags S/SA modulate state
> >>pass in  quick on $int_if inet proto tcp from any to $server_ip port { smtp } flags S/SA modulate state
> >>#----------------------------------------------------------
> >>#        Allow Return Traffic and Connection From Firewall
> >>#----------------------------------------------------------
> >>pass out on $int_if inet proto { tcp, udp, icmp } all keep state
> >>
> >>Here is a snippet from my pflog file using tcpdump -n -e -ttt.
> >>
> >>Mar 07 10:58:10.177507 rule 1/0(match): block in on fxp0:
> >>user.ip.address.1501 > my.ip.address.443: F 71818460:71818460(0) ack
> >>3194040235 win 5549 (DF)
> >>Mar 07 10:58:10.183314 rule 1/0(match): block in on fxp0:
> >>user.ip.address.1502 > my.ip.address.443: F 71819657:71819657(0) ack
> >>963312026 win 5549 (DF)
> >>Mar 07 11:52:59.986506 rule 1/0(match): block in on fxp0:
> >>user.ip.address.1586 > my.ip.address.443: R 75169994:75169994(0) win 0 (DF)
> >>Mar 07 11:52:59.990614 rule 1/0(match): block in on fxp0:
> >>user.ip.address.1585 > my.ip.address.443: R 75170656:75170656(0) win 0 (DF)
> >>
> >>I'm curious as to why the above traffic is being block on port 443.
> >>
> >>Thanks for your help.  Any other suggestions concerning my ruleset would
> >>be greatly appreciated.
> >>
> >>
> >>--
> >>Sid Keller
> >>
> >>
> >
>
>
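An added illustration (not code from anyone in this thread): the pflog lines Sid posted all hit rule 1 (the `block in log all` default deny) and all carry F or R flags with no SYN, i.e. they are FIN/RST packets for connections pf no longer holds state for, not new connection attempts. The small Python parser below reads `tcpdump -n -e -ttt` pflog output in that shape and groups blocked packets by destination port and by whether they are a fresh SYN (a policy block, like the MS SQL 1433 traffic Scott mentioned) or a stateless teardown packet (the kind that appears when a `modulate state` entry has expired during a long web-mail session). The sample lines, hostnames and the extra port 1433 line are constructed for the example; the line format assumed is the 2003-era tcpdump format shown in the thread, with bracketed `[F.]` style flags from newer tcpdump also accepted.

```python
import re
from collections import Counter

# Constructed sample in the shape of the thread's `tcpdump -n -e -ttt` pflog
# output. Hostnames are placeholders, not real addresses; the last line is an
# invented SYN to port 1433 to show the other kind of block.
SAMPLE_PFLOG = """\
Mar 07 10:58:10.177507 rule 1/0(match): block in on fxp0: user.ip.address.1501 > my.ip.address.443: F 71818460:71818460(0) ack 3194040235 win 5549 (DF)
Mar 07 10:58:10.183314 rule 1/0(match): block in on fxp0: user.ip.address.1502 > my.ip.address.443: F 71819657:71819657(0) ack 963312026 win 5549 (DF)
Mar 07 11:52:59.986506 rule 1/0(match): block in on fxp0: user.ip.address.1586 > my.ip.address.443: R 75169994:75169994(0) win 0 (DF)
Mar 07 11:52:59.990614 rule 1/0(match): block in on fxp0: user.ip.address.1585 > my.ip.address.443: R 75170656:75170656(0) win 0 (DF)
Mar 07 12:01:03.000001 rule 1/0(match): block in on fxp0: user.ip.address.2001 > my.ip.address.1433: S 1000:1000(0) win 65535 (DF)
"""

# One TCP pflog line: timestamp, matching rule, action/direction/interface,
# endpoints, TCP flags, then the rest (seq, "ack N", window, options).
LINE_RE = re.compile(
    r"^\s*(?P<ts>\w{3} \d{2} [\d:.]+) "
    r"rule (?P<rule>\d+)/\d+\((?P<reason>\w+)\): "
    r"(?P<action>\w+) (?P<dir>in|out) on (?P<iface>\w+): "
    r"(?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<flags>\[?[SFRPAUEW.]+\]?)(?P<rest>.*)$"
)


def parse_pflog(text):
    """Parse pflog text into dicts; lines that are not TCP records are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["flags"] = e["flags"].strip("[]")          # "[F.]" -> "F."
        e["dst_host"], e["dst_port"] = e["dst"].rsplit(".", 1)
        entries.append(e)
    return entries


def classify(entry):
    """Say what kind of packet the firewall dropped.

    Old tcpdump prints ACK as a trailing "ack N" keyword, newer tcpdump puts
    "." or "A" in the flag field, so both spellings are checked.
    """
    flags = entry["flags"]
    has_ack = "." in flags or "A" in flags or " ack " in entry["rest"]
    if "S" in flags and not has_ack:
        return "new-connection"        # fresh SYN: no pass rule, policy block
    if "S" in flags:
        return "handshake-reply"       # SYN/ACK with no state entry for it
    return "stateless-teardown"        # FIN/RST/ACK for a connection pf forgot


def summarize(entries):
    """Count blocked packets per (destination port, packet class)."""
    return Counter((e["dst_port"], classify(e)) for e in entries)


def report(text):
    """Human-readable lines, one per (port, class), most frequent first."""
    lines = []
    for (port, kind), n in summarize(parse_pflog(text)).most_common():
        lines.append(f"port {port:>5}  {kind:<20} {n:>4} blocked")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_PFLOG)))
```

Run against a real pflog (`tcpdump -n -e -ttt -r /var/log/pflog | python3 pflog_classify.py` after swapping the sample for stdin) the `stateless-teardown` rows are the ones that go away when the https rule uses `keep state` instead of `modulate state`, while `new-connection` rows on ports like 1433 are exactly the traffic Sid's ruleset intentionally has no pass rule for.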

