RE: Vexing IPF problem

2005-06-17 Thread fbsd_user
1. Best thing is scrap your firewall rules and use the IPF rules
listed in the firewall/ipfilter section of the official handbook.
2. There are a lot of spoofed packets using port 80 on the public
internet and that may be what you are seeing.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of DH
Sent: Friday, June 17, 2005 11:13 AM
To: freebsd-questions@freebsd.org
Subject: Vexing IPF problem


I'm having a problem with IPF blocking packets that it appears should be
let through.

I've spent quite a bit of time going through the Handbook, man pages,
etc. I must be missing something, so any help is greatly
appreciated.

uname -a freebsd 4.11-release #0

SMP kernel, dual PIII processor, 512 MB ECC RAM, SCSI HDs

excerpt from rule set:

Kernel compiled with default allow until I finish getting the
ruleset rewritten.

Rule #1 block in log from any to any

pass in quick on lo0
pass out quick on lo0

block in log quick on fxp0 from any to any with ipopts
block in log quick proto tcp from any to any with short
...
pass in log first proto tcp from any to any port = 80 flags S keep
state
pass in log first proto tcp from any port = 80 to any flags S keep
state
pass out log first proto tcp from any to any port = 80 flags S keep
state


netstat -m = 129/576/16384
9% of mb_map in use

Proxy Server - Squid 2.5.stable10


The behavior I'm seeing is out going connections to websites on port
80 are being passed
but the in bound traffic is being blocked.  The ipflog entries look
like this:


my ip = s   theirs = d

@0:390 p s.s.s.s,3601 -> d.d.d.d,80 PR tcp len 20 60 -S K-S OUT

@0:1 b d.d.d.d,80 -> s.s.s.s,3601 PR tcp len 20 43 -AR IN



Thanks in advance to those giving their time to lend a hand, I know
your time is valuable.

Please CC my address in your reply.

David Hutchens III
Network Technician





___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to
[EMAIL PROTECTED]



Re: Vexing IPF problem

2005-06-17 Thread John Conner
Hello David,

I'm not an expert on IPF but on first inspection it would
look like the problem is in your first fxp0 rule:

block in log quick on fxp0 from any to any with ipopts

To the best of my knowledge when quick is added the
firewall does not look at any of the other rules. If
this is the case having quick in the above rule would
cause the firewall to block every incoming packet.
Hope this helps

John

--- DH [EMAIL PROTECTED] wrote:



RE: Vexing IPF problem

2005-06-17 Thread DH
Nuke & pave unfortunately is not a desirable option - there are a hair over 1k 
rules in the total rule set (99% are address blocks of evil doers). I'm 
observing the blocking behavior relative to addresses that are not specifically 
blocked.
 
Looking at the log entries it looks as though the inbound ACK packet gets 
dropped after the outgoing connection request is made.

 
Thank You for your rsvp.
 
David Hutchens III
Network Technician

fbsd_user [EMAIL PROTECTED] wrote:


David Hutchens III
Network Technician
DRS Surveillance Support Systems - A division of DRS Technologies.



Re: Vexing IPF problem

2005-06-17 Thread John Conner
David,

If you just REM'd the ipopts rule the firewall will
stop at the next line:

block in log quick proto tcp from any to any with
short

Try commenting out both these lines as the quick in
the second rule would also cause the firewall to
reject incoming traffic. Using quick tells the
firewall to stop traversing the rule set. In this case
it will have read the above rule and ignored the other
in rules.

Hope this helps,

John

--- DH [EMAIL PROTECTED] wrote:

 Hello John, 
  
 The ipopts rule is actually rule #4 - Rule #1 is: 
 block in log from any to any
  
 and the log indicates the return packet is getting
 blocked at rule 1: @0:1.
  
 Just for the heck of it I did try your suggestion and
 REM'd out the ipopts rule, but this had no effect.
  
  
  
 Thanks for the rsvp
 
 David Hutchens III
 Network Technician
 
 John Conner [EMAIL PROTECTED] wrote:


Re: Vexing IPF problem

2005-06-17 Thread horio shoichi
On Fri, 17 Jun 2005 08:12:45 -0700 (PDT)
DH [EMAIL PROTECTED] wrote:

Any reason you avoid 'quick' keywords in rules around 390?

Also, from my vague memory 'first' should not be necessary with 'quick'.


horio shoichi

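As an added example that is not part of this thread and not ipfilter's own code, here is a small Python model of the two semantics the replies argue about: ipf's last-matching-rule-wins evaluation, which a matching `quick` rule cuts short, and `keep state`, which lets a session's replies bypass the rule list. It loads the rule excerpt from the original post, replays the two logged packets plus a few variants, and returns verdicts tagged the way ipmon does (`@group:rule`). Assumptions beyond what the post shows: `flags S` is treated as ipf's S/SA shorthand (SYN set, ACK clear), state is a plain 5-tuple with no timeouts or TCP window tracking, and rule numbers are counted per in/out list, so the post's `@0:390` shows up as `@0:2` here because the rules behind `...` are not on the page.

```python
"""Added toy model of how IPFilter walks a rule list (not ipfilter's code):
the last matching rule wins unless a matching rule says `quick`, and a
`keep state` match lets the session's replies bypass the rule list."""
import re
from collections import namedtuple

Packet = namedtuple("Packet", "direction iface proto src sport dst dport flags ipopts short")
# Subset of ipf.conf syntax covering the rules posted in the thread.
RULE_RE = re.compile(
    r"^(?P<action>pass|block)\s+(?P<direction>in|out)"
    r"(?:\s+log(?:\s+first)?)?(?P<quick>\s+quick)?"
    r"(?:\s+on\s+(?P<iface>\S+))?(?:\s+proto\s+(?P<proto>\S+))?"
    r"(?:\s+all|\s+from\s+(?P<src>\S+)(?:\s+port\s*=\s*(?P<sport>\d+))?"
    r"\s+to\s+(?P<dst>\S+)(?:\s+port\s*=\s*(?P<dport>\d+))?)?"
    r"(?:\s+flags\s+(?P<flags>[A-Z]+))?(?:\s+with\s+(?P<with>ipopts|short))?"
    r"(?P<state>\s+keep\s+state)?\s*$")

class Rule:
    def __init__(self, text):
        m = RULE_RE.match(text.strip())
        if not m:
            raise ValueError("unsupported rule syntax: %r" % text)
        self.f, self.number = m.groupdict(), 0

    def matches(self, pkt):
        f = self.f
        # ipf's 'flags S' means S/SA (SYN set, ACK clear): an ACK-bearing reply never matches it
        syn_only = "S" in pkt.flags and "A" not in pkt.flags
        return (f["direction"] == pkt.direction
                and f["iface"] in (None, pkt.iface)
                and f["proto"] in (None, pkt.proto)
                and f["src"] in (None, "any", pkt.src)
                and f["dst"] in (None, "any", pkt.dst)
                and f["sport"] in (None, str(pkt.sport))
                and f["dport"] in (None, str(pkt.dport))
                and (f["flags"] != "S" or syn_only)
                and (f["with"] != "ipopts" or pkt.ipopts)
                and (f["with"] != "short" or pkt.short))

class Firewall:
    def __init__(self, rule_texts, default="pass"):
        # separate in/out lists; ipmon's @group:rule number counts within each list
        self.lists, self.default, self.state = {"in": [], "out": []}, default, set()
        for text in rule_texts:
            rule = Rule(text)
            lst = self.lists[rule.f["direction"]]
            rule.number = len(lst) + 1
            lst.append(rule)

    def check(self, pkt):
        """(verdict, tag): winning rule as ipmon tags it, 'state' or 'default'."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.state or reverse in self.state:
            return "pass", "state"
        winner = None
        for rule in self.lists[pkt.direction]:
            if rule.matches(pkt):
                winner = rule                 # last match wins ...
                if rule.f["quick"]:
                    break                     # ... unless it is quick
        if winner is None:
            return self.default, "default"    # the post's kernel was default-allow
        if winner.f["action"] == "pass" and winner.f["state"]:
            self.state.add(key)               # keep state (no timeouts modelled)
        return winner.f["action"], "@0:%d" % winner.number

# The post's excerpt; rules elided by "..." are absent, so numbers differ from @0:390.
POSTED_RULES = [
    "block in log from any to any",
    "pass in quick on lo0",
    "pass out quick on lo0",
    "block in log quick on fxp0 from any to any with ipopts",
    "block in log quick proto tcp from any to any with short",
    "pass in log first proto tcp from any to any port = 80 flags S keep state",
    "pass in log first proto tcp from any port = 80 to any flags S keep state",
    "pass out log first proto tcp from any to any port = 80 flags S keep state",
]

def tcp(direction, src, sport, dst, dport, flags, ipopts=False):
    # Constructed TCP packet on fxp0 using the post's placeholder addresses.
    return Packet(direction, "fxp0", "tcp", src, sport, dst, dport, frozenset(flags), ipopts, False)

def scenarios():
    out, fw = {}, Firewall(POSTED_RULES)
    # Outbound SYN creates state; the SYN/ACK reply then passes on state alone.
    out["syn_out"] = fw.check(tcp("out", "s.s.s.s", 3601, "d.d.d.d", 80, "S"))
    out["synack_in_with_state"] = fw.check(tcp("in", "d.d.d.d", 80, "s.s.s.s", 3601, "SA"))
    fw = Firewall(POSTED_RULES)   # fresh state table: nothing covers the reply
    # The logged '-AR IN' packet: rule 1 matches, nothing later does, so block @0:1 as logged.
    out["ackrst_in_no_state"] = fw.check(tcp("in", "d.d.d.d", 80, "s.s.s.s", 3601, "AR"))
    # Last match wins: rule 1 blocks, the later port-80 pass rule overrides it.
    out["syn_in_to_80"] = fw.check(tcp("in", "d.d.d.d", 40000, "s.s.s.s", 80, "S"))
    # quick ends evaluation only for packets the quick rule itself matches.
    out["synack_in_ipopts"] = fw.check(tcp("in", "d.d.d.d", 80, "s.s.s.s", 3601, "SA", ipopts=True))
    return out
```

The no-state replay reproduces the posted `@0:1 b ... -AR IN` line: rule 1 is the only rule in the in list that matches an ACK-bearing packet from port 80, because both port-80 pass rules require `flags S`. A block at @0:1 on the reply therefore means no state entry covered it; the model does not say why (the ipopts `quick` rule, by contrast, only ends evaluation for packets that actually carry IP options). On the box itself, `ipfstat -ion` lists the rules with the numbers ipmon reports, and `ipfstat -sl` dumps the state table so you can check whether the outbound session is present when the reply arrives.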