[Shorewall-users] Shorewall Dropping packets from IE 6 and higher ...

[Joerg Mertin]

Hia folks,

I have setup my own firewall using the Shoreline Firewall.
Now - I have identified that users using the IE 6 or 7 get dropped quite
fast by my system.
As a little Explanation:
Firewall is a Lex-Mini ITX System, 3 ethernet 100/10, 1 USB Wlan, 1 USB
ADSL Modem connected. I'm using Busybox to boot the system, e.g. to copy
the Root-FS from a CF-Card to a Ram-FS, before the system initialises.
Shoreline Firewall is setup to block everything - and logging is done
using the ulogd extension to a remote Mysql Database inside the Service
Network (Some people also know this as DMZ - but this term is wrong for
this).
The Ulog Daemon will store the tagged packets by shorewall as beeing
rejected, dropped or accepted, depending on the per interface policy I
have set up.
Now - as I don't like people to scan my systems - I have written a little
Daemon that watches the mysql-Ulog DB for dropped packets, initialises a
counter - and every site that produces a certain number of dropped packets
- get's marked as Blacklisted, and the firewall adds this site in a matter
of 1/minute to the shorewall dynamic blacklist.

Now - the Internet Explorer 6 or 7 produces strange packets - that the
shorewall system dropps immediatly - this users using the IE 6 or 7 get
blacklisted fast...

IMHO - I don't mind blocking people using M$ Software out of my site - but
I'm interested as to why the system drops these packets... And the point
is - I don't know why this happens ...

OK - here is a clean entry:
  oob_time_sec       2007-05-16 17:46:58
  oob_time_usec       15754
  oob_prefix       Shorewall:world_dnat:DNAT:
  oob_in       ppp0
  ip_saddr       83.171.189.186
  ip_daddr       212.114.251.235
  ip_protocol       6
  ip_ttl       126
  ip_totlen       52
  ip_ihl       5
  ip_csum       2876
  ip_id       4036
  ip_fragoff       16384
  tcp_sport       49506
  tcp_dport       80
  tcp_seq       3710813843
  tcp_window       8192
  tcp_syn       1

And now the one the firewall has dropped:
  oob_time_sec       2007-05-16 17:47:01
  oob_time_usec       130066
  oob_prefix       Shorewall:world2fw:DROP:
  oob_in       ppp0
  ip_saddr       83.171.189.186
  ip_daddr       212.114.251.235
  ip_protocol       6
  ip_ttl       126
  ip_totlen       52
  ip_ihl       5
  ip_csum       2833
  ip_id       4079
  ip_fragoff       16384
  tcp_sport       49516
  tcp_dport       80
  tcp_seq       4235568596
  tcp_window       8192
  tcp_syn       1

It seems that this packet is not identified as having to be forwarded to
the Webserver behind - but as the destination would be the firewall
itself. Which is IMHO odd ...
I have asked a friend to access my site and captured the requests. The IE
request produced a Dropped packet, the Firefox not... So i could send
these in if anyone is interested (I attached the IE-capture to this Mail).
You can identify the requests by checking the sourceports in the pcap-file
(using ethereal or wireshark)...

Have you seen this before ? Note that this happens only with Microsoft
Internet Explorer since version 6 and later ...
All other browsers have no issues ...


I am using Shorewall 3.2.4-1 on an Ubuntu 6.06.1 LTS based system.

Thx for your Time ;)
PS: I prefere not to send the shorewall dump to the list - can be missused
by people accessing the archives - as the entire network infrastructure
can be read out of it. Anyone who is si kind to help me - let me know -
I'll send you the dump. Thx.

-- 
------------------------------------------------------------------------
| Joerg Mertin              :  [EMAIL PROTECTED]                (Home)|
| in Forchheim/Germany      :  [EMAIL PROTECTED]                  (Alt1)|
| Stardust's LiNUX System   :                                          |
| Web: http://www.solsys.org                                           |
------------------------------------------------------------------------
PGP Fingerprint: AF0F FB75 997B 025F 4538 5AD6 9888 5D97 170B 8B7A

Title: Stargate - The Gate to the Stars

Ôò¡ÿÿqp'KFy"[EMAIL PROTECTED]>ß € +J¬


p'[EMAIL PROTECTED]>ß!€Ѝz¬


p'KFg88E([EMAIL PROTECTED]>ß!8Jn«P
äp'[EMAIL PROTECTED] MS«½ºÔrûëÁZP¡>ß!8Jn«P
ÍGET / HTTP/1.1 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/x-shockwave-flash, */* Accept-Language: de UA-CPU: x86 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; Media Center PC 5.0) Host: www.solsys.org Connection: Keep-Alive Cookie: PHPSESSID=6d87e4b75e522f77da4dafd7964365cb p'KF…¯88E([EMAIL PROTECTED]>á.PÀÜBq'[EMAIL PROTECTED]>á.PÀ¦WHTTP/1.1 200 OK Date: Wed, 16 May 2007 15:46:56 GMT Server: Apache/2.0.55 (Ubuntu) mod_ssl/2.0.55 OpenSSL/0.9.8a Expires: 0 Cache-Control: no-cache, must-revalidate, max_age=0 Pragma: no-cache Connection: close Transfer-Encoding: chunked Content-Type: text/html; charset=ISO-8859-1 7733

Login: Pw: If you do not have an account yet Create One.   Why not sign up for an account? [ Home - Links - Forums ] Wednesday, May 16 2007   á.8JzP Ö¦q'[EMAIL PROTECTED]>á.PÀhtd>

Main Menu   Web Links Mailing Lists Your Account About Me    Projects Downloads Forums Mail me Media Database Stats/Tools    System Stats    Troubleshoot    DnsStuff Docs & Links    Module programming    Epia mini-ITX Links Legal Notice Quicklinks   External Links Webmail Gallery index   Existing categories (gals.)   > Diving (2)   > Holiday (1)   > Wedding (2) F.A.Q. index   Common Linux problems CV860A / Lex Light Epia M10000 / Hush Epia SP8000E / Travla Stargate's Backup script Stargate's Budget module Stargate's F.A.Q. processor Starg ate's Image Gallery Stargate's Media Database Stargate's MP3 Streq'[EMAIL PROTECTED]>á.PÀ'[amer Stargate's Webcam module System Statistics interface Webcam index    Net Eye 200 @ Home q'[EMAIL PROTECTED]>á.PÀ¿p MP3 Streamer   No playlist found for Guest ... New Medias   > A sound of Thunder > Léon, the     Professional > Alone in the Dark > Final Call > The Cave System Stats   > Routerq'KF̂88E([EMAIL PROTECTED]>á.8J³P ¿öq'[EMAIL PROTECTED]>á.PÀ·\   * Gateway > Server   * Stargate

Welcome to Stargate   You accessed a private site - and all data found on it is not to be used for any purpose - except if explicitly stated (Software packages under GPL). Spammers and Similar - please "GO AWAY" and leave us alone and do not dare using any information found on these pages for your unethical actions ! DISCLAIMER: The owner of this site takes no responsibility for the content of external site links presented on these pages. á.PÀ5align="bottom"> Stargate got a new home ... Posted by Admin on: Friday 26 January @ 18:10:05   Smurphy writes: "Stargate server got a new home. Actually - it got new/old hardware. The old workstation got the new hardware for the server. It's faster, and will give me the opportunity to set up a dedicated Backup server for private stuff. Anyway - if you find anything strange on the system - feel free to drop me a message." Add Comments |   |  á.8JœP ´žq'KFu1 [EMAIL PROTECTED]>á.PÀÖÚn="middle" alt="Printable Version" />  Stargate Gateway Firewall replaced ... Posted by Admin on: Thursday 23 November @ 22:18:43   Smurphy writes: "A new firewall came into place. same model, only newer... Created a Debian-based router system, booting from an integrated CF card, using busybox and copying the FS onto a Ram-Filesystem. The used Firewall is Shorewall - and the configuration has been defined by me. The system might need some more tuning - but I'm pretty sure that this system will be way more stable than the old version..." Req'KF 2 [EMAIL PROTECTED]>á.PÀZad More... | 648 bytes more | Add Comments |   |    Stargate Gateway Firewall Died ... Posted by Admin on: Wednesday 15 November @ 17:05:10   Smurphy writes: "The Firewall to Stargate died today a Horrible Death - 2 condensators exploded. The system was still live though, after powering off - did q'KFð2 [EMAIL PROTECTED]>á.PÀÅnot come back up. Seems something more happened there. New hardware has been ordered and will probably come in next week. Until then - only limited capability to the system will be enabled. " Read More... | 721 bytes more | Add Comments |   |    New CA Certificates uploaded Posted by Admin on: Monday 31 July @ 12:19:07   A new ssl-certificate has been issued. If you want to let your browser know the CA-Authority (avoid the certificate message) - use this Server-Certificate. Read More... | 194 bytes more |   |    Server modifications ... Posted by Admin on: Wednesday 11 January @ 20:31:31   Smurphy writes: "the Stargate server has had a FAN replaced - and a hole cut into the server-case on the side. Airflow is now way better - and the system is less noisy. Caused some downtime - but the result was worse it."    |    Budget planification   No validated User You can view the About section though. downloads   Docs [1] Icons [1] Networking Tools [2] á.8J²»P îq'KF: [EMAIL PROTECTED]ÔrûëS«½ºPÁZ8JÏ¡>á.PÀ7"g src="" border="0" align="middle"> PHP [4] phpWs 0.8.1 [4] phpWs 0.8.2 [6] Tools [1] 19 files downloaded 14735 times. Who's Online   Welcome Guest! Guest(s)online: 1 No Members are currently logged in. Forum   Last 5 Postings to Forum MenHelper (20/Feb/2007) Re: Reorganize the S... (14/Oct/2002) Re: Reorganize the S... (14/Oct/2002) Re: Reorganize the S... (11/Oct/2002) Re: Reorganize the S... (11/Oct/2002) Past Announcements   á.8J¾P ’–q'KFU)[EMAIL PROTECTED] ÔrûëS«½ºPÁZ8Jà¡>á.PÀÉ®s="normal">December 18 Poweroutage caused downtime December 13 New changes to the Solar System\'s September 21 New hardware finally up and running August 19 Updates on Stargate\'s web page July 27 Harddisk-Crash again ...

Search Stargate

á.PÀ>
lass="smalltextatbottom" style="text-align : center"> Copyright © Joerg Mertin [EMAIL PROTECTED]
This site is best viewed with a resolution of 1280x1024 pixels.

q'KFVÎ88E([EMAIL PROTECTED]>á.8JÉkP
‡>q'[EMAIL PROTECTED]>á.PÀ»0 q'KFzü88E([EMAIL PROTECTED]>á.PÀcÜq'KF:v88E([EMAIL PROTECTED]>á.8JÔÃP
{æq'KF> 88E([EMAIL PROTECTED]>á.8JàP
pŽq'KFÁ 88E([EMAIL PROTECTED]>á.8JçP
ižq'KF‹ 88E([EMAIL PROTECTED]>á.8JçP
i˜q'KFùì 88E([EMAIL PROTECTED]>á.8JçP
i—q'KFgî 88E([EMAIL PROTECTED]>á/PÀcÛq'[EMAIL PROTECTED]@S«½ºÔrûëÁ]P&é઀ ¤¬


q'KF'[EMAIL PROTECTED]&éીÐÒô¬


r'KF®)[EMAIL PROTECTED] ̬


r'[EMAIL PROTECTED] ¬


r'[EMAIL PROTECTED]>S«½ºÔrûëÁaP)GƤ€ »¶¬


r'KF§/[EMAIL PROTECTED])GÆ¥€ÐYg¬


r'KF£188E([EMAIL PROTECTED]&éà«8x¡ËP
)†r'[EMAIL PROTECTED]@?²ÍÔrûëS«½ºPÁ]8x¡Ë&éâtPÀ"
r'KF®l88E([EMAIL PROTECTED]'KFcp88E([EMAIL PROTECTED])GÆ¥7§3ÎP
¯ør'[EMAIL PROTECTED]&éâtPÀ³ÊHTTP/1.0 304 Not Modified Date: Wed, 16 May 2007 15:46:58 GMT Server: Apache/2.0.55 (Ubuntu) mod_ssl/2.0.55 OpenSSL/0.9.8a Connection: close ETag: "4a9d2-e82-6cf478c0" r'KFêv88E(§@@?²ËÔrûëS«½ºPÁ]8x¢z&éâtPÀ!Qr'KF²w88E([EMAIL PROTECTED] ^r'[EMAIL PROTECTED] xS«½ºÔrûëÁ`P„[…89P
€MGET /images/topics/smurphtools.gif HTTP/1.1 Accept: */* Referer: http://www.solsys.org/ Accept-Language: de UA-CPU: x86 Accept-Encoding: gzip, deflate If-Modified-Since: Sun, 27 Jan 2002 13:45:45 GMT; length=2597 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; Media Center PC 5.0) Host: www.solsys.org Connection: Keep-Alive Cookie: PHPSESSID=6d87e4b75e522f77da4dafd7964365cb r'KF“¤88E([EMAIL PROTECTED]'[EMAIL PROTECTED]/1.0 304 Not Modified Date: Wed, 16 May 2007 15:46:58 GMT Server: Apache/2.0.55 (Ubuntu) mod_ssl/2.0.55 OpenSSL/0.9.8a Connection: close ETag: "4b35b-a25-2337440" r'KFÝ®88E(@[EMAIL PROTECTED]ÔrûëS«½ºPÁ`89µ„]PPÀ²er'[EMAIL PROTECTED] ~S«½ºÔrûëÁbPÝ.†”8#bP
ý!GET /images/topics/tech.jpg HTTP/1.1 Accept: */* Referer: http://www.solsys.org/ Accept-Language: de UA-CPU: x86 Accept-Encoding: gzip, deflate If-Modified-Since: Sun, 11 Mar 2001 14:46:10 GMT; length=1336 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; Media Center PC 5.0) Host: www.solsys.org Connection: Keep-Alive Cookie: PHPSESSID=6d87e4b75e522f77da4dafd7964365cb r'KF÷Ã88E([EMAIL PROTECTED]'[EMAIL PROTECTED] ƒS«½ºÔrûëÁaP)GÆ¥7§3ÎP
°äGET /images/friend.gif HTTP/1.1 Accept: */* Referer: http://www.solsys.org/ Accept-Language: de UA-CPU: x86 Accept-Encoding: gzip, deflate If-Modified-Since: Thu, 25 Oct 2001 21:40:32 GMT; length=101 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; Media Center PC 5.0) Host: www.solsys.org Connection: Keep-Alive Cookie: PHPSESSID=6d87e4b75e522f77da4dafd7964365cb r'KFTß88E([EMAIL PROTECTED])GÈcPÀ¨~r'KFhá88E([EMAIL PROTECTED]@S«½ºÔrûëÁ]P&éât8x¢{P
' r'[EMAIL PROTECTED]&ÔrûëS«½ºPÁa7§3Î)GÈcPÀÌfHTTP/1.1 304 Not Modified Date: Wed, 16 May 2007 15:46:58 GMT Server: Apache/2.0.55 (Ubuntu) mod_ssl/2.0.55 OpenSSL/0.9.8a Connection: close ETag: "4b2a0-65-af135400" r'KFYå88E([EMAIL PROTECTED]|)GÈcPÀ§Ïr'KFˆå88E([EMAIL PROTECTED]&éât8x¢{P
'r'KFØæ88E([EMAIL PROTECTED]&éâuPÀ!Pr'[EMAIL PROTECTED] Äú¬


r'[EMAIL PROTECTED]/1.0 304 Not Modified Date: Wed, 16 May 2007 15:46:58 GMT Server: Apache/2.0.55 (Ubuntu) mod_ssl/2.0.55 OpenSSL/0.9.8a Connection: close ETag: "4b2f9-538-515dd080" r'[EMAIL PROTECTED]([EMAIL PROTECTED]'KFs
88E([EMAIL PROTECTED]'KF
88E([EMAIL PROTECTED][EMAIL PROTECTED]'KFÑO
88E([EMAIL PROTECTED](S«½ºÔrûëÁfPà=ÌÀ7ä95P
í=u'[EMAIL PROTECTED] aS«½ºÔrûëÁdPÝUÈ8j¼DP
¶2GET /mod/downloads/images/n.gif HTTP/1.1 Accept: */* Referer: http://www.solsys.org/ Accept-Language: de UA-CPU: x86 Accept-Encoding: gzip, deflate If-Modified-Since: Tue, 23 May 2000 10:24:02 GMT; length=61 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; Media Center PC 5.0) Host: www.solsys.org Connection: Keep-Alive Cookie: PHPSESSID=6d87e4b75e522f77da4dafd7964365cb u'KFÓ~
88E([EMAIL PROTECTED]&S«½ºÔrûëÁiPöy Æ8^NnP
„Fu'KFЀ
88E([EMAIL PROTECTED](u'[EMAIL PROTECTED]/1.0 304 Not Modified Date: Wed, 16 May 2007 15:47:01 GMT Server: Apache/2.0.55 (Ubuntu) mod_ssl/2.0.55 OpenSSL/0.9.8a Connection: close ETag: "4a9b9-3d-9e3e1480" u'KFª†
88E([EMAIL PROTECTED]'Òu'[EMAIL PROTECTED] _S«½ºÔrûëÁfPà=ÌÀ7ä95P
omGET /mod/downloads/images/m.gif HTTP/1.1 Accept: */* Referer: http://www.solsys.org/ Accept-Language: de UA-CPU: x86 Accept-Encoding: gzip, deflate If-Modified-Since: Tue, 23 May 2000 10:24:02 GMT; length=66 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; Media Center PC 5.0) Host: www.solsys.org Connection: Keep-Alive Cookie: PHPSESSID=6d87e4b75e522f77da4dafd7964365cb u'KFÑ£
88E([EMAIL PROTECTED])IÔrûëS«½ºPÁf7ä95à=ΆPÀå»u'KFb¦
88E([EMAIL PROTECTED]'[EMAIL PROTECTED](šÔrûëS«½ºPÁf7ä95à=ΆPÀÏÏHTTP/1.1 304 Not Modified Date: Wed, 16 May 2007 15:47:01 GMT Server: Apache/2.0.55 (Ubuntu) mod_ssl/2.0.55 OpenSSL/0.9.8a Connection: close ETag: "4a9b8-42-9e3e1480" u'KFƨ
88E([EMAIL PROTECTED])GÔrûëS«½ºPÁf7ä9ãà=ΆPÀåu'[EMAIL PROTECTED] \S«½ºÔrûëÁiPöy Æ8^NnP
sGET /mod/downloads/images/t.gif HTTP/1.1 Accept: */* Referer: http://www.solsys.org/ Accept-Language: de UA-CPU: x86 Accept-Encoding: gzip, deflate If-Modified-Since: Tue, 23 May 2000 10:24:04 GMT; length=71 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; Media Center PC 5.0) Host: www.solsys.org Connection: Keep-Alive Cookie: PHPSESSID=6d87e4b75e522f77da4dafd7964365cb u'KF¿Î
88E([EMAIL PROTECTED]|Äu'[EMAIL PROTECTED]:ÒHTTP/1.0 304 Not Modified Date: Wed, 16 May 2007 15:47:01 GMT Server: Apache/2.0.55 (Ubuntu) mod_ssl/2.0.55 OpenSSL/0.9.8a Connection: close ETag: "4a9ba-47-9e5c9900" u'KFdÓ
88E([EMAIL PROTECTED]|u'KF,[EMAIL PROTECTED] [S«½ºÔrûëÁjPÙ´€8µ
KP
ùÄGET /mod/downloads/images/l.gif HTTP/1.1 Accept: */* Referer: http://www.solsys.org/ Accept-Language: de UA-CPU: x86 Accept-Encoding: gzip, deflate If-Modified-Since: Tue, 23 May 2000 10:24:02 GMT; length=67 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; Media Center PC 5.0) Host: www.solsys.org Connection: Keep-Alive Cookie: PHPSESSID=6d87e4b75e522f77da4dafd7964365cb u'KFèé
88E([EMAIL PROTECTED]'KFÝì
88E([EMAIL PROTECTED] S«½ºÔrûëÁdPÝWŽ8j¼óP
-Žu'KFJð
88E([EMAIL PROTECTED]'KF“ñ
88E([EMAIL PROTECTED]'Ñu'[EMAIL PROTECTED]'HTTP/1.0 304 Not Modified Date: Wed, 16 May 2007 15:47:01 GMT Server: Apache/2.0.55 (Ubuntu) mod_ssl/2.0.55 OpenSSL/0.9.8a Connection: close ETag: "4a9b7-43-9e3e1480" u'KF×ö
88E([EMAIL PROTECTED]'KFÀ÷
88E([EMAIL PROTECTED]'[EMAIL PROTECTED] M¬


u'KFX88E([EMAIL PROTECTED]'KFñ88E([EMAIL PROTECTED])FÔrûëS«½ºPÁf7ä9äà=·PÀåu'KFH288E([EMAIL PROTECTED]'KFËE88E([EMAIL PROTECTED]'KF*G88E([EMAIL PROTECTED]|u'KFðI88E([EMAIL PROTECTED] u'KF;]88E([EMAIL PROTECTED]'KF—^88E([EMAIL PROTECTED]'[EMAIL PROTECTED] M¬


x'[EMAIL PROTECTED]'KFµ/88 E([EMAIL PROTECTED]'[EMAIL PROTECTED] JS«½ºÔrûëÁlPüu¥Õ8™½õP
ÎGET /mod/forum/images/folder.png HTTP/1.1 Accept: */* Referer: http://www.solsys.org/ Accept-Language: de UA-CPU: x86 Accept-Encoding: gzip, deflate If-Modified-Since: Tue, 05 Jun 2001 12:52:58 GMT; length=395 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; Media Center PC 5.0) Host: www.solsys.org Connection: Keep-Alive Cookie: PHPSESSID=6d87e4b75e522f77da4dafd7964365cb x'KF»w88E([EMAIL PROTECTED]'KFW|[EMAIL PROTECTED]/1.1 304 Not Modified Date: Wed, 16 May 2007 15:47:04 GMT Server: Apache/2.0.55 (Ubuntu) mod_ssl/2.0.55 OpenSSL/0.9.8a Connection: close ETag: "4a908-18b-c2e25e80" x'KF}88E(± @?©ÔrûëS«½ºPÁl8™¾¤üu§PÀjAx'KFÂÏ88E([EMAIL PROTECTED]'KFZß88E([EMAIL PROTECTED]'KFŸà88E(± @[EMAIL PROTECTED]

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users