I'm sure

> At a quick guess, it's prolly something along the lines of FTP... which means
> you either need some fairly large holes, or you'll need to write a proxy module
> for IPF to support it (like the FTP and VPN proxies).
> Perhaps if you provide some traffic dumps (not content, just flows) someone
> might be able to help you.

I doubt it's worth the trouble. There is TCP traffic on 80, 443, and 29900 (?) which starts out looking like regular web connections, then I start getting packets back from the web site with flag AS, and if I make a case for those then I get flags like AP, and after I finally let in anything to or from any of those ports, some UDP traffic gets into the act... Windows PCs and Solaris workstations and servers do all the normal IP things through my ipfilter setup without those kinds of rules, so there is something different going on. I can see why the colleges gave up. Stateful inspection doesn't look likely to encompass all these goings-on. Better to set up an insecure wireless router outside my firewall than compromise the firewall. Perhaps somebody more motivated than I will figure out a proxy.

Here are some examples of rules that seem to suffice as additions to the normal keep-state rules for ports 80 and 443; 10.0.2.0 is the internal network.
  pass in log quick proto tcp from any port = 80 to 10.0.2.0/24 port > 1023 group 100
  pass out log quick proto tcp from any port = 80 to 10.0.2.0/24 port > 1023 group 151
  pass in log quick proto tcp from 10.0.2.0/24 port > 1023 to any port = 80 group 101
  pass out log quick proto tcp from 10.0.2.0/24 port > 1023 to any port = 80 group 150
  pass in log quick proto tcp from any port = 443 to 10.0.2.0/24 port > 1023 group 100
  pass out log quick proto tcp from any port = 443 to 10.0.2.0/24 port > 1023 group 151
  pass in log quick proto tcp from 10.0.2.0/24 port > 1023 to any port = 443 group 101
  pass out log quick proto tcp from 10.0.2.0/24 port > 1023 to any port = 443 group 150
  pass in log quick proto tcp from any port = 29900 to 10.0.2.0/24 port > 1023 group 100
  pass out log quick proto tcp from any port = 29900 to 10.0.2.0/24 port > 1023 group 151
  pass in log quick proto tcp from 10.0.2.0/24 port > 1023 to any port = 29900 group 101
  pass out log quick proto tcp from 10.0.2.0/24 port > 1023 to any port = 29900 group 150

The UDP transactions seem to have gone away for the time being.
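The "fairly large holes" the earlier reply warned about can be made concrete. The following is an added example, not code from the list post or from IPFilter itself: it parses two of the port-80 rules quoted above with a small matcher covering only that rule syntax, evaluates them against three constructed packets (the addresses 203.0.113.10 and 198.51.100.9 are documentation addresses, not from the post), and compares the result with a minimal model of what a keep-state rule does. The stateless `pass in ... from any port = 80 to 10.0.2.0/24 port > 1023` rule admits any inbound segment whose source port happens to be 80, whether or not an inside host ever opened that connection; the stateful model only admits replies to flows it has seen leave.

```python
"""Added example: compare the post's stateless ipf rules with a keep-state model."""
import ipaddress
import re

# Subset of the ipf rule grammar used in the post: action, direction, optional
# log/quick, proto tcp, from/to address with a port comparison, optional group.
RULE_RE = re.compile(
    r"(?P<action>pass|block)\s+(?P<dir>in|out)(?:\s+log)?(?:\s+quick)?\s+proto\s+tcp"
    r"\s+from\s+(?P<src>\S+)\s+port\s+(?P<sop>[=<>])\s+(?P<sport>\d+)"
    r"\s+to\s+(?P<dst>\S+)\s+port\s+(?P<dop>[=<>])\s+(?P<dport>\d+)"
    r"(?:\s+group\s+\d+)?\s*$"
)

# Two of the port-80 rules quoted in the post, verbatim.
POST_RULES = [
    "pass in log quick proto tcp from any port = 80 to 10.0.2.0/24 port > 1023 group 100",
    "pass out log quick proto tcp from 10.0.2.0/24 port > 1023 to any port = 80 group 150",
]


def parse_rule(text):
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {text!r}")
    return m.groupdict()


def addr_matches(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def port_matches(op, value, port):
    value = int(value)
    return {"=": port == value, ">": port > value, "<": port < value}[op]


def rule_matches(rule, direction, src, sport, dst, dport):
    return (rule["dir"] == direction
            and addr_matches(rule["src"], src) and port_matches(rule["sop"], rule["sport"], sport)
            and addr_matches(rule["dst"], dst) and port_matches(rule["dop"], rule["dport"], dport))


def stateless_verdict(rules, direction, src, sport, dst, dport):
    """First matching rule wins (every rule here is 'quick'); default deny is assumed."""
    for r in rules:
        if rule_matches(r, direction, src, sport, dst, dport):
            return r["action"]
    return "block"


class StatefulModel:
    """Minimal 'keep state' model (assumption, not ipf's actual state engine): an
    outbound SYN from the inside creates a flow entry; inbound packets pass only
    if they are the reverse of an existing flow."""

    def __init__(self, internal_net):
        self.internal = ipaddress.ip_network(internal_net)
        self.flows = set()

    def verdict(self, direction, src, sport, dst, dport, flags):
        if direction == "out" and ipaddress.ip_address(src) in self.internal:
            if flags == "S":
                self.flows.add((src, sport, dst, dport))
            return "pass" if (src, sport, dst, dport) in self.flows else "block"
        if direction == "in":
            return "pass" if (dst, dport, src, sport) in self.flows else "block"
        return "block"


def compare():
    """Return {packet name: (stateless verdict, stateful verdict)} for constructed packets."""
    rules = [parse_rule(r) for r in POST_RULES]
    fw = StatefulModel("10.0.2.0/24")
    # Constructed packets: (name, direction, src, sport, dst, dport, flags as ipf logs them)
    packets = [
        ("client SYN",      "out", "10.0.2.5",     40000, "203.0.113.10", 80,    "S"),
        ("server SYN/ACK",  "in",  "203.0.113.10", 80,    "10.0.2.5",     40000, "AS"),
        ("unsolicited SYN", "in",  "198.51.100.9", 80,    "10.0.2.5",     40000, "S"),
    ]
    results = {}
    for name, d, s, sp, t, tp, fl in packets:
        results[name] = (stateless_verdict(rules, d, s, sp, t, tp), fw.verdict(d, s, sp, t, tp, fl))
    return results


if __name__ == "__main__":
    for name, (stateless, stateful) in compare().items():
        print(f"{name:16} stateless={stateless:5} stateful={stateful}")
```

The third packet is the one that matters: the post's inbound rule passes it because it only looks at addresses and ports, while the keep-state model blocks it because no inside host sent a SYN to 198.51.100.9:80. Logging the stateless rules (as the post does with `log`) is the practical way to see how often such unsolicited matches actually occur before deciding whether the rules can stay.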
