On Sep 22, 2008, at 1:14 AM, Stuart Henderson wrote:

On 2008-09-22, Parvinder Bhasin <[EMAIL PROTECTED]> wrote:
I have users that can access the website fine (75.44.229.18) and some
user that complain they can't access it.

Include the dmesg so we can see what OS version you're running.
Set pfctl -x misc and watch /var/log/messages, include any output
from around the time of a failed connection. Include the relevant
state table entries from pfctl -vss.
Stuart/Jason:

The OS version is 4.3.
I did "pfctl -x misc" and I don't see any messages appearing related to the bad connection from that IP. I logged on remotely to one of the systems and tried accessing the site, but nothing showed up in /var/log/messages. Here is the output:

# pfctl -x misc
debug level set to 'misc'
# tail -f /var/log/messages
Sep 19 07:02:34 firetalk ntpd[18456]: bad peer from pool pool.ntp.org (209.132.176.4)
Sep 19 07:02:34 firetalk ntpd[18456]: bad peer from pool pool.ntp.org (208.53.158.34)
Sep 20 02:00:01 firetalk syslogd: restart
Sep 20 04:00:02 firetalk syslogd: restart
Sep 20 14:00:02 firetalk syslogd: restart
Sep 21 02:00:01 firetalk syslogd: restart
Sep 21 20:43:56 firetalk ntpd[18456]: 3 out of 5 peers valid
Sep 21 20:43:56 firetalk ntpd[18456]: bad peer from pool pool.ntp.org (209.132.176.4)
Sep 21 20:43:56 firetalk ntpd[18456]: bad peer from pool pool.ntp.org (208.53.158.34)
Sep 22 02:00:01 firetalk syslogd: restart


Here is the output from pfctl -vss, with the host (75.18.177.36) trying to access the website:

# pfctl -vss
all udp 204.152.186.173:123 <- 172.16.10.12:19727       MULTIPLE:MULTIPLE
   age 12:04:07, expires in 00:00:31, 1364:1364 pkts, 103664:103664 bytes
all udp 172.16.10.12:19727 -> 75.44.229.17:60314 -> 204.152.186.173:123 MULTIPLE:MULTIPLE
   age 12:04:07, expires in 00:00:31, 1364:1364 pkts, 103664:103664 bytes
all udp 82.165.177.157:123 <- 172.16.10.12:44282       MULTIPLE:MULTIPLE
   age 10:04:30, expires in 00:00:57, 1138:1138 pkts, 86488:86488 bytes
all udp 172.16.10.12:44282 -> 75.44.229.17:56413 -> 82.165.177.157:123 MULTIPLE:MULTIPLE
   age 10:04:30, expires in 00:00:57, 1138:1138 pkts, 86488:86488 bytes
all udp 207.192.69.197:123 <- 172.16.10.12:42096       MULTIPLE:MULTIPLE
   age 03:06:08, expires in 00:00:47, 355:355 pkts, 26980:26980 bytes, rule 14
all udp 172.16.10.12:42096 -> 75.44.229.17:60864 -> 207.192.69.197:123 MULTIPLE:MULTIPLE
   age 03:06:08, expires in 00:00:47, 355:355 pkts, 26980:26980 bytes, rule 1
all tcp 75.44.229.17:22 <- 76.202.196.187:59799       ESTABLISHED:ESTABLISHED
   [654074524 + 524232] wscale 0  [3656802774 + 16952] wscale 3
   age 00:07:21, expires in 24:00:00, 490:427 pkts, 35301:77260 bytes, rule 11
all tcp 216.39.62.89:25 <- 172.16.10.12:29315       CLOSED:SYN_SENT
   [0 + 16384]  [4185608820 + 1]
   age 00:00:33, expires in 00:00:15, 3:0 pkts, 192:0 bytes, rule 14
all tcp 172.16.10.12:29315 -> 75.44.229.17:61775 -> 216.39.62.89:25 SYN_SENT:CLOSED
   [4185608820 + 1]  [0 + 16384]
   age 00:00:33, expires in 00:00:15, 3:0 pkts, 192:0 bytes, rule 1
all udp 75.44.229.17:21902 -> 66.250.45.2:123       MULTIPLE:SINGLE
   age 00:00:22, expires in 00:00:09, 1:1 pkts, 76:76 bytes, rule 1
# pfctl -vss | grep 75.18.177.36
# pfctl -vss
all udp 204.152.186.173:123 <- 172.16.10.12:19727       MULTIPLE:MULTIPLE
   age 12:06:24, expires in 00:00:47, 1369:1369 pkts, 104044:104044 bytes
all udp 172.16.10.12:19727 -> 75.44.229.17:60314 -> 204.152.186.173:123 MULTIPLE:MULTIPLE
   age 12:06:24, expires in 00:00:47, 1369:1369 pkts, 104044:104044 bytes
all udp 82.165.177.157:123 <- 172.16.10.12:44282       MULTIPLE:MULTIPLE
   age 10:06:47, expires in 00:00:50, 1142:1142 pkts, 86792:86792 bytes
all udp 172.16.10.12:44282 -> 75.44.229.17:56413 -> 82.165.177.157:123 MULTIPLE:MULTIPLE
   age 10:06:47, expires in 00:00:50, 1142:1142 pkts, 86792:86792 bytes
all udp 207.192.69.197:123 <- 172.16.10.12:42096       MULTIPLE:MULTIPLE
   age 03:08:25, expires in 00:00:38, 359:359 pkts, 27284:27284 bytes, rule 14
all udp 172.16.10.12:42096 -> 75.44.229.17:60864 -> 207.192.69.197:123 MULTIPLE:MULTIPLE
   age 03:08:25, expires in 00:00:38, 359:359 pkts, 27284:27284 bytes, rule 1
all tcp 75.44.229.17:22 <- 76.202.196.187:59799       ESTABLISHED:ESTABLISHED
   [654079468 + 524232] wscale 0  [3656804886 + 16952] wscale 3
   age 00:09:38, expires in 24:00:00, 603:497 pkts, 43349:85892 bytes, rule 11
all tcp 172.16.10.11:80 <- 75.44.229.18:80 <- 75.18.177.36:1125       SYN_SENT:ESTABLISHED
   [2398465402 + 65535]  [930424393 + 5840]
   age 00:00:11, expires in 00:00:30, 3:5 pkts, 144:240 bytes, rule 10
all tcp 75.18.177.36:1125 -> 172.16.10.11:80       ESTABLISHED:SYN_SENT
   [930424393 + 5840]  [2398465402 + 65535]
   age 00:00:11, expires in 00:00:30, 3:5 pkts, 144:240 bytes, rule 1
# pfctl -vss
all udp 204.152.186.173:123 <- 172.16.10.12:19727       MULTIPLE:MULTIPLE
   age 12:06:31, expires in 00:00:40, 1369:1369 pkts, 104044:104044 bytes
all udp 172.16.10.12:19727 -> 75.44.229.17:60314 -> 204.152.186.173:123 MULTIPLE:MULTIPLE
   age 12:06:31, expires in 00:00:40, 1369:1369 pkts, 104044:104044 bytes
all udp 82.165.177.157:123 <- 172.16.10.12:44282       MULTIPLE:MULTIPLE
   age 10:06:54, expires in 00:00:43, 1142:1142 pkts, 86792:86792 bytes
all udp 172.16.10.12:44282 -> 75.44.229.17:56413 -> 82.165.177.157:123 MULTIPLE:MULTIPLE
   age 10:06:54, expires in 00:00:43, 1142:1142 pkts, 86792:86792 bytes
all udp 207.192.69.197:123 <- 172.16.10.12:42096       MULTIPLE:MULTIPLE
   age 03:08:32, expires in 00:00:31, 359:359 pkts, 27284:27284 bytes, rule 14
all udp 172.16.10.12:42096 -> 75.44.229.17:60864 -> 207.192.69.197:123 MULTIPLE:MULTIPLE
   age 03:08:32, expires in 00:00:31, 359:359 pkts, 27284:27284 bytes, rule 1
all tcp 75.44.229.17:22 <- 76.202.196.187:59799       ESTABLISHED:ESTABLISHED
   [654082092 + 524232] wscale 0  [3656804982 + 16952] wscale 3
   age 00:09:45, expires in 24:00:00, 629:521 pkts, 44797:89764 bytes, rule 11
all tcp 172.16.10.11:80 <- 75.44.229.18:80 <- 75.18.177.36:1125       SYN_SENT:ESTABLISHED
   [2398465402 + 65535]  [930424393 + 5840]
   age 00:00:18, expires in 00:00:23, 3:5 pkts, 144:240 bytes, rule 10
all tcp 75.18.177.36:1125 -> 172.16.10.11:80       ESTABLISHED:SYN_SENT
   [930424393 + 5840]  [2398465402 + 65535]
   age 00:00:18, expires in 00:00:23, 3:5 pkts, 144:240 bytes, rule 1
# pfctl -vss | grep 75.18.177.36
all tcp 172.16.10.11:80 <- 75.44.229.18:80 <- 75.18.177.36:1125 SYN_SENT:ESTABLISHED
all tcp 75.18.177.36:1125 -> 172.16.10.11:80       ESTABLISHED:SYN_SENT


Why is the user in the pflog below getting blocked, whereas most users can access the website just fine?


tcpdump: listening on pflog0, link-type PFLOG
Sep 21 21:53:21.903554 rule 0/(match) block in on fxp0: 172.16.10.11.80 > 75.18.177.36.1106: [|tcp] (DF)
Sep 21 21:53:34.570469 rule 0/(match) block in on fxp1: 75.18.177.36.1105 > 172.16.10.11.80: [|tcp] (DF)


Here is my pf.conf file:

##### MACROS ####
ext_if="fxp1"
int_if="fxp0"
pf_log="pflog0"

icmp_types="echoreq"

#### OPTIONS #####
set loginterface $ext_if
set loginterface $int_if
set block-policy return
set skip on lo

# scrub
scrub in

nat on $ext_if from !($ext_if) -> ($ext_if:0)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

rdr on $ext_if proto tcp from any to 75.44.229.18 port 80 -> 172.16.10.11 port 80
rdr on $ext_if proto tcp from any to 75.44.229.19 port 3128 -> 172.16.10.12 port 3128

# filter
block in log (all, to pflog0)

pass out keep state
antispoof quick for { lo $int_if }

pass in on $ext_if inet proto tcp from any to 172.16.10.11 port 80 flags S/SA keep state
pass in on $ext_if inet proto tcp from any to 75.44.229.17 port 22 flags S/SA keep state
pass in on $ext_if inet proto tcp from any to 172.16.10.12 port 3128 flags S/SA synproxy state
pass in inet proto icmp all icmp-type $icmp_types keep state
pass in quick on $int_if

If this is a newer OS version, flags S/SA and keep state are redundant. If it's an old one, your "pass in quick on $int_if" should also use them.


Yes, I don't need those flags. I was testing something to get these users going.
Will change it.

-Parvinder Bhasin

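The thread does the correlation by hand ("pfctl -vss | grep 75.18.177.36" against the two pflog lines). As an added example that is not code from the thread or from OpenBSD, the following Python script parses the two formats posted above (the OpenBSD 4.3 pfctl -vss header and age lines, and tcpdump's pflog0 output) and, for each blocked packet, reports whether any state already covers that flow, translated or untranslated, and which states exist for the same pair of hosts on other ports. The sample text is copied from the thread (wrapped pflog lines re-joined); the helper names, the lan/gwy/ext labels and the "exact"/"related" split are this example's own. It assumes, as the fxp1 block entry above shows, that pflog carries addresses after nat/rdr. Run over the thread's data it reports that neither logged packet (client ports 1105 and 1106) is covered by a state, while the only states for that client are the pair on port 1125.

```python
import re
from typing import List, NamedTuple, Optional, Set, Tuple
Endpoint = Tuple[str, int]

# Sample input copied from the thread above: the two states pf holds for the
# failing client, the unrelated ssh state, and the two pflog lines re-joined.
STATES_TEXT = """\
all tcp 172.16.10.11:80 <- 75.44.229.18:80 <- 75.18.177.36:1125 SYN_SENT:ESTABLISHED
   age 00:00:18, expires in 00:00:23, 3:5 pkts, 144:240 bytes, rule 10
all tcp 75.18.177.36:1125 -> 172.16.10.11:80       ESTABLISHED:SYN_SENT
   age 00:00:18, expires in 00:00:23, 3:5 pkts, 144:240 bytes, rule 1
all tcp 75.44.229.17:22 <- 76.202.196.187:59799 ESTABLISHED:ESTABLISHED
   [654082092 + 524232] wscale 0  [3656804982 + 16952] wscale 3
   age 00:09:45, expires in 24:00:00, 629:521 pkts, 44797:89764 bytes, rule 11
"""
PFLOG_TEXT = """\
Sep 21 21:53:21.903554 rule 0/(match) block in on fxp0: 172.16.10.11.80 > 75.18.177.36.1106: [|tcp] (DF)
Sep 21 21:53:34.570469 rule 0/(match) block in on fxp1: 75.18.177.36.1105 > 172.16.10.11.80: [|tcp] (DF)
"""

# Header: "<if> <proto> LAN [<- GWY] <- EXT   LANSTATE:EXTSTATE" ("->" for outbound).
# GWY is the pre-rdr destination or post-nat source; lan-side state is printed first.
STATE_RE = re.compile(
    r"^\S+\s+\w+\s+(?P<a>\S+)\s+(?:<-|->)\s+(?P<b>\S+)(?:\s+(?:<-|->)\s+(?P<c>\S+))?"
    r"\s+(?P<s1>[A-Z0-9_]+):(?P<s2>[A-Z0-9_]+)\s*$")
AGE_RE = re.compile(r"age\s+[\d:]+,\s+expires in\s+[\d:]+,\s+(?P<p1>\d+):(?P<p2>\d+)\s+pkts,"
                    r"\s+\d+:\d+\s+bytes(?:,\s+rule\s+(?P<rule>\d+))?")
# pflog shows the packet after nat/rdr (the fxp1 block above already carries 172.16.10.11).
PFLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:.]+)\s+rule\s+(?P<rule>\d+)/\(\w+\)\s+(?P<action>\w+)\s+"
    r"(?:in|out)\s+on\s+(?P<ifname>\w+):\s+(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):")

class PfState(NamedTuple):
    lan: Endpoint            # leftmost host as printed
    gwy: Optional[Endpoint]  # middle (translated) host, if any
    ext: Endpoint            # rightmost host as printed
    lan_state: str
    ext_state: str
    pkts: Tuple[int, int] = (0, 0)
    rule: Optional[int] = None

    def endpoints(self) -> Set[Endpoint]:
        return {self.lan, self.ext} | ({self.gwy} if self.gwy else set())

Blocked = NamedTuple("Blocked", [("ts", str), ("rule", int), ("ifname", str),
                                 ("src", Endpoint), ("dst", Endpoint)])

def endpoint(text: str) -> Endpoint:
    host, port = text.rsplit(":", 1)
    return host, int(port)

def parse_states(text: str) -> List[PfState]:
    states: List[PfState] = []
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if m:
            c = m["c"]
            states.append(PfState(endpoint(m["a"]), endpoint(m["b"]) if c else None,
                                  endpoint(c or m["b"]), m["s1"], m["s2"]))
            continue
        m = AGE_RE.search(line)
        if m and states:  # detail line belongs to the last header seen
            states[-1] = states[-1]._replace(
                pkts=(int(m["p1"]), int(m["p2"])), rule=int(m["rule"]) if m["rule"] else None)
    return states

def parse_pflog(text: str) -> List[Blocked]:
    blocked = []
    for line in text.splitlines():
        m = PFLOG_RE.match(line)
        if m and m["action"] == "block":
            blocked.append(Blocked(m["ts"], int(m["rule"]), m["ifname"],
                                   (m["src"], int(m["sport"])), (m["dst"], int(m["dport"]))))
    return blocked

def correlate(states: List[PfState], blocked: List[Blocked]) -> List[dict]:
    # exact: a state holds both addresses of the packet; related: same hosts, other ports
    report = []
    for pkt in blocked:
        exact = [s for s in states if {pkt.src, pkt.dst} <= s.endpoints()]
        hosts = {pkt.src[0], pkt.dst[0]}
        related = [s for s in states
                   if s not in exact and hosts <= {h for h, _ in s.endpoints()}]
        report.append({"packet": pkt, "exact": exact, "related": related})
    return report

def describe(entry: dict) -> str:
    p = entry["packet"]
    out = [f"{p.ts} block on {p.ifname}: {p.src[0]}:{p.src[1]} > {p.dst[0]}:{p.dst[1]}",
           "  covered by a state:" if entry["exact"] else "  no state covers this flow"]
    for s in entry["exact"] + entry["related"]:
        out.append(f"  {'exact' if s in entry['exact'] else 'same hosts, other port'}: "
                   f"{s.lan[0]}:{s.lan[1]} {s.lan_state} / {s.ext[0]}:{s.ext[1]} "
                   f"{s.ext_state}, pkts {s.pkts[0]}:{s.pkts[1]}, rule {s.rule}")
    return "\n".join(out)

if __name__ == "__main__":
    print("\n".join(describe(e) for e in correlate(parse_states(STATES_TEXT), parse_pflog(PFLOG_TEXT))))
```

To use it on a live box, replace the two embedded samples with `pfctl -vss` output and `tcpdump -n -e -ttt -i pflog0` output captured around the failed connection; a blocked packet that lands in "no state covers this flow" while its host pair has states on other ports is exactly the pattern the grep above turned up by hand.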