Can't browse to Microsoft web sites...
I know, Who cares? or Great! is my own response but my users have
other wishes that include msn.com and this one has me stumped.
I had a more complex pf rule set but now I'm using a simple rule set
based almost entirely on the one from the PF FAQ:
ext_if=em0 # External Public Interface
int_if=bge0 # Internal LAN Interface
tcp_services = { 22, 113 }
udp_services = { domain, ntp }
icmp_types = { echoreq, unreach }
table zombies persist
set block-policy return
set loginterface $ext_if
set skip on { lo, tun }
scrub in no-df fragment reassemble
nat on $ext_if from !($ext_if) - ($ext_if:0)
nat-anchor ftp-proxy/*
rdr-anchor ftp-proxy/*
rdr on $int_if proto tcp from any to any port ftp - 127.0.0.1 port 8021
block in log
pass out log keep state
anchor ftp-proxy/*
antispoof log quick for { lo $int_if }
block in log quick on $ext_if from zombies to any
pass in log quick on $ext_if proto tcp from any to ($ext_if) port ssh \
keep state (max-src-conn-rate 3/30, overload zombies flush global)
pass in log on $ext_if inet proto tcp from any to ($ext_if) port \
$tcp_services keep state
pass in log on $ext_if inet proto udp from any to ($ext_if) port \
$udp_services keep state
pass in log inet proto icmp all icmp-type $icmp_types keep state
pass in log quick on $int_if
I added all of the log lines so I could hopefully see what's going awry.
From the firewall itself, when I use lynx to try
http://www.msn.com
I get asked to accept about 5 cookies, which I accept and then a HTTP
request sent; waiting for response. and that's it.
Watching pflog0 I see this:
May 20 09:59:58.339833 rule 1/(match) pass out on em0: 192.168.0.2.23294
205.128.93.51.53:[|domain]
May 20 09:59:58.548598 rule 1/(match) pass out on em0: 192.168.0.2.4281
207.68.173.76.80: [|tcp] (DF)
I don't ever see a return packet, and nothing is ever blocked as seen
from pflog0.
Thinking it is a scrub issue, I've tried scrub in, scrub in no-df, and
the combination listed above, with no difference.
Hopefully someone can provide me a cluestick before my msn deprived
users do something ugly--to me!
Thanks,
Jeff
Re: Can't browse to Microsoft web sites...
Maybe we could create a fake blog site stating that MSN.COM is offline until
the M$Soft-Yahoo deal is completed.
Would that help you out.
Jay
I know, Who cares? or Great! is my own response but my users have
other wishes that include msn.com and this one has me stumped.
I had a more complex pf rule set but now I'm using a simple rule set
based almost entirely on the one from the PF FAQ:
ext_if=em0 # External Public Interface
int_if=bge0 # Internal LAN Interface
tcp_services = { 22, 113 }
udp_services = { domain, ntp }
icmp_types = { echoreq, unreach }
table zombies persist
set block-policy return
set loginterface $ext_if
set skip on { lo, tun }
scrub in no-df fragment reassemble
nat on $ext_if from !($ext_if) - ($ext_if:0)
nat-anchor ftp-proxy/*
rdr-anchor ftp-proxy/*
rdr on $int_if proto tcp from any to any port ftp - 127.0.0.1 port 8021
block in log
pass out log keep state
anchor ftp-proxy/*
antispoof log quick for { lo $int_if }
block in log quick on $ext_if from zombies to any
pass in log quick on $ext_if proto tcp from any to ($ext_if) port ssh \
keep state (max-src-conn-rate 3/30, overload zombies flush global)
pass in log on $ext_if inet proto tcp from any to ($ext_if) port \
$tcp_services keep state
pass in log on $ext_if inet proto udp from any to ($ext_if) port \
$udp_services keep state
pass in log inet proto icmp all icmp-type $icmp_types keep state
pass in log quick on $int_if
I added all of the log lines so I could hopefully see what's going awry.
From the firewall itself, when I use lynx to try
http://www.msn.com
I get asked to accept about 5 cookies, which I accept and then a HTTP
request sent; waiting for response. and that's it.
Watching pflog0 I see this:
May 20 09:59:58.339833 rule 1/(match) pass out on em0: 192.168.0.2.23294
205.128.93.51.53:[|domain]
May 20 09:59:58.548598 rule 1/(match) pass out on em0: 192.168.0.2.4281
207.68.173.76.80: [|tcp] (DF)
I don't ever see a return packet, and nothing is ever blocked as seen
from pflog0.
Thinking it is a scrub issue, I've tried scrub in, scrub in no-df, and
the combination listed above, with no difference.
Hopefully someone can provide me a cluestick before my msn deprived
users do something ugly--to me!
Thanks,
Jeff
Re: Can't browse to Microsoft web sites...
On Tue, 20 May 2008, Jay Hart wrote:
Maybe we could create a fake blog site stating that MSN.COM is offline until
the M$Soft-Yahoo deal is completed.
Would that help you out.
Jay
I think I smell hot tar, and I just saw a couple of naked chickens run
past the window...
Jeff
I know, Who cares? or Great! is my own response but my users have
other wishes that include msn.com and this one has me stumped.
I had a more complex pf rule set but now I'm using a simple rule set
based almost entirely on the one from the PF FAQ:
ext_if=em0 # External Public Interface
int_if=bge0 # Internal LAN Interface
tcp_services = { 22, 113 }
udp_services = { domain, ntp }
icmp_types = { echoreq, unreach }
table zombies persist
set block-policy return
set loginterface $ext_if
set skip on { lo, tun }
scrub in no-df fragment reassemble
nat on $ext_if from !($ext_if) - ($ext_if:0)
nat-anchor ftp-proxy/*
rdr-anchor ftp-proxy/*
rdr on $int_if proto tcp from any to any port ftp - 127.0.0.1 port 8021
block in log
pass out log keep state
anchor ftp-proxy/*
antispoof log quick for { lo $int_if }
block in log quick on $ext_if from zombies to any
pass in log quick on $ext_if proto tcp from any to ($ext_if) port ssh \
keep state (max-src-conn-rate 3/30, overload zombies flush global)
pass in log on $ext_if inet proto tcp from any to ($ext_if) port \
$tcp_services keep state
pass in log on $ext_if inet proto udp from any to ($ext_if) port \
$udp_services keep state
pass in log inet proto icmp all icmp-type $icmp_types keep state
pass in log quick on $int_if
I added all of the log lines so I could hopefully see what's going awry.
From the firewall itself, when I use lynx to try
http://www.msn.com
I get asked to accept about 5 cookies, which I accept and then a HTTP
request sent; waiting for response. and that's it.
Watching pflog0 I see this:
May 20 09:59:58.339833 rule 1/(match) pass out on em0: 192.168.0.2.23294
205.128.93.51.53:[|domain]
May 20 09:59:58.548598 rule 1/(match) pass out on em0: 192.168.0.2.4281
207.68.173.76.80: [|tcp] (DF)
I don't ever see a return packet, and nothing is ever blocked as seen
from pflog0.
Thinking it is a scrub issue, I've tried scrub in, scrub in no-df, and
the combination listed above, with no difference.
Hopefully someone can provide me a cluestick before my msn deprived
users do something ugly--to me!
Thanks,
Jeff
!DSPAM:483301aa183374414853670!
Re: Can't browse to Microsoft web sites...
Might be an MTU issue. Try tcpdumping an interface other than pflog0.
On Tue, May 20, 2008 at 10:15 AM, Jeff Ross [EMAIL PROTECTED] wrote:
I had a more complex pf rule set but now I'm using a simple rule set based
almost entirely on the one from the PF FAQ:
ext_if=em0 # External Public Interface
int_if=bge0 # Internal LAN Interface
tcp_services = { 22, 113 }
udp_services = { domain, ntp }
icmp_types = { echoreq, unreach }
table zombies persist
set block-policy return
set loginterface $ext_if
set skip on { lo, tun }
scrub in no-df fragment reassemble
nat on $ext_if from !($ext_if) - ($ext_if:0)
nat-anchor ftp-proxy/*
rdr-anchor ftp-proxy/*
rdr on $int_if proto tcp from any to any port ftp - 127.0.0.1 port 8021
block in log
pass out log keep state
anchor ftp-proxy/*
antispoof log quick for { lo $int_if }
block in log quick on $ext_if from zombies to any
pass in log quick on $ext_if proto tcp from any to ($ext_if) port ssh \
keep state (max-src-conn-rate 3/30, overload zombies flush global)
pass in log on $ext_if inet proto tcp from any to ($ext_if) port \
$tcp_services keep state
pass in log on $ext_if inet proto udp from any to ($ext_if) port \
$udp_services keep state
pass in log inet proto icmp all icmp-type $icmp_types keep state
pass in log quick on $int_if
I added all of the log lines so I could hopefully see what's going awry.
From the firewall itself, when I use lynx to try
http://www.msn.com
I get asked to accept about 5 cookies, which I accept and then a HTTP
request sent; waiting for response. and that's it.
Watching pflog0 I see this:
May 20 09:59:58.339833 rule 1/(match) pass out on em0: 192.168.0.2.23294
205.128.93.51.53:[|domain]
May 20 09:59:58.548598 rule 1/(match) pass out on em0: 192.168.0.2.4281
207.68.173.76.80: [|tcp] (DF)
I don't ever see a return packet, and nothing is ever blocked as seen from
pflog0.
Re: Can't browse to Microsoft web sites...
On Tue, May 20, 2008 at 10:31 AM, Jeff Ross [EMAIL PROTECTED] wrote: I think I smell hot tar, and I just saw a couple of naked chickens run past the window... For some reason I kept reading that as naked chicks...and while a nice metal image, it wasn't fitting in well with the rest of the sentence... Anyhow, back to work. -- Systems Programmer, Principal Electrical Computer Engineering The University of Arizona [EMAIL PROTECTED]
Re: Can't browse to Microsoft web sites...
Jeff Ross wrote:
I know, Who cares? or Great! is my own response but my users have
other wishes that include msn.com and this one has me stumped.
I had a more complex pf rule set but now I'm using a simple rule set
based almost entirely on the one from the PF FAQ:
ext_if=em0 # External Public Interface
int_if=bge0 # Internal LAN Interface
tcp_services = { 22, 113 }
udp_services = { domain, ntp }
icmp_types = { echoreq, unreach }
table zombies persist
set block-policy return
set loginterface $ext_if
set skip on { lo, tun }
scrub in no-df fragment reassemble
nat on $ext_if from !($ext_if) - ($ext_if:0)
nat-anchor ftp-proxy/*
rdr-anchor ftp-proxy/*
rdr on $int_if proto tcp from any to any port ftp - 127.0.0.1 port 8021
block in log
pass out log keep state
anchor ftp-proxy/*
antispoof log quick for { lo $int_if }
block in log quick on $ext_if from zombies to any
pass in log quick on $ext_if proto tcp from any to ($ext_if) port ssh \
keep state (max-src-conn-rate 3/30, overload zombies flush global)
pass in log on $ext_if inet proto tcp from any to ($ext_if) port \
$tcp_services keep state
pass in log on $ext_if inet proto udp from any to ($ext_if) port \
$udp_services keep state
pass in log inet proto icmp all icmp-type $icmp_types keep state
pass in log quick on $int_if
I added all of the log lines so I could hopefully see what's going awry.
From the firewall itself, when I use lynx to try
http://www.msn.com
I get asked to accept about 5 cookies, which I accept and then a HTTP
request sent; waiting for response. and that's it.
Watching pflog0 I see this:
May 20 09:59:58.339833 rule 1/(match) pass out on em0: 192.168.0.2.23294
205.128.93.51.53:[|domain]
May 20 09:59:58.548598 rule 1/(match) pass out on em0: 192.168.0.2.4281
207.68.173.76.80: [|tcp] (DF)
I don't ever see a return packet, and nothing is ever blocked as seen
from pflog0.
Thinking it is a scrub issue, I've tried scrub in, scrub in no-df, and
the combination listed above, with no difference.
Hopefully someone can provide me a cluestick before my msn deprived
users do something ugly--to me!
Thanks,
Jeff
I turned the debug level up to loud and found this in the log:
2008-05-20 12:24:38.202348500 pf_normalize_tcp_stateful: Broken RFC1323
stack did not timestamp data packet. Disabled PAWS security.
2008-05-20 12:24:38.202966500 TCP 192.168.0.2:32177 192.168.0.2:32177
207.46.19.254:80 [lo=2462224797 high=2462290110 win=32768 modulator=0
wscale=3] [lo=3824465452 high=3824727596 win=8192 modulator=0 wscale=3]
4:4 FA
Google found a thread from 2004 about Apple's software update site but,
(and this thread quickly got over my head so I might not be
understanding it correctly) there traffic was being passed back and
forth and I didn't think I was seeing that.
So I did a tcpdump on the external interface. The exchange between lynx
and msn is 33k long, so I put a file up on
http://www.openvistas.net/pf_log.txt
While I was writing this I see I got a response about checking the MTU.
Hopefully this did that.
Thanks,
Jeff
(barricaded myself in the server room, but I think they are getting out
the heavy tools to take out the door...)
Re: Can't browse to Microsoft web sites...
On 2008-05-20, Daniel Melameth [EMAIL PROTECTED] wrote: Might be an MTU issue. Probably. Microsoft block *all* ICMP at their border. (you at the back of the classroom, stop sniggering.. :-) scrub max-mss should work around it, or [EMAIL PROTECTED] may be able to get in touch with the admin of the server/s you're having problems with and ask them to enable PMTU blackhole detection. Here's a relevant NANOG thread to read if you need a fix of conspiracy theories, pointing and laughing, etc, that aren't really necessary here on [EMAIL PROTECTED] http://www.mail-archive.com/[EMAIL PROTECTED]/msg01711.html
Re: Can't browse to Microsoft web sites...
Stuart Henderson wrote: On 2008-05-20, Daniel Melameth [EMAIL PROTECTED] wrote: Might be an MTU issue. Probably. Microsoft block *all* ICMP at their border. (you at the back of the classroom, stop sniggering.. :-) scrub max-mss should work around it, or [EMAIL PROTECTED] may be able to get in touch with the admin of the server/s you're having problems with and ask them to enable PMTU blackhole detection. Here's a relevant NANOG thread to read if you need a fix of conspiracy theories, pointing and laughing, etc, that aren't really necessary here on [EMAIL PROTECTED] http://www.mail-archive.com/[EMAIL PROTECTED]/msg01711.html What an enjoyable read! I read the whole thread. In the end I added max-mss 1400 to my existing scrub rule and voila! msn loaded right up (after I had to accept about 15 cookies). Interestingly enough, the date of the nanog thread's beginning almost exactly coincides with when the problem was first reported to me. Yes, it admittedly wasn't high priority for me, until today at least. Many thanks, Stuart, from the bottom of my un-tarred and feathered heart! Too bad you can't ever really convince the users that it really is Microsoft's fault. Jeff
