Website(s) being blocked by CARP/PF firewall (2 of 2)
Sorry, hit Ctrl+Enter.

192.168.0.1 - CARP IP
192.168.0.2 - Master firewall IP

On the master CARP firewall, with tcpdump on the external interface:

Connecting behind firewall:
08:18:30.705631 192.168.0.1.53119 > 209.104.48.144.80: S 4111080674:4111080674(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 1177467059 0> (DF) [tos 0x10]
08:18:30.785334 209.104.48.144.80 > 192.168.0.1.53119: R 0:0(0) ack 4111080675 win 0 (DF)

Connecting on firewall:
08:18:48.623292 192.168.0.2.7390 > 209.104.48.144.80: S 4083495652:4083495652(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 404854925 0> (DF) [tos 0x10]
08:18:48.704195 209.104.48.144.80 > 192.168.0.2.7390: S 35837621:35837621(0) ack 4083495653 win 5792 <mss 1460,sackOK,timestamp 125092407 404854925,nop,wscale 0> (DF)
08:18:48.704334 192.168.0.2.7390 > 209.104.48.144.80: . ack 1 win 16384 <nop,nop,timestamp 404854926 125092407> (DF) [tos 0x10]
08:18:50.449324 192.168.0.2.7390 > 209.104.48.144.80: F 1:1(0) ack 1 win 16384 <nop,nop,timestamp 404854929 125092407> (DF) [tos 0x10]
08:18:50.528828 209.104.48.144.80 > 192.168.0.2.7390: F 1:1(0) ack 2 win 5792 <nop,nop,timestamp 125092590 404854929> (DF)
08:18:50.528933 192.168.0.2.7390 > 209.104.48.144.80: . ack 2 win 16383 <nop,nop,timestamp 404854929 125092590> (DF) [tos 0x10]

Anyone know why the ticketmaster server closes the connection (from what I can tell) when I connect with my CARP IP, and not when I just use the local IP?

Thanks,
Chris
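The two captures above differ in one thing: the SYN sent from the CARP address is answered with a RST, while the SYN sent from the firewall's own address gets a SYN-ACK and a normal handshake. The following script is an added example, not part of the thread, that parses tcpdump lines in the old OpenBSD 3.x format shown above and reports, per client, how the remote end answered the SYN. The sample capture is the thread's own eight packets with the ">" direction arrows and "<...>" option brackets that the list archive stripped put back; the function names are my own.

```python
import re
from collections import OrderedDict

# Constructed sample: the two flows from the capture in the post, with the
# ">" arrows and "<...>" option brackets the archive lost restored so the
# lines look like genuine tcpdump (OpenBSD 3.x era) output.
SAMPLE_CAPTURE = """\
08:18:30.705631 192.168.0.1.53119 > 209.104.48.144.80: S 4111080674:4111080674(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 1177467059 0> (DF) [tos 0x10]
08:18:30.785334 209.104.48.144.80 > 192.168.0.1.53119: R 0:0(0) ack 4111080675 win 0 (DF)
08:18:48.623292 192.168.0.2.7390 > 209.104.48.144.80: S 4083495652:4083495652(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 404854925 0> (DF) [tos 0x10]
08:18:48.704195 209.104.48.144.80 > 192.168.0.2.7390: S 35837621:35837621(0) ack 4083495653 win 5792 <mss 1460,sackOK,timestamp 125092407 404854925,nop,wscale 0> (DF)
08:18:48.704334 192.168.0.2.7390 > 209.104.48.144.80: . ack 1 win 16384 <nop,nop,timestamp 404854926 125092407> (DF) [tos 0x10]
08:18:50.449324 192.168.0.2.7390 > 209.104.48.144.80: F 1:1(0) ack 1 win 16384 <nop,nop,timestamp 404854929 125092407> (DF) [tos 0x10]
08:18:50.528828 209.104.48.144.80 > 192.168.0.2.7390: F 1:1(0) ack 2 win 5792 <nop,nop,timestamp 125092590 404854929> (DF)
08:18:50.528933 192.168.0.2.7390 > 209.104.48.144.80: . ack 2 win 16383 <nop,nop,timestamp 404854929 125092590> (DF) [tos 0x10]
"""

# Old-style tcpdump TCP line:  time src.port > dst.port: FLAGS <rest>
# Flags are the single letters S/F/R/P or "." for none (newer tcpdump
# prints "Flags [S]" instead; this parser targets the format in the post).
LINE_RE = re.compile(
    r'^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+'
    r'(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+'
    r'(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+'
    r'(?P<flags>[SFRP.]+)(?=\s)'
    r'(?P<rest>.*)$'
)


def parse_line(line):
    """Return a dict for one TCP packet line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pkt = m.groupdict()
    # The ACK bit is not in the flag letters; tcpdump prints "ack N" later.
    pkt['ack'] = re.search(r'\back\b', pkt['rest']) is not None
    return pkt


def classify_flows(lines):
    """Map (client_ip, client_port) -> how the server answered its SYN.

    Verdicts: 'no reply to SYN' (nothing came back: a drop somewhere),
    'refused (RST)' (the SYN arrived and was actively rejected), or
    'accepted (SYN-ACK)' (normal handshake).
    """
    flows = OrderedDict()
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue                       # not a TCP line we understand
        src = (pkt['src'], pkt['sport'])
        dst = (pkt['dst'], pkt['dport'])
        if 'S' in pkt['flags'] and not pkt['ack']:
            # A bare SYN opens (or re-opens) a flow; its sender is the client.
            flows[src] = {'server': dst, 'verdict': 'no reply to SYN'}
            continue
        st = flows.get(dst)
        if st is None or src != st['server'] or st['verdict'] != 'no reply to SYN':
            continue                       # only the server's first answer counts
        if 'R' in pkt['flags']:
            st['verdict'] = 'refused (RST)'
        elif 'S' in pkt['flags'] and pkt['ack']:
            st['verdict'] = 'accepted (SYN-ACK)'
    return {client: st['verdict'] for client, st in flows.items()}


if __name__ == '__main__':
    for (ip, port), verdict in classify_flows(SAMPLE_CAPTURE.splitlines()).items():
        print(f'{ip}:{port:<6} {verdict}')
```

Run against the capture it prints one line per client: 192.168.0.1 (the CARP address) is refused with a RST, 192.168.0.2 (the master's own address) completes the handshake. The distinction between "no reply" and "RST" is the one that matters when reading a dump like this: a pf block rule or an upstream drop produces silence, whereas a RST means the SYN reached something that chose to reject it, which is why a source address that differs between the two tests is the first thing to look at.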
Re: Website(s) being blocked by CARP/PF firewall
On 9/7/06, Chris Cameron [EMAIL PROTECTED] wrote:
> Have two 3.8 firewalls in a CARP setup, and through this firewall I'm unable to get to ticketmaster.ca or .com. They both have different IPs.
> On the master CARP firewall, with tcpdump on the external interface:

If you want help you are going to have to supply a lot more information than what you've supplied here. But make sure you have read and understand the FAQ [1] and the man pages for pf.conf [2], carp [3], pfsync [4] before responding.

hth,
Asenchi.

[1] http://www.openbsd.org/faq/pf/index.html
[2] http://urlx.org/openbsd.org/4a4bc
[3] http://urlx.org/openbsd.org/5ca9f
[4] http://urlx.org/openbsd.org/558dd

-- 
The risk of insult is the price of clarity.
Re: Website(s) being blocked by CARP/PF firewall
On Thu, 2006-09-07 at 10:46 -0400, Asenchi wrote:
> On 9/7/06, Chris Cameron [EMAIL PROTECTED] wrote:
> > Have two 3.8 firewalls in a CARP setup, and through this firewall I'm unable to get to ticketmaster.ca or .com. They both have different IPs.
>
> But make sure you have read and understand the FAQ [1] and the man pages for pf.conf [2], carp [3], pfsync [4] before responding.
>
> hth,
> Asenchi.
>
> [1] http://www.openbsd.org/faq/pf/index.html
> [2] http://urlx.org/openbsd.org/4a4bc
> [3] http://urlx.org/openbsd.org/5ca9f
> [4] http://urlx.org/openbsd.org/558dd

I didn't see any "Can't access Ticketmaster.ca" entries; but I think I have the rest covered.

No other sites have this problem. The firewall sits in front of an office of 15 or so, so I believe I would have heard something.

Logging is turned on for my default block rule, which isn't returning anything for the ticketmaster IPs.

The connection is just refused though. Nothing gets lost, or dropped. The server gets the request, replies, and the client sees it. I don't see how this could be a problem of my ruleset; if something was being blocked, no packets would have been received by the client.

Again, does anyone have any ideas? Can other people access ticketmaster through their CARP'd NAT firewall?

Chris
Re: Website(s) being blocked by CARP/PF firewall
> Again, does anyone have any ideas? Can other people access ticketmaster through their CARP'd NAT firewall?

Yeah it works fine over here.

How about cranking PF's debugging and watching syslog?

pfctl -x loud

Tim
Re: Website(s) being blocked by CARP/PF firewall
Chris Cameron wrote:
> On Thu, 2006-09-07 at 10:46 -0400, Asenchi wrote:
> > On 9/7/06, Chris Cameron [EMAIL PROTECTED] wrote:
> > > Have two 3.8 firewalls in a CARP setup, and through this firewall I'm unable to get to ticketmaster.ca or .com. They both have different IPs.
> >
> > But make sure you have read and understand the FAQ [1] and the man pages for pf.conf [2], carp [3], pfsync [4] before responding.
> >
> > hth,
> > Asenchi.
> >
> > [1] http://www.openbsd.org/faq/pf/index.html
> > [2] http://urlx.org/openbsd.org/4a4bc
> > [3] http://urlx.org/openbsd.org/5ca9f
> > [4] http://urlx.org/openbsd.org/558dd
>
> I didn't see any "Can't access Ticketmaster.ca" entries; but I think I have the rest covered.
>
> No other sites have this problem. The firewall sits in front of an office of 15 or so, so I believe I would have heard something.
>
> Logging is turned on for my default block rule, which isn't returning anything for the ticketmaster IPs.
>
> The connection is just refused though. Nothing gets lost, or dropped. The server gets the request, replies, and the client sees it. I don't see how this could be a problem of my ruleset; if something was being blocked, no packets would have been received by the client.
>
> Again, does anyone have any ideas? Can other people access ticketmaster through their CARP'd NAT firewall?
>
> Chris

Having just tried to hit ticketmaster.ca and ticketmaster.com, I get an error I've never seen before. Constant redirects. Like the page is starting to load, then redirecting to itself. Maybe it's a problem w/ the site?

Config: XP-64 using Firefox 1.5.0.6.
Windows firewall: off
Network firewall: Sonicwall

Please keep in mind, this is just my initial observation, and I will re-test when I get home and have the proper equipment.

Nick
Re: Website(s) being blocked by CARP/PF firewall
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> I didn't see any "Can't access Ticketmaster.ca" entries; but I think I have the rest covered.
>
> No other sites have this problem. The firewall sits in front of an office of 15 or so, so I believe I would have heard something.
>
> Logging is turned on for my default block rule, which isn't returning anything for the ticketmaster IPs.
>
> The connection is just refused though. Nothing gets lost, or dropped. The server gets the request, replies, and the client sees it.

Then it sounds like there's no problem? You've got full bidirectional client/server communication? What does a packet dump on either (both) sides of the firewall reveal?

DS
Re: Website(s) being blocked by CARP/PF firewall
On 9/7/06, Chris Cameron [EMAIL PROTECTED] wrote:
> Have two 3.8 firewalls in a CARP setup, and through this firewall I'm unable to get to ticketmaster.ca or .com. They both have different IPs.
> On the master CARP firewall, with tcpdump on the external interface:

It might be useful if you post the relevant parts of your pf.conf. In the past I have had strange issues when connecting to some websites when using some of scrub's options.

Good luck,
Sam