Re: IPFW and HTTPS problem

2007-08-25 Thread David Kelly


On Aug 25, 2007, at 4:15 PM, Narek Gharibyan wrote:

> I enabled https for my webmail. It works for LAN client but doesn't
> work for Internet clients. I checked with tcpdump ipfw filters the
> incoming https packets unless the rule


tcpdump is the hard way.

# ipfw zero

try the webmail.

# ipfw -a list

Examine the above list for rules that have been hit since the zero. Your
answer lies among the rules which have been hit.


You might add "ipfw add 65000 deny log ip from any to any" and see  
what shows in /var/log/security for more details.


If you see hits on a rule but don't understand why, add "log" to it.
Probably best to duplicate that rule with a lower number so the "log"
version is used first. It is then easy to remove the logging version later
without touching the original.


--
David Kelly N4HHE, [EMAIL PROTECTED]

Whom computers would destroy, they must first drive mad.

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


Re: IPFW and HTTPS problem

2007-08-25 Thread Bill Moran

[Any reason you posted to the same list twice?]

In response to "Narek Gharibyan" <[EMAIL PROTECTED]>:
>
> I enabled https for my webmail. It works for LAN client but doesn't work for
> Internet clients. I checked with tcpdump ipfw filters the incoming https
> packets unless the rule
>
> ipfw add allow tcp from any to ${webmail} 443
>
> ipfw add allow tcp from ${webmail} 443 to any
>
> I even tried
>
> ipfw add allow all from any to ${webmail} keep-state
>
> ipfw add allow all from ${webmail} to any keep-state
>
> Nothing helps.
>
> Any comments?

Yes.  Please provide your entire ruleset.  It's impossible to assist in
debugging a ruleset with only a partial ruleset.  Do not trim or edit
the ruleset, as you may trim away the part that is causing the problem.

On your own, the output of 'ipfw show' can be useful for determining
which rules are blocking traffic, as it shows counters of how many
packets have matched each rule.

-- 
Bill Moran
http://www.potentialtech.com
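Both replies point at the same diagnostic: zero the counters, reproduce the failure, and read the per-rule packet counts from `ipfw -a list` (or `ipfw show`), then add `log` to the suspect rule and read /var/log/security. The script below is an added example, not code from either poster; it parses constructed sample output in those two formats and reports the first deny/reject rule whose counter moved and the logged denies toward port 443. The ruleset, log lines and addresses are made up for illustration (192.0.2.10 stands in for ${webmail}, em0 for the Internet-facing interface).

```python
"""Added example: locate the ipfw rule that is dropping HTTPS traffic
from the counters shown by `ipfw -a list` / `ipfw show` and from the
kernel log lines that rules carrying "log" write to /var/log/security.
All sample data below is constructed; none of it is from the thread."""
import re
from typing import List, NamedTuple, Optional


class Rule(NamedTuple):
    number: int
    packets: int
    bytes: int
    body: str  # action plus match clause, e.g. "allow tcp from any to 192.0.2.10 443"


class LogEvent(NamedTuple):
    rule: int
    action: str
    proto: str
    src: str       # "addr:port"
    dst: str       # "addr:port"
    direction: str  # "in" or "out"
    iface: str


# `ipfw -a list` and `ipfw show` both print: <rule number> <packets> <bytes> <body>
RULE_LINE = re.compile(r"^(\d{5})\s+(\d+)\s+(\d+)\s+(.+?)\s*$")

# Format of the kernel message written for a rule with the "log" keyword
LOG_LINE = re.compile(r"ipfw: (\d+) (\w+) (\w+) (\S+) (\S+) (in|out) via (\S+)")

# Constructed ruleset: the deny at 400 is hit before the allows at 500/600 are reached,
# which matches "works from the LAN (em1), fails from the Internet (em0)".
SAMPLE_LIST = """\
00100     42     3360 allow ip from any to any via lo0
00200      0        0 deny ip from any to 127.0.0.0/8
00300     11      660 check-state
00400      7      420 deny tcp from any to any 443 in via em0
00500      0        0 allow tcp from any to 192.0.2.10 443
00600      0        0 allow tcp from 192.0.2.10 443 to any
00700    135    98210 allow ip from 192.0.2.0/24 to any keep-state
65000      3      180 deny log ip from any to any
65535      0        0 deny ip from any to any
"""

# Constructed /var/log/security excerpt after "log" was added to rule 400
SAMPLE_LOG = """\
Aug 25 16:20:01 gw kernel: ipfw: 400 Deny TCP 203.0.113.5:51234 192.0.2.10:443 in via em0
Aug 25 16:20:04 gw kernel: ipfw: 400 Deny TCP 203.0.113.5:51235 192.0.2.10:443 in via em0
Aug 25 16:20:09 gw kernel: ipfw: 65000 Deny UDP 198.51.100.7:5353 192.0.2.10:5353 in via em0
"""

BLOCKING_ACTIONS = ("deny", "drop", "reject", "reset", "unreach")


def parse_ipfw_list(text: str) -> List[Rule]:
    """Parse the counter listing into Rule records; non-matching lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_LINE.match(line.strip())
        if m:
            rules.append(Rule(int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4)))
    return rules


def rules_hit(rules: List[Rule]) -> List[Rule]:
    """Rules whose packet counter moved since `ipfw zero`."""
    return [r for r in rules if r.packets > 0]


def first_deny_hit(rules: List[Rule]) -> Optional[Rule]:
    """The lowest-numbered blocking rule with a non-zero counter: the prime suspect."""
    for r in rules_hit(rules):
        if r.body.split()[0] in BLOCKING_ACTIONS:
            return r
    return None


def parse_security_log(lines: List[str]) -> List[LogEvent]:
    """Extract ipfw log events from syslog lines, ignoring unrelated lines."""
    events = []
    for line in lines:
        m = LOG_LINE.search(line)
        if m:
            events.append(LogEvent(int(m.group(1)), m.group(2), m.group(3),
                                   m.group(4), m.group(5), m.group(6), m.group(7)))
    return events


def denies_to_port(events: List[LogEvent], port: int) -> List[LogEvent]:
    """Logged denies whose destination port is `port`, e.g. 443 for HTTPS."""
    suffix = ":%d" % port
    return [e for e in events if e.action == "Deny" and e.dst.endswith(suffix)]


if __name__ == "__main__":
    rules = parse_ipfw_list(SAMPLE_LIST)
    for r in rules_hit(rules):
        print("hit  %05d  %6d pkts  %s" % (r.number, r.packets, r.body))
    suspect = first_deny_hit(rules)
    print("first blocking rule hit:", suspect)
    for e in denies_to_port(parse_security_log(SAMPLE_LOG.splitlines()), 443):
        print("rule %d denied %s -> %s %s via %s" % (e.rule, e.src, e.dst, e.direction, e.iface))
```

In practice, feed it the real output (`ipfw zero`, reproduce, then `ipfw -a list > counters.txt`) instead of the constructed sample. When the ruleset uses `keep-state`, also look at `ipfw -d list`, which includes the dynamic rules created by `check-state`; a connection that never gets a dynamic entry was stopped before reaching the keep-state rule.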