login
Login / Register
Header Space

 
 

Home » Mailing list archives » openbsd-misc » 2008 » May » 20

Can't browse to Microsoft web sites...

Score:
Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]
[view in full thread]
From: Jeff Ross <jross@...>
To: <misc@...>
Subject: Can't browse to Microsoft web sites...
Date: Tuesday, May 20, 2008 - 12:15 pm

I know, "Who cares?" or  "Great!" is my own response but my users have 
other wishes that include msn.com and this one has me stumped.

I had a more complex pf rule set but now I'm using a simple rule set 
based almost entirely on the one from the PF FAQ:

ext_if="em0"  # External Public Interface
int_if="bge0" # Internal LAN Interface
tcp_services = "{ 22, 113 }"
udp_services = "{ domain, ntp }"
icmp_types = "{ echoreq, unreach }"
table <zombies> persist
set block-policy return
set loginterface $ext_if
set skip on { lo, tun }
scrub in no-df fragment reassemble
nat on $ext_if from !($ext_if) -> ($ext_if:0)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
block in log
pass out log keep state
anchor "ftp-proxy/*"
antispoof log quick for { lo $int_if }
block in log quick on $ext_if from <zombies> to any
pass in log quick on $ext_if proto tcp from any to ($ext_if) port ssh \ 

   keep state (max-src-conn-rate 3/30, overload <zombies> flush global) 

pass in log on $ext_if inet proto tcp from any to ($ext_if) port \
   $tcp_services keep state
pass in log on $ext_if inet proto udp from any to ($ext_if) port \
   $udp_services keep state
pass in log inet proto icmp all icmp-type $icmp_types keep state
pass in log quick on $int_if


I added all of the log lines so I could hopefully see what's going awry.

 From the firewall itself, when I use lynx to try

	http://www.msn.com

I get asked to accept about 5 cookies, which I accept and then a "HTTP 
request sent; waiting for response." and that's it.

Watching pflog0 I see this:

May 20 09:59:58.339833 rule 1/(match) pass out on em0: 192.168.0.2.23294 
 > 205.128.93.51.53:[|domain]
May 20 09:59:58.548598 rule 1/(match) pass out on em0: 192.168.0.2.4281 
 > 207.68.173.76.80: [|tcp] (DF)

I don't ever see a return packet, and nothing is ever blocked as seen 
from pflog0.

Thinking it is a scrub issue, I've tried scrub in, scrub in no-df, and 
the combination listed above, with no difference.

Hopefully someone can provide me a cluestick before my msn deprived 
users do something ugly--to me!


Thanks,

Jeff
Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]
Messages in current thread:
Can't browse to Microsoft web sites..., Jeff Ross, (Tue May 20, 12:15 pm)
Re: Can't browse to Microsoft web sites..., Jeff Ross, (Tue May 20, 2:56 pm)
Re: Can't browse to Microsoft web sites..., Daniel Melameth, (Tue May 20, 2:25 pm)
Re: Can't browse to Microsoft web sites..., Jay Hart, (Tue May 20, 12:44 pm)
Re: Can't browse to Microsoft web sites..., Jeff Ross, (Tue May 20, 1:31 pm)
Re: Can't browse to Microsoft web sites..., Marti Martinez, (Tue May 20, 2:29 pm)

Mail archive search
Enter your search terms.
Optionally limit your search to a specific mailing list.
advanced
Colocation donated by:
Who's online
There are currently 3 users and 949 guests online.

Online users

Syndicate
Syndicate content
© 2007 KernelTrap.  |  Powered by Drupal.  |  Legal statement.
speck-geostationary