ipfilter 4.13 - http traffic going thru ftp proxy
viper
viper at perm.raid.ru
Thu Jul 12 07:19:40 UTC 2007
On Wed, 11 Jul 2007 09:42:22 -0400, Stephen Clark wrote
> viper wrote:
>
> >On Tue, 10 Jul 2007 15:59:46 -0400, Stephen Clark wrote
> >
> >
> >>Hello List,
> >>
> >>I posted a while ago that our testers of our network appliance were
> >>complaining that browsing was slower when using our appliance based on 6.x
> >>as compared to our appliance using 4.9 FreeBSD.
> >>
> >>Well it turns out they were right! After spending much time trying
> >>to figure out what was going on we discovered that all http traffic
> >>was being routed thru the ipf ftp proxy module.
> >>
> >>Does anyone know why this is happening?
> >>********************************************************************************
> >>Here is 4.9
> >>********************************************************************************
> >>H101491# ipnat -l
> >>List of active MAP/Redirect filters:
> >>map rl1 from 192.168.1.0/24 to any -> 10.0.133.44/32 proxy port ftp ftp/tcp
> >>map rl1 from 192.168.1.0/24 to any -> 10.0.133.44/32 portmap tcp/udp 40000:60000
> >>map rl1 from 192.168.1.0/24 to any -> 10.0.133.44/32
> >>
> >>List of active sessions:
> >>MAP 192.168.1.9 2949 <- -> 10.0.133.44 40075 [64.154.83.47 80]
> >>MAP 192.168.1.9 2948 <- -> 10.0.133.44 40074 [209.67.78.5 80]
> >>MAP 192.168.1.9 2947 <- -> 10.0.133.44 40073 [216.168.252.103 443]
> >>MAP 192.168.1.9 2946 <- -> 10.0.133.44 40072 [65.243.74.133 80]
> >>MAP 192.168.1.9 2945 <- -> 10.0.133.44 40071 [216.168.252.103 443]
> >>MAP 192.168.1.9 2944 <- -> 10.0.133.44 40070 [66.155.171.116 80]
> >>MAP 192.168.1.9 2943 <- -> 10.0.133.44 40069 [64.9.212.6 80]
> >>MAP 192.168.1.9 2942 <- -> 10.0.133.44 40068 [209.104.135.123 80]
> >>MAP 192.168.1.9 2941 <- -> 10.0.133.44 40067 [65.243.74.133 80]
> >>MAP 192.168.1.9 2940 <- -> 10.0.133.44 40066 [65.243.74.133 80]
> >>MAP 192.168.1.9 2939 <- -> 10.0.133.44 40065 [65.243.74.133 80]
> >>MAP 192.168.1.9 2938 <- -> 10.0.133.44 40064 [216.239.51.95 80]
> >>MAP 192.168.1.9 2924 <- -> 10.0.133.44 40050 [64.233.169.99 80]
> >>MAP 192.168.1.9 2922 <- -> 10.0.133.44 40048 [64.233.169.99 80]
> >>MAP 192.168.1.9 2920 <- -> 10.0.133.44 40046 [64.233.169.147 80]
> >>MAP 192.168.1.9 1031 <- -> 10.0.133.44 40045 [198.6.1.2 53]
> >>MAP 192.168.1.9 2884 <- -> 10.0.133.44 40012 [207.159.120.157 80]
> >>
> >>************************************************************************************
> >>Here is 6.2
> >>Notice in the mappings for port 80 the source port is not being
> >>mapped into the 40000:60000 range. Also notice that the ftp proxy
> >>thought it found something and dumps out some diags.
> >>************************************************************************************
> >>H101490# ipnat -l
> >>List of active MAP/Redirect filters:
> >>map rl1 from 192.168.1.0/24 to any -> 10.0.133.77/32 proxy port ftp ftp/tcp
> >>map rl1 from 192.168.1.0/24 to any -> 10.0.133.77/32 portmap tcp/udp 40000:60000
> >>map rl1 from 192.168.1.0/24 to any -> 10.0.133.77/32
> >>
> >>List of active sessions:
> >>MAP 192.168.1.88 1397 <- -> 10.0.133.77 1397 [64.154.83.47 80]
> >>MAP 192.168.1.88 1396 <- -> 10.0.133.77 1396 [209.67.78.5 80]
> >>MAP 192.168.1.88 1395 <- -> 10.0.133.77 1395 [216.168.252.103 443]
> >>MAP 192.168.1.88 1394 <- -> 10.0.133.77 1394 [216.168.252.103 443]
> >>MAP 192.168.1.88 1393 <- -> 10.0.133.77 1393 [65.243.74.144 80]
> >>MAP 192.168.1.88 1392 <- -> 10.0.133.77 1392 [65.243.74.144 80]
> >>MAP 192.168.1.88 1378 <- -> 10.0.133.77 1378 [64.233.169.103 80]
> >>	proxy ftp/6 use -54 flags 0 proto 6 flags 0 bytes 0 pkts 0 data YES size 312
> >>FTP Proxy: passok: 1 Client:
> >>	seq 0 (ack 0) len 0 junk 0 cmds 0
> >>	buf [\000]
> >> Server:
> >>	seq 2b451493 (ack 0) len 0 junk 0 cmds 0
> >>	buf [\000]
> >>MAP 192.168.1.88 1391 <- -> 10.0.133.77 1391 [65.205.8.52 80]
> >>MAP 192.168.1.88 1390 <- -> 10.0.133.77 1390 [65.203.229.71 80]
> >>MAP 192.168.1.88 1389 <- -> 10.0.133.77 1389 [72.247.8.26 80]
> >>MAP 192.168.1.88 1388 <- -> 10.0.133.77 1388 [216.239.51.93 80]
> >>MAP 192.168.1.88 1033 <- -> 10.0.133.77 40000 [198.6.1.2 53]
> >>
> >>--
> >>
> >>"They that give up essential liberty to obtain temporary safety,
> >>deserve neither liberty nor safety." (Ben Franklin)
> >>
> >>"The course of history shows that as a government grows, liberty
> >>decreases." (Thomas Jefferson)
> >>
> >>
> >>
> >Use "map rl1 from 192.168.1.0/24 to any port=21 -> 10.0.133.77/32 proxy port 21 ftp/tcp"
> >It's a feature.
> >_______________________
> >Best regards,
> >VipeR
> >
> >
> >
> >
>
> Use "map rl1 from 192.168.1.0/24 to any port=21 -> 10.0.133.77/32 proxy port 21 ftp/tcp"
>
> you know this works but if I use the same line but use "proxy port ftp"
> instead of "proxy port 21" I get:
> map rl1 from 192.168.1.0/24 to any port = 5376 -> 10.0.133.77/32 proxy port 5376 ftp/tcp
>
> Go figure.
Again, this is a known feature.
The truth is similar to the bug.
_______________________
Best regards,
VipeR
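As an added example, not code from the thread or from ipfilter, here is a small Python check over the two `ipnat -l` listings quoted above: it flags an FTP proxy `map` rule that carries no `port=21` restriction (the 6.2 listing shows such a rule attaching the FTP proxy to a port-80 session) and any session whose NAT source port was not rewritten into the `portmap` range. It assumes the listing layout shown above; the byte-swap check rests on my own observation that 5376 is 0x1500, that is 21 (0x0015) with its two bytes exchanged, which the thread does not itself state.

```python
import re

# Group 1 = optional destination-port restriction, group 2 = the proxy port.
PROXY_RULE_RE = re.compile(
    r"^map\s+\S+\s+from\s+\S+\s+to\s+\S+(?:\s+port\s*=\s*(\S+))?\s+->\s+\S+"
    r"\s+proxy\s+port\s+(\S+)\s+ftp/tcp", re.M)
# One active session; the trailing "proxy ftp/6 ..." part is optional.
SESSION_RE = re.compile(
    r"MAP\s+(\S+)\s+(\d+)\s+<-\s+->\s+(\S+)\s+(\d+)\s+\[(\S+)\s+(\d+)\]"
    r"(?:\s+proxy\s+(\S+))?")

def swap16(port):
    """Exchange the two bytes of a 16-bit port (host vs. network order)."""
    return ((port & 0xFF) << 8) | (port >> 8)

def lint_rules(text, ftp_port=21):
    """Flag proxy rules with no destination-port restriction (every TCP flow
    matches them first) and proxy ports equal to a byte-swapped ftp_port."""
    findings = []
    for dst_port, proxy_port in PROXY_RULE_RE.findall(text):
        if not dst_port:
            findings.append("proxy-rule-unrestricted")
        if proxy_port.isdigit() and int(proxy_port) == swap16(ftp_port):
            findings.append("proxy-port-byteswapped")
    return findings

def audit_sessions(text, portmap=(40000, 60000), ftp_port=21):
    """Flag sessions handed to the proxy although not bound for ftp_port, and
    sessions whose NAT source port was not rewritten into the portmap range."""
    lo, hi = portmap
    findings = []
    for src, sport, _nat, nport, dst, dport, proxy in SESSION_RE.findall(text):
        sport, nport, dport = int(sport), int(nport), int(dport)
        if proxy and dport != ftp_port:
            findings.append(("proxy-on-non-ftp", src, sport, dst, dport))
        if not lo <= nport <= hi:
            findings.append(("source-port-unmapped", src, sport, dst, dport))
    return findings

# Constructed samples modelled on the 6.2 listing quoted in the thread.
SAMPLE_RULES = """\
map rl1 from 192.168.1.0/24 to any -> 10.0.133.77/32 proxy port ftp ftp/tcp
map rl1 from 192.168.1.0/24 to any port = 5376 -> 10.0.133.77/32 proxy port 5376 ftp/tcp
map rl1 from 192.168.1.0/24 to any port=21 -> 10.0.133.77/32 proxy port 21 ftp/tcp
"""
SAMPLE_SESSIONS = """\
MAP 192.168.1.88 1397 <- -> 10.0.133.77 1397 [64.154.83.47 80]
MAP 192.168.1.88 1378 <- -> 10.0.133.77 1378 [64.233.169.103 80] proxy ftp/6 use -54
MAP 192.168.1.88 1033 <- -> 10.0.133.77 40000 [198.6.1.2 53]
"""
```

Run `lint_rules(SAMPLE_RULES)` and `audit_sessions(SAMPLE_SESSIONS)`; the 4.9 listing, where every TCP session sits in 40000:60000 and none carries a proxy, produces no findings.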