ipfilter 4.13 - http traffic going thru ftp proxy

viper viper at perm.raid.ru
Thu Jul 12 07:19:40 UTC 2007


On Wed, 11 Jul 2007 09:42:22 -0400, Stephen Clark wrote
> viper wrote:
> 
> >On Tue, 10 Jul 2007 15:59:46 -0400, Stephen Clark wrote
> >  
> >
> >>Hello List,
> >>
> >>I posted a while ago that our testers of our network appliance were 
> >>complaining
> >>that browsing was slower when using our appliance based on 6.x as 
> >>compared to
> >>our appliance using 4.9 FreeBSD.
> >>
> >>Well it turns out they were right! After spending much time trying 
> >>to figure out what was going on we discovered that all http traffic 
> >>was being routed thru the ipf ftp proxy module.
> >>
> >>Does anyone know why this is happening?
> >>********************************************************************************
> >>Here is 4.9
> >>********************************************************************************
> >>H101491# ipnat -l
> >>List of active MAP/Redirect filters:
> >>map rl1 from 192.168.1.0/24 to any -> 10.0.133.44/32 proxy port ftp ftp/tcp
> >>map rl1 from 192.168.1.0/24 to any -> 10.0.133.44/32 portmap tcp/udp 
> >>40000:60000
> >>map rl1 from 192.168.1.0/24 to any -> 10.0.133.44/32
> >>
> >>List of active sessions:
> >>MAP 192.168.1.9     2949  <- -> 10.0.133.44     40075 [64.154.83.47 80]
> >>MAP 192.168.1.9     2948  <- -> 10.0.133.44     40074 [209.67.78.5 80]
> >>MAP 192.168.1.9     2947  <- -> 10.0.133.44     40073 [216.168.252.103 443]
> >>MAP 192.168.1.9     2946  <- -> 10.0.133.44     40072 [65.243.74.133 80]
> >>MAP 192.168.1.9     2945  <- -> 10.0.133.44     40071 [216.168.252.103 443]
> >>MAP 192.168.1.9     2944  <- -> 10.0.133.44     40070 [66.155.171.116 80]
> >>MAP 192.168.1.9     2943  <- -> 10.0.133.44     40069 [64.9.212.6 80]
> >>MAP 192.168.1.9     2942  <- -> 10.0.133.44     40068 [209.104.135.123 80]
> >>MAP 192.168.1.9     2941  <- -> 10.0.133.44     40067 [65.243.74.133 80]
> >>MAP 192.168.1.9     2940  <- -> 10.0.133.44     40066 [65.243.74.133 80]
> >>MAP 192.168.1.9     2939  <- -> 10.0.133.44     40065 [65.243.74.133 80]
> >>MAP 192.168.1.9     2938  <- -> 10.0.133.44     40064 [216.239.51.95 80]
> >>MAP 192.168.1.9     2924  <- -> 10.0.133.44     40050 [64.233.169.99 80]
> >>MAP 192.168.1.9     2922  <- -> 10.0.133.44     40048 [64.233.169.99 80]
> >>MAP 192.168.1.9     2920  <- -> 10.0.133.44     40046 [64.233.169.147 80]
> >>MAP 192.168.1.9     1031  <- -> 10.0.133.44     40045 [198.6.1.2 53]
> >>MAP 192.168.1.9     2884  <- -> 10.0.133.44     40012 [207.159.120.157 80]
> >>
> >>
> >>    
> >>
> >************************************************************************************
> >  
> >
> >>Here is 6.2
> >>Notice in the mappings for port 80 the source port is not being 
> >>mapped into the 40000:60000 range. Also notice that the ftp proxy 
> >>thought it found something and dumps out some diags.
> >>    
> >>
> >************************************************************************************
> >  
> >
> >>H101490# ipnat -l
> >>List of active MAP/Redirect filters:
> >>map rl1 from 192.168.1.0/24 to any -> 10.0.133.77/32 proxy port ftp ftp/tcp
> >>map rl1 from 192.168.1.0/24 to any -> 10.0.133.77/32 portmap tcp/udp 
> >>40000:60000
> >>map rl1 from 192.168.1.0/24 to any -> 10.0.133.77/32
> >>
> >>List of active sessions:
> >>MAP 192.168.1.88    1397  <- -> 10.0.133.77     1397  [64.154.83.47 80]
> >>MAP 192.168.1.88    1396  <- -> 10.0.133.77     1396  [209.67.78.5 80]
> >>MAP 192.168.1.88    1395  <- -> 10.0.133.77     1395  [216.168.252.103 443]
> >>MAP 192.168.1.88    1394  <- -> 10.0.133.77     1394  [216.168.252.103 443]
> >>MAP 192.168.1.88    1393  <- -> 10.0.133.77     1393  [65.243.74.144 80]
> >>MAP 192.168.1.88    1392  <- -> 10.0.133.77     1392  [65.243.74.144 80]
> >>MAP 192.168.1.88    1378  <- -> 10.0.133.77     1378  [64.233.169.103 80]
> >>        proxy ftp/6 use -54 flags 0
> >>                proto 6 flags 0 bytes 0 pkts 0 data YES size 312
> >>        FTP Proxy:
> >>                passok: 1
> >>        Client:
> >>                seq 0 (ack 0) len 0 junk 0 cmds 0
> >>                buf [\000]
> >>        Server:
> >>                seq 2b451493 (ack 0) len 0 junk 0 cmds 0
> >>                buf [\000]
> >>MAP 192.168.1.88    1391  <- -> 10.0.133.77     1391  [65.205.8.52 80]
> >>MAP 192.168.1.88    1390  <- -> 10.0.133.77     1390  [65.203.229.71 80]
> >>MAP 192.168.1.88    1389  <- -> 10.0.133.77     1389  [72.247.8.26 80]
> >>MAP 192.168.1.88    1388  <- -> 10.0.133.77     1388  [216.239.51.93 80]
> >>MAP 192.168.1.88    1033  <- -> 10.0.133.77     40000 [198.6.1.2 53]
> >>
> >>--
> >>
> >>"They that give up essential liberty to obtain temporary safety, 
> >>deserve neither liberty nor safety."  (Ben Franklin)
> >>
> >>"The course of history shows that as a government grows, liberty 
> >>decreases."  (Thomas Jefferson)
> >>
> >>    
> >>
> >Use "map rl1 from 192.168.1.0/24 to any port=21 -> 10.0.133.77/32 proxy port 21 ftp/tcp"
> >It's a feature.
> >_______________________
> >Best regards, 
> >VipeR
> >
> >
> >  
> >
> 
> Use "map rl1 from 192.168.1.0/24 to any port=21 -> 10.0.133.77/32 proxy port 21 ftp/tcp"
> 
> You know, this works, but if I use the same line with "proxy port ftp"
> instead of "proxy port 21" I get:
> map rl1 from 192.168.1.0/24 to any port = 5376 -> 10.0.133.77/32 proxy port 5376 ftp/tcp
> 
> Go figure.
Again, this is a known feature.
The truth is similar to the bug.

_______________________
Best regards, 
VipeR
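
A small audit script for the symptoms discussed in this thread, added here as an example; it is not code from the thread, from IPFilter, or from FreeBSD. It parses `ipnat -l` output (a constructed sample modelled on the 6.2 listing quoted above, trimmed to a few sessions) and flags the three things a practitioner would want to catch: a `proxy port ... ftp/tcp` map rule whose `from ... to ...` clause has no `port=` restriction, so it is consulted for every TCP flow the map matches; sessions that carry the `ftp` proxy although their destination port is not 21; and sessions whose source port was not remapped into the configured `portmap` range. It also checks a numeric proxy port against its byte-swapped value, since the `5376` in the second listing is `21` (0x0015) with its two bytes exchanged (0x1500); that is an arithmetic observation about the posted numbers, not a statement about the cause. The exact layout of the per-session proxy detail lines (one tab level for `proxy ftp/6 ...`, two for `proto ...`) is assumed from the indentation that survived in the post.

```python
"""Audit `ipnat -l` output for an FTP proxy rule that catches non-FTP traffic.

Constructed sample below; the rule text and addresses follow the FreeBSD 6.2
listing quoted in the thread, but the session list is trimmed.
"""
import re
from dataclasses import dataclass
from typing import Optional

SAMPLE_6_2 = """\
List of active MAP/Redirect filters:
map rl1 from 192.168.1.0/24 to any -> 10.0.133.77/32 proxy port ftp ftp/tcp
map rl1 from 192.168.1.0/24 to any -> 10.0.133.77/32 portmap tcp/udp 40000:60000
map rl1 from 192.168.1.0/24 to any -> 10.0.133.77/32

List of active sessions:
MAP 192.168.1.88    1397  <- -> 10.0.133.77     1397  [64.154.83.47 80]
MAP 192.168.1.88    1395  <- -> 10.0.133.77     1395  [216.168.252.103 443]
MAP 192.168.1.88    1378  <- -> 10.0.133.77     1378  [64.233.169.103 80]
        proxy ftp/6 use -54 flags 0
                proto 6 flags 0 bytes 0 pkts 0 data YES size 312
        FTP Proxy:
                passok: 1
MAP 192.168.1.88    1033  <- -> 10.0.133.77     40000 [198.6.1.2 53]
"""

FTP_CONTROL_PORT = 21

RULE_RE = re.compile(r"^map\s")
PORT_MATCH_RE = re.compile(r"\bport\s*=\s*\S+")           # "port=21" or "port = 21"
PROXY_PORT_RE = re.compile(r"\bproxy port (\S+) (\w+)/(\w+)")
PORTMAP_RE = re.compile(r"\bportmap\s+\S+\s+(\d+):(\d+)")
SESSION_RE = re.compile(
    r"^MAP\s+(\S+)\s+(\d+)\s+<- ->\s+(\S+)\s+(\d+)\s+\[(\S+)\s+(\d+)\]")
# Assumed layout: the proxy attached to a session is reported on an indented
# line following the MAP entry, e.g. "        proxy ftp/6 use -54 flags 0".
SESSION_PROXY_RE = re.compile(r"^\s+proxy\s+(\w+)/(\d+)\b")


@dataclass
class Session:
    src: str
    sport: int
    mapped_ip: str
    mapped_port: int
    dst: str
    dport: int
    proxy: Optional[str] = None


def byte_swapped(port: int) -> int:
    """Exchange the two bytes of a 16-bit port number (21 <-> 5376)."""
    return ((port & 0xFF) << 8) | (port >> 8)


def parse(text: str):
    """Split `ipnat -l` output into map-rule lines and Session objects."""
    rules, sessions = [], []
    for line in text.splitlines():
        if RULE_RE.match(line):
            rules.append(line.strip())
            continue
        m = SESSION_RE.match(line)
        if m:
            src, sport, mip, mport, dst, dport = m.groups()
            sessions.append(Session(src, int(sport), mip, int(mport), dst, int(dport)))
            continue
        m = SESSION_PROXY_RE.match(line)
        if m and sessions:
            sessions[-1].proxy = m.group(1)  # detail lines belong to the preceding MAP
    return rules, sessions


def audit(text: str):
    """Return (kind, detail) findings for the misbehaviour described in the thread."""
    rules, sessions = parse(text)
    findings = []
    portmap = None
    for rule in rules:
        pm = PORTMAP_RE.search(rule)
        if pm:
            portmap = (int(pm.group(1)), int(pm.group(2)))
        px = PROXY_PORT_RE.search(rule)
        if not px:
            continue
        # Without "port=" in the from/to clause the proxy rule is consulted for
        # every TCP flow the map matches, not only for FTP control connections.
        if not PORT_MATCH_RE.search(rule):
            findings.append(("proxy-rule-unrestricted", rule))
        port = px.group(1)
        if port.isdigit() and byte_swapped(int(port)) == FTP_CONTROL_PORT:
            findings.append(("proxy-port-byte-swapped", rule))
    for s in sessions:
        if s.proxy == "ftp" and s.dport != FTP_CONTROL_PORT:
            findings.append(("ftp-proxy-on-non-ftp-flow",
                             f"{s.src}:{s.sport} -> {s.dst}:{s.dport}"))
        if portmap and not (portmap[0] <= s.mapped_port <= portmap[1]):
            findings.append(("source-port-not-remapped",
                             f"{s.src}:{s.sport} kept port {s.mapped_port}"))
    return findings


if __name__ == "__main__":
    for kind, detail in audit(SAMPLE_6_2):
        print(f"{kind:28} {detail}")
```

Run it against `ipnat -l` captured from the box in question; an empty result for the rule checks means every `proxy port` rule is pinned to a destination port, which is the shape of the rule suggested above.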



More information about the freebsd-stable mailing list