ipf blocking packets from proxy servers

Nicholas von Waltsleben nicv at korbitec.com
Tue Jun 6 08:09:38 UTC 2006

Hi list,

I have been running FreeBSD servers as firewalls for several years now
and recently installed a new 6.1 server (6.1-RELEASE FreeBSD 6.1-RELEASE
#1) in the place of a 5.4 box that I had installed last year.  Since
replacing the box my users have had connection problems with their SOAP
applications hosted behind the firewall.  The symptoms were applications
hanging intermittently and massive delays in transactions (up to 2
minutes or more).  I eventually realised that this only happened when
the users were using our Squid proxy server so I had our Windows admin
bloke change the group policy to allow them to bypass the proxy when
connecting to the servers.  Problem solved I thought...

Wrong, now some of our clients are having the same problems and, guess
what, they too are using Squid proxies.  I have been doing some digging
this morning and noticed the following while running ipmon.

06/06/2006 09:19:41.056085 STATE:NEW,65431 ->,80 PR tcp
06/06/2006 09:19:41.557534 STATE:NEW,52159 ->,80 PR tcp
06/06/2006 09:19:42.010889 em0 @1:19 b,53088 ->,80 PR tcp len 20 48 -S IN OOW
06/06/2006 09:19:42.063731 STATE:NEW,63975 ->,80 PR tcp
06/06/2006 09:19:42.564807 STATE:NEW,54989 ->,80 PR tcp

The 165.x.x.x IP address is from an ADSL line I was using to see what
was happening to my packets (I was the only person using the line so it
made tcpdumps etc etc easier to interpret).

Now here is an extract from my ipfstat -ni

@2 block in quick on em0 all head 1
@10 pass in quick on em0 proto tcp from any to port = http keep state keep frags group 1
@19 block in log quick on em0 all group 1

And finally my question:

If rule 10 specifically allows all traffic to on port 80,
why are packets being blocked?  Sorry if this is an extremely noob
question and I have overlooked something obvious.  I will of course be
researching this in the meantime, but if anyone could shed some light on
this matter I would greatly appreciate it.

Nicholas von Waltsleben
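The blocked packet in the ipmon excerpt above is logged by rule 19 and carries the flag OOW, which ipmon prints for a packet that matched an existing state entry but whose TCP sequence numbers fell outside the window that entry accepts. The following script, an added example and not part of the original post, parses ipmon output in the format shown (with or without the redacted addresses), pulls out the OOW-flagged blocks, and checks whether the same source port had a STATE:NEW entry shortly before, which is the pattern to look for when a proxy that opens many connections reuses source ports while the firewall still holds state for the previous one. The sample log is constructed and uses RFC 5737 documentation addresses in place of the poster's; the field names and the 120 second correlation window are assumptions made for the example.

```python
"""Parse ipmon(8) output and correlate OOW-flagged blocks with recent state entries."""
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the ipmon excerpt in the post. The addresses are
# RFC 5737 documentation addresses, not the poster's (which the page redacts).
SAMPLE_IPMON = """\
06/06/2006 09:19:41.056085 STATE:NEW 192.0.2.10,65431 -> 198.51.100.5,80 PR tcp
06/06/2006 09:19:41.557534 STATE:NEW 192.0.2.10,52159 -> 198.51.100.5,80 PR tcp
06/06/2006 09:19:41.800000 STATE:NEW 192.0.2.10,53088 -> 198.51.100.5,80 PR tcp
06/06/2006 09:19:42.010889 em0 @1:19 b 192.0.2.10,53088 -> 198.51.100.5,80 PR tcp len 20 48 -S IN OOW
06/06/2006 09:19:42.063731 STATE:NEW 192.0.2.10,63975 -> 198.51.100.5,80 PR tcp
06/06/2006 09:19:42.564807 STATE:NEW 192.0.2.10,54989 -> 198.51.100.5,80 PR tcp
06/06/2006 09:19:43.100000 em0 @1:19 b 192.0.2.10,40000 -> 198.51.100.5,80 PR tcp len 20 48 -S IN
"""

_STAMP = r"(?P<stamp>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d+)"
# The address groups allow an empty match so the redacted lines from the post still parse.
_ENDPOINTS = r"(?P<src>[\w.:]*),(?P<sport>\d+) -> ?(?P<dst>[\w.:]*),(?P<dport>\d+)"

STATE_RE = re.compile(_STAMP + r" STATE:(?P<event>\w+) ?" + _ENDPOINTS + r" PR (?P<proto>\w+)")
BLOCK_RE = re.compile(
    _STAMP + r" (?P<iface>\w+) @(?P<group>\d+):(?P<rule>\d+) (?P<action>[bp]) ?"
    + _ENDPOINTS
    + r" PR (?P<proto>\w+) len (?P<hlen>\d+) (?P<plen>\d+) (?P<tcpflags>-\S+) (?P<dir>IN|OUT)(?P<extra>.*)$"
)


def _ts(stamp):
    return datetime.strptime(stamp, "%m/%d/%Y %H:%M:%S.%f")


def parse_ipmon(text):
    """Return one dict per recognised ipmon line; unrecognised lines are skipped."""
    records = []
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if m:
            d = m.groupdict()
            d["kind"] = "state"
        else:
            m = BLOCK_RE.match(line)
            if not m:
                continue
            d = m.groupdict()
            d["kind"] = "packet"
            d["extra"] = d["extra"].split()  # trailing flags such as OOW
        d["ts"] = _ts(d.pop("stamp"))
        d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
        records.append(d)
    return records


def find_oow_blocks(records):
    """Blocked packets that ipmon flagged OOW (out of window)."""
    return [r for r in records
            if r["kind"] == "packet" and r["action"] == "b" and "OOW" in r["extra"]]


def correlate_port_reuse(records, window=timedelta(seconds=120)):
    """Pair each OOW block with the most recent STATE:NEW for the same 4-tuple
    inside `window`. A hit means the client reused a source port while the
    firewall still held state for the earlier connection."""
    hits = []
    for blk in find_oow_blocks(records):
        key = (blk["src"], blk["sport"], blk["dst"], blk["dport"])
        prior = [r for r in records
                 if r["kind"] == "state" and r["event"] == "NEW"
                 and r["ts"] <= blk["ts"] and blk["ts"] - r["ts"] <= window
                 and (r["src"], r["sport"], r["dst"], r["dport"]) == key]
        hits.append((blk, prior[-1] if prior else None))
    return hits


def summarize(text):
    """Return (blocked_packets, oow_blocks, oow_blocks_with_recent_state) for ipmon text."""
    records = parse_ipmon(text)
    blocks = [r for r in records if r["kind"] == "packet" and r["action"] == "b"]
    oow = find_oow_blocks(records)
    reuse = sum(1 for _, prior in correlate_port_reuse(records) if prior is not None)
    return len(blocks), len(oow), reuse


if __name__ == "__main__":
    for blk, prior in correlate_port_reuse(parse_ipmon(SAMPLE_IPMON)):
        age = (blk["ts"] - prior["ts"]).total_seconds() if prior else None
        print(f"OOW block @{blk['group']}:{blk['rule']} {blk['src']},{blk['sport']} "
              f"-> {blk['dst']},{blk['dport']} flags {blk['tcpflags']}; "
              f"prior STATE:NEW {age}s earlier" if prior else "no prior state in window")
    print(summarize(SAMPLE_IPMON))
```

Run it against `ipmon -o NS` output (or the `/var/log/ipf` lines it writes) rather than the constructed sample; if most OOW blocks pair with a STATE:NEW for the same source port only a second or two earlier, the client side is recycling ports faster than the existing state entries expire, which is the first thing to compare against the proxy's connection behaviour and the firewall's TCP state timeouts.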
