ipfilter 4.13 - http traffic going thru ftp proxy
Stephen Clark
Stephen.Clark at seclark.us
Wed Jul 11 13:42:25 UTC 2007
viper wrote:
>On Tue, 10 Jul 2007 15:59:46 -0400, Stephen Clark wrote
>
>>Hello List,
>>
>>I posted a while ago that our testers of our network appliance were
>>complaining that browsing was slower when using our appliance based on 6.x
>>as compared to our appliance using 4.9 FreeBSD.
>>
>>Well it turns out they were right! After spending much time trying
>>to figure out what was going on we discovered that all http traffic
>>was being routed thru the ipf ftp proxy module.
>>
>>Does anyone know why this is happening?
>>********************************************************************************
>>Here is 4.9
>>********************************************************************************
>>H101491# ipnat -l
>>List of active MAP/Redirect filters:
>>map rl1 from 192.168.1.0/24 to any -> 10.0.133.44/32 proxy port ftp ftp/tcp
>>map rl1 from 192.168.1.0/24 to any -> 10.0.133.44/32 portmap tcp/udp 40000:60000
>>map rl1 from 192.168.1.0/24 to any -> 10.0.133.44/32
>>
>>List of active sessions:
>>MAP 192.168.1.9 2949 <- -> 10.0.133.44 40075 [64.154.83.47 80]
>>MAP 192.168.1.9 2948 <- -> 10.0.133.44 40074 [209.67.78.5 80]
>>MAP 192.168.1.9 2947 <- -> 10.0.133.44 40073 [216.168.252.103 443]
>>MAP 192.168.1.9 2946 <- -> 10.0.133.44 40072 [65.243.74.133 80]
>>MAP 192.168.1.9 2945 <- -> 10.0.133.44 40071 [216.168.252.103 443]
>>MAP 192.168.1.9 2944 <- -> 10.0.133.44 40070 [66.155.171.116 80]
>>MAP 192.168.1.9 2943 <- -> 10.0.133.44 40069 [64.9.212.6 80]
>>MAP 192.168.1.9 2942 <- -> 10.0.133.44 40068 [209.104.135.123 80]
>>MAP 192.168.1.9 2941 <- -> 10.0.133.44 40067 [65.243.74.133 80]
>>MAP 192.168.1.9 2940 <- -> 10.0.133.44 40066 [65.243.74.133 80]
>>MAP 192.168.1.9 2939 <- -> 10.0.133.44 40065 [65.243.74.133 80]
>>MAP 192.168.1.9 2938 <- -> 10.0.133.44 40064 [216.239.51.95 80]
>>MAP 192.168.1.9 2924 <- -> 10.0.133.44 40050 [64.233.169.99 80]
>>MAP 192.168.1.9 2922 <- -> 10.0.133.44 40048 [64.233.169.99 80]
>>MAP 192.168.1.9 2920 <- -> 10.0.133.44 40046 [64.233.169.147 80]
>>MAP 192.168.1.9 1031 <- -> 10.0.133.44 40045 [198.6.1.2 53]
>>MAP 192.168.1.9 2884 <- -> 10.0.133.44 40012 [207.159.120.157 80]
>>
>************************************************************************************
>
>>Here is 6.2
>>Notice in the mappings for port 80 the source port is not being
>>mapped into the 40000:60000 range. Also notice that the ftp proxy
>>thought it found something and dumps out some diags.
>>
>************************************************************************************
>
>>H101490# ipnat -l
>>List of active MAP/Redirect filters:
>>map rl1 from 192.168.1.0/24 to any -> 10.0.133.77/32 proxy port ftp ftp/tcp
>>map rl1 from 192.168.1.0/24 to any -> 10.0.133.77/32 portmap tcp/udp 40000:60000
>>map rl1 from 192.168.1.0/24 to any -> 10.0.133.77/32
>>
>>List of active sessions:
>>MAP 192.168.1.88 1397 <- -> 10.0.133.77 1397 [64.154.83.47 80]
>>MAP 192.168.1.88 1396 <- -> 10.0.133.77 1396 [209.67.78.5 80]
>>MAP 192.168.1.88 1395 <- -> 10.0.133.77 1395 [216.168.252.103 443]
>>MAP 192.168.1.88 1394 <- -> 10.0.133.77 1394 [216.168.252.103 443]
>>MAP 192.168.1.88 1393 <- -> 10.0.133.77 1393 [65.243.74.144 80]
>>MAP 192.168.1.88 1392 <- -> 10.0.133.77 1392 [65.243.74.144 80]
>>MAP 192.168.1.88 1378 <- -> 10.0.133.77 1378 [64.233.169.103 80]
>>    proxy ftp/6 use -54 flags 0
>>    proto 6 flags 0 bytes 0 pkts 0
>>    data YES size 312 FTP Proxy: passok: 1
>>    Client: seq 0 (ack 0) len 0 junk 0 cmds 0
>>    buf [\000]
>>    Server: seq 2b451493 (ack 0) len 0 junk 0 cmds 0
>>    buf [\000]
>>MAP 192.168.1.88 1391 <- -> 10.0.133.77 1391 [65.205.8.52 80]
>>MAP 192.168.1.88 1390 <- -> 10.0.133.77 1390 [65.203.229.71 80]
>>MAP 192.168.1.88 1389 <- -> 10.0.133.77 1389 [72.247.8.26 80]
>>MAP 192.168.1.88 1388 <- -> 10.0.133.77 1388 [216.239.51.93 80]
>>MAP 192.168.1.88 1033 <- -> 10.0.133.77 40000 [198.6.1.2 53]
>>
>>--
>>
>>"They that give up essential liberty to obtain temporary safety,
>>deserve neither liberty nor safety." (Ben Franklin)
>>
>>"The course of history shows that as a government grows, liberty
>>decreases." (Thomas Jefferson)
>>
>Use "map rl1 from 192.168.1.0/24 to any port=21 -> 10.0.133.77/32 proxy port 21 ftp/tcp"
>It's a feature.
>_______________________
>Best regards,
>VipeR
>
Use "map rl1 from 192.168.1.0/24 to any port=21 -> 10.0.133.77/32 proxy port 21 ftp/tcp"
You know, this works, but if I use the same line with "proxy port ftp"
instead of "proxy port 21", I get:
map rl1 from 192.168.1.0/24 to any port = 5376 -> 10.0.133.77/32 proxy port 5376 ftp/tcp
Go figure.
--
"They that give up essential liberty to obtain temporary safety,
deserve neither liberty nor safety." (Ben Franklin)
"The course of history shows that as a government grows, liberty
decreases." (Thomas Jefferson)
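An added check, not from this thread or from ipfilter, for the two things the listings above show: a proxy map rule with no destination-port match (which every TCP flow from the source net then hits, so later portmap rules never run) and sessions whose translated source port never landed in the portmap range. The rule and session lines are constructed from the thread; the byte-swap helper only records my observation that 5376 is 21 with its two bytes swapped, which the thread itself does not state.

```python
import re

# Constructed sample: the three map rules from the thread, in ipnat.conf form.
RULES = """\
map rl1 from 192.168.1.0/24 to any -> 10.0.133.77/32 proxy port ftp ftp/tcp
map rl1 from 192.168.1.0/24 to any -> 10.0.133.77/32 portmap tcp/udp 40000:60000
map rl1 from 192.168.1.0/24 to any -> 10.0.133.77/32
"""

# Constructed sample: two session lines in 'ipnat -l' format, one where the
# source port was copied through unchanged and one that was remapped.
SESSIONS = """\
MAP 192.168.1.88 1397 <- -> 10.0.133.77 1397 [64.154.83.47 80]
MAP 192.168.1.88 1033 <- -> 10.0.133.77 40000 [198.6.1.2 53]
"""

RULE_RE = re.compile(
    r"^map\s+(?P<ifname>\S+)\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?:\s+port\s*=\s*(?P<dport>\S+))?\s+->\s+(?P<nat>\S+)(?P<rest>.*)$")
SESS_RE = re.compile(
    r"^MAP\s+(?P<ip>\S+)\s+(?P<sport>\d+)\s+<-\s+->\s+(?P<nip>\S+)"
    r"\s+(?P<nport>\d+)\s+\[(?P<dip>\S+)\s+(?P<dport>\d+)\]")

def unrestricted_proxy_rules(conf):
    """Proxy map rules with no 'port=' match on the destination: every TCP
    flow from the source net hits such a rule, so the ftp proxy is attached
    to HTTP and HTTPS sessions too, and later portmap rules never run."""
    hits = []
    for line in conf.splitlines():
        m = RULE_RE.match(line.strip())
        if m and "proxy port" in m.group("rest") and m.group("dport") is None:
            hits.append(line.strip())
    return hits

def unmapped_sessions(listing, lo, hi):
    """(orig port, translated port, dest port) of sessions whose translated
    source port is outside the portmap range lo:hi."""
    out = []
    for line in listing.splitlines():
        m = SESS_RE.match(line)
        if m and not lo <= int(m.group("nport")) <= hi:
            out.append(tuple(int(m.group(k)) for k in ("sport", "nport", "dport")))
    return out

def byteswap16(port):
    """Swap the two bytes of a 16-bit port number: 21 (0x0015) becomes
    5376 (0x1500), the value the thread's 'proxy port ftp' rule displayed."""
    return ((port & 0xFF) << 8) | (port >> 8)
```

Run it against a real ipnat.conf and the output of `ipnat -l` to confirm that the proxy rule is restricted to port 21 and that the port 80/443 sessions are now remapped.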
More information about the freebsd-stable mailing list