Re: Could Not open some sites from Windows Vista and Server 2008 when using FreeBSD as gw
- From: Matthew Seaman <m.seaman@xxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 05 Mar 2008 14:28:10 +0000
Dennis Melentyev wrote:
Hi!
Well, I'm not a PF professional, and you have a rather advanced setup.
So, someone with good PF experience is needed here.
2008/3/5, Владислав Недосекин <mr.vladis@xxxxxxxxx>:
Hi, I understand that there are too few facts to analyze, but maybe someone
has the same problem, and I can also provide you information.
TCP dump 192.168.200.11 - ip of PC with vista
# tcpdump | grep 192.168.200.11
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ste0, link-type EN10MB (Ethernet), capture size 96 bytes
^C^C^C^C3 packets captured
433 packets received by filter
0 packets dropped by kernel
# tcpdump | grep 192.168.200.111
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ste0, link-type EN10MB (Ethernet), capture size 96 bytes
13:51:47.676471 arp who-has 192.168.200.200 (00:1d:60:ce:74:e8 (oui
Unknown)) tell 192.168.200.111
What's that?
...
PF.CONF...
# Block Policy
block in log all
block in log quick from no-route to any
block in log quick on $ext_if from <rfc1918>
block return-icmp out log quick on $ext_if to <rfc1918>
antispoof quick for $int_if
antispoof quick for $ext_if
block out from 192.168.0.146 to any
Does the log show anything interesting? I mean dropped packets.
What about SQUID's log? Some special auth? Client's insisting on
HTTP/1.1? Some glitches with transparent proxying (if I get it right
from your PF config)?
I've tried
sysctl net.inet.tcp.rfc1323=0
but it doesn't help.
And about ip6: it is disabled, but in the enabled state it doesn't help.
Dropped by PF?
A very good trick when debugging pf rulesets is to make sure that any
block rules also log the blocked packets -- in this case that should
include the antispoofing rules "antispoof log quick for { $int_if $ext_if }"
Then you can use tcpdump on the firewall against the pflog0 pseudo interface
to see what traffic is being blocked as it happens:
# tcpdump -vv -i pflog0
Cheers,
Matthew
--
Dr Matthew J Seaman MA, D.Phil. Flat 3
7 Priory Courtyard
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
Kent, CT11 9PW, UK
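
Added example (not part of the original message): one way to act on the pflog0 tip is to tally blocked packets per rule for a single client, matching the address exactly so that 192.168.200.11 is not confused with 192.168.200.111 the way a plain grep would. The log lines are constructed, and the `tcpdump -n -e -i pflog0` header layout, the `ext0` interface name and the rule numbers are assumptions.

```python
import re
from collections import Counter

# Constructed sample of `tcpdump -n -e -i pflog0` output, not captured from the
# poster's firewall. The "rule N/M(match): action dir on if:" header layout is
# an assumption about the local tcpdump version; ext0 is a hypothetical name.
SAMPLE = """\
13:52:01.100001 rule 0/0(match): block in on ste0: 192.168.200.11.49160 > 198.51.100.7.80: Flags [S], length 0
13:52:04.100002 rule 0/0(match): block in on ste0: 192.168.200.11.49160 > 198.51.100.7.80: Flags [S], length 0
13:52:05.200003 rule 5/0(match): block in on ste0: 192.168.200.111.137 > 192.168.200.255.137: UDP, length 50
13:52:06.300004 rule 9/0(match): pass in on ste0: 192.168.200.11.49161 > 198.51.100.7.80: Flags [S], length 0
13:52:07.400005 rule 7/0(match): block out on ext0: 203.0.113.2 > 192.168.200.11: ICMP echo reply, length 64
"""

# Tolerates the older header form without the sub-rule number or trailing colon.
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/\d*\((?P<reason>[^)]*)\):? "
    r"(?P<action>block|pass) (?P<dir>in|out) on (?P<ifname>\S+?): "
    r"(?P<src>\S+) > (?P<dst>\S+?):"
)

def host_of(endpoint):
    """Drop the trailing .port from an IPv4 endpoint; ICMP lines carry no port."""
    parts = endpoint.split(".")
    return ".".join(parts[:4]) if len(parts) == 5 else endpoint

def blocked_by_rule(lines, host):
    """Count blocked packets to or from `host`, keyed by (rule, dir, interface)."""
    hits = Counter()
    for line in lines:
        m = PFLOG_RE.search(line)
        if not m or m["action"] != "block":
            continue  # unparsable line, or a logged pass rule
        if host in (host_of(m["src"]), host_of(m["dst"])):
            hits[(int(m["rule"]), m["dir"], m["ifname"])] += 1
    return hits

if __name__ == "__main__":
    for key, count in blocked_by_rule(SAMPLE.splitlines(), "192.168.200.11").most_common():
        print("rule %d, %s on %s: %d blocked" % (key + (count,)))
```

The rule numbers in the tally can be matched to ruleset lines with `pfctl -vvsr`, which prints each loaded rule prefixed by its number.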