On Mon, Sep 22, 2008 at 11:16:53AM -0700, Parvinder Bhasin wrote:
> On Sep 22, 2008, at 7:30 AM, Jason Dixon wrote:
>
>> On Mon, Sep 22, 2008 at 07:20:50AM -0700, Parvinder Bhasin wrote:
>>> On Sep 22, 2008, at 6:10 AM, Jason Dixon wrote:
>>>
>>>> On Mon, Sep 22, 2008 at 05:23:31AM -0700, Parvinder Bhasin wrote:
>>>>>
>>>>> On Sep 22, 2008, at 4:46 AM, Jason Dixon wrote:
>>>>>
>>>>>> On Mon, Sep 22, 2008 at 02:25:01AM -0700, Parvinder Bhasin wrote:
>>>>>>> On Sep 22, 2008, at 1:14 AM, Stuart Henderson wrote:
>>>>>>>
>>>>>>>> On 2008-09-22, Parvinder Bhasin <[EMAIL PROTECTED]>
>>>>>>>> wrote:
>>>>>>>>> I have users that can access the website fine (75.44.229.18) and
>>>>>>>>> some users who complain they can't access it.
>>>>>>>>
>>>>>>>> Include the dmesg so we can see what OS version you're running.
>>>>>>>> Set pfctl -x misc and watch /var/log/messages, include any output
>>>>>>>> from around the time of a failed connection. Include the relevant
>>>>>>>> state table entries from pfctl -vss.
>>>>>>>
>>>>>>> Here is the output from pfctl -vss - with the host (75.18.177.36)
>>>>>>> trying to access the website:
>>>>>>
>>>>>> Please do that again, but grep only the relevant bits.  I'm not
>>>>>> going to sift through all the noise.
>>>>>>
>>>>>> $ sudo pfctl -ss | grep 75.18.177.36
>>>>>>
>>>>>> I'm pretty sure your outbound nat needs to be moved *after* your
>>>>>> rdr's.  I think the inbound traffic is having the src_addr translated
>>>>>> to your firewall's ($ext_if)
>>>>>
>>>>> Jason,
>>>>>
>>>>> Here it is without the noise.
>>>>>
>>>>> # pfctl -ss | grep 75.18.177.36
>>>>> all tcp 172.16.10.11:80 <- 75.44.229.18:80 <- 75.18.177.36:1056   SYN_SENT:ESTABLISHED
>>>>> all tcp 75.18.177.36:1056 -> 172.16.10.11:80   ESTABLISHED:SYN_SENT
>>>>> # pfctl -ss | grep 75.18.177.36
>>>>> all tcp 172.16.10.11:80 <- 75.44.229.18:80 <- 75.18.177.36:1056   SYN_SENT:ESTABLISHED
>>>>> all tcp 75.18.177.36:1056 -> 172.16.10.11:80   ESTABLISHED:SYN_SENT
>>>>
>>>> Looks ok.  Let's see the output of `pfctl -sr` and `pfctl -sn`.  Also,
>>>> let's correlate your states to the logged blocks.  In separate
>>>> terminals, do the `pfctl -ss | grep <foo>` and then find the
>>>> corresponding traffic in pflog0 that's being blocked.  Let's see them
>>>> both.
>>>
>>>
>>> # pfctl -sr
>>> scrub in all fragment reassemble
>>> block return in log (all) all
>>> pass out all flags S/SA keep state
>>> block drop in quick on ! lo inet from 127.0.0.0/8 to any
>>> block drop in quick on ! lo inet6 from ::1 to any
>>> block drop in quick inet from 127.0.0.1 to any
>>> block drop in quick on ! fxp0 inet from 172.16.10.0/24 to any
>>> block drop in quick inet from 172.16.10.10 to any
>>> block drop in quick inet6 from ::1 to any
>>> block drop in quick on lo0 inet6 from fe80::1 to any
>>> block drop in quick on fxp0 inet6 from fe80::206:29ff:fecf:7d5f to any
>>> pass in on fxp1 inet proto tcp from any to 172.16.10.11 port = www flags S/SA keep state
>>> pass in on fxp1 inet proto tcp from any to 75.44.229.17 port = ssh flags S/SA keep state
>>> pass in on fxp1 inet proto tcp from any to 172.16.10.12 port = 3128 flags S/SA synproxy state
>>> pass in inet proto icmp all icmp-type echoreq keep state
>>> pass in quick on fxp0 all flags S/SA keep state
>>> # pfctl -sn
>>> nat on fxp1 from ! (fxp1) to any -> (fxp1:0)
>>> nat-anchor "ftp-proxy/*" all
>>> rdr-anchor "ftp-proxy/*" all
>>> rdr on fxp1 inet proto tcp from any to 75.44.229.18 port = www -> 172.16.10.11 port 80
>>> rdr on fxp1 inet proto tcp from any to 75.44.229.19 port = 3128 -> 172.16.10.12 port 3128
>>>
>>>
>>> # pfctl -ss | grep 75.18.177.36
>>> all tcp 172.16.10.11:80 <- 75.44.229.18:80 <- 75.18.177.36:1057   SYN_SENT:ESTABLISHED
>>> all tcp 75.18.177.36:1057 -> 172.16.10.11:80   ESTABLISHED:SYN_SENT
>>
>> And the blocked packets?
>>
>
> How should I capture them?  Did you mean via pflog?

Yes, just like you did before.  I'd like to see where they're being
passed (pfctl -ss) *and* blocked (pflog) at the same time.

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/
