Website(s) being blocked by CARP/PF firewall


Website(s) being blocked by CARP/PF firewall

Chris Cameron-2
Have two 3.8 firewalls in a CARP setup, and through this firewall I'm
unable to get to ticketmaster.ca or .com. They both have different IPs.


On the master CARP firewall, with tcpdump on the external interface:


Re: Website(s) being blocked by CARP/PF firewall

Curt Micol
On 9/7/06, Chris Cameron <[hidden email]> wrote:
> Have two 3.8 firewalls in a CARP setup, and through this firewall I'm
> unable to get to ticketmaster.ca or .com. They both have different IPs.
>
>
> On the master CARP firewall, with tcpdump on the external interface:

If you want help you are going to have to supply a lot more
information than what you've supplied here.

But make sure you have read and understand the FAQ [1] and the man
pages for pf.conf [2], carp [3], pfsync [4] before responding.

hth,
Asenchi.

[1] http://www.openbsd.org/faq/pf/index.html
[2] http://urlx.org/openbsd.org/4a4bc
[3] http://urlx.org/openbsd.org/5ca9f
[4] http://urlx.org/openbsd.org/558dd
--
The risk of insult is the price of clarity.


Re: Website(s) being blocked by CARP/PF firewall

Chris Cameron-2
On Thu, 2006-09-07 at 10:46 -0400, Asenchi wrote:
> On 9/7/06, Chris Cameron <[hidden email]> wrote:
> > Have two 3.8 firewalls in a CARP setup, and through this firewall I'm
> > unable to get to ticketmaster.ca or .com. They both have different IPs.

> But make sure you have read and understand the FAQ [1] and the man
> pages for pf.conf [2], carp [3], pfsync [4] before responding.
>
> hth,
> Asenchi.
>
> [1] http://www.openbsd.org/faq/pf/index.html
> [2] http://urlx.org/openbsd.org/4a4bc
> [3] http://urlx.org/openbsd.org/5ca9f
> [4] http://urlx.org/openbsd.org/558dd


I didn't see any "Can't access Ticketmaster.ca" entries; but I think I
have the rest covered.

No other sites have this problem. The firewall sits in front of an
office of 15 or so, so I believe I would have heard something. Logging
is turned on for my default block rule, which isn't returning anything
for the ticketmaster IPs.

The connection is just refused though. Nothing gets "lost", or dropped.
The server gets the request, replies, and the client sees it.


I don't see how this could be a problem of my ruleset; if something was
being blocked, no packets would have been received by the client.



Again, does anyone have any ideas? Can other people access ticketmaster
through their CARP'd NAT firewall?


Chris


Re: Website(s) being blocked by CARP/PF firewall

Tim Pushor
> Again, does anyone have any ideas? Can other people access ticketmaster
> through their CARP'd NAT firewall?
>  
Yeah it works fine over here. How about cranking PF's debugging and
watching syslog? pfctl -x loud

Tim


Re: Website(s) being blocked by CARP/PF firewall

Nick Shank
In reply to this post by Chris Cameron-2
Chris Cameron wrote:

> On Thu, 2006-09-07 at 10:46 -0400, Asenchi wrote:
>  
>> On 9/7/06, Chris Cameron <[hidden email]> wrote:
>>    
>>> Have two 3.8 firewalls in a CARP setup, and through this firewall I'm
>>> unable to get to ticketmaster.ca or .com. They both have different IPs.
>>>      
>
>  
>> But make sure you have read and understand the FAQ [1] and the man
>> pages for pf.conf [2], carp [3], pfsync [4] before responding.
>>
>> hth,
>> Asenchi.
>>
>> [1] http://www.openbsd.org/faq/pf/index.html
>> [2] http://urlx.org/openbsd.org/4a4bc
>> [3] http://urlx.org/openbsd.org/5ca9f
>> [4] http://urlx.org/openbsd.org/558dd
>>    
>
>
> I didn't see any "Can't access Ticketmaster.ca" entries; but I think I
> have the rest covered.
>
> No other sites have this problem. The firewall sits in front of an
> office of 15 or so, so I believe I would have heard something. Logging
> is turned on for my default block rule, which isn't returning anything
> for the ticketmaster IPs.
>
> The connection is just refused though. Nothing gets "lost", or dropped.
> The server gets the request, replies, and the client sees it.
>
>
> I don't see how this could be a problem of my ruleset; if something was
> being blocked, no packets would have been received by the client.
>
>
>
> Again, does anyone have any ideas? Can other people access ticketmaster
> through their CARP'd NAT firewall?
>
>
> Chris
>
>  
Having just tried to hit ticketmaster.ca and ticketmaster.com, I get an
error I've never seen before. Constant redirects. Like the page is
starting to load, then redirecting to itself. Maybe it's a problem w/
the site?

"Config":
XP-64 using Firefox 1.5.0.6.
Windows firewall: off
Network firewall: Sonicwall

Please keep in mind, this is just my initial observation, and I will
re-test when I get home and have the "proper" equipment.
Nick


Re: Website(s) being blocked by CARP/PF firewall

Spruell, Darren-Perot
In reply to this post by Chris Cameron-2
From: [hidden email] [mailto:[hidden email]]

> I didn't see any "Can't access Ticketmaster.ca" entries; but I
> think I have the rest covered.
>
> No other sites have this problem. The firewall sits in front
> of an office of 15 or so, so I believe I would have heard
> something. Logging is turned on for my default block rule,
> which isn't returning anything for the ticketmaster IPs.
>
> The connection is just refused though. Nothing gets "lost",
> or dropped.
> The server gets the request, replies, and the client sees it.

Then it sounds like there's no problem? You've got full bidirectional
client/server communication?

What does a packet dump on either (both) sides of the firewall reveal?

DS
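The thread turns on three things the tcpdump output (never posted) would settle at a glance: whether the SYNs leave and get no answer (dropped or blocked, so check pflog), whether the far end answers with RST (refused, which is what Chris reports), or whether the three-way handshake completes and the breakage is above TCP (the redirect loop Nick sees would fall here). The triage script below is an added example, not code from the thread or from OpenBSD; it parses a constructed `tcpdump -n` text capture (both the older `S 1:1(0)` and the newer `Flags [S]` flag notation) and classifies each flow by what it saw. The sample lines, addresses and port numbers are made up for the example.

```python
import re

# Constructed sample capture (not from the original thread), in the text format
# that "tcpdump -n -i <ext_if> tcp" prints. Three flows:
#   49152 -> .10: handshake completes (problem, if any, is above TCP)
#   49153 -> .11: server answers SYN with RST ("connection refused")
#   49154 -> .12: SYN retransmitted three times, never answered (dropped/blocked)
SAMPLE = """\
10:46:01.000100 IP 192.168.1.50.49152 > 203.0.113.10.80: Flags [S], seq 1000, win 65535
10:46:01.020400 IP 203.0.113.10.80 > 192.168.1.50.49152: Flags [S.], seq 5000, ack 1001, win 5840
10:46:01.020500 IP 192.168.1.50.49152 > 203.0.113.10.80: Flags [.], ack 5001, win 65535
10:46:02.000100 IP 192.168.1.50.49153 > 203.0.113.11.80: S 2000:2000(0) win 65535
10:46:02.030000 IP 203.0.113.11.80 > 192.168.1.50.49153: R 0:0(0) ack 2001 win 0
10:46:03.000100 IP 192.168.1.50.49154 > 203.0.113.12.80: S 3000:3000(0) win 65535
10:46:06.000100 IP 192.168.1.50.49154 > 203.0.113.12.80: S 3000:3000(0) win 65535
10:46:12.000100 IP 192.168.1.50.49154 > 203.0.113.12.80: S 3000:3000(0) win 65535
"""

# "<ts> IP <src>.<sport> > <dst>.<dport>: <rest>"; non-TCP lines (ARP, CARP, ICMP) won't match.
LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+IP6?\s+(?P<src>[\w.:]+?)\.(?P<sport>\d+)\s+>\s+'
    r'(?P<dst>[\w.:]+?)\.(?P<dport>\d+):\s+(?P<rest>.*)$'
)


def parse_flags(rest):
    """Return (syn, rst, ack) for either tcpdump flag notation."""
    m = re.match(r'Flags \[([^\]]*)\]', rest)          # newer: Flags [S.]
    if m:
        flags = m.group(1)
    else:
        m = re.match(r'([SRPFWE.]+)\s', rest)          # older: "S 1:1(0) win ..."
        flags = m.group(1) if m else ''
    syn = 'S' in flags
    rst = 'R' in flags
    # Newer format marks ACK with "."; older format only prints "ack <n>".
    ack = '.' in flags or re.search(r'\back \d+', rest) is not None
    return syn, rst, ack


def classify(f):
    if f['midstream']:
        return 'mid-stream: no SYN seen (capture started after the handshake)'
    if f['server_rst']:
        return 'refused: server side answered with RST'
    if f['server_synack'] == 0:
        return 'no reply: %d SYN(s) unanswered (dropped upstream, or blocked; check pflog)' % f['client_syn']
    if f['client_ack'] == 0:
        return 'half-open: SYN/ACK seen but the client never completed the handshake'
    return 'established: TCP is fine, look above layer 4 (HTTP redirects, DNS, proxy)'


def analyze(capture):
    """Map each (client, cport, server, sport) flow to a one-line verdict."""
    flows = {}
    for line in capture.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        src, sp, dst, dp = m['src'], int(m['sport']), m['dst'], int(m['dport'])
        syn, rst, ack = parse_flags(m['rest'])
        fwd, rev = (src, sp, dst, dp), (dst, dp, src, sp)
        if fwd in flows:
            f, from_client = flows[fwd], True
        elif rev in flows:
            f, from_client = flows[rev], False
        else:
            # First packet seen decides who is the client; normally that is the bare SYN.
            f = flows[fwd] = {'client_syn': 0, 'server_synack': 0, 'client_ack': 0,
                              'server_rst': 0, 'client_rst': 0, 'server_other': 0,
                              'midstream': not (syn and not ack)}
            from_client = True
        if from_client:
            if syn and not ack:
                f['client_syn'] += 1
            elif rst:
                f['client_rst'] += 1
            elif ack:
                f['client_ack'] += 1
        else:
            if rst:
                f['server_rst'] += 1
            elif syn and ack:
                f['server_synack'] += 1
            else:
                f['server_other'] += 1
    return {k: classify(v) for k, v in flows.items()}


if __name__ == '__main__':
    for (c, cp, s, sp), verdict in analyze(SAMPLE).items():
        print('%s:%d -> %s:%d  %s' % (c, cp, s, sp, verdict))
```

Run it against captures taken on both sides of the firewall (`tcpdump -n -i <int_if> host <client>` and `tcpdump -n -i <ext_if> host <server>`) and compare the verdict for the same flow: if the internal side shows "no reply" while the external side shows a SYN/ACK arriving, the reply is reaching the firewall but not being passed back, which is where to look at the NAT and state-table rules; if both sides agree the handshake completed, the firewall is not the problem.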


Re: Website(s) being blocked by CARP/PF firewall

Sam Chill
In reply to this post by Chris Cameron-2
On 9/7/06, Chris Cameron <[hidden email]> wrote:
> Have two 3.8 firewalls in a CARP setup, and through this firewall I'm
> unable to get to ticketmaster.ca or .com. They both have different IPs.
>
>
> On the master CARP firewall, with tcpdump on the external interface:

It might be useful if you post the relevant parts of your pf.conf. In
the past I have had strange issues when connecting to some websites
when using some of scrub's options.
Good luck,
Sam