Subject: Problem with Windows 2000->IE 5.5->ftp://ftp.netbsd.org and IPF
To: None <netbsd-users@netbsd.org>
From: Gerald C. Simmons <simmons@darykon.cet.com>
List: netbsd-users
Date: 11/27/2001 08:43:45
Has anyone run into this problem?

I have a DSL link with an assigned IP subnet block from my ISP. I'm using a
NetBSD machine as a router/firewall using IPF. I have the following machines
as clients: Windows 2000, Windows NT 4.0, Windows ME, and Linux.

I noticed recently that when I use IE 5.5 on my Windows 2000 machine to go
into ftp.netbsd.org via www.netbsd.org, something happens and the ftp packets
back to my Windows 2000 machine get blocked.

Nov 27 08:37:13 dakkon ipmon[141]: 08:37:12.496046 ep1 @0:2 b ftp.netbsd.org,59891 -> derenai.darykon.cet.com,1162 PR tcp len 20 60 -S IN

This actually hangs up IE 5.5 for about 3 minutes and it finally fails with a
timeout error.

This doesn't happen with my Windows NT 4.0 box, or any of the others.

Gerry Simmons
simmons@darykon.cet.com


Here's my IPF.conf file:

#	ipf.conf, v 0.1 2001/05/17  07:05:31  simmons Exp $
#
# IP filtering rules. See ipf(5) man page for more information
# on the format of this file.
#
#################################################################################

# Allow to and from localhost

pass in quick on lo0
pass out quick on lo0


#################################################################################

# Allow ping from the WAN, IFF source IP address is valid

block in log quick on ep1 all head 1
block in log quick on ep1 from 192.168.0.0/16 to any group 1
# RFC 1918 range is 172.16.0.0/12 (172.16.0.0 - 172.31.255.255), not /16
block in log quick on ep1 from 172.16.0.0/12 to any group 1
block in log quick on ep1 from 10.0.0.0/8 to any group 1
block in log quick on ep1 from 127.0.0.0/8 to any group 1
block in log quick on ep1 from 0.0.0.0/8 to any group 1
block in log quick on ep1 from 169.254.0.0/16 to any group 1
block in log quick on ep1 from 192.0.2.0/24 to any group 1
block in log quick on ep1 from 204.152.64.0/23 to any group 1
block in log quick on ep1 from 224.0.0.0/3 to any group 1
pass in quick on ep1 proto icmp from any to 198.202.24.77/32 icmp-type echo group 1
pass in quick on ep1 proto icmp from any to 198.202.29.144/29 icmp-type echo group 1

#################################################################################

# Allow outbound LAN traffic, IFF source and destination IP addresses are valid

block out log quick on ex0 all head 2
pass out quick on ex0 proto tcp from any to 198.202.29.144/29 keep state group 2
pass out quick on ex0 proto udp from any to 198.202.29.144/29 keep state group 2
pass out quick on ex0 proto icmp from any to 198.202.29.144/29 keep state group 2

#################################################################################

# Allow inbound traffic from LAN, all protocols

block in log quick on ex0 all head 3
pass in quick on ex0 proto tcp from 198.202.29.144/29 to any keep state group 3
pass in quick on ex0 proto udp from 198.202.29.144/29 to any keep state group 3
pass in quick on ex0 proto icmp from 198.202.29.144/29 to any keep state group 3
pass in quick on ex0 proto gre from 198.202.29.144/29 to any group 3

#################################################################################

# Allow outbound WAN traffic, all protocols IFF source IP address is valid

block out log quick on ep1 all head 4
pass out quick on ep1 proto tcp from 198.202.24.77/32 to any keep state group 4
pass out quick on ep1 proto udp from 198.202.24.77/32 to any keep state group 4
pass out quick on ep1 proto icmp from 198.202.24.77/32 to any keep state group 4
pass out quick on ep1 proto tcp from 198.202.29.144/29 to any keep state group 4
pass out quick on ep1 proto udp from 198.202.29.144/29 to any keep state group 4
pass out quick on ep1 proto icmp from 198.202.29.144/29 to any keep state group 4
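The log line quoted above shows a packet from ftp.netbsd.org to the Windows 2000 client being dropped as it arrives on ep1: direction IN, flags -S (a bare SYN, i.e. a new connection being opened from the outside), matched at @0:2. That is consistent with the `block in log quick on ep1 all head 1` rule in the posted ipf.conf, since the only `pass in` rules on ep1 are for ICMP echo and the `keep state` entries in group 4 only cover connections the LAN side opened outward. As an added example (not part of the post and not NetBSD code), here is a small Python parser for that ipmon line shape that picks out blocked, unsolicited inbound SYNs on the WAN interface, so a log can be scanned for which clients and ports are being hit. The regex is written from the single line in the post (an assumption: other ipmon line variants, such as ICMP entries, are not handled), and the two extra log lines are constructed for contrast.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Shape of the ipmon(8) log body quoted in the post:
#   HH:MM:SS.usec iface @group:rule action src,sport -> dst,dport PR proto len hlen plen [-flags] IN|OUT
# Written from that single sample (assumption: other ipmon variants, e.g. ICMP lines, are not handled).
IPMON_RE = re.compile(
    r"(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<iface>\S+)\s+@(?P<group>\d+):(?P<rule>\d+)\s+"
    r"(?P<action>[A-Za-z])\s+"
    r"(?P<src>\S+?),(?P<sport>\d+)\s+->\s+(?P<dst>\S+?),(?P<dport>\d+)\s+"
    r"PR\s+(?P<proto>\S+)\s+len\s+(?P<hlen>\d+)\s+(?P<plen>\d+)"
    r"(?:\s+(?P<flags>-[A-Z]+))?\s+(?P<direction>IN|OUT)\s*$"
)


@dataclass
class IpmonRecord:
    time: str
    iface: str
    group: int
    rule: int
    action: str       # ipmon's single-letter code: 'b' = blocked, 'p' = passed
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    flags: str        # TCP flag letters as ipmon prints them, e.g. "S" for a bare SYN
    direction: str    # "IN" or "OUT"


def parse_ipmon_line(line: str) -> Optional[IpmonRecord]:
    """Parse one ipmon line, with or without the syslog 'ipmon[pid]:' prefix."""
    body = line.strip()
    prefix = re.search(r"ipmon\[\d+\]:\s*", body)
    if prefix:
        body = body[prefix.end():]
    m = IPMON_RE.match(body)
    if not m:
        return None
    g = m.groupdict()
    return IpmonRecord(
        time=g["time"], iface=g["iface"], group=int(g["group"]), rule=int(g["rule"]),
        action=g["action"], src=g["src"], sport=int(g["sport"]),
        dst=g["dst"], dport=int(g["dport"]), proto=g["proto"].lower(),
        flags=(g["flags"] or "-").lstrip("-"), direction=g["direction"],
    )


def is_blocked_inbound_syn(rec: IpmonRecord, wan_iface: str) -> bool:
    """True for a dropped, unsolicited connection attempt arriving on the WAN side:
    blocked, inbound on the WAN interface, TCP, SYN set without ACK. A SYN+ACK or a
    bare ACK belongs to a connection the LAN opened and is not counted."""
    return (rec.action == "b" and rec.direction == "IN" and rec.iface == wan_iface
            and rec.proto == "tcp" and "S" in rec.flags and "A" not in rec.flags)


def blocked_inbound_syns(lines, wan_iface="ep1"):
    """Return (src, sport, dst, dport) for every blocked inbound SYN in the given lines."""
    hits = []
    for line in lines:
        rec = parse_ipmon_line(line)
        if rec is not None and is_blocked_inbound_syn(rec, wan_iface):
            hits.append((rec.src, rec.sport, rec.dst, rec.dport))
    return hits


# Sample input: the first line is the one quoted in the post (joined onto one line);
# the other two are constructed, as they would look if the matching rules had 'log' set.
SAMPLE_LOG = [
    "Nov 27 08:37:13 dakkon ipmon[141]: 08:37:12.496046 ep1 @0:2 b "
    "ftp.netbsd.org,59891 -> derenai.darykon.cet.com,1162 PR tcp len 20 60 -S IN",
    # constructed: the client's own outbound control connection, passed on the way out
    "Nov 27 08:37:10 dakkon ipmon[141]: 08:37:09.100000 ep1 @4:1 p "
    "derenai.darykon.cet.com,1161 -> ftp.netbsd.org,21 PR tcp len 20 48 -S OUT",
    # constructed: a stray ACK dropped inbound; not a new connection attempt
    "Nov 27 08:37:20 dakkon ipmon[141]: 08:37:19.200000 ep1 @0:2 b "
    "ftp.netbsd.org,21 -> derenai.darykon.cet.com,1161 PR tcp len 20 40 -A IN",
]

if __name__ == "__main__":
    for src, sport, dst, dport in blocked_inbound_syns(SAMPLE_LOG):
        print(f"unsolicited inbound SYN dropped: {src}:{sport} -> {dst}:{dport}")
```

Run against /var/log/ipflog (or wherever ipmon writes) the function reports only the connections the outside world tried to open toward LAN hosts, which is the set a ruleset like the one above is meant to drop; a legitimate service that keeps showing up there is a candidate for an explicit `pass in` rule or a proxy, while anything else is just the firewall doing its job.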