Hello List,

I posted a while ago that our testers of our network appliance were complaining that browsing was slower when using our appliance based on 6.x as compared to our appliance using 4.9 FreeBSD.

Well it turns out they were right! After spending much time trying to figure out what was going on we discovered that all http traffic was being routed thru the ipf ftp proxy module.

Does anyone know why this is happening?

********************************************************************************
Here is 4.9
********************************************************************************
H101491# ipnat -l
List of active MAP/Redirect filters:
map rl1 from 192.168.1.0/24 to any -> 10.0.133.44/32 proxy port ftp ftp/tcp
map rl1 from 192.168.1.0/24 to any -> 10.0.133.44/32 portmap tcp/udp 40000:60000
map rl1 from 192.168.1.0/24 to any -> 10.0.133.44/32

List of active sessions:
MAP 192.168.1.9 2949 <- -> 10.0.133.44 40075 [64.154.83.47 80]
MAP 192.168.1.9 2948 <- -> 10.0.133.44 40074 [209.67.78.5 80]
MAP 192.168.1.9 2947 <- -> 10.0.133.44 40073 [216.168.252.103 443]
MAP 192.168.1.9 2946 <- -> 10.0.133.44 40072 [65.243.74.133 80]
MAP 192.168.1.9 2945 <- -> 10.0.133.44 40071 [216.168.252.103 443]
MAP 192.168.1.9 2944 <- -> 10.0.133.44 40070 [66.155.171.116 80]
MAP 192.168.1.9 2943 <- -> 10.0.133.44 40069 [64.9.212.6 80]
MAP 192.168.1.9 2942 <- -> 10.0.133.44 40068 [209.104.135.123 80]
MAP 192.168.1.9 2941 <- -> 10.0.133.44 40067 [65.243.74.133 80]
MAP 192.168.1.9 2940 <- -> 10.0.133.44 40066 [65.243.74.133 80]
MAP 192.168.1.9 2939 <- -> 10.0.133.44 40065 [65.243.74.133 80]
MAP 192.168.1.9 2938 <- -> 10.0.133.44 40064 [216.239.51.95 80]
MAP 192.168.1.9 2924 <- -> 10.0.133.44 40050 [64.233.169.99 80]
MAP 192.168.1.9 2922 <- -> 10.0.133.44 40048 [64.233.169.99 80]
MAP 192.168.1.9 2920 <- -> 10.0.133.44 40046 [64.233.169.147 80]
MAP 192.168.1.9 1031 <- -> 10.0.133.44 40045 [198.6.1.2 53]
MAP 192.168.1.9 2884 <- -> 10.0.133.44 40012 [207.159.120.157 80]

************************************************************************************
Here is 6.2
Notice in the mappings for port 80 the source port is not being mapped into the 40000:60000 range. Also notice that the ftp proxy thought it found something and dumps out some diags.
************************************************************************************
H101490# ipnat -l
List of active MAP/Redirect filters:
map rl1 from 192.168.1.0/24 to any -> 10.0.133.77/32 proxy port ftp ftp/tcp
map rl1 from 192.168.1.0/24 to any -> 10.0.133.77/32 portmap tcp/udp 40000:60000
map rl1 from 192.168.1.0/24 to any -> 10.0.133.77/32

List of active sessions:
MAP 192.168.1.88 1397 <- -> 10.0.133.77 1397 [64.154.83.47 80]
MAP 192.168.1.88 1396 <- -> 10.0.133.77 1396 [209.67.78.5 80]
MAP 192.168.1.88 1395 <- -> 10.0.133.77 1395 [216.168.252.103 443]
MAP 192.168.1.88 1394 <- -> 10.0.133.77 1394 [216.168.252.103 443]
MAP 192.168.1.88 1393 <- -> 10.0.133.77 1393 [65.243.74.144 80]
MAP 192.168.1.88 1392 <- -> 10.0.133.77 1392 [65.243.74.144 80]
MAP 192.168.1.88 1378 <- -> 10.0.133.77 1378 [64.233.169.103 80]
    proxy ftp/6 use -54 flags 0 proto 6 flags 0 bytes 0 pkts 0 data YES size 312
    FTP Proxy: passok: 1
    Client: seq 0 (ack 0) len 0 junk 0 cmds 0 buf [\000]
    Server: seq 2b451493 (ack 0) len 0 junk 0 cmds 0 buf [\000]
MAP 192.168.1.88 1391 <- -> 10.0.133.77 1391 [65.205.8.52 80]
MAP 192.168.1.88 1390 <- -> 10.0.133.77 1390 [65.203.229.71 80]
MAP 192.168.1.88 1389 <- -> 10.0.133.77 1389 [72.247.8.26 80]
MAP 192.168.1.88 1388 <- -> 10.0.133.77 1388 [216.239.51.93 80]
MAP 192.168.1.88 1033 <- -> 10.0.133.77 40000 [198.6.1.2 53]

--
"They that give up essential liberty to obtain temporary safety, deserve neither liberty nor safety." (Ben Franklin)
"The course of history shows that as a government grows, liberty decreases." (Thomas Jefferson)
viper wrote:
> On Tue, 10 Jul 2007 15:59:46 -0400, Stephen Clark wrote
>
>> Hello List,
>>
>> I posted a while ago that our testers of our network appliance were
>> complaining that browsing was slower when using our appliance based on 6.x
>> as compared to our appliance using 4.9 FreeBSD.
>>
>> [...]
>
> Use "map rl1 from 192.168.1.0/24 to any port=21 -> 10.0.133.77/32 proxy port 21 ftp/tcp"
> It's a feature.
> _______________________
> Best regards,
> VipeR

> Use "map rl1 from 192.168.1.0/24 to any port=21 -> 10.0.133.77/32 proxy port 21 ftp/tcp"

you know this works but if I use the same line but use "proxy port ftp" instead of "proxy port 21" I get:

map rl1 from 192.168.1.0/24 to any port = 5376 -> 10.0.133.77/32 proxy port 5376 ftp/tcp

Go figure.
On Wed, 11 Jul 2007 09:42:22 -0400, Stephen Clark wrote
> viper wrote:
>> On Tue, 10 Jul 2007 15:59:46 -0400, Stephen Clark wrote
>>> [...]
>>
>> Use "map rl1 from 192.168.1.0/24 to any port=21 -> 10.0.133.77/32 proxy port 21 ftp/tcp"
>> It's a feature.
>
> you know this works but if I use the same line but use "proxy port ftp"
> instead of "proxy port 21" I get:
> map rl1 from 192.168.1.0/24 to any port = 5376 -> 10.0.133.77/32 proxy port 5376 ftp/tcp
>
> Go figure.

Again, this is a known feature. The truth is similar to the bug.
_______________________
Best regards,
VipeR
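An added check for the situation in this thread (example code, not from the thread or from IPFilter): it parses `ipnat -l` session lines, flags flows to non-FTP ports whose source port was left unmapped (the symptom Stephen saw on 6.2), and rewrites the wide `proxy port ftp` rule into the narrowed `port=21 ... proxy port 21` form VipeR gave. The session and rule strings are sample input constructed from the output quoted above; the function names are this example's own.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input in the shape of the thread's "ipnat -l" output:
# three sessions from the 6.2 box plus one from the 4.9 box for contrast.
SAMPLE_SESSIONS = """\
MAP 192.168.1.88 1397 <- -> 10.0.133.77 1397 [64.154.83.47 80]
MAP 192.168.1.88 1395 <- -> 10.0.133.77 1395 [216.168.252.103 443]
MAP 192.168.1.88 1033 <- -> 10.0.133.77 40000 [198.6.1.2 53]
MAP 192.168.1.9 2949 <- -> 10.0.133.44 40075 [64.154.83.47 80]
"""
# The wide rule from the thread: no destination port, so any TCP flow can match it.
WIDE_RULE = "map rl1 from 192.168.1.0/24 to any -> 10.0.133.77/32 proxy port ftp ftp/tcp"

MAP_RE = re.compile(r"^MAP\s+(\S+)\s+(\d+)\s+<-\s+->\s+(\S+)\s+(\d+)\s+\[(\S+)\s+(\d+)\]")
RULE_RE = re.compile(r"^map\s+\S+\s+from\s+\S+\s+to\s+\S+(\s+port\s*=\s*(\d+))?"
                     r"\s+->\s+\S+\s+proxy\s+port\s+\S+\s+\S+$")

def parse_sessions(text: str) -> List[Dict[str, object]]:
    """Turn the MAP lines of 'ipnat -l' into dicts; every other line is ignored."""
    rows = []
    for line in text.splitlines():
        m = MAP_RE.match(line.strip())
        if m:
            rows.append({"src": m.group(1), "sport": int(m.group(2)),
                         "nat": m.group(3), "nport": int(m.group(4)),
                         "dst": m.group(5), "dport": int(m.group(6))})
    return rows

def misrouted_sessions(rows, portmap=(40000, 60000), proxy_dport=21):
    """Sessions that look like they hit the proxy rule instead of the portmap rule:
    destination is not the proxied service, yet the NATed source port was left
    as-is rather than rewritten into the portmap range."""
    lo, hi = portmap
    return [r for r in rows if r["dport"] != proxy_dport
            and r["nport"] == r["sport"] and not lo <= r["nport"] <= hi]

def proxy_rule_match_port(rule: str) -> Optional[int]:
    """Destination port the proxy rule is restricted to; None means it matches any port."""
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError("not a 'map ... proxy port' rule: " + rule)
    return int(m.group(2)) if m.group(2) else None

def narrow_proxy_rule(rule: str, port: int = 21) -> str:
    """Rewrite a wide proxy rule into the form VipeR gave: match only the service port
    and give the proxy port numerically (the thread shows 'proxy port ftp' turning into
    'port = 5376', which is 0x1500, i.e. 21 with its two bytes swapped)."""
    if proxy_rule_match_port(rule) is not None:
        return rule.strip()  # already restricted to one destination port
    rewritten = rule.strip().replace(" -> ", " port=%d -> " % port, 1)
    return re.sub(r"proxy port \S+", "proxy port %d" % port, rewritten, count=1)
```

Running `misrouted_sessions(parse_sessions(...))` over the real `ipnat -l` output on the 6.2 box should flag the port 80 and 443 flows; after the narrowed rule is loaded it should return nothing.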