Netgate Discussion Forum
Port 3128 has been blocked in LAN… what happened?

Firewalling
    syedadi
    last edited by Aug 13, 2011, 3:01 AM

    Can anyone help me solve this? I've been trying to make many adjustments to my firewall rules, but it never passes.. but when I test from my browser, it can view the website from port 3128.


    my firewall log


    my firewall settings

      Metu69salemi
      last edited by Aug 13, 2011, 5:24 AM

      Disable or reconfigure Squid/SquidGuard

        syedadi
        last edited by Aug 13, 2011, 8:08 AM

        Does it have something to do with Squid?  :-X
        It is too much to reconfigure the two applications… huhu.. just ignore it  :-[

          Metu69salemi
          last edited by Aug 13, 2011, 7:54 PM

          Google port 3128: what is the answer?

            stephenw10 Netgate Administrator
            last edited by Aug 13, 2011, 9:03 PM

            Your firewall rule 'Pass from Proxy' is not doing anything that isn't already covered by the default LAN to any rule.
            The real question is: why is traffic on the same subnet even going through the firewall at all?
            Note that all the blocked traffic is TCP:FA. Perhaps this is the reason:
            http://forum.pfsense.org/index.php?topic=35400.0

            What are the devices that are in the firewall logs? Clients? Servers?

            Steve

              syedadi
              last edited by Aug 14, 2011, 3:19 PM

              @stephenw10:

              Your firewall rule 'Pass from Proxy' is not doing anything that isn't already covered by the default LAN to any rule.
              The real question is: why is traffic on the same subnet even going through the firewall at all?
              Note that all the blocked traffic is TCP:FA. Perhaps this is the reason:
              http://forum.pfsense.org/index.php?topic=35400.0

              What are the devices that are in the firewall logs? Clients? Servers?

              Steve

              I don't really understand the answer from the link…

                stephenw10 Netgate Administrator
                last edited by Aug 14, 2011, 3:52 PM

                You have a routing problem. Somehow your traffic is being routed through pfSense even though it should be going directly. Traffic cannot be routed in and out of the same interface, it causes problems such as you are seeing.

                Without knowing more about your setup it's impossible to say what's going on.

                Are you using Squid on port 3128? Is it in your pfSense machine?

                Why have you removed the last octet of the destination IP in your firewall log? It's a local IP. Are they all the same?

                One thing that may possibly cause this is if your LAN DHCP server is giving out the wrong subnet, e.g. /32.
                In this case your clients can only 'see' the gateway and not other local IPs. Hence all traffic is sent via the gateway.

                Steve

                  syedadi
                  last edited by Aug 15, 2011, 5:46 AM

                  Thanks Steve

                  The problem was solved after I upgraded the box to 2.0-RC3 (i386) built on Fri Aug 12 16:23:11 EDT 2011.  ;D

                  Yes… the last octet I removed is the pfSense server's private IP... and port 3128 is the default proxy port on my box.

                    stephenw10 Netgate Administrator
                    last edited by Aug 15, 2011, 9:16 AM

                    Hmm, a bit of a mystery then. Well, at least it's fixed.  ;)

                    Steve

                      Nachtfalke
                      last edited by Aug 15, 2011, 9:31 AM

                      I think this has nothing to do with routing problems.
                      I have these logs too, just with port 80 (transparent proxy).

                      Jim-p posted in other threads that this is a behaviour of SPI (Stateful Packet Inspection) firewalls. The firewall only allows packets/traffic if there is an active state in the firewall table. If there isn't any traffic for a firewall state, the firewall resets this state. If the website then answers on this "old" connection, the firewall blocks it because there is no active state in the firewall anymore.

                      Perhaps this will help you:
                      http://en.wikipedia.org/wiki/Stateful_firewall

                        syedadi
                        last edited by Aug 16, 2011, 4:08 AM

                        @Nachtfalke:

                        I think this has nothing to do with routing problems.
                        I have these logs too, just with port 80 (transparent proxy).

                        Jim-p posted in other threads that this is a behaviour of SPI (Stateful Packet Inspection) firewalls. The firewall only allows packets/traffic if there is an active state in the firewall table. If there isn't any traffic for a firewall state, the firewall resets this state. If the website then answers on this "old" connection, the firewall blocks it because there is no active state in the firewall anymore.

                        Perhaps this will help you:
                        http://en.wikipedia.org/wiki/Stateful_firewall

                        Nice one… so this happens when a user opens a browser (port 80 traffic), then leaves it idle for a long time? Is that what it means? Thanks

                          Nachtfalke
                          last edited by Aug 16, 2011, 10:08 AM

                          @syedadi:

                          @Nachtfalke:

                          I think this has nothing to do with routing problems.
                          I have these logs too, just with port 80 (transparent proxy).

                          Jim-p posted in other threads that this is a behaviour of SPI (Stateful Packet Inspection) firewalls. The firewall only allows packets/traffic if there is an active state in the firewall table. If there isn't any traffic for a firewall state, the firewall resets this state. If the website then answers on this "old" connection, the firewall blocks it because there is no active state in the firewall anymore.

                          Perhaps this will help you:
                          http://en.wikipedia.org/wiki/Stateful_firewall

                          Nice one… so this happens when a user opens a browser (port 80 traffic), then leaves it idle for a long time? Is that what it means? Thanks

                          Yes, this is how I understand it from the text and from reading in the forum.
                          And port 3128 is Squid, because Squid opened the connection for the user.

                            stephenw10 Netgate Administrator
                            last edited by Aug 16, 2011, 11:42 AM

                            This can also be caused by asymmetric routing as JimP said in the post I linked to.
                            If, for instance, you have outgoing http requests going via Squid but incoming replies going directly to the client then pfSense will see those replies unrequested, no state exists for them, and will block them.
                            This should never happen if you have Squid configured correctly.

                            Steve

                              Nachtfalke
                              last edited by Aug 16, 2011, 11:54 AM

                              @stephenw10:

                              This can also be caused by asymmetric routing as JimP said in the post I linked to.
                              If, for instance, you have outgoing http requests going via Squid but incoming replies going directly to the client then pfSense will see those replies unrequested, no state exists for them, and will block them.
                              This should never happen if you have Squid configured correctly.

                              Steve

                              Of course you are right! But I think this would mean that the client cannot browse the web (correctly).
                              But browsing the web works - as far as I understand him.

                                stephenw10 Netgate Administrator
                                last edited by Aug 16, 2011, 12:03 PM

                                I agree. I can't see how this would happen, I can't even think of a way to do it deliberately!  ::)
                                However since it seems to be related to Squid it probably shouldn't be ruled out completely.

                                Steve

                                Edit: Perhaps with multiwan, do you have more than one WAN?

                                  Nachtfalke
                                  last edited by Aug 16, 2011, 12:16 PM

                                  @stephenw10:

                                  I agree. I can't see how this would happen, I can't even think of a way to do it deliberately!  ::)
                                  However since it seems to be related to Squid it probably shouldn't be ruled out completely.

                                  Steve

                                  Edit: Perhaps with multiwan, do you have more than one WAN?

                                  The firewall rules are showing just the default gateway ( * ) and no gateway group.

                                    stephenw10 Netgate Administrator
                                    last edited by Aug 16, 2011, 1:32 PM

                                    @Nachtfalke:

                                    The firewall rules are showing just the default gateway ( * ) and no gateway group.

                                    Good point!
                                    Well, if it's not a multi-WAN with Squid setup, which seems to be a common source of problems, then I would suggest:
                                    Squid setup incorrectly?
                                    Bad web application?
                                    Something really obscure!

                                    Steve

                                      Nachtfalke
                                      last edited by Aug 16, 2011, 2:33 PM

                                      Take a look at this thread and the first few posts of "cmb"

                                      http://forum.pfsense.org/index.php/topic,39632.0.html

                                        stephenw10 Netgate Administrator
                                        last edited by Aug 16, 2011, 5:43 PM

                                        Useful post.
                                        It doesn't answer the original question though.
                                        The firewall is blocking FIN ACK packets, perhaps legitimately. Why?
                                        It looks like the clients are sending FIN ACK packets to Squid expecting an ACK packet in return, but are being blocked.
                                        Since this is only used for gracefully finishing a TCP session, the clients are still able to see webpages.
                                        Odd that more Squid users aren't complaining.  :-\

                                        Steve

                                          jimp Rebel Alliance Developer Netgate
                                          last edited by Aug 18, 2011, 3:27 PM

                                          Squid may be closing the connections early, and pf may be removing the states due to that. The blocks you are seeing are just traffic that arrives after the state has already been removed. Not really necessary for normal operation, people wouldn't even notice that in most cases.

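A small Python model of the behaviour Nachtfalke and jimp describe above (an added example, not code from this thread or from pfSense): the client's SYN to Squid on port 3128 creates a state, Squid's early FIN marks it as closing, pf then drops the state, and the client's later FIN/ACK has no state to match, so it is blocked and shows up in the log as TCP:FA. The addresses, the port 40000 source port and the explicit state-removal step are constructed for the illustration; pf's real timeouts are not modelled.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # pf-style letters: S=SYN, A=ACK, F=FIN, R=RST ("FA" = FIN/ACK)


class StatefulFirewall:
    """Toy model of pf state tracking: traffic passes only while a state exists."""

    def __init__(self, allow_new):
        self.allow_new = allow_new  # pass rule: may this packet open a new state?
        self.states = {}            # connection key -> "established" | "closing"
        self.log = []               # blocked packets, as pfSense-style log lines

    @staticmethod
    def _key(p):
        # one state entry covers both directions of a connection
        return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

    def handle(self, p):
        key = self._key(p)
        if key in self.states:            # matching state: pass, no rule lookup
            if "R" in p.flags:
                del self.states[key]
            elif "F" in p.flags:
                self.states[key] = "closing"
            return "pass"
        if p.flags == "S" and self.allow_new(p):  # only a SYN may create a state
            self.states[key] = "established"
            return "pass"
        self.log.append(f"block {p.src}:{p.sport} -> {p.dst}:{p.dport} TCP:{p.flags}")
        return "block"

    def expire_closing(self):
        # pf removes a state once the close completes or its closing timeout expires
        self.states = {k: v for k, v in self.states.items() if v != "closing"}


def squid_scenario():
    client, proxy = "192.0.2.10", "192.0.2.1"        # constructed LAN addresses
    fw = StatefulFirewall(allow_new=lambda p: p.src.startswith("192.0.2."))
    c2p = lambda f: Packet(client, 40000, proxy, 3128, f)   # browser -> Squid
    p2c = lambda f: Packet(proxy, 3128, client, 40000, f)   # Squid -> browser
    verdicts = [fw.handle(c2p("S")), fw.handle(p2c("SA")), fw.handle(c2p("A")),
                fw.handle(p2c("FA")), fw.handle(c2p("A"))]  # Squid closes early
    fw.expire_closing()                                     # state is gone now
    verdicts.append(fw.handle(c2p("FA")))                   # client's late FIN/ACK
    return verdicts, fw.log
```

The page was still delivered while the state existed, which is why the clients in the thread can browse normally even though the log fills with blocked FIN/ACK packets.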