    Impossible block microsoft or akamai packet tcp:s
goofydxp

Impossible to block this packet; there isn't a rule name that logs this packet in the system log.
The destination is always a Windows domain. Does Microsoft jump the rule filter?
Can anybody give me information about this? My version is 1.2.3.
The first rule is pass from LAN to any, ports 80-443, and log is enabled.
The second rule is block from LAN to any, but in one day I always find logs like this.

Jun 17 05:27:45 LAN 10.10.20.57:1754 77.67.22.170:52525 TCP:S
Jun 17 05:27:42 LAN 10.10.20.57:1753 77.67.22.170:50702 TCP:S
Jun 17 05:27:38 LAN 10.10.20.57:1752 77.67.22.170:65118 TCP:S
Jun 17 05:27:34 LAN 10.10.20.57:1751 77.67.22.170:63357 TCP:S
Jun 17 05:27:29 LAN 10.10.20.57:1750 77.67.22.170:61751 TCP:S
Jun 17 05:27:26 LAN 10.10.20.57:1749 77.67.22.170:60322 TCP:S
goofydxp

I also insert the raw mode log; can anybody help me to understand this raw mode?

Jun 17 13:42:38 pf: 965697 rule 77.543.287.0/0(match): pass in on vr0: (tos 0x0, ttl 128, id 16076, offset 0, flags [DF], proto TCP (6), length 48) 10.10.21.64.1877 > 77.67.22.171.58539: S, cksum 0xe322 (correct), 1361764249:1361764249(0) win 65535 <mss 1460,nop,nop,sackOK>
Jun 17 13:42:37 pf: 746127 rule 77.543.287.0/0(match): pass in on vr0: (tos 0x0, ttl 128, id 30089, offset 0, flags [DF], proto TCP (6), length 48) 10.10.21.64.1876 > 77.67.22.171.57563: S, cksum 0x7f23 (correct), 2850877095:2850877095(0) win 65535 <mss 1460,nop,nop,sackOK>
Jun 17 13:42:36 pf: 763344 rule 77.543.287.0/0(match): pass in on vr0: (tos 0x0, ttl 128, id 728, offset 0, flags [DF], proto TCP (6), length 48) 10.10.21.64.1875 > 77.67.22.171.56639: S, cksum 0x5284 (correct), 960532368:960532368(0) win 65535 <mss 1460,nop,nop,sackOK>

Act Time If Source Destination Proto
Jun 17 13:42:38 LAN 10.10.21.64:1877 77.67.22.171:58539 TCP:S
Jun 17 13:42:37 LAN 10.10.21.64:1876 77.67.22.171:57563 TCP:S
Jun 17 13:42:36 LAN 10.10.21.64:1875 77.67.22.171:56639 TCP:S
Jun 17 13:42:35 LAN 10.10.21.64:1874 77.67.22.171:55934 TCP:S
Jun 17 13:42:35 LAN 10.10.21.64:1873 77.67.22.171:55224 TCP:S
jimp (Rebel Alliance Developer, Netgate)

          Those may actually be from the FTP proxy.

          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!

goofydxp

If you mean
Disable the userland FTP-Proxy application
I now check this option in LAN and in OPT1; tomorrow I will see the log and I will notify if this is the solution. Thanks.
goofydxp

With FTP Helper checked in LAN and in OPT1 (3rd NIC):

It always tries to contact the Microsoft site, but this time it is blocked :)

Now the log has changed; can you explain this message?

Blocked Jun 17 18:18:29 LAN 10.10.21.64:4679 207.46.16.233:80 TCP:S

The rule that triggered this action is:

@178 pass in quick on vr0 inet proto tcp from any to 127.0.0.1 port = ftp flags S/SA keep state label "FTP PROXY: Allow traffic to localhost"

THANKS
goofydxp

OK, as in the previous post, I confirm that now the Microsoft packets are stopped; it seems that the packets use the FTP helper to bypass the rule that blocks FTP and other ports.
So now with the FTP helper disabled the packets are in the system log as blocked; before, with the FTP helper unchecked (enabled), the packets passed the whole list of block rules. Maybe a bug?
Now the situation is that I can block the Microsoft packets with the FTP helper checked (disabled), but now I cannot use FileZilla on the LAN client !!!!!! :-[
I'm waiting for a solution in a specific new post!
jimp (Rebel Alliance Developer, Netgate)

                  You seem to have misunderstood my last message, though it was a bit brief so I should have explained it better:

                  The packets you are trying to block are legitimate connections required for FTP to work. These connections are allowed by the FTP proxy so that active FTP can work for external FTP sites.

                  Nothing is being bypassed, it is being allowed on purpose so that FTP functions. The IPs in question are the FTP servers you are connecting to.

goofydxp

HELP MEEEEEE :)

I have no FTP proxy in my LAN; I have only clients with the FileZilla client. I created a rule to pass from LAN (alias IP LAN list) to any FTP site (alias port destination), and I created a second rule to stop all from any to any on the LAN interface (vr0).
The FTP helper is unchecked in LAN and WAN (enabled); without it I cannot read the folder list with the FTP client FileZilla and others.
But now I read this in the system log, and if I click the icon in "Act" I read in the message box no rule name! Why no rule name? Why do the Microsoft packets pass the block-any-to-any rule and are not logged with a rule name?

The rule that triggered this action is:

pass  Jun 22 08:42:46 LAN 10.10.21.64:2842 77.67.22.170:59702 TCP:S
pass  Jun 22 08:42:45 LAN 10.10.21.64:2841 77.67.22.170:58522 TCP:S
pass  Jun 22 08:42:44 LAN 10.10.21.64:2840 77.67.22.170:57589 TCP:S

Raw mode:

Jun 22 08:42:46 pf: 1. 033757 rule 77.545.108.0/0(match): pass in on vr0: (tos 0x0, ttl 128, id 3035, offset 0, flags [DF], proto TCP (6), length 48) 10.10.21.64.2842 > 77.67.22.170.59702: S, cksum 0xfae9 (correct), 463140115:463140115(0) win 65535 <mss 1460,nop,nop,sackOK>
Jun 22 08:42:45 pf: 979078 rule 77.545.108.0/0(match): pass in on vr0: (tos 0x0, ttl 128, id 10477, offset 0, flags [DF], proto TCP (6), length 48) 10.10.21.64.2841 > 77.67.22.170.58522: S, cksum 0x1144 (correct), 3449237849:3449237849(0) win 65535 <mss 1460,nop,nop,sackOK>
Jun 22 08:42:44 pf: 871623 rule 77.545.108.0/0(match): pass in on vr0: (tos 0x0, ttl 128, id 17824, offset 0, flags [DF], proto TCP (6), length 48) 10.10.21.64.2840 > 77.67.22.170.57589: S, cksum 0xe526 (correct), 2448202951:2448202951(0) win 65535
jimp (Rebel Alliance Developer, Netgate)

                      Those are still dynamically added rules. Do you have UPnP enabled? Sure you don't have the FTP proxy enabled on any interface? What packages are you using?

                      If you can catch one as it happens, go to Diagnostics > Command and run:
                      pfctl -vvsr

                      and

                      pfctl -vvsT

goofydxp

Yes, it happens again: Akamai/Microsoft packet found and no rule name.

Jun 22 16:00:57 pf: 936200 rule 77.545.131.0/0(match): pass in on vr0: (tos 0x0, ttl 128, id 30083, offset 0, flags [DF], proto TCP (6), length 48) 10.10.21.10.3730 > 77.67.22.171.55274: S, cksum 0x8bb4 (correct), 1338457637:1338457637(0) win 65535 <mss 1460,nop,nop,sackOK>
Jun 22 16:00:57 pf: 1. 027930 rule 77.545.131.0/0(match): pass in on vr0: (tos 0x0, ttl 128, id 5574, offset 0, flags [DF], proto TCP (6), length 48) 10.10.21.10.3729 > 77.67.22.171.54494: S, cksum 0x3902 (correct), 693418583:693418583(0) win 65535 <mss 1460,nop,nop,sackOK>

Command executed, and now? What do I need to check? After my last block-all rule, the other automatic rules have 0 packets and 0 bytes.

@179 block drop in log quick on vr0 from <localsubnet:1> to any label "USER_RULE: 200 localsubnet blocco lo sconosciuto e lo loggo"
                          [ Evaluations: 0        Packets: 0        Bytes: 0          States: 0    ]
                          [ Inserted: uid 0 pid 15987 ]
                        @180 pass in quick on vr0 inet proto tcp from any to 127.0.0.1 port = ftp-proxy flags S/SA keep state label "FTP PROXY: Allow traffic to localhost"
                          [ Evaluations: 0        Packets: 0        Bytes: 0          States: 0    ]
                          [ Inserted: uid 0 pid 15987 ]
                        @181 pass in quick on vr0 inet proto tcp from any to 127.0.0.1 port = ftp flags S/SA keep state label "FTP PROXY: Allow traffic to localhost"
                          [ Evaluations: 0        Packets: 0        Bytes: 0          States: 0    ]
                          [ Inserted: uid 0 pid 15987 ]
                        @182 pass in quick on dc0 inet proto tcp from any port = ftp-data to (dc0:1) port > 49000 flags S/SA keep state label "FTP PROXY: PASV mode data connection"
                          [ Evaluations: 0        Packets: 0        Bytes: 0          States: 0    ]
                          [ Inserted: uid 0 pid 15987 ]
                        @183 pass in quick on msk0 inet proto tcp from any to 127.0.0.1 port = 8022 flags S/SA keep state label "FTP PROXY: Allow traffic to localhost"
                          [ Evaluations: 0        Packets: 0        Bytes: 0          States: 0    ]
                          [ Inserted: uid 0 pid 15987 ]
                        @184 pass in quick on msk0 inet proto tcp from any to 127.0.0.1 port = ftp flags S/SA keep state label "FTP PROXY: Allow traffic to localhost"
                          [ Evaluations: 0        Packets: 0        Bytes: 0          States: 0    ]
                          [ Inserted: uid 0 pid 15987 ]
                        @185 anchor "imspector" all
                          [ Evaluations: 0        Packets: 0        Bytes: 0          States: 0    ]
                          [ Inserted: uid 0 pid 15987 ]
                        @186 anchor "miniupnpd" all
                          [ Evaluations: 0        Packets: 0        Bytes: 0          States: 0    ]
                          [ Inserted: uid 0 pid 15987 ]
                        @187 block drop in log quick all label "Default deny rule"
                          [ Evaluations: 0        Packets: 0        Bytes: 0          States: 0    ]
                          [ Inserted: uid 0 pid 15987 ]
                        @188 block drop out log quick all label "Default deny rule"
                          [ Evaluations: 0        Packets: 0        Bytes: 0          States: 0    ]
  [ Inserted: uid 0 pid 15987 ]

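An added example, not part of the thread, that does by hand what jimp's pfctl -vvsr suggestion leads to: it parses the raw-mode log lines and the ruleset dump above and reports, for each logged packet, whether it matched a numbered main-ruleset rule (whose label is the "rule name" the GUI shows) or a sub-rule inside an anchor, which is where runtime-inserted rules such as the FTP proxy's live. Reading the `rule N.anchor.M/0(match)` prefix as rule number, anchor name and sub-rule number is an assumption based on the tcpdump pflog output format; the sample lines are the thread's own plus one constructed hit on rule @179.

```python
import re
# Added example, not from the thread: match pfSense 1.2.3 "raw mode" pf log lines to a pfctl -vvsr
# dump. Assumed reading of the prefix: "rule <nr>/<reason>(<text>)" is rule <nr> of the main ruleset
# (an "@<nr>" dump line); "rule <nr>.<anchor>.<subnr>/..." is a sub-rule inside an anchor, inserted
# at runtime (the FTP proxy does this), absent from the main dump and therefore without a USER_RULE label.
PFLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) pf: (?:\d+\. )?\d+ rule "
    r"(?P<nr>\d+)(?:\.(?P<anchor>[^\s/]+)\.(?P<subnr>\d+))?/\d+\((?P<reason>[\w-]+)\): "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<ifname>\w+): .*?\) "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > (?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): "
    r"(?P<flags>[^,]+),"
)
# "@179 block drop in log quick on vr0 ... label "USER_RULE: ..."" lines of the pfctl -vvsr dump
RULE_RE = re.compile(r'^@(?P<nr>\d+) (?P<body>.*?)(?: label "(?P<label>[^"]*)")?$')

def parse_ruleset(dump):  # rule number -> label (None for unlabeled rules and anchor lines)
    rules = {}
    for line in dump.splitlines():
        m = RULE_RE.match(line.strip())
        if m:  # the "[ Evaluations: ... ]" counter lines do not match and are skipped
            rules[int(m["nr"])] = m["label"]
    return rules

def classify(log_line, rules):  # parsed fields plus which rule or anchor produced the entry
    m = PFLOG_RE.match(log_line.strip())
    if m is None:
        return None
    e = m.groupdict()
    nr = int(e["nr"])
    if e["anchor"] is not None:  # dynamic rule: the GUI has no rule name to show for it
        e["label"], e["origin"] = None, "anchor %s sub-rule %s (dynamic)" % (e["anchor"], e["subnr"])
    elif nr in rules:
        e["label"], e["origin"] = rules[nr], "main ruleset @%d" % nr
    else:
        e["label"], e["origin"] = None, "main ruleset @%d (not in this dump)" % nr
    return e

# Constructed sample: dump lines and two log lines from the thread, plus one made-up log line
# (the last) that hits the user's own block rule @179, to show the label lookup.
RULESET_DUMP = """\
@179 block drop in log quick on vr0 from <localsubnet:1> to any label "USER_RULE: 200 localsubnet blocco lo sconosciuto e lo loggo"
  [ Evaluations: 0        Packets: 0        Bytes: 0          States: 0    ]
@185 anchor "imspector" all
"""
LOG_LINES = [
    "Jun 22 16:00:57 pf: 936200 rule 77.545.131.0/0(match): pass in on vr0: (tos 0x0, ttl 128, id 30083, offset 0, flags [DF], proto TCP (6), length 48) 10.10.21.10.3730 > 77.67.22.171.55274: S, cksum 0x8bb4 (correct), 1338457637:1338457637(0) win 65535 <mss 1460,nop,nop,sackOK>",
    "Jun 22 08:42:46 pf: 1. 033757 rule 77.545.108.0/0(match): pass in on vr0: (tos 0x0, ttl 128, id 3035, offset 0, flags [DF], proto TCP (6), length 48) 10.10.21.64.2842 > 77.67.22.170.59702: S, cksum 0xfae9 (correct), 463140115:463140115(0) win 65535 <mss 1460,nop,nop,sackOK>",
    "Jun 22 16:01:00 pf: 12345 rule 179/0(match): block in on vr0: (tos 0x0, ttl 128, id 1, offset 0, flags [DF], proto TCP (6), length 48) 10.10.21.10.3731 > 207.46.16.233.80: S, cksum 0x0000 (correct), 1:1(0) win 65535",
]
```

Running `classify` over each of `LOG_LINES` with `parse_ruleset(RULESET_DUMP)` reports the first two as anchor sub-rules with no label and the third as main-ruleset @179 with its USER_RULE label.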
jimp (Rebel Alliance Developer, Netgate)

                          Before you chase anything else, the other questions still need answering:

                          Do you have UPnP enabled?

                          Is the FTP Proxy enabled on any other interface? (Such as WAN)

                          What other packages and services do you have enabled?

goofydxp

UPnP disabled; on the Windows machine it works on a different port than what we have seen in the log.

The FTP helper is enabled only on LAN, because without it I can't use the FileZilla client.

I have no FTP proxy server in my LAN nor in the pfSense firewall.

Standard package, normal installation; there are no packages currently installed.

Thanks jimp for your support.
jimp (Rebel Alliance Developer, Netgate)

                              FTP helper is the FTP proxy. They are the same thing. That is what is allowing those packets.

goofydxp

And my rule block any to any is first of all !!!

I tried to disable the FTP helper and create a specific rule to open the destination port only to a specific client, but it is impossible to read the folder list of the FTP server!

So is it possible to enable the FTP helper only for an alias (IP list of clients that can use FTP)?

:(
                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.