Outgoing connections are blocked but no logs are shown?!



  • Hi All,

    I'm having a little problem.

    Usually when I had an application that didn't work behind the firewall, I could check the logs and could see which ports were blocked.

    Nowadays, I get applications timing out, telling me they cannot get internet and no logs whatsoever.

    Here's a list of some applications that don't work.

    • iTunes timing out while trying to connect to the Apple Store
    • Kaspersky Antivirus Security 2011 timing out while trying to activate.
    • Kaspersky Antivirus Security 2011 timing out while trying to update databases.
    • Symantec Antivirus timing out while not updating.
    • StarCraft 2 not updating
    • Radiotracker timing out
    • Windows Update timing out
    • Internet Explorer not connecting

    What's funny is that I still can do a lot. Here are some examples:

    • Firefox works unlike IE !? (nope, no strange proxies, etc, no viruses)
    • Steam is working fine (Half-life, etc)
    • Skype is working fine
    • uTorrent is working fine

    I even get those problems under Linux (tried Ubuntu): for example, I tried the Kaspersky antivirus live CD, which is Linux, and could not update the antivirus database but could use Firefox.

    Note that I have 3 computers behind that firewall and they all have the same symptoms.

    Also note that everything works fine when plugging directly into the modem.

    I had problems in the past with packages such as Country Block and IP-Blocklist that killed my internet connection. I uninstalled them. Maybe they are still corrupting my rules or something.

    I might try reinstalling a stock pfSense…

    Here's my /tmp/rules.debug (edited) if that can help:

    $ cat /tmp/rules.debug

    # System Aliases

    loopback = "{ lo0 }"
    lan = "{ vr2  }"
    wan = "{ vr3   }"
    enc0 = "{ enc0 }"

    # User Aliases

    AllHosts = "{ AAA.AAA.AAA.100 AAA.AAA.AAA.101 AAA.AAA.AAA.102 }"
    BlizzardDownloader = "{ 1119 3724 4000 6112:6114 6881:6999 }"
    FBIPs = "{ BBB.BBB.BBB.BBB }"
    FBPrintServer = "{ 9100 }"
    Growl = "{ 23053 }"
    Kaspersky = "{ 7022 7024 2001 }"
    NewsLeecher = "{ 23 80 119 }"
    NewsLeecherIPs = "{ 199.187.125.171 199.187.125.172 }"
    NewsgroupsSSL = "{ 563 }"
    SVN = "{ 3690 }"
    Starcraft2 = "{ 1119:1120 }"
    Steam = "{ 27000:27039 1200 7024 }"
    SteamPing = "{ 2400:2600 27005 }"
    host0 = "{ AAA.AAA.AAA.100 }"
    host2 = "{ AAA.AAA.AAA.102 }"
    host3 = "{ AAA.AAA.AAA.101 }"
    pfSense = "{ AAA.AAA.AAA.254 }"
    uTorrentIncoming = "{ 12345 }"
    uTorrentOutgoing = "{ 12345:12346 }"

    set loginterface vr3
    set loginterface vr2
    set optimization normal

    set skip on pfsync0
    scrub all random-id  fragment reassemble

    nat-anchor "pftpx/*"
    nat-anchor "natearly/*"
    nat-anchor "natrules/*"

    # FTP proxy

    rdr-anchor "pftpx/*"

    # Outbound NAT rules

    nat on $wan from AAA.AAA.AAA.0/24 port 500 to any port 500 -> (vr3) port 500
    nat on $wan from AAA.AAA.AAA.0/24 port 5060 to any port 5060 -> (vr3) port 5060
    nat on $wan from AAA.AAA.AAA.0/24 to any -> (vr3) port 1024:65535

    #SSH Lockout Table
    table <sshlockout> persist

    # Load balancing anchor - slbd updates

    rdr-anchor "slb"

    # FTP Proxy/helper

    table <vpns> {    }
    no rdr on vr2 proto tcp from any to <vpns> port 21
    rdr on vr2 proto tcp from any to any port 21 -> 127.0.0.1 port 8021

    # NAT Inbound Redirects

    rdr on vr3 proto { tcp udp } from any to III.III.III.III port { 12345 } -> AAA.AAA.AAA.100
    rdr on vr3 proto tcp from any to III.III.III.III port { 23053 } -> AAA.AAA.AAA.100

    # IMSpector rdr anchor

    rdr-anchor "imspector"

    # UPnPd rdr anchor

    rdr-anchor "miniupnpd"

    anchor "ftpsesame/*"
    anchor "firewallrules"

    # We use the mighty pf, we cannot be fooled.

    block quick proto { tcp, udp } from any port = 0 to any
    block quick proto { tcp, udp } from any to any port = 0

    # snort2c

    table <snort2c> persist
    block quick from <snort2c> to any label "Block snort2c hosts"
    block quick from any to <snort2c> label "Block snort2c hosts"

    # Block all IPv6

    block in quick inet6 all
    block out quick inet6 all

    # loopback

    anchor "loopback"
    pass in quick on $loopback all label "pass loopback"
    pass out quick on $loopback all label "pass loopback"

    # package manager early specific hook

    anchor "packageearly"

    # carp

    anchor "carp"

    # permit wan interface to ping out (ping_hosts.sh)

    pass quick proto icmp from III.III.III.III to any keep state

    # NAT Reflection rules

    # allow access to DHCP server on LAN

    anchor "dhcpserverlan"
    pass in quick on $lan proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server on LAN"
    pass in quick on $lan proto udp from any port = 68 to AAA.AAA.AAA.254 port = 67 label "allow access to DHCP server on LAN"
    pass out quick on $lan proto udp from AAA.AAA.AAA.254 port = 67 to any port = 68 label "allow access to DHCP server on LAN"

    # allow our DHCP client out to the WAN

    anchor "wandhcp"
    pass out quick on $wan proto udp from any port = 68 to any port = 67 label "allow dhcp client out wan"
    block in log quick on $wan proto udp from any port = 67 to AAA.AAA.AAA.0/24 port = 68 label "block dhcp client out wan"

    # LAN/OPT spoof check (needs to be after DHCP because of broadcast addresses)

    antispoof for vr2

    anchor "spoofing"

    # block anything from private networks on WAN interface

    anchor "spoofing"
    antispoof for $wan
    block in log quick on $wan from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
    block in log quick on $wan from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
    block in log quick on $wan from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"
    block in log quick on $wan from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"

    # Support for allow limiting of TCP connections by establishment rate

    anchor "limitingesr"
    table <virusprot>
    block in quick from <virusprot> to any label "virusprot overload table"

    # block bogon networks

    # http://www.cymru.com/Documents/bogon-bn-nonagg.txt

    anchor "wanbogons"
    table <bogons> persist file "/etc/bogons"
    block in log quick on $wan from <bogons> to any label "block bogon networks from wan"

    # pass traffic from firewall -> out

    anchor "firewallout"
    pass out quick on vr3 all keep state label "let out anything from firewall host itself"
    pass out quick on vr2 all keep state label "let out anything from firewall host itself"
    pass out quick on $enc0 keep state label "IPSEC internal host to host"

    # make sure the user cannot lock himself out of the webGUI or SSH

    anchor "anti-lockout"
    pass in quick on vr2 from any to AAA.AAA.AAA.254 keep state label "anti-lockout web rule"

    # SSH lockout

    block in log quick proto tcp from <sshlockout> to any port 22 label "sshlockout"

    anchor "ftpproxy"
    anchor "pftpx/*"

    # User-defined aliases follow

    table <pfsense> {  AAA.AAA.AAA.254 }
    table <host0> {  AAA.AAA.AAA.100 }

    # User-defined rules follow

    pass in quick on $lan proto { tcp udp } from <pfsense> to any port = 53 keep state  label "USER_RULE: Allow outgoing DNS for pfSense DNS forwarder"
    block in log quick on $lan proto { tcp udp } from any to any port = 53  label "USER_RULE: Block outgoing DNS in case of rogue DNS servers"
    pass in quick on $lan proto tcp from AAA.AAA.AAA.0/24 to any port = 80 keep state  label "USER_RULE: Allow HTTP"
    pass in quick on $lan proto tcp from AAA.AAA.AAA.0/24 to any port = 443 keep state  label "USER_RULE: Allow HTTPS"
    pass in quick on $lan proto { tcp udp } from <host0> to any keep state  label "USER_RULE: Allow all outgoing traffic for host0"

    # VPN Rules

    pass in quick on vr2 inet proto tcp from any to $loopback port 8021 keep state label "FTP PROXY: Allow traffic to localhost"
    pass in quick on vr2 inet proto tcp from any to $loopback port 21 keep state label "FTP PROXY: Allow traffic to localhost"
    pass in quick on vr3 inet proto tcp from port 20 to (vr3) port > 49000 flags S/SA keep state label "FTP PROXY: PASV mode data connection"

    # enable ftp-proxy

    # IMSpector

    anchor "imspector"

    # uPnPd

    anchor "miniupnpd"

    #---------------------------------------------------------------------------

    # default deny rules

    #---------------------------------------------------------------------------
    block in log quick all label "Default deny rule"
    block out log quick all label "Default deny rule"

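A first check a firewall engineer would run on a ruleset like the one above, when something is clearly being dropped but the firewall log stays empty: find every `block` rule that lacks the `log` keyword (those drop silently) and every `pass quick` rule on the LAN interface (traffic those match is never seen by the logging default deny, so it is not pf that is dropping it). This is an added example written for this thread, not pfSense code; it parses only the keywords that appear in the posted rules.debug, and the excerpt it runs on is taken from that post with the masked addresses replaced by the 192.0.2.0/24 documentation range.

```python
"""Audit a pf ruleset for drops that never reach the firewall log.

Added example for this thread; it is not pfSense code. Only the keywords
used in the pasted rules.debug are parsed: action, in/out, quick, log,
`on <iface>`, `label "..."`, and `name = "{ ... }"` macros so that $lan
resolves to its interface.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

_LABEL = re.compile(r'label\s+"([^"]*)"')
_MACRO = re.compile(r'^(\w+)\s*=\s*"\{\s*([^}]*)\}"')


@dataclass
class Rule:
    action: str            # "block" or "pass"
    direction: str         # "in", "out", or "any" (no direction given)
    iface: Optional[str]   # interface after "on", macros resolved
    quick: bool
    log: bool
    label: str
    text: str


def parse_rules(ruleset: str) -> List[Rule]:
    macros: Dict[str, List[str]] = {}
    rules: List[Rule] = []
    for raw in ruleset.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _MACRO.match(line)
        if m:                                  # e.g. lan = "{ vr2 }"
            macros[m.group(1)] = m.group(2).split()
            continue
        body = _LABEL.sub("", line)            # keep label words out of the tokens
        tokens = body.split()
        if not tokens or tokens[0] not in ("block", "pass"):
            continue                           # anchors, tables, nat/rdr, set ...
        direction = "any"
        if len(tokens) > 1 and tokens[1] in ("in", "out"):
            direction = tokens[1]
        iface = None
        if "on" in tokens:
            iface = tokens[tokens.index("on") + 1]
            if iface.startswith("$"):          # $lan -> vr2
                iface = macros.get(iface[1:], [iface])[0]
        lab = _LABEL.search(line)
        rules.append(Rule(tokens[0], direction, iface, "quick" in tokens,
                          "log" in tokens, lab.group(1) if lab else "", line))
    return rules


def silent_blocks(rules: List[Rule]) -> List[Rule]:
    """Block rules with no `log`: a match drops the packet and logs nothing."""
    return [r for r in rules if r.action == "block" and not r.log]


def quick_passes(rules: List[Rule], iface: str) -> List[Rule]:
    """`pass quick` rules on an interface. Traffic they match never reaches
    the logging default deny, so a failure that matches one of these is
    not being dropped by pf at all."""
    return [r for r in rules if r.action == "pass" and r.quick and r.iface == iface]


# Excerpt of the rules.debug from the post (constructed test input; the
# masked addresses are replaced with the 192.0.2.0/24 documentation range).
EXCERPT = """\
lan = "{ vr2  }"
block quick proto { tcp, udp } from any port = 0 to any
block quick from <snort2c> to any label "Block snort2c hosts"
block in quick inet6 all
block out quick inet6 all
pass in quick on vr2 from any to 192.0.2.254 keep state label "anti-lockout web rule"
pass in quick on $lan proto tcp from 192.0.2.0/24 to any port = 80 keep state  label "USER_RULE: Allow HTTP"
block in log quick on $lan proto { tcp udp } from any to any port = 53  label "USER_RULE: Block outgoing DNS in case of rogue DNS servers"
block in log quick all label "Default deny rule"
block out log quick all label "Default deny rule"
"""

if __name__ == "__main__":
    rules = parse_rules(EXCERPT)
    print("block rules that will never log:")
    for r in silent_blocks(rules):
        print("  ", r.text)
    print("pass quick rules on vr2 (LAN):")
    for r in quick_passes(rules, "vr2"):
        print("  ", r.label or r.text)
```

Run it against the full file with `parse_rules(open("/tmp/rules.debug").read())`. On the posted ruleset the silent blocks are the port-0 rules, the snort2c table rules, the IPv6 blocks and the virusprot table; and the anti-lockout rule passes anything from the LAN to the firewall's own address without logging, which is worth remembering when a client is trying to reach a service on the firewall that no longer exists.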

  • Rebel Alliance Developer Netgate

    Sounds like it could be an MTU issue, try lowering your WAN MTU a bit, see if it clears up



  • Hi jimp,

    Thanks for the fast reply.

    I tried the following MTUs: 1500, 1495, 1492, 1460, and same problem. I rebooted pfSense and disabled/enabled my NIC between the tests to be sure.

    I think my problem can be summarized as follows:

    I try to connect to google.com using different browsers, with no software firewall, antivirus or proxies enabled whatsoever.
    Firefox is working as intended. It opens the web page instantly.
    Internet Explorer tries to connect forever, waiting for an answer from the web, then times out.
    Chrome: same problem as IE.
    Opera: working, same as Firefox.

    Thank god for Firefox and Opera! :D

    Tried with IP addresses in the URL bar, same problem.

    Also, I can ping any website without problem.


  • Rebel Alliance Developer Netgate

    Checked the browser proxy settings in IE? Some other apps key off of that.



  • Yes, no proxies in the proxy tab.


  • Rebel Alliance Developer Netgate

    Then you'll probably have to do a packet capture (Diagnostics > Packet Capture) on WAN and LAN for a request that works and a request that fails to compare them and see what might be going wrong.



  • jimp,

    I captured the packets as you suggested:

    Did the test on IE and Firefox separately, connecting to pfsense.org (69.64.6.21).

    Here are the results:

    IE (packet capture image)

    Firefox (packet capture image)

    The IE capture mentions something called wpad. I searched Google and it seems that's the Web Proxy Autodiscovery Protocol. Not sure what that's for, but I will read the wiki to understand (http://en.wikipedia.org/wiki/Web_Proxy_Autodiscovery_Protocol).

    Another funny thing: while trying to upload the images to http://imageshack.us/, the upload did not work with the standard upload on the main web page (ajax?) http://imageshack.us/ but worked when using the upload function behind the link "Can't Upload? Try This" (http://imageshack.us/?no_multi=1). That's the same problem my network is having.


  • Rebel Alliance Developer Netgate

    Something is announcing itself as a proxy, IE is set to autoconfigure, and it is happily using those settings.

    Uncheck the box in IE's proxy settings for automatic detection.



    Yep, it's working now for both IE and Chrome (since Chrome uses IE's proxy settings).

    Great!

    Anyway, what do you think can announce itself as a proxy?

    A badly uninstalled squid or havp? I tried them before and uninstalled them.


  • Rebel Alliance Developer Netgate

    It would have to be explicitly set up in DNS to respond to "wpad.<your domain name>" (or some variations, check the Wikipedia doc).

    It's not something that can be done accidentally.
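To check what a client on this LAN actually finds when it runs proxy autodetection, the two discovery steps the WPAD article cited above describes can be reproduced directly: DHCP option 252 (a URL pushed by the DHCP server) and DNS, asking for wpad.<domain> with the leftmost label stripped off until only the second-level domain is left. This is an added example for this thread, not pfSense code. The DNS resolver is injected so the logic runs offline against a constructed sample; `find_wpad_live` is the same check wired to the system resolver, and the DHCP option bytes and addresses in the sample are constructed, not taken from the thread.

```python
"""What a client on this LAN finds when it runs WPAD (proxy autodetect).

Added example for this thread, not pfSense code. Implements the discovery
order a WPAD client uses: DHCP option 252 first, then DNS candidates
wpad.<domain>, wpad.<parent domain>, ... stopping before the TLD.
"""
import socket
from typing import Callable, List, Optional, Tuple

Resolver = Callable[[str], Optional[str]]   # hostname -> IP string, or None


def wpad_dns_candidates(client_fqdn: str) -> List[str]:
    """Names a client called pc.dept.example.com would try, in order:
    wpad.dept.example.com, then wpad.example.com. The search stops before
    the TLD, so wpad.com is never queried. A single-label domain such as
    pc1.lan yields no candidate under this rule."""
    labels = [l for l in client_fqdn.lower().strip(".").split(".") if l]
    return ["wpad." + ".".join(labels[i:]) for i in range(1, len(labels) - 1)]


def dhcp_option_252(options: bytes) -> Optional[str]:
    """Walk the DHCP option TLVs (the bytes after the magic cookie) and
    return the option 252 WPAD URL if the server sent one."""
    i = 0
    while i + 1 < len(options):
        code = options[i]
        if code == 0:                  # pad option, no length byte
            i += 1
            continue
        if code == 255:                # end option
            break
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if code == 252:
            return value.rstrip(b"\x00").decode("ascii", "replace")
        i += 2 + length
    return None


def find_wpad(client_fqdn: str, dhcp_options: bytes,
              resolve: Resolver) -> Optional[Tuple[str, str, str]]:
    """Return (source, name, value) for the first WPAD hit, in the order a
    client checks them: DHCP option 252 first, then each DNS candidate."""
    url = dhcp_option_252(dhcp_options)
    if url:
        return ("dhcp", "option 252", url)
    for name in wpad_dns_candidates(client_fqdn):
        ip = resolve(name)
        if ip:
            return ("dns", name, ip)
    return None


def _system_resolver(name: str) -> Optional[str]:
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def find_wpad_live(client_fqdn: str, dhcp_options: bytes = b"\xff"):
    """Same check against the real DNS. DHCP options have to be supplied
    from a capture of the DHCP OFFER/ACK (or from the DHCP server config),
    so by default only the DNS path is exercised."""
    return find_wpad(client_fqdn, dhcp_options, _system_resolver)


# Constructed sample: DHCP options carrying message type OFFER plus a WPAD
# URL in option 252. 192.0.2.10 is a documentation address, not a real host.
_URL = b"http://192.0.2.10/wpad.dat"
SAMPLE_DHCP_OPTIONS = b"\x35\x01\x02" + bytes([252, len(_URL)]) + _URL + b"\xff"
NO_WPAD_OPTIONS = b"\x35\x01\x02\xff"

if __name__ == "__main__":
    fake_dns = {"wpad.example.com": "192.0.2.10"}      # constructed answer
    print(find_wpad("pc.dept.example.com", NO_WPAD_OPTIONS, fake_dns.get))
    print(find_wpad("pc.dept.example.com", SAMPLE_DHCP_OPTIONS, lambda n: None))
```

On pfSense the places to look for a hit reported by this check are the DNS forwarder's host overrides (a `wpad` entry left behind by a proxy package) and the DHCP server's additional options (option 252). One caveat outside this script: Windows clients also ask for the bare name `wpad` over NetBIOS and LLMNR, so on a flat LAN any host that answers that name can hand out proxy settings without touching the DNS server at all.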

