    Outgoings connection are blocked but no logs are shown?!

    Firewalling
    10 Posts 2 Posters 7.0k Views
    • mastablastaz

      Hi All,

      I'm having a little problem.

      Usually when I had an application that didn't work behind the firewall, I could check the logs and could see which ports were blocked.

      Nowadays, I get applications timing out, telling me they cannot get internet and no logs whatsoever.

      Here's a list of some applications that don't work.

      • Itunes timing out while trying to connect to Apple Store
      • Kaspersky Antivirus Security 2011 timing out while trying to activate.
      • Kaspersky Antivirus Security 2011 timing out while trying to update databases.
      • Symantec Antivirus timing out while not updating.
      • Starcraft 2 not updating
      • Radiotracker timing out
      • Windows Update timing out
      • Internet Explorer not connecting

      What's funny is that I still can do a lot. Here are some examples:

      • Firefox works unlike IE !? (nope, no strange proxies, etc, no viruses)
      • Steam is working fine (Half-life, etc)
      • Skype is working fine
      • uTorrent is working fine

      I even get those problems under Linux (tried Ubuntu): for example, I tried the Kaspersky antivirus live CD, which is Linux, and could not update the antivirus database but could use Firefox.

      Note that I have 3 computers behind that firewall and they all have the same symptoms.

      Also note that everything works fine when plugging in directly into the modem.

      I had problems in the past with packages such as Country Block and IP-Blocklist that killed my internet connection. I uninstalled them. Maybe they are still corrupting my rules or something.

      I might try reinstalling a stock pfSense…

      Here's my /tmp/rules.debug (edited) if that can help:

      $ cat /tmp/rules.debug

      # System Aliases

      loopback = "{ lo0 }"
      lan = "{ vr2 }"
      wan = "{ vr3 }"
      enc0 = "{ enc0 }"

      # User Aliases

      AllHosts = "{ AAA.AAA.AAA.100 AAA.AAA.AAA.101 AAA.AAA.AAA.102 }"
      BlizzardDownloader = "{ 1119 3724 4000 6112:6114 6881:6999 }"
      FBIPs = "{ BBB.BBB.BBB.BBB }"
      FBPrintServer = "{ 9100 }"
      Growl = "{ 23053 }"
      Kaspersky = "{ 7022 7024 2001 }"
      NewsLeecher = "{ 23 80 119 }"
      NewsLeecherIPs = "{ 199.187.125.171 199.187.125.172 }"
      NewsgroupsSSL = "{ 563 }"
      SVN = "{ 3690 }"
      Starcraft2 = "{ 1119:1120 }"
      Steam = "{ 27000:27039 1200 7024 }"
      SteamPing = "{ 2400:2600 27005 }"
      host0 = "{ AAA.AAA.AAA.100 }"
      host2 = "{ AAA.AAA.AAA.102 }"
      host3 = "{ AAA.AAA.AAA.101 }"
      pfSense = "{ AAA.AAA.AAA.254 }"
      uTorrentIncoming = "{ 12345 }"
      uTorrentOutgoing = "{ 12345:12346 }"

      set loginterface vr3
      set loginterface vr2
      set optimization normal

      set skip on pfsync0
      scrub all random-id fragment reassemble

      nat-anchor "pftpx/*"
      nat-anchor "natearly/*"
      nat-anchor "natrules/*"

      # FTP proxy

      rdr-anchor "pftpx/*"

      # Outbound NAT rules

      nat on $wan from AAA.AAA.AAA.0/24 port 500 to any port 500 -> (vr3) port 500
      nat on $wan from AAA.AAA.AAA.0/24 port 5060 to any port 5060 -> (vr3) port 5060
      nat on $wan from AAA.AAA.AAA.0/24 to any -> (vr3) port 1024:65535

      # SSH Lockout Table
      table <sshlockout> persist

      # Load balancing anchor - slbd updates

      rdr-anchor "slb"

      # FTP Proxy/helper

      table <vpns> { }
      no rdr on vr2 proto tcp from any to <vpns> port 21
      rdr on vr2 proto tcp from any to any port 21 -> 127.0.0.1 port 8021

      # NAT Inbound Redirects

      rdr on vr3 proto { tcp udp } from any to III.III.III.III port { 12345 } -> AAA.AAA.AAA.100
      rdr on vr3 proto tcp from any to III.III.III.III port { 23053 } -> AAA.AAA.AAA.100

      # IMSpector rdr anchor

      rdr-anchor "imspector"

      # UPnPd rdr anchor

      rdr-anchor "miniupnpd"

      anchor "ftpsesame/*"
      anchor "firewallrules"

      # We use the mighty pf, we cannot be fooled.

      block quick proto { tcp, udp } from any port = 0 to any
      block quick proto { tcp, udp } from any to any port = 0

      # snort2c

      table <snort2c> persist
      block quick from <snort2c> to any label "Block snort2c hosts"
      block quick from any to <snort2c> label "Block snort2c hosts"

      # Block all IPv6

      block in quick inet6 all
      block out quick inet6 all

      # loopback

      anchor "loopback"
      pass in quick on $loopback all label "pass loopback"
      pass out quick on $loopback all label "pass loopback"

      # package manager early specific hook

      anchor "packageearly"

      # carp

      anchor "carp"

      # permit wan interface to ping out (ping_hosts.sh)

      pass quick proto icmp from III.III.III.III to any keep state

      # NAT Reflection rules

      # allow access to DHCP server on LAN

      anchor "dhcpserverlan"
      pass in quick on $lan proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server on LAN"
      pass in quick on $lan proto udp from any port = 68 to AAA.AAA.AAA.254 port = 67 label "allow access to DHCP server on LAN"
      pass out quick on $lan proto udp from AAA.AAA.AAA.254 port = 67 to any port = 68 label "allow access to DHCP server on LAN"

      # allow our DHCP client out to the WAN

      anchor "wandhcp"
      pass out quick on $wan proto udp from any port = 68 to any port = 67 label "allow dhcp client out wan"
      block in log quick on $wan proto udp from any port = 67 to AAA.AAA.AAA.0/24 port = 68 label "block dhcp client out wan"

      # LAN/OPT spoof check (needs to be after DHCP because of broadcast addresses)

      antispoof for vr2

      anchor "spoofing"

      # block anything from private networks on WAN interface

      anchor "spoofing"
      antispoof for $wan
      block in log quick on $wan from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
      block in log quick on $wan from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
      block in log quick on $wan from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"
      block in log quick on $wan from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"

      # Support for allow limiting of TCP connections by establishment rate

      anchor "limitingesr"
      table <virusprot>
      block in quick from <virusprot> to any label "virusprot overload table"

      # block bogon networks
      # http://www.cymru.com/Documents/bogon-bn-nonagg.txt

      anchor "wanbogons"
      table <bogons> persist file "/etc/bogons"
      block in log quick on $wan from <bogons> to any label "block bogon networks from wan"

      # pass traffic from firewall -> out

      anchor "firewallout"
      pass out quick on vr3 all keep state label "let out anything from firewall host itself"
      pass out quick on vr2 all keep state label "let out anything from firewall host itself"
      pass out quick on $enc0 keep state label "IPSEC internal host to host"

      # make sure the user cannot lock himself out of the webGUI or SSH

      anchor "anti-lockout"
      pass in quick on vr2 from any to AAA.AAA.AAA.254 keep state label "anti-lockout web rule"

      # SSH lockout

      block in log quick proto tcp from <sshlockout> to any port 22 label "sshlockout"

      anchor "ftpproxy"
      anchor "pftpx/*"

      # User-defined aliases follow

      table <pfsense> { AAA.AAA.AAA.254 }
      table <host0> { AAA.AAA.AAA.100 }

      # User-defined rules follow

      pass in quick on $lan proto { tcp udp } from <pfsense> to any port = 53 keep state label "USER_RULE: Allow outgoing DNS for pfSense DNS forwarder"
      block in log quick on $lan proto { tcp udp } from any to any port = 53 label "USER_RULE: Block outgoing DNS in case of rogue DNS servers"
      pass in quick on $lan proto tcp from AAA.AAA.AAA.0/24 to any port = 80 keep state label "USER_RULE: Allow HTTP"
      pass in quick on $lan proto tcp from AAA.AAA.AAA.0/24 to any port = 443 keep state label "USER_RULE: Allow HTTPS"
      pass in quick on $lan proto { tcp udp } from <host0> to any keep state label "USER_RULE: Allow all outgoing traffic for host0"

      # VPN Rules

      pass in quick on vr2 inet proto tcp from any to $loopback port 8021 keep state label "FTP PROXY: Allow traffic to localhost"
      pass in quick on vr2 inet proto tcp from any to $loopback port 21 keep state label "FTP PROXY: Allow traffic to localhost"
      pass in quick on vr3 inet proto tcp from port 20 to (vr3) port > 49000 flags S/SA keep state label "FTP PROXY: PASV mode data connection"

      # enable ftp-proxy

      # IMSpector

      anchor "imspector"

      # uPnPd

      anchor "miniupnpd"

      #---------------------------------------------------------------------------
      # default deny rules
      #---------------------------------------------------------------------------
      block in log quick all label "Default deny rule"
      block out log quick all label "Default deny rule"

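The title question (connections blocked, nothing in the firewall log) has one pf-level explanation worth ruling out before looking at MTU or proxies: a `block` rule only produces a log entry when it carries the `log` keyword, and several rules in the ruleset above do not. The script below is an added example, not code from the original post or from pfSense; it parses a constructed excerpt transcribed from the rules above and lists the block rules that would drop traffic silently. The parser only recognises the subset of pf syntax that appears in that excerpt.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed excerpt of the ruleset posted above (a hand-transcribed subset).
SAMPLE_RULES = """\
# We use the mighty pf, we cannot be fooled.
block quick proto { tcp, udp } from any port = 0 to any
block quick proto { tcp, udp } from any to any port = 0
table <snort2c> persist
block quick from <snort2c> to any label "Block snort2c hosts"
block in quick inet6 all
block out quick inet6 all
block in log quick on $wan from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
table <virusprot>
block in quick from <virusprot> to any label "virusprot overload table"
pass in quick on $lan proto tcp from AAA.AAA.AAA.0/24 to any port = 80 keep state  label "USER_RULE: Allow HTTP"
block in log quick on $lan proto { tcp udp } from any to any port = 53  label "USER_RULE: Block outgoing DNS in case of rogue DNS servers"
block in log quick all label "Default deny rule"
block out log quick all label "Default deny rule"
"""

LABEL_RE = re.compile(r'\s+label\s+"([^"]*)"')
FILTER_ACTIONS = ("block", "pass", "match")


@dataclass
class Rule:
    lineno: int      # 1-based line number in the ruleset text
    action: str      # block / pass / match
    logged: bool     # True when the rule carries the pf "log" keyword
    quick: bool      # True when a match ends rule evaluation
    label: str       # pfSense label, "" if none
    text: str        # the original rule line


def parse_rules(text: str) -> List[Rule]:
    """Pick the filter rules out of a pf ruleset, skipping comments, blank
    lines, and table/anchor/set/scrub/nat/rdr lines."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LABEL_RE.search(line)
        label = m.group(1) if m else ""
        # Strip the label before tokenising so words inside it (e.g. "block")
        # cannot be mistaken for pf keywords.
        tokens = LABEL_RE.sub("", line).split()
        if tokens[0] not in FILTER_ACTIONS:
            continue
        rules.append(Rule(lineno, tokens[0], "log" in tokens, "quick" in tokens, label, line))
    return rules


def silent_blocks(rules: List[Rule]) -> List[Rule]:
    """Block rules that drop packets without writing a pflog entry."""
    return [r for r in rules if r.action == "block" and not r.logged]


def summarize(text: str) -> dict:
    rules = parse_rules(text)
    blocks = [r for r in rules if r.action == "block"]
    return {
        "rules": len(rules),
        "block_rules": len(blocks),
        "logged_blocks": sum(1 for r in blocks if r.logged),
        "silent_blocks": [r.lineno for r in silent_blocks(rules)],
    }


if __name__ == "__main__":
    import sys
    # Read a real rules.debug when a path is given, otherwise use the excerpt.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULES
    for r in silent_blocks(parse_rules(text)):
        print(f"line {r.lineno}: drops without logging -> {r.text}")
    print(summarize(text))
```

On the excerpt the silent rules are the port-0, snort2c, IPv6 and virusprot blocks; the default-deny rules do log, so LAN traffic that simply lacks a pass rule should still show up in the firewall log. Running the script against a copy of `/tmp/rules.debug` gives the same listing for the full ruleset.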
      • jimp (Rebel Alliance Developer, Netgate)

        Sounds like it could be an MTU issue, try lowering your WAN MTU a bit, see if it clears up

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        • mastablastaz

          Hi jimp,

          Thanks for the fast reply.

          I tried the following MTUs: 1500, 1495, 1492, 1460 and same problem. I rebooted pfsense and disabled/activated my NIC between the tests to be sure.

          I think my problem can be summarized as follows:

          I try to connect to google.com using different browsers, with no software firewall, antivirus or proxies enabled whatsoever:
          Firefox is working as intended. Opens the web page instantly.
          Internet Explorer is trying to connect forever. Waiting for an answer from the web, then timeout.
          Chrome: same problem as IE.
          Opera: working the same as Firefox.

          Thank god for Firefox and Opera! :D

          Tried with IP addresses in the URL bar, same problem.

          Also, I can ping any website without problem.

          • jimp (Rebel Alliance Developer, Netgate)

            Checked the browser proxy settings in IE? Some other apps key off of that.

            • mastablastaz

              Yes, no proxies in the proxy tab.

              • jimp (Rebel Alliance Developer, Netgate)

                Then you'll probably have to do a packet capture (Diagnostics > Packet Capture) on WAN and LAN for a request that works and a request that fails to compare them and see what might be going wrong.

                • mastablastaz

                  jimp,

                  I captured the packets as you suggested:

                  Did the test on IE and Firefox separately connecting to pfsense.org (69.64.6.21)

                  Here are the results:

                  IE (image)

                  Firefox (image)

                  The IE capture is talking about something called wpad. I searched google and it seems that's Web Proxy Autodiscovery Protocol. Not sure what that's for but will read the wiki to understand (http://en.wikipedia.org/wiki/Web_Proxy_Autodiscovery_Protocol)

                  Another funny thing, while trying to upload the images to http://imageshack.us/: the upload did not work with the standard upload on the main web page (ajax?) at http://imageshack.us/ but worked when using the upload function reached by clicking the link "Can't Upload? Try This" (http://imageshack.us/?no_multi=1). That's the same problem that my network is having.

                  • jimp (Rebel Alliance Developer, Netgate)

                    Something is announcing itself as a proxy, and IE is set for autoconfigure, and happily using those settings.

                    Uncheck the box in IE's proxy settings for automatic

                      • mastablastaz

                      Yep it's working now for both IE and Chrome (since it's using IE proxy parameters)

                      Great!

                      Anyway, what do you think can announce itself as a proxy?

                      A badly uninstalled squid or havp? I tried them before and uninstalled them.

                      • jimp (Rebel Alliance Developer, Netgate)

                        It would have to be explicitly set up in DNS to respond to "wpad.<your domain name>" (or some variations, check the wikipedia doc).

                        It's not something that can be done accidentally.

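What jimp describes is the DNS half of WPAD: a client set to auto-detect its proxy prepends `wpad` to its DNS suffix, strips one label at a time down to the second-level domain, and fetches `http://<first name that resolves>/wpad.dat`. The script below is an added example, not from the thread or from pfSense, that lists the names a client with a given DNS suffix would try and reports which of them resolve, so an administrator can check whether anything in the zone is answering for `wpad`. The devolution order and the `wpad.dat` path follow the protocol description the thread links to; stopping at the second-level domain is a simplification (browsers differ in where they stop, and WPAD can also be supplied via DHCP option 252, which is not modelled here). The resolver is injected so the logic can be exercised offline with a constructed answer set.

```python
import socket
from typing import Callable, List, Optional, Tuple

Resolver = Callable[[str], Optional[str]]


def wpad_candidates(search_suffix: str) -> List[str]:
    """Names a WPAD client would try for a DNS search suffix, in order.

    For suffix dept.branch.example.com this yields wpad.dept.branch.example.com,
    wpad.branch.example.com and wpad.example.com, and never the bare TLD
    (wpad.com is not tried). Stopping at the second-level domain is a
    simplification of what individual browsers do."""
    labels = [l for l in search_suffix.strip(".").lower().split(".") if l]
    names = []
    for i in range(len(labels)):
        rest = labels[i:]
        if i > 0 and len(rest) < 2:
            break  # do not devolve down to a top-level domain
        names.append("wpad." + ".".join(rest))
    return names


def wpad_url(hostname: str) -> str:
    """Configuration file the client fetches from the first name that resolves."""
    return f"http://{hostname}/wpad.dat"


def dns_resolve(name: str) -> Optional[str]:
    """Real resolver: IPv4 address of name, or None when it does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def audit_wpad(search_suffix: str, resolve: Resolver = dns_resolve) -> List[Tuple[str, str]]:
    """(name, address) for every candidate that resolves.

    The first entry is the one a client would honour. A non-empty result on a
    network that is not meant to have a proxy means something is answering
    for wpad and clients on auto-detect will use whatever it serves."""
    hits = []
    for name in wpad_candidates(search_suffix):
        addr = resolve(name)
        if addr:
            hits.append((name, addr))
    return hits


if __name__ == "__main__":
    import sys
    # "localdomain" is pfSense's default domain name; pass your own as argv[1].
    suffix = sys.argv[1] if len(sys.argv) > 1 else "localdomain"
    hits = audit_wpad(suffix)
    if not hits:
        print(f"no wpad name resolves under {suffix}")
    for name, addr in hits:
        print(f"{name} -> {addr}   (client would fetch {wpad_url(name)})")
```

Run it from a LAN host with the same DNS suffix the clients use. An answer for any candidate that the administrator did not create is the thing to investigate on the DNS forwarder (host overrides) or on whatever upstream server the forwarder is using.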
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.