Netgate Discussion Forum

Dropbox: Pf is blocking it, even though default is allow for outgoing LAN

    MrsPotter
    last edited by Jan 16, 2012, 9:32 PM

    Hi,

    I'm having trouble with DropBox - I'd like to allow it through the firewall, but it gets Blocked. I've got a default allow rule allowing all LAN subnets to any destination via any port. So I'm puzzled.

    Any ideas?

    Rebooted, reset the states etc. No change.

    Also, Pf suddenly started blocking Nortel VPN client - but I made no changes to it. Odd…

    Cheers,

    MrsPotter

      conehead
      last edited by Jan 18, 2012, 9:22 PM

      Here that just works with ports 80 and 443, I checked.

        johnpoz LAYER 8 Global Moderator
        last edited by Jan 18, 2012, 9:38 PM

        I run dropbox on multiple machines behind pfsense - no issues on any of them.

        How do you know pfsense is blocking?  Are you seeing something logged?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

          MrsPotter
          last edited by Jan 21, 2012, 10:41 PM

          Ok the scenario is this:

          Squid runs non-transparent, and each user has a cache.pac file specified in their browser. Thus all browsers know where the proxy is and at which port.

          To prevent users bypassing the proxy, I block port 80. Now users are still happily browsing, basically unaware of the proxy - except dropbox promptly stops working.

          So it seems it doesn't pass through the proxy, but I see dropbox entries in the proxy log. Dropbox is supposed to use the browser's LAN settings and is set up to do that. But it seems not to work. I don't want to explicitly point dropbox to the proxy - since it is used to allow roaming users access to their data. I've found our DSL connection too slow to share a SAMBA drive accessed via VPN. Our DSL upload speed is a few hundred Kbps so I can understand the slowness. But dropbox does the job well.

          As an interim solution I explicitly passed the IP ranges that dropbox currently uses. This solves the problem, but I assume these IPs will change with time - so I would like to get to the bottom of this.

          Ideas are appreciated.

            MrsPotter
            last edited by Jan 21, 2012, 11:01 PM

            Re-reading my first post, I didn't specify the above scenario properly. So my apologies.

            @conehead - indeed dropbox only uses ports 80 and 443

            @johnpoz - I see loads of firewall hits for dropbox hosts, even if dropbox is working perfectly - I suspect it is due to what is described on the page below:

            http://doc.pfsense.org/index.php/Logs_show_%22blocked%22_for_traffic_from_a_legitimate_connection,_why%3F

              johnpoz LAYER 8 Global Moderator
              last edited by Jan 22, 2012, 2:39 PM

              "I explicitly passed the IP ranges that dropbox currently use"

              If you're worried about their IPs changing, just use an alias for the domain they use.

              And I agree, are your firewall logs showing the blocks as ACKs or FINs? Prob a dropped connection like stated in that link. Those are common and will be seen if you have connections that drop; I see quite a few of them when you reboot your pfsense box, for example, as it comes back up.


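The check johnpoz describes, as an added example that is not the thread's own code or a pfSense tool: a small Python triage of blocked TCP entries that separates a blocked SYN (a packet that really matched no pass rule) from ACK/FIN/RST packets arriving after their state is gone (the dropped-connection noise the linked doc describes). The log lines and the CSV field layout are constructed and assumed here, not taken from a real pfSense box.

```python
import re
from collections import Counter

# Constructed sample entries in a filterlog-style CSV layout assumed here:
# rule,sub,anchor,tracker,iface,reason,action,dir,ipver,tos,ecn,ttl,id,offset,
# ipflags,protoid,proto,length,src,dst,sport,dport,datalen,tcpflags,...
# Addresses, rule numbers and flags are made up for illustration.
SAMPLE_LOG = """\
Jan 22 14:39:01 pfsense filterlog: 5,,,1000000103,em1,match,block,in,4,0x0,,64,1,0,DF,6,tcp,52,192.168.1.10,108.160.160.1,54321,443,0,FA,1,2,1024,,
Jan 22 14:39:02 pfsense filterlog: 5,,,1000000103,em1,match,block,in,4,0x0,,64,2,0,DF,6,tcp,52,192.168.1.10,108.160.160.1,54321,443,0,A,1,2,1024,,
Jan 22 14:39:05 pfsense filterlog: 9,,,1000000120,em1,match,block,in,4,0x0,,64,3,0,DF,6,tcp,60,192.168.1.11,108.160.160.2,50001,80,0,S,1,0,65535,,mss
Jan 22 14:39:06 pfsense filterlog: 5,,,1000000103,em1,match,block,in,4,0x0,,64,4,0,DF,6,tcp,40,192.168.1.12,108.160.160.3,50002,443,0,R,1,0,0,,
"""

FILTERLOG_RE = re.compile(r"filterlog: (?P<csv>.*)$")

def parse_filterlog(line):
    """Pull the fields needed for triage from one TCP entry; None for anything else."""
    m = FILTERLOG_RE.search(line)
    if not m:
        return None
    f = m.group("csv").split(",")
    if len(f) < 24 or f[16] != "tcp":
        return None  # the TCP flags field only exists for TCP entries
    return {"action": f[6], "src": f[18], "dst": f[19],
            "sport": int(f[20]), "dport": int(f[21]), "flags": f[23]}

def classify(entry):
    """Blocked bare SYN: no pass rule matched. ACK/FIN/RST without SYN: state was already gone."""
    flags = entry["flags"]
    if "S" in flags and "A" not in flags:
        return "new-connection"
    return "stale-state"

def triage(log_text):
    """Return (counts per kind, list of genuinely blocked (src, dst, dport))."""
    counts, real = Counter(), []
    for line in log_text.splitlines():
        e = parse_filterlog(line)
        if e is None or e["action"] != "block":
            continue
        kind = classify(e)
        counts[kind] += 1
        if kind == "new-connection":
            real.append((e["src"], e["dst"], e["dport"]))
    return counts, real

if __name__ == "__main__":
    counts, real = triage(SAMPLE_LOG)
    print(dict(counts))  # stale-state entries are noise, not a rule problem
    for src, dst, port in real:
        print(f"real block: {src} -> {dst}:{port}")
```

Only the SYN on port 80 survives triage, which matches the thread: the port 80 block rule is the real cause, and the ACK/FIN hits on 443 are leftovers of connections whose state had already dropped.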
                MrsPotter
                last edited by Jan 22, 2012, 4:27 PM

                Thanks for the pointer regarding domain alias. I wasn't aware that one could specify domains, I was under the impression that only IPs could be specified.

                Thinking about it - this hint will make many of my firewall rules a lot simpler.

                  marcelloc
                  last edited by Jan 22, 2012, 5:51 PM

                  @MrsPotter:

                  Thanks for the pointer regarding domain alias. I wasn't aware that one could specify domains, I was under the impression that only IPs could be specified.

                  Thinking about it - this hint will make many of my firewall rules a lot simpler.

                  Domain hosts, not full domains.  ;)

                  app.facebook.com is ok but facebook.com or *.facebook.com will not work.

                  I block port 80. Now users are still happily browsing, basically unaware of the proxy

                  You have to block everything, including 443, to avoid users bypassing the proxy with some web proxy over SSL or any tool that "jumps" over the firewall.

                  Treinamentos de Elite: http://sys-squad.com

                  Help a community developer! ;D

                    johnpoz LAYER 8 Global Moderator
                    last edited by Jan 22, 2012, 6:14 PM

                    Good point, but watching the traffic for a bit should show you the fqdn it uses.

                    So I exited dropbox, flushed my local dns cache and then did a quick sniff while I restarted dropbox. It showed these queries:

                    client84, client-lb and notify1.dropbox.com

                    The client84 could be something random for sure.  I would fire up dnstop or something on your network and have it log all the queries for anything.dropbox.com and then create an alias including all of them.

                    You might want to contact dropbox for all the possible dns queries their client might do, etc.


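johnpoz's procedure and marcelloc's caveat together, as an added example that is not the thread's own code or a pfSense or dnstop feature: collect the distinct query names seen under dropbox.com from a DNS query log and keep only concrete hostnames, since pfSense host aliases take FQDNs and not wildcards. The log format and its lines are constructed for this example.

```python
import re
from collections import Counter

# Constructed DNS query log, one "<time> <client> <qname> <qtype>" per line.
# Not dnstop's real output; clients and names are made up to mirror the thread
# (client84, client-lb, notify1 under dropbox.com), with case and trailing-dot
# variants to show normalisation.
SAMPLE_QUERIES = """\
14:02:01 192.168.1.10 client84.dropbox.com A
14:02:01 192.168.1.10 client-lb.dropbox.com A
14:02:02 192.168.1.10 notify1.dropbox.com A
14:02:05 192.168.1.11 client-lb.dropbox.com A
14:02:06 192.168.1.11 www.example.com A
14:02:07 192.168.1.12 Notify1.Dropbox.com AAAA
14:02:09 192.168.1.12 client84.dropbox.com. A
"""

# One or more labels of letters, digits and hyphens, no leading/trailing hyphen.
HOSTNAME_RE = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)(?:\.(?!-)[a-z0-9-]{1,63}(?<!-))+")

def collect_hosts(log_text, zone):
    """Count query names at or under `zone`, lowercased and without a trailing dot."""
    zone = zone.lower().strip(".")
    seen = Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        qname = parts[2].lower().rstrip(".")
        if qname == zone or qname.endswith("." + zone):
            seen[qname] += 1
    return seen

def is_alias_host(name):
    """pfSense host aliases want a concrete FQDN; a wildcard such as *.dropbox.com is not one."""
    return HOSTNAME_RE.fullmatch(name) is not None

def alias_entries(log_text, zone):
    """Sorted hostnames from the log that can go straight into a host alias."""
    return sorted(h for h in collect_hosts(log_text, zone) if is_alias_host(h))

if __name__ == "__main__":
    for host, n in collect_hosts(SAMPLE_QUERIES, "dropbox.com").most_common():
        print(f"{n:3d}  {host}")
    print("alias entries:", alias_entries(SAMPLE_QUERIES, "dropbox.com"))
```

Run it against a longer capture and the per-name counts show which entries are stable (client-lb, notify1) and which look like per-client randomness (client84), which is the point johnpoz raises about confirming the full list with Dropbox.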