facebook network issue
I'm running a pf firewall for our office and I just noticed that we can't get to facebook.
I get "This site can’t be reached. The connection was reset." in Chrome. Other sites are fine. Any help debugging this is greatly appreciated. Since we are closed it's not a problem now, but it will be when people come back. Thanks in advance.
I am not an expert on PF at all, but even if I was, without better details I can not really even guess...
My thoughts are, if you showed us your pf.conf file, someone more experienced might see what is wrong. Also, if there is one, your "rule set" would be relevant. There is this thread: http://daemonforums.org/showthread.php?t=8145, asking how to block Facebook; it may still be of use to you in reverse: instead of adding the block and rule set, you will remove anything blocking Facebook.
===edited=== Also, if you have a /etc/pf.blocked.ip.conf file, it might have the Facebook IPs in it; check that.
__________________
My best friends are parrots Last edited by PapaParrot; 28th April 2020 at 03:14 AM.
Show us the PF ruleset and the domain->IP translation using a tool such as host(1) or dig(1).
__________________
Signature: Furthermore, I consider that systemd must be destroyed. Based on Latin oratorical phrase
Code:
int_if="{ em1 vlan100 vlan127 vlan20 vlan40 vlan50 tap0 tun0 bridge20 carp1 carp2 carp3 carp4 carp5 }"
carp_phy="{ em0 em1 }"
carp_if="{ carp1 carp2 carp3 carp4 carp5 }"
openvpn = "{1194 1195}"

# LAN
lan_if="vlan20"
lan_carp="carp3"

# VoIP
voip_if="vlan100"
voip_carp="carp1"

# Admin
admin_if="vlan127"
admin_carp="carp2"

table <martians> { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
    172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \
    192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 \
    203.0.113.0/24 }

set block-policy drop
set loginterface egress
set syncookies always
set skip on lo

pass quick on { trunk0 } proto pfsync keep state (no-sync)
pass on $carp_phy proto carp keep state (no-sync)

match in all scrub (no-df random-id max-mss 1440)
match out on egress inet from !(egress:network) to any nat-to (egress:0)

block in quick on egress from <martians> to any
block return out quick on egress from any to <martians>
block quick inet6
block log

pass in quick on egress inet proto udp to (egress) port $openvpn
pass out inet proto { tcp, udp, icmp } from any to any modulate state (if-bound)
pass in on $int_if inet

# Port build user does not need network access
block return out log proto {tcp udp} user _pbuild

# By default, do not permit remote connections to X11

Thanks for the feedback.
There may be an extension or plugin that is causing the problem. Also, what about your modem or router? Have you checked them?
__________________
My best friends are parrots
On Windows 10 I tried:
Chrome (normal and incognito)
Firefox (normal and private)
Edge
Internet Explorer
Mac:
Chrome
Safari
Debian 10 VM (VirtualBox):
Firefox
OpenBSD (on the router):
nc -cv -T protocols=all -T ciphers=compat facebook.com 443
Code:
Connection to facebook.com 443 port [tcp/https] succeeded!
TLS handshake negotiated TLSv1.2/ECDHE-ECDSA-AES128-GCM-SHA256 with host facebook.com
Peer name: facebook.com
Subject: /C=US/ST=California/L=Menlo Park/O=Facebook, Inc./CN=*.facebook.com
Issuer: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
Valid From: Tue Apr 14 17:00:00 2020
Valid Until: Tue Jul 14 05:00:00 2020
Cert Hash: SHA256:742ec52e821a519f70cb566494e3a41b6351026bcf5055d0cc301fb755c20791
OCSP URL: http://ocsp.digicert.com
OpenBSD (in a VM):
nc -cv -T protocols=all -T ciphers=compat facebook.com 443
Code:
Connection to facebook.com 443 port [tcp/https] succeeded!
I've run tcpdump and can see stuff related to the connection but I don't really know how to trace it through and find where it's breaking.
I'm seeing the same thing with yahoo.com and some of AWS.
I recommend Networking for Systems Administrators by Michael W. Lucas.
Quote:
Code:
192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \
192.168.0.0/16 198.18.0.0/15 198.51.100.0/24
So any way (I am very short on time at the moment, so forgive me if it is not very clear), any way, my thought is: if you try using a rule set without any of the "martians", or just a default pf.conf... DO NOT delete or lose your original rule set; make a copy or just temporarily move ("mv") it, you know, so you can move it back later if need be. I am thinking it might be your "martians" in the rule set. I could be wrong though... more often than not I am. But if you save your original set and conf, it can't hurt to try...
==================EDITED=====
A simpler way to check:
Code:
# pfctl -d
pf disabled
#
Code:
pfctl -e
ref: 'man pf.conf', 'man pfctl', also https://www.openbsd.org/faq/pf/config.html
__________________
My best friends are parrots Last edited by PapaParrot; 30th April 2020 at 03:31 AM.
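The ruleset posted earlier in the thread blocks traffic to and from the <martians> table, and this post asks whether that table could be the culprit. The check can be made without touching the live firewall: the script below (an added example, not code from the thread or from OpenBSD) parses the table out of pf.conf text and tests addresses against it with Python's standard ipaddress module. The pf.conf excerpt is the <martians> table and the two rules that use it, as posted in the thread; the sample addresses at the bottom are constructed.

```python
"""Does a destination address fall inside a pf table such as <martians>?

Added example, not code from the thread or from OpenBSD: it pulls every
'table <name> { ... }' definition out of pf.conf text and tests addresses
against it with Python's standard ipaddress module.  The pf.conf excerpt is
the <martians> table and the two rules that use it, as posted in the thread;
the addresses tested at the bottom are constructed samples.
"""
import ipaddress
import re

# The table and rules as posted in the thread (backslash continuations kept).
PF_CONF = r"""
table <martians> { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
    172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \
    192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 \
    203.0.113.0/24 }
block in quick on egress from <martians> to any
block return out quick on egress from any to <martians>
"""


def parse_tables(conf):
    """Return {table_name: [ip_network, ...]} for every table defined inline in conf."""
    joined = conf.replace("\\\n", " ")  # pf.conf continues a line with a trailing backslash
    tables = {}
    for m in re.finditer(r"table\s+<(\w+)>\s*\{([^}]*)\}", joined):
        nets = []
        for token in m.group(2).split():
            # strict=False accepts host bits set inside the prefix, as pf does
            nets.append(ipaddress.ip_network(token, strict=False))
        tables[m.group(1)] = nets
    return tables


def matching_entries(addr, table):
    """Return the table entries that contain addr; an empty list means the table
    does not match it, so the two block rules above do not fire for it."""
    ip = ipaddress.ip_address(addr)
    return [str(net) for net in table if ip in net]


def check(addr, tables, name="martians"):
    """One-line verdict for a destination address against the named table."""
    hits = matching_entries(addr, tables[name])
    if hits:
        return f"{addr}: matched <{name}> via {', '.join(hits)} -> blocked by the egress rules"
    return f"{addr}: not in <{name}> -> these block rules are not the cause"


if __name__ == "__main__":
    tables = parse_tables(PF_CONF)
    # Constructed sample addresses: a private LAN host, a documentation-range
    # address that sits inside the table, and the public resolver seen later
    # in the thread's capture (dns.google).
    for sample in ("10.20.0.5", "203.0.113.5", "8.8.8.8"):
        print(check(sample, tables))
```

To run the real check, feed it the addresses that `host www.facebook.com` returns for the office; on the router itself the live table can be queried directly with `pfctl -t martians -T test <address>`, which answers the same question from pf's own copy of the table.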
I noticed the rule "block quick inet6". Are you sure Chrome isn't trying to connect via IPv6?
__________________
Signature: Furthermore, I consider that systemd must be destroyed. Based on Latin oratorical phrase
I can agree, because I tried it without the "martians" and still no connection... it was late and I did not try anything else, and I am not at all any kind of PF expert.
__________________
My best friends are parrots
Thank you for all of the suggestions.
Yahoo magically reappeared but facebook is still non-responsive through NAT. This is on the WAN interface when I click refresh in the browser.
Code:
tcpdump -ttt -i em0 -vv | grep facebook
tcpdump: listening on em0, link-type EN10MB
Apr 30 16:07:49.926122 static-173-12-34-56.lsanca.fios.frontiernet.net.62750 > dns.google.domain: [udp sum ok] 46069+ A? www.facebook.com.(34) (ttl 127, id 3407, len 62)
Apr 30 16:07:49.932926 dns.google.domain > static-173-12-34-56.lsanca.fios.frontiernet.net.62750: 46069 q: A? www.facebook.com. 2/0/0 www.facebook.com. CNAME star-mini.c10r.facebook.com., star-mini.c10r.facebook.com.(79) (ttl 122, id 47070, len 107)
Apr 30 16:07:49.933991 static-173-12-34-56.lsanca.fios.frontiernet.net.62990 > edge-star-mini-shv-01-lax3.facebook.com.https: S [tcp sum ok] 1077061926:1077061926(0) win 0 (DF) [tos 0x10] (ttl 64, id 61979, len 40)
Apr 30 16:07:49.935138 static-173-12-34-56.lsanca.fios.frontiernet.net.65459 > edge-star-mini-shv-01-lax3.facebook.com.https: S [tcp sum ok] 4040108268:4040108268(0) win 0 (DF) [tos 0x10] (ttl 64, id 61773, len 40)
Apr 30 16:07:50.235273 static-173-12-34-56.lsanca.fios.frontiernet.net.65459 > edge-star-mini-shv-01-lax3.facebook.com.https: S [tcp sum ok] 4040108268:4040108268(0) win 0 (DF) [tos 0x10] (ttl 64, id 44008, len 40)
Apr 30 16:07:50.235274 static-173-12-34-56.lsanca.fios.frontiernet.net.62990 > edge-star-mini-shv-01-lax3.facebook.com.https: S [tcp sum ok] 1077061926:1077061926(0) win 0 (DF) [tos 0x10] (ttl 64, id 60341, len 40)
Apr 30 16:07:50.535792 static-173-12-34-56.lsanca.fios.frontiernet.net.65459 > edge-star-mini-shv-01-lax3.facebook.com.https: S [tcp sum ok] 4040108268:4040108268(0) win 0 (DF) [tos 0x10] (ttl 64, id 46466, len 40)
Apr 30 16:07:50.535793 static-173-12-34-56.lsanca.fios.frontiernet.net.62990 > edge-star-mini-shv-01-lax3.facebook.com.https: S [tcp sum ok] 1077061926:1077061926(0) win 0 (DF) [tos 0x10] (ttl 64, id 11374, len 40)
Apr 30 16:07:51.137263 static-173-12-34-56.lsanca.fios.frontiernet.net.65459 > edge-star-mini-shv-01-lax3.facebook.com.https: S [tcp sum ok] 4040108268:4040108268(0) win 0 (DF) [tos 0x10] (ttl 64, id 17409, len 40)
Apr 30 16:07:51.137264 static-173-12-34-56.lsanca.fios.frontiernet.net.62990 > edge-star-mini-shv-01-lax3.facebook.com.https: S [tcp sum ok] 1077061926:1077061926(0) win 0 (DF) [tos 0x10] (ttl 64, id 30950, len 40)
Apr 30 16:07:52.337623 static-173-12-34-56.lsanca.fios.frontiernet.net.65459 > edge-star-mini-shv-01-lax3.facebook.com.https: S [tcp sum ok] 4040108268:4040108268(0) win 0 (DF) [tos 0x10] (ttl 64, id 31478, len 40)
Apr 30 16:07:52.337624 static-173-12-34-56.lsanca.fios.frontiernet.net.62990 > edge-star-mini-shv-01-lax3.facebook.com.https: S [tcp sum ok] 1077061926:1077061926(0) win 0 (DF) [tos 0x10] (ttl 64, id 51167, len 40)
Apr 30 16:07:54.737779 static-173-12-34-56.lsanca.fios.frontiernet.net.65459 > edge-star-mini-shv-01-lax3.facebook.com.https: S [tcp sum ok] 4040108268:4040108268(0) win 0 (DF) [tos 0x10] (ttl 64, id 5149, len 40)
Apr 30 16:07:54.737781 static-173-12-34-56.lsanca.fios.frontiernet.net.62990 > edge-star-mini-shv-01-lax3.facebook.com.https: S [tcp sum ok] 1077061926:1077061926(0) win 0 (DF) [tos 0x10] (ttl 64, id 34592, len 40)
Apr 30 16:07:59.539018 static-173-12-34-56.lsanca.fios.frontiernet.net.65459 > edge-star-mini-shv-01-lax3.facebook.com.https: S [tcp sum ok] 4040108268:4040108268(0) win 0 (DF) [tos 0x10] (ttl 64, id 59291, len 40)
Apr 30 16:07:59.539020 static-173-12-34-56.lsanca.fios.frontiernet.net.62990 > edge-star-mini-shv-01-lax3.facebook.com.https: S [tcp sum ok] 1077061926:1077061926(0) win 0 (DF) [tos 0x10] (ttl 64, id 56934, len 40)
Code:
nc -cv -T protocols=all -T ciphers=compat facebook.com 443
Code:
tcpdump -ttt -i em0 -vv | grep facebook
tcpdump: listening on em0, link-type EN10MB
Apr 30 16:12:07.209632 static-173-12-34-56.lsanca.fios.frontiernet.net.42053 > edge-star-mini-shv-01-lax3.facebook.com.https: S [tcp sum ok] 1229318974:1229318974(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 6,nop,nop,timestamp 1057182876 0> (DF) (ttl 64, id 56233, len 64)
Apr 30 16:12:07.213252 edge-star-mini-shv-01-lax3.facebook.com.https > static-173-12-34-56.lsanca.fios.frontiernet.net.42053: S [tcp sum ok] 2499282601:2499282601(0) ack 1229318975 win 27760 <mss 1400,sackOK,timestamp 3859214110 1057182876,nop,wscale 8> (DF) (ttl 89, id 0, len 60)
Apr 30 16:12:07.213362 static-173-12-34-56.lsanca.fios.frontiernet.net.42053 > edge-star-mini-shv-01-lax3.facebook.com.https: . [tcp sum ok] 1:1(0) ack 1 win 256 <nop,nop,timestamp 1057182876 3859214110> (DF) (ttl 64, id 36022, len 52)
Apr 30 16:12:07.237321 static-173-12-34-56.lsanca.fios.frontiernet.net.42053 > edge-star-mini-shv-01-lax3.facebook.com.https: P 1:203(202) ack 1 win 256 <nop,nop,timestamp 1057182876 3859214110> (DF) (ttl 64, id 22979, len 254)
Apr 30 16:12:07.243530 edge-star-mini-shv-01-lax3.facebook.com.https > static-173-12-34-56.lsanca.fios.frontiernet.net.42053: . [tcp sum ok] 1:1(0) ack 203 win 113 <nop,nop,timestamp 3859214140 1057182876> (DF) (ttl 89, id 33718, len 52)
Apr 30 16:12:07.264769 edge-star-mini-shv-01-lax3.facebook.com.https > static-173-12-34-56.lsanca.fios.frontiernet.net.42053: . 1:1389(1388) ack 203 win 113 <nop,nop,timestamp 3859214161 1057182876> (DF) (ttl 89, id 33719, len 1440)
Apr 30 16:12:07.264771 edge-star-mini-shv-01-lax3.facebook.com.https > static-173-12-34-56.lsanca.fios.frontiernet.net.42053: . 1389:2777(1388) ack 203 win 113 <nop,nop,timestamp 3859214161 1057182876> (DF) (ttl 89, id 33720, len 1440)
Apr 30 16:12:07.264772 edge-star-mini-shv-01-lax3.facebook.com.https > static-173-12-34-56.lsanca.fios.frontiernet.net.42053: P 2777:3078(301) ack 203 win 113 <nop,nop,timestamp 3859214161 1057182876> (DF) (ttl 89, id 33721, len 353)
Apr 30 16:12:07.264886 static-173-12-34-56.lsanca.fios.frontiernet.net.42053 > edge-star-mini-shv-01-lax3.facebook.com.https: . [tcp sum ok] 203:203(0) ack 2777 win 212 <nop,nop,timestamp 1057182876 3859214161> (DF) (ttl 64, id 29345, len 52)
Apr 30 16:12:07.265323 static-173-12-34-56.lsanca.fios.frontiernet.net.42053 > edge-star-mini-shv-01-lax3.facebook.com.https: . [tcp sum ok] 203:203(0) ack 3078 win 253 <nop,nop,timestamp 1057182876 3859214161> (DF) (ttl 64, id 24269, len 52)
Apr 30 16:12:07.274512 static-173-12-34-56.lsanca.fios.frontiernet.net.42053 > edge-star-mini-shv-01-lax3.facebook.com.https: P 203:329(126) ack 3078 win 256 <nop,nop,timestamp 1057182876 3859214161> (DF) (ttl 64, id 8828, len 178)
Apr 30 16:12:07.280848 edge-star-mini-shv-01-lax3.facebook.com.https > static-173-12-34-56.lsanca.fios.frontiernet.net.42053: P 3078:3129(51) ack 329 win 113 <nop,nop,timestamp 3859214177 1057182876> (DF) (ttl 89, id 33722, len 103)
Apr 30 16:12:07.336364 edge-star-mini-shv-01-lax3.facebook.com.https > static-173-12-34-56.lsanca.fios.frontiernet.net.42053: P 3078:3129(51) ack 329 win 113 <nop,nop,timestamp 3859214233 1057182876> (DF) (ttl 89, id 33723, len 103)
Apr 30 16:12:07.336419 static-173-12-34-56.lsanca.fios.frontiernet.net.42053 > edge-star-mini-shv-01-lax3.facebook.com.https: . [tcp sum ok] 329:329(0) ack 3129 win 256 <nop,nop,timestamp 1057182876 3859214177> (DF) (ttl 64, id 9682, len 52)
Apr 30 16:12:22.345935 static-173-12-34-56.lsanca.fios.frontiernet.net.42053 > edge-star-mini-shv-01-lax3.facebook.com.https: F [tcp sum ok] 329:329(0) ack 3129 win 256 <nop,nop,timestamp 1057182906 3859214177> (DF) (ttl 64, id 52174, len 52)
Apr 30 16:12:22.350768 edge-star-mini-shv-01-lax3.facebook.com.https > static-173-12-34-56.lsanca.fios.frontiernet.net.42053: P [tcp sum ok] 3129:3160(31) ack 330 win 113 <nop,nop,timestamp 3859229247 1057182906> (DF) (ttl 89, id 33724, len 83)
Apr 30 16:12:22.350770 edge-star-mini-shv-01-lax3.facebook.com.https > static-173-12-34-56.lsanca.fios.frontiernet.net.42053: F [tcp sum ok] 3160:3160(0) ack 330 win 113 <nop,nop,timestamp 3859229247 1057182906> (DF) (ttl 89, id 33725, len 52)
Apr 30 16:12:22.350894 static-173-12-34-56.lsanca.fios.frontiernet.net.42053 > edge-star-mini-shv-01-lax3.facebook.com.https: R [tcp sum ok] 1229319304:1229319304(0) win 0 (DF) (ttl 64, id 60065, len 40)
Apr 30 16:12:22.350895 static-173-12-34-56.lsanca.fios.frontiernet.net.42053 > edge-star-mini-shv-01-lax3.facebook.com.https: R [tcp sum ok] 1229319304:1229319304(0) win 0 (DF) (ttl 64, id 41182, len 40)
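The two captures above carry the key evidence of the thread: the NATed browser's SYNs leave em0 over and over with no SYN-ACK coming back, while the router's own nc connection completes a normal handshake. Reading that out of raw tcpdump text by eye is slow, so here is a small parser, added as an example (not code from the thread, from OpenBSD or from tcpdump), that groups a `tcpdump -vv` capture by flow and reports, per flow, whether a SYN-ACK was seen, how many SYNs were sent, and what the first SYN carried. SAMPLE_CAPTURE is constructed in the same format as the captures above with hostnames shortened; the analysis logic is mine.

```python
"""Summarize TCP handshakes in a tcpdump -vv capture: which flows got a
SYN-ACK, which only retransmitted SYNs, and what each flow's first SYN looked
like (window, options, length).

Added example, not code from the thread, OpenBSD or tcpdump.  SAMPLE_CAPTURE
is constructed in the same format as the thread's output with hostnames
shortened; in real use the script reads a capture from stdin.
"""
import re
import sys
from collections import OrderedDict

# Constructed sample: one flow that only retransmits SYNs, one that completes.
SAMPLE_CAPTURE = """\
tcpdump: listening on em0, link-type EN10MB
Apr 30 16:07:49.933991 client.lan.62990 > edge.example.https: S [tcp sum ok] 1077061926:1077061926(0) win 0 (DF) [tos 0x10] (ttl 64, id 61979, len 40)
Apr 30 16:07:50.235274 client.lan.62990 > edge.example.https: S [tcp sum ok] 1077061926:1077061926(0) win 0 (DF) [tos 0x10] (ttl 64, id 60341, len 40)
Apr 30 16:07:51.137264 client.lan.62990 > edge.example.https: S [tcp sum ok] 1077061926:1077061926(0) win 0 (DF) [tos 0x10] (ttl 64, id 30950, len 40)
Apr 30 16:12:07.209632 client.lan.42053 > edge.example.https: S [tcp sum ok] 1229318974:1229318974(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 6,nop,nop,timestamp 1057182876 0> (DF) (ttl 64, id 56233, len 64)
Apr 30 16:12:07.213252 edge.example.https > client.lan.42053: S [tcp sum ok] 2499282601:2499282601(0) ack 1229318975 win 27760 <mss 1400,sackOK,timestamp 3859214110 1057182876,nop,wscale 8> (DF) (ttl 89, id 0, len 60)
Apr 30 16:12:07.213362 client.lan.42053 > edge.example.https: . [tcp sum ok] 1:1(0) ack 1 win 256 <nop,nop,timestamp 1057182876 3859214110> (DF) (ttl 64, id 36022, len 52)
"""

# timestamp, src > dst: FLAGS [tcp sum ok] seq ... (the OpenBSD tcpdump -vv layout)
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:.]+)\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+"
    r"(?P<flags>[SPFR.]+)\s+(?:\[tcp sum ok\]\s+)?\S+(?P<rest>.*)$"
)


def parse_line(line):
    """Parse one TCP line into a dict, or return None for anything else (DNS, banners)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    ack = re.search(r"\back (\d+)", rest)      # \b keeps 'sackOK' from matching
    win = re.search(r"\bwin (\d+)", rest)
    opts = re.search(r"<([^>]*)>", rest)
    plen = re.search(r"\blen (\d+)", rest)
    return {
        "ts": m.group("ts"), "src": m.group("src"), "dst": m.group("dst"),
        "flags": m.group("flags"),
        "ack": int(ack.group(1)) if ack else None,
        "win": int(win.group(1)) if win else None,
        "opts": opts.group(1) if opts else "",
        "len": int(plen.group(1)) if plen else None,
    }


def analyze(capture):
    """Group packets by endpoint pair and record SYN / SYN-ACK evidence per flow."""
    flows = OrderedDict()
    for line in capture.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        key = tuple(sorted((pkt["src"], pkt["dst"])))
        flow = flows.setdefault(key, {
            "client": None, "server": None, "syn": 0, "synack": False,
            "syn_win": None, "syn_opts": None, "syn_len": None,
        })
        if "S" in pkt["flags"] and pkt["ack"] is None:      # plain SYN
            flow["syn"] += 1
            flow["client"], flow["server"] = pkt["src"], pkt["dst"]
            if flow["syn_win"] is None:                       # remember the first SYN
                flow["syn_win"], flow["syn_opts"], flow["syn_len"] = (
                    pkt["win"], pkt["opts"], pkt["len"])
        elif "S" in pkt["flags"]:                             # SYN with ack = SYN-ACK
            flow["synack"] = True
    return flows


def verdict(flow):
    """Plain-language reading of one flow's handshake evidence."""
    if flow["synack"]:
        return "handshake completed"
    if flow["syn"] > 1:
        return f"SYN retransmitted {flow['syn']} times, no SYN-ACK seen on this interface"
    return "SYN sent once, no SYN-ACK seen yet"


def report(capture):
    """One line per flow: endpoints, verdict, and what the first SYN carried."""
    lines = []
    for flow in analyze(capture).values():
        if flow["client"] is None:   # no SYN seen: mid-stream traffic only
            continue
        lines.append(
            f"{flow['client']} -> {flow['server']}: {verdict(flow)} "
            f"(first SYN: win {flow['syn_win']}, len {flow['syn_len']}, "
            f"opts '{flow['syn_opts'] or 'none'}')"
        )
    return lines


if __name__ == "__main__":
    data = SAMPLE_CAPTURE if sys.stdin.isatty() else sys.stdin.read()
    print("\n".join(report(data)))
```

Run it as `tcpdump -ttt -i em0 -vv | grep facebook | python3 handshakes.py` (file name assumed) or on a saved capture. The "first SYN" fields are there because the two captures above differ in exactly that respect: the browser's SYNs arrive at em0 with `win 0`, no TCP options and `len 40`, while the router's own SYN carries `win 16384` with mss/wscale/sackOK options. A capture on the WAN side only shows whether a reply comes back there; pairing it with a capture on the inside interface, or on pflog0 with the `block log` rule, tells you whether a missing reply was dropped by pf or never arrived at all.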
I'll check out the additional logging - thanks.
Thank you everyone for the help. I got it figured out (or at least a solution).
I put another router together with a PC Engines box and set up the switch for untagged VLANs and bang, it works. The only explanation that makes sense is that there was something going on with the switch and the packet tagging that made facebook reset the connection.