Phantom Drops FW

Hi,

When I am behind my firewall, I try to run a speedtest, and the download speed test completes just fine (though not on https://speedtest.net, which won’t even get past “Finding optimal server”).

However, when it tries to do an upload test, it says it can’t connect. I’ve tried opening up the firewall to allow all outgoing by default, and enabled access by IP in the URL filter.

I’m checking /var/log/messages, but I am not seeing any DROP events that would be related to the speedtest at all.

The proxy log and URL filter log are not showing me anything that would suggest blocking by them.

I am at a loss as to what is dropping the connection???

EDIT: If I reboot the firewall, there is a period of time when the system starts (I’m guessing before the iptables rules kick in?) where it works: it does both the down and up speed tests and has better latency as well, so I guess it is not being checked against the FW or something at that point.

Banging my head any which way till Wednesday with this one; any boffins around who can at least point me to some logs that I might have missed or something? I cannot for the life of me see what’s blocking the connections :frowning:

Hi,

If I reboot the firewall, there is a period of time when the system starts, I’m guessing before the iptables rules kick in?

That sounds more like the IPS, which needs some time to load the configured rules.

iptables rules are loaded before any interface is brought up, so there is no time span
in which anything or anybody could bypass the packet filter.

Thanks, and best regards,
Peter Müller

Thanks Peter,

I turned the IPS off as one of the first things in troubleshooting. The behaviour of it kicking in is occurring with the IPS off.

The other thing I thought was that maybe the QoS stuff was being problematic, so I disabled QoS as well; however, it remains exactly the same, and it is so strange, because I should think that if the firewall were dropping connections I would see DROP or REJECT in my messages log.

Only now has it occurred to me to try it with squid off, and to connect directly rather than through squid. Will let you know how I go.

Ah, interesting: it works when I bypass squid. So it is something squid is doing that is causing the issues. I guess squid starting up would also explain it working before squid starts (I am allowing traffic on 80/443 to bypass squid, so the traffic is probably just going squidless until squid kicks in).

Hi all,
the access.log gives a TCP_DENIED HIER_NONE:

1621594404.227      2 10.234.2.80 TCP_DENIED/403 3756 CONNECT speedtest.stadtwerke-schorndorf.de:8080 - HIER_NONE/- text/html
1621594405.463      1 10.234.2.80 TCP_DENIED/403 3819 CONNECT speedtest.gigaspeedsurfer.de.prod.hosts.ooklaserver.net:8080 - HIER_NONE/- text/html
1621594405.691      1 10.234.2.80 TCP_DENIED/403 3801 CONNECT speedtest.telemaxx.net.prod.hosts.ooklaserver.net:8080 - HIER_NONE/- text/html
1621594405.788      1 10.234.2.80 TCP_DENIED/403 3756 CONNECT speedtest.stadtwerke-schorndorf.de:8080 - HIER_NONE/- text/html
1621594406.654      1 10.234.2.80 TCP_DENIED/403 3717 CONNECT speedtest.pfalzkom.de:8080 - HIER_NONE/- text/html
1621594407.127      1 10.234.2.80 TCP_DENIED/403 3828 CONNECT strasbourg3.speedtest.orange.fr.prod.hosts.ooklaserver.net:8080 - HIER_NONE/- text/html
1621594407.700      1 10.234.2.80 TCP_DENIED/403 3714 CONNECT speedtest.twl-kom.de:8080 - HIER_NONE/- text/html
1621594409.758      1 10.234.2.80 TCP_DENIED/403 3819 CONNECT speedtest.gigaspeedsurfer.de.prod.hosts.ooklaserver.net:8080 - HIER_NONE/- text/html
1621594410.271      1 10.234.2.80 TCP_DENIED/403 3801 CONNECT speedtest.telemaxx.net.prod.hosts.ooklaserver.net:8080 - HIER_NONE/- text/html
1621594411.308      1 10.234.2.80 TCP_DENIED/403 3714 CONNECT speedtest.twl-kom.de:8080 - HIER_NONE/- text/html
1621594411.793      1 10.234.2.80 TCP_DENIED/403 3828 CONNECT strasbourg3.speedtest.orange.fr.prod.hosts.ooklaserver.net:8080 - HIER_NONE/- text/html
1621594411.805      1 10.234.2.80 TCP_DENIED/403 3717 CONNECT speedtest.pfalzkom.de:8080 - HIER_NONE/- text/html

speedtest wants to use TCP port 8080. Looking at the "Destination ports" section in the Squid WUI, 8080 is not allowed. By allowing it for the SSL ports, it works, at least for me:

1621594953.036  15242 10.234.2.80 TCP_TUNNEL/200 11185214 CONNECT testdebit.laregie.fr.prod.hosts.ooklaserver.net:8080 - HIER_DIRECT/185.127.240.4 -
1621594953.037  15238 10.234.2.80 TCP_TUNNEL/200 31488674 CONNECT speedtest.telemaxx.net.prod.hosts.ooklaserver.net:8080 - HIER_DIRECT/85.115.3.102 -
1621594953.038  15239 10.234.2.80 TCP_TUNNEL/200 7012999 CONNECT testdebit.vialis.net.prod.hosts.ooklaserver.net:8080 - HIER_DIRECT/213.166.201.220 -
1621594953.040  15239 10.234.2.80 TCP_TUNNEL_ABORTED/200 25707432 CONNECT speedtest.pfalzkom.de:8080 - HIER_DIRECT/213.183.69.197 -
1621594953.041  14762 10.234.2.80 TCP_TUNNEL/200 3360670 CONNECT testdebit.laregie.fr.prod.hosts.ooklaserver.net:8080 - HIER_DIRECT/185.127.240.4 -
1621594953.042  14761 10.234.2.80 TCP_TUNNEL/200 10016747 CONNECT speedtest.telemaxx.net.prod.hosts.ooklaserver.net:8080 - HIER_DIRECT/85.115.3.102 -
1621594953.043  14254 10.234.2.80 TCP_TUNNEL/200 2038284 CONNECT testdebit.laregie.fr.prod.hosts.ooklaserver.net:8080 - HIER_DIRECT/185.127.240.4 -
1621594953.045  14252 10.234.2.80 TCP_TUNNEL/200 3133142 CONNECT testdebit.vialis.net.prod.hosts.ooklaserver.net:8080 - HIER_DIRECT/213.166.201.220 -
1621594953.045  14252 10.234.2.80 TCP_TUNNEL_ABORTED/200 5032502 CONNECT speedtest.pfalzkom.de:8080 - HIER_DIRECT/213.183.69.197 -
1621594953.047   7764 10.234.2.80 TCP_TUNNEL_ABORTED/200 7616044 CONNECT speedtest.telemaxx.net.prod.hosts.ooklaserver.net:8080 - HIER_DIRECT/85.115.3.102 -
1621594973.133  17377 10.234.2.80 TCP_TUNNEL/200 1225 CONNECT testdebit.laregie.fr.prod.hosts.ooklaserver.net:8080 - HIER_DIRECT/185.127.240.4 -
1621594974.374  18618 10.234.2.80 TCP_TUNNEL/200 4331 CONNECT testdebit.laregie.fr.prod.hosts.ooklaserver.net:8080 - HIER_DIRECT/185.127.240.4 -
1621594974.512  18756 10.234.2.80 TCP_TUNNEL/200 4331 CONNECT testdebit.laregie.fr.prod.hosts.ooklaserver.net:8080 - HIER_DIRECT/185.127.240.4 -
1621594974.860  19105 10.234.2.80 TCP_TUNNEL/200 1225 CONNECT testdebit.laregie.fr.prod.hosts.ooklaserver.net:8080 - HIER_DIRECT/

Maybe this helps.

Best,

Erik

2 Likes
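The log lines above make the diagnosis obvious once you know which log to read: a CONNECT to port 8080 answered with TCP_DENIED/403 and HIER_NONE means Squid refused the tunnel by policy and never contacted the upstream host, which is why nothing shows up as a DROP in the packet filter. Below is an added example (not code from the thread or from IPFire/Squid) that parses Squid's native access.log format and summarises denied CONNECT requests per destination port, so you can spot this class of problem without reading the log by eye. The sample input reuses five lines from Erik's post plus one constructed GET line to show that non-CONNECT entries are ignored; the assumed SSL_ports set is Squid's default of 443 only.

```python
"""Triage a Squid access.log for CONNECT requests the proxy refused.

Squid's native log format is whitespace-separated:
  time  duration  client  result/status  bytes  method  url  user  hierarchy/peer  type

A CONNECT denied because its target port is not in SSL_ports is logged as
TCP_DENIED/403 with HIER_NONE/- (no upstream connection was attempted), so the
packet filter never sees anything to DROP.
"""
from __future__ import annotations

from collections import Counter, defaultdict
from dataclasses import dataclass

# Five lines copied from the thread above, plus one constructed GET line
# (hypothetical host) to show that non-CONNECT requests are skipped.
SAMPLE_LOG = """\
1621594404.227      2 10.234.2.80 TCP_DENIED/403 3756 CONNECT speedtest.stadtwerke-schorndorf.de:8080 - HIER_NONE/- text/html
1621594405.463      1 10.234.2.80 TCP_DENIED/403 3819 CONNECT speedtest.gigaspeedsurfer.de.prod.hosts.ooklaserver.net:8080 - HIER_NONE/- text/html
1621594405.691      1 10.234.2.80 TCP_DENIED/403 3801 CONNECT speedtest.telemaxx.net.prod.hosts.ooklaserver.net:8080 - HIER_NONE/- text/html
1621594953.036  15242 10.234.2.80 TCP_TUNNEL/200 11185214 CONNECT testdebit.laregie.fr.prod.hosts.ooklaserver.net:8080 - HIER_DIRECT/185.127.240.4 -
1621594953.040  15239 10.234.2.80 TCP_TUNNEL_ABORTED/200 25707432 CONNECT speedtest.pfalzkom.de:8080 - HIER_DIRECT/213.183.69.197 -
1621594960.000     12 10.234.2.80 TCP_MISS/200 5123 GET http://www.example.net/index.html - HIER_DIRECT/93.184.216.34 text/html
"""


@dataclass(frozen=True)
class Entry:
    ts: float
    client: str
    result: str      # Squid result code, e.g. TCP_DENIED or TCP_TUNNEL
    status: int      # HTTP status sent to the client, e.g. 403
    method: str
    url: str         # for CONNECT this is host:port
    hierarchy: str   # HIER_NONE means Squid never went upstream
    peer: str        # upstream address, or "-" for HIER_NONE


def parse_line(line: str) -> Entry | None:
    """Parse one native-format line; return None for malformed input."""
    parts = line.split()
    if len(parts) < 9:
        return None
    result, _, status = parts[3].partition("/")
    hierarchy, _, peer = parts[8].partition("/")
    if not status.isdigit():
        return None
    return Entry(float(parts[0]), parts[2], result, int(status),
                 parts[5], parts[6], hierarchy, peer)


def connect_target(url: str) -> tuple[str, int]:
    """Split the host:port of a CONNECT request; Squid always logs the port."""
    host, _, port = url.rpartition(":")
    return host, int(port)


def connect_outcomes(log: str) -> Counter:
    """Count Squid result codes over CONNECT requests only."""
    counts: Counter = Counter()
    for line in log.splitlines():
        e = parse_line(line)
        if e is not None and e.method == "CONNECT":
            counts[e.result] += 1
    return counts


def denied_connects(log: str, ssl_ports: frozenset[int] = frozenset({443})) -> dict:
    """Return, per destination port, which hosts had CONNECT refused by policy,
    and which of those ports are outside the proxy's SSL_ports ACL (assumed
    here to be Squid's default of 443 only)."""
    by_port: dict[int, Counter] = defaultdict(Counter)
    for line in log.splitlines():
        e = parse_line(line)
        if e is None or e.method != "CONNECT":
            continue
        # Policy denial: 403 with no upstream attempt. A tunnel that was set
        # up and then failed would show HIER_DIRECT instead.
        if e.result == "TCP_DENIED" and e.hierarchy == "HIER_NONE":
            host, port = connect_target(e.url)
            by_port[port][host] += 1
    return {
        "denied_by_port": {p: dict(c) for p, c in by_port.items()},
        "ports_not_in_ssl_ports": sorted(p for p in by_port if p not in ssl_ports),
    }


if __name__ == "__main__":
    print(connect_outcomes(SAMPLE_LOG))
    report = denied_connects(SAMPLE_LOG)
    for port, hosts in report["denied_by_port"].items():
        flag = "" if port in (443,) else "  <-- not in SSL_ports"
        print(f"port {port}: {sum(hosts.values())} denied CONNECTs{flag}")
        for host, n in sorted(hosts.items()):
            print(f"    {n:3d}  {host}")
```

Run it against a real log with `python3 triage.py < /dev/null` after swapping SAMPLE_LOG for `open("/var/log/squid/access.log").read()`; the hosts listed under a flagged port are exactly what the "Destination ports" setting in the WUI is refusing. Note that the check keys on HIER_NONE, not just the 403, because a 403 returned by the remote server after a successful tunnel would be a different problem.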

Thank you Erik!!!

That was 100% it, and I am now wiser, as I know to check /var/log/squid/access.log in the future; I had missed it and couldn’t see anything anywhere else. Was going mad!!!

I am going to test v157 now that everything is sweet on v156 :smiley:

2 Likes

Just a reminder / my opinion

You should also consider what the common use case for this port is (8080, proxy), and whether you really want to do this just to use this site.

I don’t think I have come across 8080 used for anything other than alternate HTTP until now.

The above is to be understood as preventing anything that is not absolutely necessary! And whether it is necessary just for one speedtest depends completely on you :wink: So if I don’t want any software, strange devices, whatever, to have the possibility of sending something through the already mentioned proxy port, then I refrain from allowing it.

As I said, just my opinion :wink:

Ah, I see what you mean: you’re talking about keeping that port closed because it’s not really necessary. Yeah, you’re most likely right; I hadn’t even encountered it until now.
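The trade-off raised in the reminder above can be expressed directly in Squid's ACL language. The following is an added illustration (not configuration from the thread, from IPFire's generated squid.conf, or from the Squid project): it shows the stock Squid rule that produced the TCP_DENIED lines, the broad fix of adding 8080 to SSL_ports, and a narrower alternative that permits CONNECT to 8080 only for the Ookla server domain seen in the log. The domain list is an assumption taken from the hostnames in Erik's access.log excerpt; how to get custom ACL lines ahead of the deny rules in an IPFire-managed squid.conf is not covered by this thread and is left as an assumption.

```conf
# Stock Squid CONNECT policy (squid.conf.default). A CONNECT whose target port
# is not in SSL_ports is refused with 403 before any allow rule is consulted,
# which is exactly the TCP_DENIED/403 ... HIER_NONE/- seen in access.log.
acl SSL_ports port 443
acl Safe_ports port 80 21 443 70 210 1025-65535 280 488 591 777
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Broad fix from the thread (what "allow 8080 for the SSL ports" amounts to):
# every client behind the proxy may now open a raw TCP tunnel to port 8080 on
# any host on the internet, not just to speedtest servers.
#acl SSL_ports port 443 8080

# Narrower alternative (assumed domain list, taken from the hostnames in the
# log excerpt): tunnels to 8080 are allowed only for that domain. The allow
# must precede the two deny lines, because Squid stops at the first match.
acl speedtest_hosts dstdomain .ooklaserver.net
acl speedtest_port port 8080
http_access allow CONNECT speedtest_hosts speedtest_port
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
```

The narrow form keeps the proxy port closed for everything else, but it is not a complete fix for the speedtest site: the excerpt also shows servers such as speedtest.stadtwerke-schorndorf.de:8080 and speedtest.pfalzkom.de:8080 that are not under ooklaserver.net, and those would still be denied. Whether that partial coverage is acceptable, or whether the whole feature is worth opening the port for, is the judgement call the reminder above is pointing at.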