Firewall blocking registration of single phone and fop2 on 'whitelisted' IP

I suggest for many reasons that you only use https, rewrite 301 all http requests and add the non-self-certified certs to /usr/local/fop2/fop2.cfg, and of course only URIs will work then (no IP only).

IWFM

Will do, any ideas about the fop?

fop or fop2?
what was the question?

everything works fine for me though, it behaves exactly as expected, and /var/log/(your webserver)/{http,https}{error,access} logs will give you a clue, as will tcpdump port 4445 and then tcpdump port 4445 and host HER-IP, for more detail.

fop2 WILL spin its wheels on login if the protocol is mismatched

I just checked httpd logs, no errors. There is a log when she was added to the trusted zone, that’s it.

FOP2

It does not work for this ONE user, everyone else it works fine for. It is VERY bizarre.

There was NO traffic for her over 4445 (I am assuming because she was blocked). I turned off the firewall and now there is traffic for her.

The thing is, it will work like this for a while then in a few days I will have to take the firewall down again. I’ve looked EVERYWHERE for what is blocking 4445 for JUST her IP, can’t seem to find anything.

If there is ‘no’ traffic on tcp/4445 from her, then there is a “device” between your server and her phone doing that, as tcpdump sees kernel-level traffic, i.e. before any iptables rules kick in to ‘block’ her.

Such “devices” will include

her phone
her machine
her router
her ISP
the internet
your isp
your router

most of these “devices” can

forward
block
rewrite

the relevant traffic,

pretty well everything needs to be “forwarded”, and that forward should be “symmetric”

ok, I will check it again and those things and get back to you. Thanks!

Ok, I must have mistyped the IP yesterday, I did it again and here is what tcpdump port 4445 | grep 555.555.555.555 showed:

listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
12:34:59.331284 IP www.domain.com.upnotifyp > 555.555.555.555.41416: Flags [P.], seq 2639576036:2639576114, ack 3290216680, win 238, length 78
12:34:59.475577 IP 555.555.555.555.41416 > www.domain.com.upnotifyp: Flags [.], ack 78, win 1022, length 0
12:34:59.475603 IP www.domain.com.upnotifyp > 555.555.555.555.41416: Flags [P.], seq 78:471, ack 1, win 238, length 393
12:34:59.614244 IP 555.555.555.555.41416 > www.domain.com.upnotifyp: Flags [.], ack 471, win 1021, length 0
12:35:09.942165 IP www.domain.com.upnotifyp > 555.555.555.555.41416: Flags [P.], seq 471:544, ack 1, win 238, length 73
12:35:10.080353 IP 555.555.555.555.41416 > www.domain.com.upnotifyp: Flags [.], ack 544, win 1020, length 0
12:35:10.080377 IP www.domain.com.upnotifyp > 555.555.555.555.41416: Flags [P.], seq 544:846, ack 1, win 238, length 302
12:35:10.230632 IP 555.555.555.555.41416 > www.domain.com.upnotifyp: Flags [.], ack 846, win 1026, length 0
12:35:12.682388 IP www.domain.com.upnotifyp > 555.555.555.555.41416: Flags [P.], seq 846:921, ack 1, win 238, length 75
12:35:12.815299 IP 555.555.555.555.41416 > www.domain.com.upnotifyp: Flags [.], ack 921, win 1025, length 0
12:35:12.815326 IP www.domain.com.upnotifyp > 555.555.555.555.41416: Flags [P.], seq 921:1615, ack 1, win 238, length 694
12:35:12.955656 IP 555.555.555.555.41416 > www.domain.com.upnotifyp: Flags [.], ack 1615, win 1023, length 0
12:35:19.552482 IP www.domain.com.upnotifyp > 555.555.555.555.41416: Flags [P.], seq 1615:1693, ack 1, win 238, length 78
12:35:19.705770 IP 555.555.555.555.41416 > www.domain.com.upnotifyp: Flags [.], ack 1693, win 1022, length 0
12:35:19.705813 IP www.domain.com.upnotifyp > 555.555.555.555.41416: Flags [P.], seq 1693:2083, ack 1, win 238, length 390
12:35:19.850124 IP 555.555.555.555.41416 > www.domain.com.upnotifyp: Flags [.], ack 2083, win 1021, length 0
^C782 packets captured

She is not able to sign into the fop again, it just fails saying it cannot communicate over port 4445. Her phone is working fine. If I disable the firewall she will be able to log into the fop instantly. iptables only shows her IP in the zone-trusted; her IP is also not listed in any of the fail2ban jails.
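A small helper for the "is the traffic two-way?" check suggested earlier in the thread, added here as an example and not part of the original posts or of FOP2. It reads tcpdump text output on stdin and, for one peer address, counts packets and payload bytes in each direction and prints a verdict. The interpretation it encodes follows from how tcpdump hooks in: inbound packets are seen before the netfilter INPUT chain and outbound packets after OUTPUT, so "received but no reply" is the signature of a drop on the server itself (or a dead service), while "sent but no reply" points upstream of the server. The capture posted above is embedded as the sample input; the capture command in the comments is the usual invocation and is an assumption about how the output was produced.

```shell
#!/bin/sh
# Added example (not from the thread): summarise a tcpdump text capture per
# direction for one peer, so a "no reply" can be located before blaming iptables.
# The capture would normally come from something like
#   tcpdump -ni eth0 'tcp port 4445 and host 555.555.555.555' > capture.txt
# and be fed in on stdin; here the lines posted above are used as the sample.

# summarize_peer PEER < capture.txt
# Prints one line: packet and payload-byte counts in each direction plus a verdict.
summarize_peer() {
    awk -v peer="$1" '
        # tcpdump packet lines look like: TIME IP SRC.PORT > DST.PORT: Flags ... length N
        $2 == "IP" && $4 == ">" {
            src = $3; dst = $5
            sub(/:$/, "", dst)            # drop the trailing colon after DST.PORT
            sub(/\.[^.]*$/, "", src)      # drop the port or service name (".41416", ".upnotifyp")
            sub(/\.[^.]*$/, "", dst)
            len = $NF + 0                 # "length N" is always the last field
            if (dst == peer)      { to_pkts++;   to_bytes   += len }
            else if (src == peer) { from_pkts++; from_bytes += len }
        }
        END {
            verdict = "no-traffic"
            if (to_pkts > 0 && from_pkts > 0) verdict = "two-way"
            else if (to_pkts > 0)             verdict = "sent-but-no-reply"      # peer or path beyond the server
            else if (from_pkts > 0)           verdict = "received-but-no-reply"  # local drop or dead service
            printf "peer=%s to_peer=%d from_peer=%d to_peer_payload=%d from_peer_payload=%d verdict=%s\n", peer, to_pkts, from_pkts, to_bytes, from_bytes, verdict
        }'
}

# Sample input: the capture posted above, placeholder address 555.555.555.555 kept as-is.
SAMPLE_CAPTURE=$(cat <<'EOF'
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
12:34:59.331284 IP www.domain.com.upnotifyp > 555.555.555.555.41416: Flags [P.], seq 2639576036:2639576114, ack 3290216680, win 238, length 78
12:34:59.475577 IP 555.555.555.555.41416 > www.domain.com.upnotifyp: Flags [.], ack 78, win 1022, length 0
12:34:59.475603 IP www.domain.com.upnotifyp > 555.555.555.555.41416: Flags [P.], seq 78:471, ack 1, win 238, length 393
12:34:59.614244 IP 555.555.555.555.41416 > www.domain.com.upnotifyp: Flags [.], ack 471, win 1021, length 0
12:35:09.942165 IP www.domain.com.upnotifyp > 555.555.555.555.41416: Flags [P.], seq 471:544, ack 1, win 238, length 73
12:35:10.080353 IP 555.555.555.555.41416 > www.domain.com.upnotifyp: Flags [.], ack 544, win 1020, length 0
12:35:10.080377 IP www.domain.com.upnotifyp > 555.555.555.555.41416: Flags [P.], seq 544:846, ack 1, win 238, length 302
12:35:10.230632 IP 555.555.555.555.41416 > www.domain.com.upnotifyp: Flags [.], ack 846, win 1026, length 0
12:35:12.682388 IP www.domain.com.upnotifyp > 555.555.555.555.41416: Flags [P.], seq 846:921, ack 1, win 238, length 75
12:35:12.815299 IP 555.555.555.555.41416 > www.domain.com.upnotifyp: Flags [.], ack 921, win 1025, length 0
12:35:12.815326 IP www.domain.com.upnotifyp > 555.555.555.555.41416: Flags [P.], seq 921:1615, ack 1, win 238, length 694
12:35:12.955656 IP 555.555.555.555.41416 > www.domain.com.upnotifyp: Flags [.], ack 1615, win 1023, length 0
12:35:19.552482 IP www.domain.com.upnotifyp > 555.555.555.555.41416: Flags [P.], seq 1615:1693, ack 1, win 238, length 78
12:35:19.705770 IP 555.555.555.555.41416 > www.domain.com.upnotifyp: Flags [.], ack 1693, win 1022, length 0
12:35:19.705813 IP www.domain.com.upnotifyp > 555.555.555.555.41416: Flags [P.], seq 1693:2083, ack 1, win 238, length 390
12:35:19.850124 IP 555.555.555.555.41416 > www.domain.com.upnotifyp: Flags [.], ack 2083, win 1021, length 0
^C782 packets captured
EOF
)

printf '%s\n' "$SAMPLE_CAPTURE" | summarize_peer 555.555.555.555
```

On the posted capture this reports eight packets each way, 2083 payload bytes from the server and none from her side (pure ACKs), i.e. the server is pushing data and she is acknowledging it, which is the "two-way" case the reply below comments on. When the verdict is "received-but-no-reply" while the firewall is up, the next things to look at are the per-rule counters in `iptables -L -n -v` (the DROP or REJECT rule whose counters climb as she retries is the culprit) and whether her address is also covered by a broader rule or set that the trusted-zone listing does not show.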

Seeing as the traffic is two-way, I guess the firewall is mangling it, but I don’t use it, so I will have to leave this to others who do.

good luck
