Astaro User Bulletin Board
Closed Forums (read only) > ASG V7.500 BETA (closed)

  #11 (permalink)  
Old 07-02-2009, 12:55 PM
Wizard
 
Join Date: Dec 2006
Posts: 653
Default

Could you please tell us which OS you are using and in which SP state? Further, we need the version of your browser and an example URL to reproduce it.

Greetings
Andreas
  #12 (permalink)  
Old 07-02-2009, 11:07 PM
Super Moderator
 
Join Date: Feb 2009
Location: In a galaxy far far away
Posts: 857
Default

I am still facing the same issue. The Vista client can connect to the Vista box and the connection is not appearing in the http log.
__________________

Running Astaro ASG virtual appliance | Home power user 100 IP license
Intel Dual Core 2.4GHz (800MHz) | 4GB (2 x 2GB) PC2-6400 800Mhz 5-5-5-18 | WD 160GB |3 x Intel Pro/1000
  #13 (permalink)  
Old 07-03-2009, 12:05 AM
Billybob's Avatar
Wizard
 
Join Date: Jul 2006
Location: United States
Posts: 637
Default

Could you please break it down for us? What media server are you running and which client are you using to connect?
As you have noticed https proxy is not behaving as it should (I have a whole thread on it somewhere). I now have a packet filter rule that allows https access via packet filter since I don't like installing a million certificates at home for https proxy for ssl traffic.

Try connecting multiple times to the server and include a longer log for http and packet filter if anything is being dropped.
Thanks.
  #14 (permalink)  
Old 07-03-2009, 12:17 AM
Super Moderator
 
Join Date: Feb 2009
Location: In a galaxy far far away
Posts: 857
Default

I have a client that is running xp home. The media center is on vista. When the user tries to connect to that box via \\172.16.1.2 (start>>run) I am getting the output on the http log (above posts). When another client with a vista box does exactly the same, he is able to connect and no relevant entries exist in the log.

I didn't have that issue on v7.404. I am pretty sure that it's related to the http proxy since I can see the relevant pf allowing the traffic.
Not sure if it will help, but as the xp home client tries to connect I can see the relevant blocks on astaro.

XP home and vista clients are zone 1 (192.168.x.x)
media box (vista) is on the DMZ (172.16.1.x)
traffic is allowed from zone 1 to DMZ

Strangely enough, the connection was made and 2 minutes later I saw the relevant entry that it was blocked
Code:
2009:07:03-00:18:04 stuffman httpproxy[7574]: [0xb0b49c98] sc_categorize_url (scr_scanner.c:940) no categorization received for url: http://www.astaro.org/ajax.php?do=quickedit&p=115845 
2009:07:03-00:18:16 stuffman httpproxy[7574]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.2.31" user="wingman" statuscode="200" cached="0" profile="REF_TJkZFLrkmc (Zone 1 Proxy filter)" filteraction="REF_KvAnposSQm (Zone 1 Filter)" size="13961" time="3369 ms" request="0xb0be30b0" url="http://www.astaro.org/editpost.php?do=editpost&postid=115845" exceptions="" error="" category="165" reputation="neutral" categoryname="Technical/Business Forums" content-type="text/html" 
2009:07:03-00:18:20 stuffman httpproxy[7574]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="POST" srcip="192.168.2.31" user="wingman" statuscode="500" cached="0" profile="REF_TJkZFLrkmc (Zone 1 Proxy filter)" filteraction="REF_KvAnposSQm (Zone 1 Filter)" size="2219" time="12447 ms" request="0xb0b49c98" url="http://www.astaro.org/ajax.php?do=quickedit&p=115845" exceptions="" error="" reputation="neutral" category="165" reputation="neutral" categoryname="Technical/Business Forums" content-type="text/xml" 
....
2009:07:03-00:20:18 stuffman httpproxy[7574]: [0xb0b49c98] send_request_headers (request.c:171) write: Connection refused 
2009:07:03-00:20:18 stuffman httpproxy[7574]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="OPTIONS" srcip="192.168.2.31" user="wingman" statuscode="502" cached="0" profile="REF_TJkZFLrkmc (Zone 1 Proxy filter)" filteraction="REF_KvAnposSQm (Zone 1 Filter)" size="2135" time="2 ms" request="0xb0b49c98" url="http://172.16.1.2/" exceptions="" error="" category="9998" reputation="neutral" categoryname="Uncategorized" 
2009:07:03-00:20:41 stuffman httpproxy[7574]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.
Let me know if you still require me to provide the logs from the pf and http
Thanks

Last edited by wingman; 07-03-2009 at 12:22 AM.
  #15 (permalink)  
Old 07-03-2009, 12:21 AM
Billybob's Avatar
Wizard
 
Join Date: Jul 2006
Location: United States
Posts: 637
Default

Quote:
\\172.16.1.2 (start>>run)
Isn't that covered under netbios? Where does http proxy get involved?

Edit: I get it, you are saying logs are being generated although you are connecting via netbios windows shares. Hence the whole title, "connection refused on shared resources". This is only on the xp machine?

Last edited by Billybob; 07-03-2009 at 12:23 AM.
  #16 (permalink)  
Old 07-03-2009, 12:23 AM
Super Moderator
 
Join Date: Feb 2009
Location: In a galaxy far far away
Posts: 857
Default

Yes it is! That's why I am saying there is something wrong. The pf rules have the netbios ports and I can see the traffic logged and permitted. How is HTTP proxy involved?
  #17 (permalink)  
Old 07-03-2009, 12:55 AM
Billybob's Avatar
Wizard
 
Join Date: Jul 2006
Location: United States
Posts: 637
Default

Ok, I can confirm this. I have my exchange server running on DMZ, called postmaster. I have blocked all traffic to dmz by a reject rule (see screenshots). When I type start-->run-->\\postmaster, the http proxy catches that traffic and I get this in my http proxy logs:
Quote:
2009:07:02-18:36:17 gatekeeper httpproxy[6917]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="OPTIONS" srcip="192.168.0.2" user="" statuscode="502" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="2089" time="1 ms" request="0xb0d318f0" url="http://postmaster/" exceptions="" error="" category="9998" reputation="neutral" categoryname="Uncategorized"
I have attached a screenshot of my http proxy setup also. It doesn't matter if dmz is included or not included in the allowed networks. It speeds up the error generation a little if you add dmz to the allowed networks in http proxy. Something is very wrong with the built-in netfilter rules. Will try to browse through them and see if I can find the culprit (although I do like keeping some hair on my head. I hate reading iptables rules).
Attached Images
File Type: jpg rule.jpg (12.9 KB, 7 views)
File Type: jpg proxy.jpg (61.7 KB, 6 views)
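The pattern both posters logged (a blocked `OPTIONS` request for the bare root of an internal host, coming from a client that only opened a `\\host` share) can be pulled out of an httpproxy log mechanically. The following is an added example, not part of the thread or of Astaro's tooling; the function names and the "internal host" heuristic are assumptions, and the sample lines are trimmed copies of the entries quoted above.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample: trimmed copies of httpproxy lines quoted in this thread.
SAMPLE_LOG = '''\
2009:07:03-00:18:16 stuffman httpproxy[7574]: id="0001" name="http access" action="pass" method="GET" srcip="192.168.2.31" statuscode="200" url="http://www.astaro.org/editpost.php?do=editpost&postid=115845" content-type="text/html"
2009:07:03-00:20:18 stuffman httpproxy[7574]: [0xb0b49c98] send_request_headers (request.c:171) write: Connection refused
2009:07:03-00:20:18 stuffman httpproxy[7574]: id="0002" name="web request blocked" action="block" method="OPTIONS" srcip="192.168.2.31" statuscode="502" url="http://172.16.1.2/" categoryname="Uncategorized"
2009:07:02-18:36:17 gatekeeper httpproxy[6917]: id="0002" name="web request blocked" action="block" method="OPTIONS" srcip="192.168.0.2" statuscode="502" url="http://postmaster/" categoryname="Uncategorized"
'''

KV = re.compile(r'([\w-]+)="([^"]*)"')  # key="value" pairs, e.g. content-type="text/html"

def parse_line(line):
    """Return (timestamp, fields) for a structured httpproxy line, else None."""
    head, sep, rest = line.partition(" httpproxy[")
    fields = dict(KV.findall(rest))
    if not sep or "id" not in fields:   # skips debug lines such as send_request_headers
        return None
    return head.split()[0], fields

def is_internal_host(host):
    """Assumed heuristic: private IP literal or single-label (NetBIOS-style) name."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return "." not in host

def share_probes(log_text):
    """List (timestamp, srcip, host, statuscode) for blocked OPTIONS to an internal root URL."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, f = parsed
        url = urlsplit(f.get("url", ""))
        if (f.get("method") == "OPTIONS" and f.get("action") == "block"
                and url.path in ("", "/") and url.hostname
                and is_internal_host(url.hostname)):
            hits.append((ts, f.get("srcip"), url.hostname, f.get("statuscode")))
    return hits

if __name__ == "__main__":
    for hit in share_probes(SAMPLE_LOG):
        print(*hit)
```

Correlating the returned source IPs and timestamps with the packet filter and IPS logs shows whether the proxy entry coincides with a dropped share connection, which is the comparison the posters do by hand.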
  #18 (permalink)  
Old 07-03-2009, 06:05 AM
Billybob's Avatar
Wizard
 
Join Date: Jul 2006
Location: United States
Posts: 637
Default

Ok found the problem. Probably the first place I should have looked. Since I tested with an all block rule, my IPS wasn't generating any errors but in your case IPS is blocking traffic which is causing xp to hang following requests to the share on dmz. Disable IPS to verify.

It still doesn't explain the traffic to port 80 but with all the service packs etc on xp, when you type \\servername it might be trying //servername after a while just to make sure you didn't make a mistake

Looking at the logs
sid="529" NETBIOS DCERPC NCACN-IP-TCP srvsvc NetrShareEnum null policy handle attempt
sid="466" ICMP L3retriever Ping
  #19 (permalink)  
Old 07-03-2009, 07:44 AM
Wizard
 
Join Date: Dec 2006
Posts: 653
Default

Hi together,

just for clarification :-)

with vista all is working in the correct way and with xp sid="529" NETBIOS DCERPC NCACN-IP-TCP srvsvc NetrShareEnum null policy handle attempt and sid="466" ICMP L3retriever Ping have a false positive and are blocking this traffic?

Greetings
Andreas
  #20 (permalink)  
Old 07-03-2009, 12:10 PM
Super Moderator
 
Join Date: Feb 2009
Location: In a galaxy far far away
Posts: 857
Default

Quote:
Originally Posted by Billybob
Ok found the problem. Probably the first place I should have looked. Since I tested with an all block rule, my IPS wasn't generating any errors but in your case IPS is blocking traffic which is causing xp to hang following requests to the share on dmz. Disable IPS to verify.

It still doesn't explain the traffic to port 80 but with all the service packs etc on xp, when you type \\servername it might be trying //servername after a while just to make sure you didn't make a mistake

Looking at the logs
sid="529" NETBIOS DCERPC NCACN-IP-TCP srvsvc NetrShareEnum null policy handle attempt
sid="466" ICMP L3retriever Ping

I will test today (disable IPS) and let you know. The media box is running vista with SP2.

All times are GMT.