PF Does FreeBSD distinguish http and ws protocols?

Why did this question come up? Because if I set up a web server supporting websocket on any port other than 80, the websocket connection works fine. However, if I set the server on port 80, the websocket connection gets dropped, but http works fine. Any ideas why?
Code:
/192.168.50.121:80 - - [04/Jul/2023:19:10:51 -0700] "GET /webfolder/terminal/var%2Flog%2Ftjws HTTP/1.1" 101 0 - -
/192.168.50.121:80 - - [04/Jul/2023:19:10:53 -0700] "GET /webfolder/terminal/var%2Flog%2Ftjws HTTP/1.1" 101 0 - -
/192.168.50.121:80 - - [04/Jul/2023:19:10:54 -0700] "GET /webfolder/terminal/var%2Flog%2Ftjws HTTP/1.1" 101 0 - -
/192.168.50.121:80 - - [04/Jul/2023:19:10:56 -0700] "GET /webfolder/terminal/var%2Flog%2Ftjws HTTP/1.1" 101 0 - -
/192.168.50.121:80 - - [04/Jul/2023:19:10:58 -0700] "GET /webfolder/terminal/var%2Flog%2Ftjws HTTP/1.1" 101 0 - -
/192.168.50.121:80 - - [04/Jul/2023:19:10:59 -0700] "GET /webfolder/terminal/var%2Flog%2Ftjws HTTP/1.1" 101 0 - -
/192.168.50.121:80 - - [04/Jul/2023:19:11:01 -0700] "GET /webfolder/terminal/var%2Flog%2Ftjws HTTP/1.1" 101 0 - -
But if the port is 8000, the first request to switch protocol comes through and websocket works fine.
 
Just to clarify, using another port:
Code:
/192.168.50.118:8000 - - [04/Jul/2023:20:07:40 -0700] "GET /webfolder/terminal/var%2Flog%2Ftjws HTTP/1.1" 101 0 - -
/192.168.50.118:8000 - - [04/Jul/2023:20:08:13 -0700] "GET /webfolder/webapp/Folder%2Fvar%2Flog%2Ftjws HTTP/1.1" 200 21,751 - -
You can see that there are no reattempts to establish a ws connection, and other web server requests come through.
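As an added illustration (not code from the thread or from the web server used in it), here is a small Python check that parses access-log lines in the format shown above and flags a listener where a client keeps completing the 101 upgrade every couple of seconds, which is the reconnect loop seen on port 80 but not on port 8000; the window and threshold are assumptions chosen for this sample.

```python
import re
from collections import defaultdict
from datetime import datetime

# Access-log layout as it appears in the thread:
# /<listener-ip>:<port> - - [dd/Mon/yyyy:HH:MM:SS zzzz] "METHOD PATH HTTP/1.1" STATUS SIZE - -
LOG_RE = re.compile(
    r'^/(?P<listener>[\d.]+:\d+) - - \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"listener": m.group("listener"), "ts": ts,
            "path": m.group("path"), "status": int(m.group("status"))}

def upgrade_loops(lines, window_s=30, min_upgrades=3):
    """Map (listener, path) -> number of HTTP 101 upgrades seen inside any
    window_s-second span, for endpoints reaching min_upgrades or more.
    A healthy WebSocket client upgrades once and stays connected; a burst of
    101s means the upgraded connection is being torn down right after the
    handshake somewhere on the path (the symptom described in the thread)."""
    upgrades = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 101:
            upgrades[(rec["listener"], rec["path"])].append(rec["ts"])
    flagged = {}
    for key, stamps in upgrades.items():
        stamps.sort()
        best, start = 0, 0
        # sliding window over the sorted timestamps
        for end in range(len(stamps)):
            while (stamps[end] - stamps[start]).total_seconds() > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_upgrades:
            flagged[key] = best
    return flagged

# Sample input copied from the two log excerpts posted in the thread.
PORT80_LOG = [
    '/192.168.50.121:80 - - [04/Jul/2023:19:10:%02d -0700] "GET /webfolder/terminal/var%%2Flog%%2Ftjws HTTP/1.1" 101 0 - -' % s
    for s in (51, 53, 54, 56, 58, 59)
] + ['/192.168.50.121:80 - - [04/Jul/2023:19:11:01 -0700] "GET /webfolder/terminal/var%2Flog%2Ftjws HTTP/1.1" 101 0 - -']
PORT8000_LOG = [
    '/192.168.50.118:8000 - - [04/Jul/2023:20:07:40 -0700] "GET /webfolder/terminal/var%2Flog%2Ftjws HTTP/1.1" 101 0 - -',
    '/192.168.50.118:8000 - - [04/Jul/2023:20:08:13 -0700] "GET /webfolder/webapp/Folder%2Fvar%2Flog%2Ftjws HTTP/1.1" 200 21,751 - -',
]
```

Running `upgrade_loops(PORT80_LOG)` reports seven upgrades on the port-80 listener within the window, while `upgrade_loops(PORT8000_LOG)` returns nothing.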
 
What does this have to do with PF? PF is a packet filter, it doesn't care about protocols.
 
No-one but you knows what is running on your FreeBSD machine(s). Any proxies, firewalls, load-balancers? Presumably a web server - which one?

Traffic from a networked machine or is localhost only?
 
One addition could make sense: the problem appears on port 80 when the server runs as a service, manually or at boot time. Again, it works fine for http requests, only websocket gets blocked.
 
After some investigation I could conclude that the problem resides in the router firewall. If something changes, then I will update you.
 
I've resolved the problem, you can close and delete the thread.
You may mark it as solved.
Closing a thread is unproductive, as it does not allow you or others to add to it in the coming months/years should things change.
Deleting it will make users with the problem not find it, thus forcing them to repeat all this. That would not be a nice move. So those are two things that are not going to happen.
 
After some investigation I could conclude that the problem resides in the router firewall. If something changes, then I will update you.
This is common, and users might not be aware of it at first: any router / firewall with a web interface open is going to "hijack" (for lack of a better word) any connections on port 80. If it has a web interface open on https it is also going to "hijack" port 443. Now you know.
(Be aware that having an open web interface on the WAN side of your router / firewall increases the possible attack surface. Turn it off if you don't need it.)
 
(Be aware that having an open web interface on the WAN side of your router / firewall increases the possible attack surface. Turn it off if you don't need it.)
Yeah, you'd be surprised how many SOHO modem/routers have this enabled by default :rolleyes:
 
This is common, and users might not be aware of it at first: any router / firewall with a web interface open is going to "hijack" (for lack of a better word) any connections on port 80. If it has a web interface open on https it is also going to "hijack" port 443. Now you know.
(Be aware that having an open web interface on the WAN side of your router / firewall increases the possible attack surface. Turn it off if you don't need it.)
Now that doesn't make sense... any connection request would specify an IP address like 192.168.1.x... SOHO modem/routers usually have 192.168.1.1 as an IP address, and the OP has 192.168.50.121 as the server's IP... so 'stealing a connection' meant for a different IP address is not very plausible... :rolleyes:
 
You think that the web request comes from the inside. Well, normally, it comes from the internet, and there the router / firewall sits like a man in the middle and intercepts all traffic...
 