I'm having a problem with a curl access in PHP being blocked by my pf firewall. While there are also some curl settings problems, that's for another post another day. For now, in curl I've turned off the SSL_VERIFYPEER and SSL_VERIFYHOST to help narrow down the problems.
I made a test program that just does the curl access to the U.S. Department of Interior server to get the elevation for a passed latitude and longitude. I had to block IPv6 because that site now tries to connect to an IPv6 server 1st, then the V4 if those fail. Regrettably, the two ISPs in my area (Spectrum and Brightspeed) only provide IPv4. No IPv6. It's the dark ages in my neck of the woods.
When I run my test program with the PF on, I see:
Code:
# php testUsgs.php
Going to net for lat=36.0576, long=-79.119
* Host epqs.nationalmap.gov:443 was resolved.
* IPv6: (none)
* IPv4: 3.167.112.15, 3.167.112.8, 3.167.112.103, 3.167.112.59
* Trying 3.167.112.15:443...
It never connects, hangs, then times out. If I turn off the packet filter (service pf stop), I can connect and see this:
Code:
# php testUsgs.php
Going to net for lat=36.0576, long=-79.119
* Host epqs.nationalmap.gov:443 was resolved.
* IPv6: (none)
* IPv4: 3.167.112.59, 3.167.112.103, 3.167.112.15, 3.167.112.8
* Trying 3.167.112.59:443...
* ALPN: curl offers h2,http/1.1
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256 / X25519 / RSASSA-PSS
* ALPN: server accepted h2
* Server certificate:
* subject: C=US; ST=Virginia; L=Reston; O=U.S. Geological Survey; CN=*.nationalmap.gov
* start date: Jun 21 00:00:00 2025 GMT
* expire date: Jul 16 23:59:59 2026 GMT
* issuer: C=US; O=DigiCert Inc; CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1
* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Certificate level 0: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
* Certificate level 1: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
* Connected to epqs.nationalmap.gov (3.167.112.59) port 443
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://epqs.nationalmap.gov/v1/json?x=-79.119&y=36.0576&units=Meters/
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: epqs.nationalmap.gov]
* [HTTP/2] [1] [:path: /v1/json?x=-79.119&y=36.0576&units=Meters/]
* [HTTP/2] [1] [user-agent: curl/8.14.1 (FreeBSD 14.1)]
* [HTTP/2] [1] [accept: application/json]
* [HTTP/2] [1] [accept-language: en-US,en;q=0.9]
* [HTTP/2] [1] [cache-control: max-age=0]
* [HTTP/2] [1] [upgrade-insecure-requests: 1]
> GET /v1/json?x=-79.119&y=36.0576&units=Meters/ HTTP/2
Host: epqs.nationalmap.gov
User-Agent: curl/8.14.1 (FreeBSD 14.1)
Accept: application/json
Accept-Language: en-US,en;q=0.9
cache-control: max-age=0
upgrade-insecure-requests: 1
* Request completely sent off
< HTTP/2 200
< content-type: application/json
< content-length: 181
< date: Sat, 06 Sep 2025 01:15:07 GMT
< x-amzn-trace-id: Root=1-68bb8b11-1d642e544520101f497e9fa5;Parent=0c24129099fd1bb6;Sampled=0;Lineage=1:47f15767:0
< x-amzn-requestid: 065156c8-7361-4b29-b3f8-6e714adb4e82
< access-control-allow-origin: *
< x-amz-apigw-id: QdKqvFRAPHcEF-g=
< x-cache: Miss from cloudfront
< via: 1.1 ddba66e53ff633c34296b8e866a481e2.cloudfront.net (CloudFront) <-- at 172.67.74.2
< x-amz-cf-pop: IAD55-P8
< x-amz-cf-id: F3H3HKCpJJJrPvnW3BuxRbW2a1BKH96yUGFGxucZD0_iNeJ8X5UMEg==
<
* shutting down connection #0
Good Reply! Dry run, elevation is 216, connect time=10.316 seconds
Of course there was this little error, which is why SSL stuff is turned off for debugging:
* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
But the request went through and I got an elevation. It looks like it directed to an Amazon cloud site at 172.67.74.2. I can ping that address.
In my pf.conf I have this line:
Code:
table <deptofinterior> = "{137.227.0.0/16, 3.128.0.0/9, 3.167.112.0/24, 18.238.4.0/24 }"
and near the bottom I have:
Code:
pass in quick on $INET from <deptofinterior> to any
Note also that 172.67.74.2 is not in the pf.conf.
The router connected to the modem for the ISP has all the ephemeral TCP ports as pass through to the server. I can ping the 3.167.112.15 address, which never seems to connect if the PF is on. I'm wondering if a connect to that site moves the TCP connection to some other IP address that the PF doesn't like. I've looked at pftop but can't see anything unusual. I need some way to "catch the pf in the act". Any suggestions on what to look at next would be appreciated. Below I also post the curl part; that's a problem for another day, but it may also be a clue. So it's there just in case. The URL that curl is running is:
https://epqs.nationalmap.gov/v1/json?x=-79.1186&y=36.0581&units=Meters
It always works from a chrome browser on windoze and Mac.
FreeBSD 14.1 curl 8.15.0
- pete
The php curl code:
PHP:
<?php
$url = "https://epqs.nationalmap.gov/v1/json?x=-79.1186&y=36.0581&units=Meters/";
$ch = curl_init();
///// Setting options with an array for simple/common/standard settings ////
$opt = array(CURLOPT_URL => $url,
    CURLOPT_HTTPGET => true,
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_FOLLOWLOCATION => true,
    CURLOPT_IPRESOLVE => CURL_IPRESOLVE_V4, // force only IPv4 connections
    CURLOPT_FORBID_REUSE => true, // don't keep the TCP link open
    CURLOPT_TCP_KEEPALIVE => false,
    CURLOPT_TIMEOUT => 30,
    CURLOPT_CONNECTTIMEOUT => 6,
    CURLOPT_MAXREDIRS => 10,
    CURLOPT_CAPATH => "/usr/local/etc/apache24/ssl/",
    CURLOPT_CAINFO => "/usr/local/etc/apache24/ssl/cacert.pem",
    CURLOPT_USERAGENT => "curl/8.14.1 (FreeBSD 14.1)",
    CURLOPT_SSL_VERIFYPEER => 0, // verification disabled only while debugging
    CURLOPT_SSL_VERIFYHOST => 0,
    CURLOPT_VERBOSE => true
);
// now add custom headers that some sites may want to see //
curl_setopt($ch, CURLOPT_HTTPHEADER, [
    'Accept: application/json',
    'Accept-Language: en-US,en;q=0.9',
    'cache-control: max-age=0',
    'upgrade-insecure-requests: 1'
]);
curl_setopt_array($ch, $opt);
// Execute the request and report transport-level failures (timeout, refused, ...).
// These lines are added to make the snippet complete; the post's excerpt ends at curl_setopt_array.
$result = curl_exec($ch);
if ($result === false) {
    echo "curl error (" . curl_errno($ch) . "): " . curl_error($ch) . "\n";
} else {
    echo $result . "\n";
}
curl_close($ch);
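The post asks for a way to "catch the pf in the act". The usual route on FreeBSD is to add `log` to the block rule in pf.conf, reload, and read the pflog interface with `tcpdump -n -e -ttt -i pflog0` while the PHP test runs. The script below is an added example, not code from the post or from the pf project: it parses a constructed sample of that tcpdump output, counts blocked packets by direction and remote endpoint, and checks each remote address against the `<deptofinterior>` table from the post's pf.conf. The interface name em0, the LAN host 192.168.1.20, the rule numbers and the sample lines themselves are all invented for the example.

```python
import ipaddress
import re
import sys
from collections import Counter

# Address table copied from the post's pf.conf (the <deptofinterior> table).
DEPTOFINTERIOR = [ipaddress.ip_network(c) for c in (
    "137.227.0.0/16", "3.128.0.0/9", "3.167.112.0/24", "18.238.4.0/24")]

# Constructed sample of `tcpdump -n -e -ttt -i pflog0` output; not a real capture.
# Interface em0, LAN host 192.168.1.20 and rule numbers are invented.
SAMPLE_PFLOG = """\
00:00:00.000000 rule 7/0(match): block out on em0: 192.168.1.20.51844 > 3.167.112.15.443: Flags [S], seq 1, win 65535, length 0
00:00:01.001000 rule 7/0(match): block out on em0: 192.168.1.20.51844 > 3.167.112.15.443: Flags [S], seq 1, win 65535, length 0
00:00:00.210000 rule 2/0(match): pass in on em0: 3.167.112.59.443 > 192.168.1.20.51850: Flags [S.], seq 2, ack 2, win 65535, length 0
00:00:00.000400 rule 7/0(match): block in on em0: 172.67.74.2.443 > 192.168.1.20.51902: Flags [S.], seq 3, ack 3, win 65535, length 0
"""

# One pflog line: "rule N/M(reason): ACTION DIR on IFACE: SRC.SPORT > DST.DPORT: Flags [..] ..."
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/\d*\((?P<reason>\w+)\):\s+"
    r"(?P<action>block|pass)\s+(?P<dir>in|out)\s+on\s+(?P<iface>[^\s:]+):\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
    r"(?:\s+Flags \[(?P<flags>[^\]]*)\])?"
)


def parse_pflog(text):
    """Return one dict per line that matches the pflog layout; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = PFLOG_RE.search(line)
        if m is None:
            continue
        e = m.groupdict()
        e["rule"] = int(e["rule"])
        e["sport"] = int(e["sport"])
        e["dport"] = int(e["dport"])
        entries.append(e)
    return entries


def in_table(ip, table=DEPTOFINTERIOR):
    """True if ip falls inside any CIDR of the pf table."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in table)


def summarize_blocks(entries, table=DEPTOFINTERIOR):
    """Count blocked packets keyed by (direction, remote endpoint, segment kind, rule, in-table)."""
    counts = Counter()
    for e in entries:
        if e["action"] != "block":
            continue
        # For an outbound packet the remote side is the destination; for inbound, the source.
        remote = e["dst"] if e["dir"] == "out" else e["src"]
        rport = e["dport"] if e["dir"] == "out" else e["sport"]
        flags = e["flags"] or ""
        if flags == "S":
            kind = "SYN"        # client's connection attempt
        elif flags == "S.":
            kind = "SYN-ACK"    # server's reply to that attempt
        else:
            kind = flags or "other"
        key = (e["dir"], f"{remote}:{rport}", kind, e["rule"], in_table(remote, table))
        counts[key] += 1
    return counts


def report(counts):
    """Render the summary as text, most frequent first."""
    lines = []
    for (direction, remote, kind, rule, listed), n in counts.most_common():
        where = "in <deptofinterior>" if listed else "NOT in <deptofinterior>"
        lines.append(f"{n:4d}x block {direction:3s} {kind:7s} remote={remote:22s} rule {rule}  {where}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Pass a file of real `tcpdump -n -e -ttt -i pflog0` output, or run with no argument for the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PFLOG
    print(report(summarize_blocks(parse_pflog(text))))
```

Reading the summary: a `block out` entry carrying the client's SYN means the outgoing packet itself matched no pass rule, while a `block in` entry on a SYN-ACK means the reply arrived with no state to match it. Which of the two shows up, and whether the remote address sits inside the table, points at the rule to look at; note that the post's `pass in quick on $INET from <deptofinterior> to any` only matches packets arriving on $INET, so a SYN leaving the box is judged by whatever `pass out` rules the ruleset has.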