Problem getting IPFW to allow HTTPS traffic

[Isosceles_CAT]

Hi, I'm having a bit of a problem with IPFW. It seems to be blocking https traffic despite the fact that I have allowed this traffic (as far as I can tell):

I have these rules in place:

$cmd 00200 allow tcp from any to any 80 out via $pif setup keep-state
$cmd 00210 allow tcp from any to any 443 out via $pif setup keep-state

Apache is serving up pages over http(80) without a problem. However, anything over https(443) does not work (unless I do wget from localhost, which leads me to believe this is not an issue of apache configuration.

Additionally, when I attempt to connect via https, the following shows up in my firewall log:

Jul  9 13:12:33 colonel kernel: ipfw: 295 Deny TCP 216.220.40.196:443 216.220.43.124:19378 out via bge0

(216.220.40.196 is the IP of the webserver, and rule 295 is my deny log all)

FWIW, I am running FreeBSD version 9.0-Release.

Can anyone let me know what I am doing wrong? Or suggest any troubleshooting steps?

Thanks kindly in advance.

 

[qsecofr]

I had some keep-state issues that I couldn't resolve except by selectively allowing through established packets. Not sure that's your issue. But if all else fails, maybe keep it in mind.

 

[Ricky]

Does it work fine for http?

 

[dalecosp]

Does putting keep-state after setup make any difference?

 

[Isosceles_CAT]

Thanks kindly for your input!

@dalecosp: I tried your suggestion, but unfortunately it made no difference.

@ricky: Yes, HTTP works fine, which is confusing because the rules are identical, except for the fact that one is for 80 and the other is 443.

@qsecofr: I'm not exactly sure what you mean here. Can you be more specific?

Thanks again for your time

 

[Ricky]

Try to unload ipfw and check if it works
[CMD=""]kldunload ipfw[/CMD]

If it still doesn't work, it has nothing to do with ipfw

If it does, delete everything beyond the 443 port. Then add what you want(out for example) and at the same time check when it stops working. You can reload the ipfw.rules by using this command:
[CMD=""]sh /etc/ipfw.rules[/CMD] (or whatever path you use)

I am a newbie too so I can't help you much more.

 

[qsecofr]

You might want to enable additional logging of the rules in question to help get a sense of the packet flow. In addition you could try a temporary test and incorporate rules to allow established connections that somehow might skirt around the setup and keep-state flags. You'll need to verify for yourself any potential impact of making the rule set more permissive.

$ipfw -q add allow log all from any to any http,https established out via $pif
$ipfw -q add allow log all from any http,https to any established in via $pif

The rules might go somewhere between your check-state and your 200 & 210 lines. (you do have a check-state somewhere above rule 200, I expect)