PF Wordpress and Serendipity maybe being affected by packet filtering

from https://groups.google.com/g/comp.lang.php/c/QKZnFFaeH6E

I am seeing weird errors as follows:

Code:
2022/11/17 21:09:25 [error] 48261#101347: *432718 FastCGI sent in stderr: "PHP message: PHP Warning: An unexpected error occurred. Something may be wrong with WordPress.org or this server’s configuration. If you continue to have problems, please try the <a href="https://wordpress.org/support/forums/">support forums</a>. (WordPress could not establish a secure connection to WordPress.org. Please contact your server administrator.) in /usr/home/klint/html/wp-admin/includes/plugin-install.php on line 183" while reading upstream, client: 75.156.190.254, server: performanceplanning.ca, request: "GET /wp-admin/plugin-install.php HTTP/3.0", upstream: "fastcgi://unix:/var/run/php-fpm.sock:", referrer: "https://klint.ca/wp-admin/plugins.php"

and
Code:
2022/11/17 22:02:01 [error] 61870#100691: *77 FastCGI sent in stderr: "PHP message: PHP Fatal error: Uncaught Error: Call to a member function getStatus() on null in /usr/home/doctor/html/blog/serendipity/plugins/serendipity_event_spartacus/serendipity_event_spartacus.php:458
#0 /usr/home/doctor/html/blog/serendipity/plugins/serendipity_event_spartacus/serendipity_event_spartacus.php(641): serendipity_event_spartacus->fetchfile('https://raw.git...', '/usr/home/docto...', 43200, true)
#1 /usr/home/doctor/html/blog/serendipity/plugins/serendipity_event_spartacus/serendipity_event_spartacus.php(1302): serendipity_event_spartacus->fetchOnline('sidebar')
#2 /usr/home/doctor/html/blog/serendipity/include/plugin_api.inc.php(1184): serendipity_event_spartacus->event_hook('backend_plugins...', Object(serendipity_property_bag), Array, NULL)
#3 /usr/home/doctor/html/blog/serendipity/include/admin/plugins.inc.php(160): serendipity_plugin_api::hook_event('backend_plugins...', Array)
#4 /usr/home/doctor/html/blog/serendipity/serendipity_admin.php(127): include('/usr/home/docto...')
thrown in /usr/home/doctor/html/blog/serendipity/plugins/serendipity_event_spartacus/serendipity_event_spartacus.php on line 458" while reading response header from upstream, client: 75.156.190.254, server: www.nk.ca, request: "GET /~doctor/blog/serendipity/serendipity_admin.php?serendipity[adminModule]=plugins&serendipity[adminAction]=addnew&serendipity[only_group]=UPGRADE&serendipity[token]=4baa76c4e646fa57664731401fd12b70 HTTP/3.0", upstream: "fastcgi://unix:/var/run/php-fpm.sock:", referrer: "https://www.nk.ca/~doctor/blog/serendipity/serendipity_admin.php?serendipity[adminModule]=plugins"
I did the following tests:

host wordpress.org
wordpress.org has address 198.143.164.252
wordpress.org mail is handled by 10 mail.wordpress.org.


The Doctor
06:56
In article <jtufva...@mid.individual.net>,
J.O. Aho <us...@example.net> wrote:
>On 20/11/2022 03.51, The Doctor wrote:
>> Arno Welzel <use...@arnowelzel.de> wrote:
>
>>> Looks like Serendipity tries to install or update a WordPress plugin and
>>> your "nginx on FreeBSD with packet filtering" prohibits the connection.
>>>
>>
>> How do we test if this is the case?
>
>First see if you can resolve the domain name to an ip on the machine
>
>host wordpress.org

wordpress.org has address 198.143.164.252
wordpress.org mail is handled by 10 mail.wordpress.org.

>
>also check if you can connect to it
>
>wget -S https://wordpress.org
>

wget -v -v -v -v -v -v -v -v -v -v -S https://wordpress.org
--2022-11-20 06:54:04-- https://wordpress.org/
Resolving wordpress.org (wordpress.org)... 198.143.164.252
Connecting to wordpress.org (wordpress.org)|198.143.164.252|:443... failed: Operation timed out.
Retrying.

--2022-11-20 06:55:20-- (try: 2) https://wordpress.org/
Connecting to wordpress.org (wordpress.org)|198.143.164.252|:443...

tcptraceroute wordpress.org
Selected device igb0, address 204.209.81.1, port 58686 for outgoing packets
Tracing the path to wordpress.org (198.143.164.252) on TCP port 80 (http), 30 hops max
1 * * *
2 * * *
3 * * *
4 * * *
5 * * *

And the pf.conf looks like
Code:
## Set your public interface ##
ext_if="igb0"
##Internal bridge for virtually hosted machines
int_if="bridge0"
## Set your server public IP address ##
ext_if_ip="public IP to the world"
int_if_ip="Virtual bridge IP"
#vpn interface
vpn_if="tun0"
vpn_net="10.8.0.0/16"
#vpn interface
tcpvpn_if="tun1"
tcpvpn_net="10.9.0.0/16"
#vpn interface
pptpvpn_if="pptptun0"
pptpvpn_net="10.10.0.0/16"
wgvpn_if="wg0"
wgvpn_net="10.14.0.0/16"
#Proxy for FTP
proxy="127.0.0.1"
proxyport="8021"
#All virtual machines go here!
sl="IP for VM 1"
fedora="IP for VM 2"
centos="IP for VM 3"
debian="IP for VM 4"
centos8="IP for VM 5"
ubuntu="IP for VM 6"
win2019="IP for VM 7"
kali="IP for VM 8"
oracle="IP for VM 9"
aaron="IP for VM 10"
ssh_port = "22"
#In case you need a whole group
vhosts =" { All 9 Ips with VMs }"
## Set and drop these IP ranges on public interface and any other troublemakers ##

martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
       10.0.0.0/13,10.15.0.0/16,10.16.0.0/12,10.32.0.0/11,10.64.0.0/10,10.128.0.0/9, \
        169.254.0.0/16, 192.0.2.0/24, \
       0.0.0.0/8, 240.0.0.0/4, 185.162.235.0/24, \
       87.145.0.0/16 }"
## Set http(80)/https (443) port here and other ports that need accessing ##
webports = "{http, https,119,561,110,143,993,995,20,21,23,79,25,465,587,53,513,783,2228,3310,36941,3128,69,10000,20000,43,63,4321,1701,500,4500,5555,1723,47,9090,8000:8100,8443,51820,5900:5999,49150:61000}"
# Radius
radiusports = "{1645,1646,1812,1813 }"

# --- pptp server ---
PPTP_SERVER = "IP of server"

# --- pptp services ---
PPTP_SERVICES = "{ 1723 47 }"

## enable these services ##
int_tcp_services = "{domain, ntp, smtp,nntp, smtps,submission, www, https,20, ftp, ssh,openvpn,110,143,636,993,995,443,561,783,2228,3310,7500,10000,20000,43,63,4321,36941,3128,1701,500,4500,5555,1723,47,980,9090,8000:8100,5900:5999,23,8443,51820,49150:61000}"
int_udp_services = "{domain, ntp,69,openvpn}"
int_radius_services = "{1645,1646,1812,1813 }"

table <allowed> { 10.0.0.0/8 }
 
## Skip loop back interface - Skip all PF processing on interface bridge and virtual hosts  ##
set skip on lo
set skip on wg
set skip on wg0
set skip on ng
set skip on ng0
set skip on ng1
set skip on ng2
set skip on ng3
set skip on ng4
set skip on ng5
set skip on ng6
set skip on ng7
set skip on ng8
set skip on ng9
set skip on ng10
set skip on ng11
set skip on ng12

set skip on ng13
set skip on ng14
set skip on ng15
set skip on tun
set skip on tun0
set skip on tun1
set skip on bridge0
set skip on tap0
set skip on tap1
set skip on tap2
set skip on tap3
set skip on tap4
set skip on tap5
set skip on tap6
set skip on tap7
set skip on tap8
set skip on tap9
set skip on tap10
set skip on tap11
set skip on tap12
set skip on tap13
set skip on tap14
set skip on tap15

set block-policy return
 
## Sets the interface for which PF should gather statistics such as bytes in/out and packets passed/blocked ##
set loginterface $ext_if
set fingerprints "/etc/pf.os" 

# Deal with attacks based on incorrect handling of packet fragments 
scrub in all

###################  TRANSLATION #############

#### NAT and RDR start
nat on ! $vpn_if from $vpn_net to any -> $ext_if_ip
nat on ! $tcpvpn_if from $vpn_net to any -> $ext_if_ip
nat on ! $pptpvpn_if from $pptpvpn_net to any -> $ext_if_ip
nat on ! $wgvpn_if from $wgvpn_net to any -> $ext_if_ip
nat on $ext_if from $int_if to any -> ($ext_if)
nat on $int_if from $sl to any -> ($int_if)
nat on $int_if from $fedora to any -> ($int_if)
nat on $int_if from $centos to any -> ($int_if)
nat on $int_if from $debian to any -> ($int_if)
nat on $int_if from $centos8 to any -> ($int_if)
nat on $int_if from $ubuntu to any -> ($int_if)
nat on $int_if from $win2019 to any -> ($int_if)
nat on $int_if from $kali to any -> ($int_if)
nat on $int_if from $oracle to any -> ($int_if)
nat on $int_if from $aaron to any -> ($int_if)
nat on $int_if from $vpn_net to any -> ($int_if)
nat on $ext_if inet from $vpn_net to any ->$ext_if 
nat on $ext_if from $vpn_net to any ->$ext_if 
#nat on $ext_if from <allowed> to any -> $ext_if_ip

## Please note: for virtual machines you are passing the packets via the
## virtual switch, so treat it as machine (tap) into switch (bridge) into
## your machine acting as the host (exit)

nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
 
# Redirect ftp traffic to proxy
rdr pass proto tcp from any to any port ftp -> $proxy port $proxyport
P_SERVER

## Set default policy ##
block return in log all
block out all

#block in
#pass in on $ext_if inet from $vpn_net to any -> $ext_if

# We need to have an anchor for ftp-proxy
anchor "ftp-proxy/*"
pass out proto tcp from $proxy to any port 20
pass out proto tcp from $proxy to any port 21
pass out on $ext_if inet proto {tcp, udp} from $ext_if to any port ftp:ftp-proxy
pass in on egress proto tcp to port 21
pass in on egress proto tcp to port 20
pass in on egress proto tcp to port > 19151
pass out quick on egress inet proto tcp from any to 204.209.81.1 flags S/SA
pass out quick on egress inet proto tcp from any to 204.209.81.3 flags S/SA

#set up virtual switch


pass in quick on bridge0 all
pass quick on tap0 all 
pass quick on tap1 all 
pass quick on tap2 all 
pass quick on tap3 all 
pass quick on tap4 all 
pass quick on tap5 all 
pass quick on tap6 all 
pass quick on tap7 all 
pass quick on tap8 all 
pass quick on tap9 all 
pass quick on tap10 all 
pass quick on tap11 all 
pass quick on tap12 all 
pass quick on tap13 all 
pass quick on tap14 all 
pass quick on tap15 all 
pass quick on tun0 all
pass quick on wg0 all
pass quick on ng0 all
pass quick on ng1 all
pass quick on ng2 all
pass quick on ng2 all
pass quick on ng3 all
pass quick on ng4 all
pass quick on ng5 all
pass quick on ng6 all
pass quick on ng7 all
pass quick on ng8 all
pass quick on ng9 all
# Drop all Non-Routable Addresses 
block drop in quick on $ext_if from $martians to any
block drop out quick on $ext_if from any to $martians
block drop in quick on $vhosts from $martians to any
block drop out quick on $vhosts from any to $martians
 
## Blocking spoofed packets
antispoof quick for $ext_if
antispoof quick for $vhosts
 
# Open SSH port which is listening on port 22 from VPN 139.xx.yy.zz Ip only
# I do not allow or accept ssh traffic from ALL for security reasons 
#pass in quick on $ext_if inet proto tcp from 204.209.81.0/24 to $ext_if_ip port = ssh flags S/SA keep state label "USER_RULE: Allow SSH from 139.xxx.yyy.zzz"
## Use the following rule to enable ssh for ALL users from any IP address #
## pass in inet proto tcp to $ext_if port ssh
### [ OR ] ###
pass in inet proto tcp to $ext_if_ip port 22 
pass in inet proto tcp to $vhosts port 22 
pass in inet proto tcp to $ext_if_ip port 2228 
pass in inet proto tcp to $vhosts port 2228 

pass in quick on $int_if inet from <allowed> to any keep state
pass out quick on $int_if inet from any to any keep state

# Allow Ping-Pong stuff. Be a good sysadmin 
icmp_types = "{ echoreq, unreach }"
pass inet proto icmp all icmp-type $icmp_types keep state
# allow out the default range for traceroute(8):
pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state
pass out on $int_if inet proto udp from any to any port 33433 >< 33626 keep state
pass out on $vhosts inet proto udp from any to any port 33433 >< 33626 keep state
  
# All access to our Nginx/Apache/Lighttpd Webserver and other ports 
pass proto tcp from any to $ext_if port $webports
pass proto udp from any to $ext_if port $webports
pass proto udp from any to $ext_if port $radiusports
pass proto tcp from any to $vhosts port $webports
pass proto udp from any to $vhosts port $webports

 
# Allow essential outgoing traffic 
pass out quick on $ext_if proto tcp to any port $int_tcp_services
pass out quick on $ext_if proto udp to any port $int_udp_services
pass out quick on $ext_if proto udp to any port $int_radius_services
pass out quick on $vhosts proto tcp to any port $int_tcp_services
pass out quick on $vhosts proto udp to any port $int_udp_services
pass in proto tcp from any to any port 53
pass in proto udp from any to any port 53
#pass in  $vpn_if from any to any
pass in quick proto udp from any to any port 1194 
 
pass out proto tcp from any to any port 53
pass out proto udp from any to any port 53

pass in quick proto esp from any to any 
pass in quick proto ah from any to any 
pass in quick proto ipencap from any to any 
pass in quick proto udp from any to any port 500
# pass in quick on gif0 from any to any
pass out quick proto esp from any to any 
pass out quick proto ah from any to any 
pass out quick proto ipencap from any to any 
pass out quick proto udp from any to any port 500
# pass out quick on gif0 from any to any
pass in quick on $ext_if inet proto { tcp udp } from any to $PPTP_SERVER port $PPTP_SERVICES keep state

pass out quick on $ext_if inet from any to any keep state

#For radius make certain for older systems port 1645 and current 1812
pass in log quick on $ext_if proto tcp from any to any port = 1645 flags S/SA keep state
pass in log quick on $ext_if proto udp from any to any port = 1645 keep state
pass in log quick on $ext_if proto tcp from any to any port = 1812 flags S/SA keep state
pass in log quick on $ext_if proto udp from any to any port = 1812 keep state
pass out quick all flags S/SA keep state

pass in quick proto ah from any to any 
pass in quick proto ipencap from any to any 
pass in quick proto udp from any to any port 500
# pass in quick on gif0 from any to any
pass out quick proto esp from any to any 
pass out quick proto ah from any to any 
pass out quick proto ipencap from any to any 
pass out quick proto udp from any to any port 500
# pass out quick on gif0 from any to any
pass in quick on $ext_if inet proto { tcp udp } from any to $PPTP_SERVER port $PPTP_SERVICES keep state

pass out quick on $ext_if inet from any to any keep state

#For radius make certain for older systems port 1645 and current 1812
pass in log quick on $ext_if proto tcp from any to any port = 1645 flags S/SA keep state
pass in log quick on $ext_if proto udp from any to any port = 1645 keep state
pass in log quick on $ext_if proto tcp from any to any port = 1812 flags S/SA keep state
pass in log quick on $ext_if proto udp from any to any port = 1812 keep state
pass out quick all flags S/SA keep state

pass in quick proto ah from any to any 
pass in quick proto ipencap from any to any 
pass in quick proto udp from any to any port 500
# pass in quick on gif0 from any to any
pass out quick proto esp from any to any 
pass out quick proto ah from any to any 
pass out quick proto ipencap from any to any 
pass out quick proto udp from any to any port 500
# pass out quick on gif0 from any to any
pass in quick on $ext_if inet proto { tcp udp } from any to $PPTP_SERVER port $PPTP_SERVICES keep state

pass out quick on $ext_if inet from any to any keep state

#For radius make certain for older systems port 1645 and current 1812
pass in log quick on $ext_if proto tcp from any to any port = 1645 flags S/SA keep state
pass in log quick on $ext_if proto udp from any to any port = 1645 keep state
pass in log quick on $ext_if proto tcp from any to any port = 1812 flags S/SA keep state
pass in log quick on $ext_if proto udp from any to any port = 1812 keep state
pass out quick all flags S/SA keep state

# Add custom rules below
block quick from <bruteforce>
pass quick proto { tcp, udp } from any to any port ssh \
    flags S/SA keep state \
    (max-src-conn 15, max-src-conn-rate 5/3, \
    overload <bruteforce> flush global)
## I wonder if sshguard works with pf.
Anything irregular?
 
Your pf is a big mess. You need to do some reordering and cleanup.

Can you temporarily allow all outgoing traffic and check whether your connectivity issue is resolved, by adding the following right before your block rule?

I assume that igb0 is your WAN interface and your nginx is using the IP address of this interface.

pass out quick on igb0 proto tcp all flags S/SA modulate state
pass out quick on igb0 proto udp all keep state
pass out quick on igb0 proto icmp all keep state
...
# Drop all Non-Routable Addresses
block drop in quick on $ext_if from $martians to any
block drop out quick on $ext_if from any to $martians
block drop in quick on $vhosts from $martians to any
block drop out quick on $vhosts from any to $martians

After that check if you have ping and you can reach the web site from the server.
openssl s_client -state -nbio -connect wordpress.org:443
exit
 
Code:
ping wordpress.org
PING wordpress.org (198.143.164.252): 56 data bytes
^C
--- wordpress.org ping statistics ---
4 packets transmitted, 0 packets received, 100.0% packet loss
You have new mail.
 tcptraceroute wordpress.org
Selected device igb0, address 204.209.81.1, port 49488 for outgoing packets
Tracing the path to wordpress.org (198.143.164.252) on TCP port 80 (http), 30 hops max
 1  * * *

And
Code:
openssl s_client -state -nbio -connect wordpress.org:443
34374492160:error:0200203C:system library:connect:Operation timed out:crypto/bio/b_sock2.c:110:
34374492160:error:2008A067:BIO routines:BIO_connect:connect error:crypto/bio/b_sock2.c:111:
connect:errno=60
 
Code:
ping netknow.nk.ca
PING netknow.nk.ca (204.209.81.2): 56 data bytes
64 bytes from 204.209.81.2: icmp_seq=0 ttl=64 time=0.529 ms
64 bytes from 204.209.81.2: icmp_seq=1 ttl=64 time=0.524 ms
64 bytes from 204.209.81.2: icmp_seq=2 ttl=64 time=0.454 ms
64 bytes from 204.209.81.2: icmp_seq=3 ttl=64 time=0.440 ms

so yes
 
Also the code in question from openssl
Code:
    if (connect(sock, BIO_ADDR_sockaddr(addr),
                BIO_ADDR_sockaddr_size(addr)) == -1) {
        if (!BIO_sock_should_retry(-1)) {
            SYSerr(SYS_F_CONNECT, get_last_socket_error()); /* line 110 */
            BIOerr(BIO_F_BIO_CONNECT, BIO_R_CONNECT_ERROR); /* line 111 */
        }
        return 0;
    }
 
The openssl s_client is just to test the connection to the https and retrieve the certificate. In your case it doesn't connect.

The next step is to use pflog with the "log" option on the block rules and then monitor the pflog0 interface using tcpdump -n -e -ttt -i pflog0 to see at which rule number the packets get blocked. Then list all rules with their ID numbers using pfctl -sr -vv and check the rule that gets matched.

in /etc/rc.conf add
pflog_enable="yes"
pflog_logfile="/var/log/pflog"

service pflog start

Also, if you aren't debugging anything specific, remove all other log options from the rest of the rules; you don't need them, and they will generate a lot of noise in the log.

tcpdump -n -e -ttt -i pflog0 inbound and action block and on igb0
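A small parser for the `tcpdump -n -e -ttt -i pflog0` line format used in this thread, added here as an example (it is not from the thread or from any of the posters). It runs over a constructed sample so it works offline: it summarises matches per rule number, counts blocked packets toward a given host, and lists ICMP echo requests that never got a reply, which is the symptom to look for here.

```shell
#!/bin/sh
# Added example: summarise pflog lines as printed by
#   tcpdump -n -e -ttt -i pflog0
# The sample below is constructed for this example (same line format as the
# thread's output); rule numbers and the 10.0.0.x clients are made up.
PFLOG_SAMPLE='00:00:00.231795 rule 14/0(match): pass out on igb0: 204.209.81.1 > 8.8.8.8: ICMP echo request, id 48471, seq 506, length 64
00:00:00.021903 rule 14/0(match): pass in on igb0: 8.8.8.8 > 204.209.81.1: ICMP echo reply, id 48471, seq 506, length 64
00:00:00.001136 rule 14/0(match): pass out on igb0: 204.209.81.1 > 198.143.164.252: ICMP echo request, id 50304, seq 23, length 64
00:00:00.163041 rule 14/0(match): pass out on igb0: 204.209.81.1 > 198.143.164.252: ICMP echo request, id 50304, seq 24, length 64
00:00:00.004412 rule 3/0(match): block in on igb0: 10.0.0.5.40000 > 204.209.81.1.22: Flags [S], seq 1, win 65535, length 0
00:00:00.000912 rule 3/0(match): block in on igb0: 10.0.0.7.40001 > 204.209.81.1.22: Flags [S], seq 2, win 65535, length 0'

# Fields of one pflog line: $1 timestamp, $2 "rule", $3 "N/0(match):",
# $4 action, $5 direction, $6 "on", $7 "iface:", $8 src, $9 ">", $10 "dst:"

pflog_rule_summary() {
    # Aggregate stdin by (rule number, action, direction, interface).
    # Output: "<count> <rule> <action> <direction> <iface>", sorted by rule.
    awk '
        $2 == "rule" {
            rule = $3; sub(/\/.*/, "", rule)   # "14/0(match):" -> "14"
            iface = $7; sub(/:$/, "", iface)   # "igb0:" -> "igb0"
            count[rule " " $4 " " $5 " " iface]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -k2,2n -k3
}

pflog_blocked_to() {
    # Count blocked packets whose destination address is $1 (port suffix ignored).
    awk -v host="$1" '
        $2 == "rule" && $4 == "block" {
            dst = $10; sub(/:$/, "", dst)
            # TCP/UDP lines carry "a.b.c.d.port": drop the fifth dotted component
            n = split(dst, p, "[.]")
            if (n == 5) dst = p[1] "." p[2] "." p[3] "." p[4]
            if (dst == host) c++
        }
        END { print c + 0 }
    '
}

pflog_unanswered_echo() {
    # List "dst id seq" of ICMP echo requests with no matching echo reply in
    # the capture. Requests leaving on a pass rule with no reply coming back
    # means the block is somewhere beyond this firewall, not in pf itself.
    awk '
        /ICMP echo request/ {
            dst = $10; sub(/:$/, "", dst)
            id = $15; sub(/,$/, "", id); seq = $17; sub(/,$/, "", seq)
            req[dst " " id " " seq] = 1
        }
        /ICMP echo reply/ {
            id = $15; sub(/,$/, "", id); seq = $17; sub(/,$/, "", seq)
            delete req[$8 " " id " " seq]
        }
        END { for (k in req) print k }
    ' | sort
}

# Usage on the constructed sample (replace with: tcpdump -n -e -ttt -r /var/log/pflog)
printf '%s\n' "$PFLOG_SAMPLE" | pflog_rule_summary
printf '%s\n' "$PFLOG_SAMPLE" | pflog_unanswered_echo
```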
 
tcpdumps did not record any transaction from 198.143.164.252 / wordpress.org

Also pfctl -sr -vv is attached
 

Attachments: pcftp4.txt (149 KB)
Add the log (all) option on your ICMP pass rule then ping 8.8.8.8 and observe the output of tcpdump -n -v -e -ttt -i pflog0
pass out log (all) quick on igb0 proto icmp all keep state

You should see a match at rule number @14 and if your routing is correct you should have ping response.
route -n get 8.8.8.8

Also show me the NAT table pfctl -s nat
 
Code:
tcpdump -n -v -e -ttt -i pflog0 > ~doctor/pflog2022112201.txt

less ~doctor/pflog2022112201.txt | egrep 8.8.8.8
 00:00:00.231795 rule 14/0(match): pass out on igb0: 204.209.81.1 > 8.8.8.8: ICMP echo request, id 48471, seq 506, length 64
 00:00:00.021903 rule 14/0(match): pass in on igb0: 8.8.8.8 > 204.209.81.1: ICMP echo reply, id 48471, seq 506, length 64
 00:00:00.044992 rule 14/0(match): pass out on igb0: 204.209.81.1 > 8.8.8.8: ICMP echo request, id 48471, seq 507, length 64
 00:00:00.021753 rule 14/0(match): pass in on igb0: 8.8.8.8 > 204.209.81.1: ICMP echo reply, id 48471, seq 507, length 64
 00:00:00.031525 rule 14/0(match): pass out on igb0: 204.209.81.1 > 8.8.8.8: ICMP echo request, id 48471, seq 508, length 64
 00:00:00.011600 rule 14/0(match): pass in on igb0: 8.8.8.8 > 204.209.81.1: ICMP echo reply, id 48471, seq 508, length 64
 00:00:00.033477 rule 14/0(match): pass out on igb0: 204.209.81.1 > 8.8.8.8: ICMP echo request, id 48471, seq 509, length 64
 00:00:00.010754 rule 14/0(match): pass in on igb0: 8.8.8.8 > 204.209.81.1: ICMP echo reply, id 48471, seq 509, length 64
 00:00:00.331253 rule 14/0(match): pass out on igb0: 204.209.81.1 > 8.8.8.8: ICMP echo request, id 48471, seq 510, length 64
 00:00:00.021747 rule 14/0(match): pass in on igb0: 8.8.8.8 > 204.209.81.1: ICMP echo reply, id 48471, seq 510, length 64
 00:00:00.058183 rule 14/0(match): pass out on igb0: 204.209.81.1 > 8.8.8.8: ICMP echo request, id 48471, seq 511, length 64
 00:00:00.021764 rule 14/0(match): pass in on igb0: 8.8.8.8 > 204.209.81.1: ICMP echo reply, id 48471, seq 511, length 64
 00:00:00.043787 rule 14/0(match): pass out on igb0: 204.209.81.1 > 8.8.8.8: ICMP echo request, id 48471, seq 512, length 64
 00:00:00.009545 rule 14/0(match): pass in on igb0: 8.8.8.8 > 204.209.81.1: ICMP echo reply, id 48471, seq 512, length 64
 00:00:00.025754 rule 14/0(match): pass out on igb0: 204.209.81.1 > 8.8.8.8: ICMP echo request, id 48471, seq 513, length 64
 00:00:00.021787 rule 14/0(match): pass in on igb0: 8.8.8.8 > 204.209.81.1: ICMP echo reply, id 48471, seq 513, length 64
 00:00:00.024391 rule 14/0(match): pass out on igb0: 204.209.81.1 > 8.8.8.8: ICMP echo request, id 48471, seq 514, length 64
 00:00:00.021749 rule 14/0(match): pass in on igb0: 8.8.8.8 > 204.209.81.1: ICMP echo reply, id 48471, seq 514, length 64
 00:00:00.161188 rule 14/0(match): pass out on igb0: 204.209.81.1 > 8.8.8.8: ICMP echo request, id 48471, seq 515, length 64
 00:00:00.021740 rule 14/0(match): pass in on igb0: 8.8.8.8 > 204.209.81.1: ICMP echo reply, id 48471, seq 515, length 64
 00:00:00.040667 rule 14/0(match): pass out on igb0: 204.209.81.1 > 8.8.8.8: ICMP echo request, id 48471, seq 516, length 64
 00:00:00.021779 rule 14/0(match): pass in on igb0: 8.8.8.8 > 204.209.81.1: ICMP echo reply, id 48471, seq 516, length 64
 00:00:00.010889 rule 14/0(match): pass out on igb0: 204.209.81.1 > 8.8.8.8: ICMP echo request, id 48471, seq 517, length 64
 00:00:00.021786 rule 14/0(match): pass in on igb0: 8.8.8.8 > 204.209.81.1: ICMP echo reply, id 48471, seq 517, length 64
 00:00:00.002848 rule 14/0(match): pass out on igb0: 204.209.81.1 > 8.8.8.8: ICMP echo request, id 48471, seq 518, length 64
 00:00:00.022002 rule 14/0(match): pass in on igb0: 8.8.8.8 > 204.209.81.1: ICMP echo reply, id 48471, seq 518, length 64
 00:00:00.035654 rule 14/0(match): pass out on igb0: 204.209.81.1 > 8.8.8.8: ICMP echo request, id 48471, seq 519, length 64
 00:00:00.001798 rule 14/0(match): pass in on igb0: 8.8.8.8 > 204.209.81.1: ICMP echo reply, id 48471, seq 519, length 64
 00:00:00.093177 rule 14/0(match): pass out on igb0: 204.209.81.1 > 8.8.8.8: ICMP echo request, id 48471, seq 520, length 64
 00:00:00.021779 rule 14/0(match): pass in on igb0: 8.8.8.8 > 204.209.81.1: ICMP echo reply, id 48471, seq 520, length 64
 00:00:00.021129 rule 14/0(match): pass out on igb0: 204.209.81.1 > 8.8.8.8: ICMP echo request, id 48471, seq 521, length 64
 00:00:00.021750 rule 14/0(match): pass in on igb0: 8.8.8.8 > 204.209.81.1: ICMP echo reply, id 48471, seq 521, length 64
 00:00:00.026954 rule 14/0(match): pass out on igb0: 204.209.81.1 > 8.8.8.8: ICMP echo request, id 48471, seq 522, length 64
 00:00:00.012013 rule 14/0(match): pass in on igb0: 8.8.8.8 > 204.209.81.1: ICMP echo reply, id 48471, seq 522, length 64

route -n get 8.8.8.8
   route to: 8.8.8.8
destination: 0.0.0.0
       mask: 0.0.0.0
    gateway: 204.209.81.2
        fib: 0
  interface: igb0
      flags: <UP,GATEWAY,DONE,STATIC>
 recvpipe  sendpipe  ssthresh  rtt,msec    mtu        weight    expire
       0         0         0         0      1500         1         0
pfctl -s nat is attached
 

Attachments: pflog2022112202.txt (70.5 KB)
All right
Code:
ping wordpress.org
PING wordpress.org (198.143.164.252): 56 data bytes
^C
--- wordpress.org ping statistics ---
97 packets transmitted, 0 packets received, 100.0% packet loss

less ~doctor/pflog2022112203.txt | egrep 198.143.164.252
 00:00:00.001136 rule 14/0(match): pass out on igb0: 204.209.81.1 > 198.143.164.252: ICMP echo request, id 50304, seq 23, length 64
 00:00:00.163041 rule 14/0(match): pass out on igb0: 204.209.81.1 > 198.143.164.252: ICMP echo request, id 50304, seq 24, length 64
 00:00:00.103530 rule 14/0(match): pass out on igb0: 204.209.81.1 > 198.143.164.252: ICMP echo request, id 50304, seq 25, length 64
 00:00:00.095763 rule 14/0(match): pass out on igb0: 204.209.81.1 > 198.143.164.252: ICMP echo request, id 50304, seq 26, length 64
 00:00:00.110666 rule 14/0(match): pass out on igb0: 204.209.81.1 > 198.143.164.252: ICMP echo request, id 50304, seq 27, length 64
 00:00:00.006709 rule 14/0(match): pass out on igb0: 204.209.81.1 > 198.143.164.252: ICMP echo request, id 50304, seq 28, length 64
 00:00:00.173162 rule 14/0(match): pass out on igb0: 204.209.81.1 > 198.143.164.252: ICMP echo request, id 50304, seq 29, length 64
 00:00:00.131229 rule 14/0(match): pass out on igb0: 204.209.81.1 > 198.143.164.252: ICMP echo request, id 50304, seq 30, length 64
 00:00:00.089861 rule 14/0(match): pass out on igb0: 204.209.81.1 > 198.143.164.252: ICMP echo request, id 50304, seq 31, length 64
 00:00:00.240402 rule 14/0(match): pass out on igb0: 204.209.81.1 > 198.143.164.252: ICMP echo request, id 50304, seq 32, length 64
 00:00:00.066174 rule 14/0(match): pass out on igb0: 204.209.81.1 > 198.143.164.252: ICMP echo request, id 50304, seq 33, length 64
 00:00:00.204357 rule 14/0(match): pass out on igb0: 204.209.81.1 > 198.143.164.252: ICMP echo request, id 50304, seq 34, length 64
root@doctor:/etc # route -n get 198.143.164.252
   route to: 198.143.164.252
destination: 0.0.0.0
       mask: 0.0.0.0
    gateway: 204.209.81.2
        fib: 0
  interface: igb0
      flags: <UP,GATEWAY,DONE,STATIC>
 recvpipe  sendpipe  ssthresh  rtt,msec    mtu        weight    expire
       0         0         0         0      1500         1         0
 
Most likely your IP is blacklisted somewhere on their side. You can ask your ISP to check whether they can reach 198.143.164.252 from 204.209.81.2, as there's a possibility that it's a routing issue at your ISP.
Also, to be 100% sure that it's not your PF firewall, you can temporarily disable it and test again with ping. Keep in mind that this will interrupt all NAT connections and your other hosts behind the PF will not have internet.

From my Network the router before 198.143.164.252 is 64.94.34.70 so you can try to ping 64.94.34.70 to see if you have connection to it.
 
Code:
tcptraceroute 64.94.34.70
Selected device igb0, address 204.209.81.1, port 40039 for outgoing packets
Tracing the path to 64.94.34.70 on TCP port 80 (http), 30 hops max
 1  netknow.nl2k.ab.ca (204.209.81.2)  0.331 ms  0.286 ms  0.267 ms
 2  free-96-9.incentre.net (198.161.96.9)  10.329 ms  0.398 ms  0.431 ms
 3  STTLWAWBCI01.bb.telus.com (75.154.217.108)  20.621 ms  21.758 ms  20.537 ms
 4  seattle-ix.pnap.net (206.81.80.149)  21.827 ms  21.769 ms  21.840 ms
 5  bbr2.ae7.sef.pnap.net (64.95.158.78)  20.961 ms  20.902 ms  20.977 ms
 6  bbr3.ae102.chg.pnap.net (64.95.158.86)  50.762 ms  49.362 ms  49.451 ms
 7  core6.et-0-0-3.inapvox.chg.pnap.net (64.95.158.253)  60.545 ms  60.694 ms  63.945 ms
 8  border4.et-4-0-2-bbnet3.chg.pnap.net (64.94.32.8)  60.941 ms  60.676 ms  67.526 ms
 9  inapvoxcust-LAG.border4.chg.pnap.net (64.94.34.70) [closed]  61.414 ms  61.289 ms  61.304 ms
and
Code:
whois 198.143.164.252
% IANA WHOIS server
% for more information on IANA, visit http://www.iana.org
% This query returned 1 object

refer:        whois.arin.net

inetnum:      198.0.0.0 - 198.255.255.255
organisation: Administered by ARIN
status:       LEGACY

remarks:      198.18.0.0/15 reserved for Network Interconnect Device
remarks:      Benchmark Testing [RFC2544]. Complete registration
remarks:      details for 198.18.0.0/15 are found
remarks:      iniana-ipv4-special-registry.198.51.100.0/24 reserved
remarks:      for TEST-NET-2 [RFC5737]. Complete registration details
remarks:      for 198.51.100.0/24 are found
remarks:      iniana-ipv4-special-registry.

whois:        whois.arin.net

changed:      1993-05
source:       IANA

# whois.arin.net

NetRange:       198.143.128.0 - 198.143.191.255
CIDR:           198.143.128.0/18
NetName:        SINGLEHOP
NetHandle:      NET-198-143-128-0-1
Parent:         NET198 (NET-198-0-0-0-0)
NetType:        Direct Allocation
OriginAS:       AS32475
Organization:   SingleHop LLC (SL-1370)
RegDate:        2012-05-16
Updated:        2018-02-27
Ref:            https://rdap.arin.net/registry/ip/198.143.128.0


OrgName:        SingleHop LLC
OrgId:          SL-1370
Address:        250 Williams Street
Address:        Suite E-100
City:           Atlanta
StateProv:      GA
PostalCode:     30303
Country:        US
RegDate:        2018-02-15
Updated:        2022-10-14
Ref:            https://rdap.arin.net/registry/entity/SL-1370

ReferralServer:  rwhois://rwhois.singlehop.net:4321

OrgAbuseHandle: NETWO1546-ARIN
OrgAbuseName:   Network Operations
OrgAbusePhone:  +1-312-386-6210 
OrgAbuseEmail:  netops@singlehop.com
OrgAbuseRef:    https://rdap.arin.net/registry/entity/NETWO1546-ARIN

OrgTechHandle: NETWO1546-ARIN
OrgTechName:   Network Operations
OrgTechPhone:  +1-312-386-6210 
OrgTechEmail:  netops@singlehop.com
OrgTechRef:    https://rdap.arin.net/registry/entity/NETWO1546-ARIN

OrgNOCHandle: NETWO1546-ARIN
OrgNOCName:   Network Operations
OrgNOCPhone:  +1-312-386-6210 
OrgNOCEmail:  netops@singlehop.com
OrgNOCRef:    https://rdap.arin.net/registry/entity/NETWO1546-ARIN


# rwhois.singlehop.net

%rwhois V-1.5:003eff:00 rwhois.singlehop.com (by Network Solutions, Inc. V-1.5.9.5)
network:Class-Name:network
network:ID:ORG-SINGL-8.198-143-164-0/24
network:Auth-Area:198.143.128.0/18
network:IP-Network:198.143.164.0/24
network:Organization:The Wordpress Foundation
network:Street-Address:660 4TH ST # 119
network:City:SAN FRANCISCO
network:State:CA
network:Postal-Code:94107
network:Country-Code:US
network:Tech-Contact;I:NETWO1546-ARIN
network:Admin-Contact;I:NETWO1546-ARIN
network:Abuse-Contact;I:ABUSE2492-ARIN
network:Created:20171214
network:Updated:20171214

%ok
 
For serendipity I just got

Just tried again


gives

The URL https://raw.github.com/s9y/additional_plugins/master/package_sidebar_en.xml (IP 185.199.110.133) could not be opened. Maybe the Serendipity or SourceForge.net Server is down - we are sorry, you need to try again later.

from my error_logs we see

2022/11/23 19:02:50 [error] 47227#103021: *391188 FastCGI sent in stderr: "PHP message: PHP Warning: chmod(): Operation not permitted in /usr/home/doctor/html/blog/serendipity/bundled-libs/voku/simple-cache/src/voku/cache/AdapterFileAbstract.php on line 104" while reading response header from upstream, client: 216.244.66.248, server: www.nk.ca, request: "GET /%7Edoctor/blog/serendipity/index.php?/archives/2022/02/02.html HTTP/1.1", upstream: "fastcgi://unix:/var/run/php-fpm.sock:", host: "www.nk.ca"
2022/11/23 19:02:59 [error] 47227#103021: *391218 FastCGI sent in stderr: "PHP message: PHP Fatal error: Uncaught Error: Call to a member function getStatus() on null in /usr/local/www/nginx-dist/blog/plugins/serendipity_event_spartacus/serendipity_event_spartacus.php:458
#0 /usr/local/www/nginx-dist/blog/plugins/serendipity_event_spartacus/serendipity_event_spartacus.php(641): serendipity_event_spartacus->fetchfile('https://raw.git...', '/usr/local/www/...', 43200, true)
#1 /usr/local/www/nginx-dist/blog/plugins/serendipity_event_spartacus/serendipity_event_spartacus.php(1302): serendipity_event_spartacus->fetchOnline('sidebar')
#2 /usr/local/www/nginx-dist/blog/include/plugin_api.inc.php(1184): serendipity_event_spartacus->event_hook('backend_plugins...', Object(serendipity_property_bag), Array, NULL)
#3 /usr/local/www/nginx-dist/blog/include/admin/plugins.inc.php(160): serendipity_plugin_api::hook_event('backend_plugins...', Array)
#4 /usr/local/www/nginx-dist/blog/serendipity_admin.php(127): include('/usr/local/www/...')
thrown in /usr/local/www/nginx-dist/blog/plugins/serendipity_event_spartacus/serendipity_event_spartacus.php on line 458" while reading response header from upstream, client: 204.209.81.1, server: www.nk.ca, request: "GET /blog/serendipity_admin.php?serendipity[adminModule]=plugins&serendipity[adminAction]=addnew&serendipity[only_group]=UPGRADE&serendipity[token]=dfcf4a17e14e0559b1a7d9a9eda16252 HTTP/3.0", upstream: "fastcgi://unix:/var/run/php-fpm.sock:", referrer: "https://www.nk.ca/blog/serendipity_admin.php?serendipity[adminModule]=plugins"
 
First message might be file (?) permissions? Look at line 104 of /usr/home/doctor/html/blog/serendipity/bundled-libs/voku/simple-cache/src/voku/cache/AdapterFileAbstract.php and see what it is trying to do - the chmod() call is failing.

From some of your earlier messages - as VladiBG has said, the XML file is missing. Not sure if related - there seems to be a lot going on.
Code:
$ ftp http://s9y.org/mirror/package_sidebar_en.xml 
Trying 185.26.156.208...
Requesting http://s9y.org/mirror/package_sidebar_en.xml
Redirected to https://s9y.org/mirror/package_sidebar_en.xml
Trying 185.26.156.208...
Requesting https://s9y.org/mirror/package_sidebar_en.xml
ftp: Error retrieving https://s9y.org/mirror/package_sidebar_en.xml: 404 Not Found
 
I was using an OpenBSD machine and the ftp client is in base and does the same as wget or curl but doesn't need anything installed - but the main point is that as VladiBG is telling you - that file cannot be found.
 