Watchguard Firebox SVN Errors

Since I installed our new Watchguard Firebox X750e, I’ve been unable to use Subversion from work. I always received this kind of response:

jmoore@www:/usr/web/wordpress> svn switch http://svn.automattic.com/wordpress/branches/2.0
svn: PROPFIND request failed on '/wordpress/tags/2.0.4'
svn: PROPFIND of '/wordpress/tags/2.0.4': 400 Bad request: request method not supported (http://svn.automattic.com)

I suspected the new Firebox was to blame, but up until a few weeks ago, I never really cared enough to get into it. With the release of WordPress 2.0.6 today, I needed to upgrade our intranet and set out to figure out what was up with the HTTP Proxy on the Firebox. These are the errors logged in the

ProxyDeny: HTTP Request method unsupported (HTTP – Outbound-01) src_ip_nat="66.20.x.x" src_port_nat="55839" proxy_act="HTTP-Client-ESI" method="PROPFIND"

I almost immediately found this once I started Googling around, which didn’t leave me with a lot of hope because I didn’t want the HTTP Proxy turned off for ALL the hosts on the inside of my network – I liked the protection it was offering, except on the ones I needed to use SVN from.

My solution ended up being rather simple. Create a new filter policy instead of a proxy and add only the IP addresses of the machines which I use Subversion on in the “From” box. A few clicks will get you up and going. For those of you who like the step-by-step type instructions, “fire” up your Policy Manager and follow along.

  • Click Edit->Add Policy
  • Expand Packet Filters, find and click on HTTP (or HTTPS if the SVN server is running on SSL), and then click the Add button
  • For Name: type in ‘SVN via HTTP’ or whatever description you want
  • Click the Add button underneath the From: area and use the Add Other… button to add the host IP addresses of the machines you want to use SVN on. Also, be sure to remove ‘Any-Trusted’ from that list, or all hosts on the Trusted portion of your network will begin using this new filter instead of the normal HTTP Proxy. Keep in mind that the hosts you do list no longer get HTTP Proxy inspection on traffic that matches this policy, so keep the list to the machines that really need SVN. When finished, click OK to close the dialog box
  • Click OK to save the new packet filter and then click the Close button.
  • Save your new configuration file to your Firebox and watch SVN come alive for those hosts you defined.

Extra Credit: I found a doc on Watchguard’s website explaining why you can’t just add PROPFIND to the allowed HTTP Request types in the HTTP Proxy, and I can sort of see things from their point of view. They only let you add allowed types that are defined in the HTTP 1.1 RFC 2616 spec. However, given the popularity of Subversion and WebDAV along with the age of the spec, they really need to get with the program and patch up Fireware to make this easier on network admins.
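
To keep the From list as short as possible, the ProxyDeny log can be triaged by denied method before any host is exempted. The script below is an added example, not part of the original post and not a WatchGuard tool; the sample lines are constructed on the pattern of the entry quoted above, it uses only the fields that entry shows, and `source_field` is a hypothetical parameter for whichever field identifies the host in your own logs.

```python
import re
from collections import defaultdict

# Methods defined by HTTP/1.1 (RFC 2616); per the post, only these can be added to the proxy.
RFC2616 = {"OPTIONS", "GET", "HEAD", "POST", "PUT", "DELETE", "TRACE", "CONNECT"}
# Subset of WebDAV (RFC 4918) and DeltaV (RFC 3253) methods used for version control over HTTP.
DAV = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK",
       "REPORT", "CHECKOUT", "MERGE", "MKACTIVITY"}

# Logs pasted from web pages often carry typographic quotes; normalise before parsing.
QUOTES = str.maketrans({"\u201c": '"', "\u201d": '"', "\u2033": '"'})
KV = re.compile(r'(\w+)="([^"]*)"')


def parse_proxy_deny(line):
    """Return the key="value" fields of a method-unsupported ProxyDeny line, else None."""
    if "ProxyDeny" not in line or "method unsupported" not in line:
        return None
    fields = dict(KV.findall(line.translate(QUOTES)))
    return fields if "method" in fields else None


def triage(lines, source_field="src_ip_nat"):
    """Group denied methods per source into dav / rfc2616 / unknown buckets."""
    buckets = {"dav": defaultdict(set), "rfc2616": defaultdict(set), "unknown": defaultdict(set)}
    for line in lines:
        fields = parse_proxy_deny(line)
        if fields is None:
            continue
        method = fields["method"].upper()
        kind = "dav" if method in DAV else "rfc2616" if method in RFC2616 else "unknown"
        buckets[kind][fields.get(source_field, "?")].add(method)
    return {kind: dict(srcs) for kind, srcs in buckets.items()}


# Constructed sample lines modelled on the ProxyDeny entry quoted in the post.
_T = ('ProxyDeny: HTTP Request method unsupported (HTTP - Outbound-01) src_ip_nat="{}" '
      'src_port_nat="55839" proxy_act="HTTP-Client-ESI" method="{}"')
SAMPLE_LOG = [_T.format(ip, m) for ip, m in [
    ("192.0.2.10", "PROPFIND"), ("192.0.2.10", "REPORT"),
    ("192.0.2.20", "TRACE"), ("192.0.2.30", "FOOBAR")]]
SAMPLE_LOG.append(_T.format("192.0.2.10", "MKACTIVITY").replace('"', "\u201d"))
SAMPLE_LOG.append("constructed unrelated line without the deny marker")

if __name__ == "__main__":
    for kind, sources in triage(SAMPLE_LOG).items():
        print(kind, sources)
```

Sources in the `dav` bucket are the candidates for the packet filter's From list; `rfc2616` denials can be handled inside the HTTP Proxy itself, and `unknown` methods deserve a look before anything is exempted.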