kern/123965: tcpdump does not see outgoing RST when pf is enabled
Kian Mohageri
kian.mohageri at gmail.com
Sat May 24 21:50:02 UTC 2008
>Number: 123965
>Category: kern
>Synopsis: tcpdump does not see outgoing RST when pf is enabled
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sat May 24 21:50:01 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator: Kian Mohageri
>Release: FreeBSD 7.0-RELEASE i386
>Organization:
>Environment:
System: FreeBSD alvis.restek.wwu.edu 7.0-RELEASE FreeBSD 7.0-RELEASE #0: Sat Mar 1 17:41:33 PST 2008 root at alvis.restek.wwu.edu:/usr/obj/usr/src/sys/GENERIC i386
>Description:
When pf is enabled, block-policy is 'return', and a packet is blocked, pf sends a RST but tcpdump never sees it.
>How-To-Repeat:
- Enable pf with 'set block-policy return' and rules to deny traffic
- Start tcpdump on your FreeBSD 7 host
- Try to connect to FreeBSD 7 host from somewhere (that will be rejected)
- Notice that tcpdump sees the incoming SYN but not the outgoing RST
- Disable pf and try again
- Notice that tcpdump correctly sees both the SYN and the RST
In both cases, the RST *is* originating from the FreeBSD 7 host - that can be verified by tcpdumping on intermediate routers/firewalls.
If it's at all helpful information, a FreeBSD 6.3 host sees the SYN/RST in both cases.
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
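
Added example, not part of the original report: the cross-check described under How-To-Repeat, written as a comparison of two `tcpdump -n` text captures, one taken on the FreeBSD host and one on an intermediate router. It assumes the modern tcpdump `Flags [..]` output format; all addresses, ports and capture lines are constructed sample data.

```python
import re

# tcpdump -n text output for TCP over IPv4, modern "Flags [..]" format (assumed).
LINE_RE = re.compile(
    r"IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)

def flows(capture):
    """Return (syns, rsts): flows with an initial SYN, and flows answered by an RST.
    Both sets are keyed in the SYN's direction: (client, cport, server, sport)."""
    syns, rsts = set(), set()
    for line in capture.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, sport = m["src"], int(m["sport"])
        dst, dport = m["dst"], int(m["dport"])
        flags = m["flags"]
        if "S" in flags and "." not in flags:   # SYN without ACK
            syns.add((src, sport, dst, dport))
        elif "R" in flags:                      # RST or RST-ACK, reversed to the SYN's key
            rsts.add((dst, dport, src, sport))
    return syns, rsts & syns

def rst_missing_on_host(host_capture, router_capture):
    """Flows where the host saw the SYN, the router saw the RST reply on the
    wire, but the host's own capture has no RST."""
    host_syns, host_rsts = flows(host_capture)
    _, router_rsts = flows(router_capture)
    return sorted(f for f in host_syns if f in router_rsts and f not in host_rsts)

# Constructed captures (documentation address ranges).
SYN = "1211665801.100000 IP 192.0.2.10.51514 > 198.51.100.5.22: Flags [S], seq 1000, win 65535, length 0"
RST = "1211665801.100400 IP 198.51.100.5.22 > 192.0.2.10.51514: Flags [R.], seq 0, ack 1001, win 0, length 0"
HOST_PF_ON = SYN                # host capture with pf enabled: SYN only
HOST_PF_OFF = SYN + "\n" + RST  # host capture with pf disabled: SYN and RST
ROUTER = SYN + "\n" + RST       # intermediate router sees both in either case

if __name__ == "__main__":
    for flow in rst_missing_on_host(HOST_PF_ON, ROUTER):
        print("RST on the wire but absent from host capture:", flow)
```
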