Last Address on Interface Receiving RST ACK.

Jason Hellenthal jhell at DataIX.net
Thu Sep 8 05:53:30 UTC 2011


Net,

With a default setup of dc0 on 8.2-STABLE r224908 I have noticed that
when the interface is configured with more than one address that the
last address configured receives RSTs & ACKs that were generated on the
primary address.

The configuration is like such:

PF with no NAT or redirection.
Default route: 192.168.1.1
ipv4_addrs_dc0="192.168.1.2/24"

And then a jail brings up alias 192.168.1.100/32

I have mail pulling down to this system every 20 minutes and this is
repeated every 20 minutes but not solely dependent to just this service
or destination.

Rule 26: block drop in log quick proto tcp from !<trusted> port < 1024
to any

Keep in mind the only way I caught this is because the jail is not
generating any traffic and since there is no state for that address this
rule kicks in to block what should not be received by that address.

Any help with this would be appreciated.

00:56:05.274815 rule 26/0(match): block in on dc0: (tos 0x0, ttl 254, id 13179, offset 0, flags [none], proto TCP (6), length 40)
    91.121.XXX.XXX.443 > 192.168.1.100.33581: Flags [R.], cksum 0x0a57 (correct), seq 1397498691, ack 1491506967, win 0, length 0
00:56:49.351521 rule 26/0(match): block in on dc0: (tos 0x0, ttl 254, id 44594, offset 0, flags [none], proto TCP (6), length 40)
    74.125.XXX.X.443 > 192.168.1.100.58794: Flags [R.], cksum 0x0268 (correct), seq 3217610262, ack 840102530, win 0, length 0
00:57:49.465331 rule 26/0(match): block in on dc0: (tos 0x0, ttl 254, id 49671, offset 0, flags [none], proto TCP (6), length 40)
    74.125.XXX.XX.443 > 192.168.1.100.35474: Flags [R.], cksum 0x5c5e (correct), seq 3787279118, ack 1664887624, win 0, length 0
00:58:23.524232 rule 26/0(match): block in on dc0: (tos 0x0, ttl 254, id 54499, offset 0, flags [none], proto TCP (6), length 40)
    74.125.XXX.XXX.993 > 192.168.1.100.55544: Flags [R.], cksum 0x9962 (correct), seq 1419741552, ack 2168011860, win 0, length 0
00:58:49.586119 rule 26/0(match): block in on dc0: (tos 0x0, ttl 254, id 61912, offset 0, flags [none], proto TCP (6), length 40)
    74.125.XXX.XX.443 > 192.168.1.100.64663: Flags [R.], cksum 0xf8db (correct), seq 1228724784, ack 2559832299, win 0, length 0
00:58:51.573874 rule 26/0(match): block in on dc0: (tos 0x0, ttl 254, id 49850, offset 0, flags [none], proto TCP (6), length 40)
    12.22.XX.XX.873 > 192.168.1.100.60330: Flags [R.], cksum 0xfcbd (correct), seq 1803075968, ack 944126062, win 0, length 0
00:59:05.594207 rule 26/0(match): block in on dc0: (tos 0x0, ttl 254, id 18167, offset 0, flags [none], proto TCP (6), length 40)
    12.22.XX.XX.873 > 192.168.1.100.16970: Flags [R.], cksum 0x851b (correct), seq 1913818609, ack 3282631427, win 0, length 0
01:08:24.602213 rule 26/0(match): block in on dc0: (tos 0x0, ttl 254, id 19516, offset 0, flags [none], proto TCP (6), length 40)
    74.125.XXX.XX.993 > 192.168.1.100.27724: Flags [R.], cksum 0xa62d (correct), seq 3861575754, ack 1373823783, win 0, length 0
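An added example, not part of the post above: a small parser for the two-line pflog/tcpdump records quoted there, used to confirm the pattern the author describes (every blocked inbound segment to the alias is an RST/ACK coming from a privileged service port). The alias address and the two sample records are taken from the post; the function names are mine.

```python
import re
from collections import Counter

# Two records copied from the pflog output quoted in the post
# (remote addresses partially masked with X, exactly as posted).
PFLOG_SAMPLE = """\
00:56:05.274815 rule 26/0(match): block in on dc0: (tos 0x0, ttl 254, id 13179, offset 0, flags [none], proto TCP (6), length 40)
    91.121.XXX.XXX.443 > 192.168.1.100.33581: Flags [R.], cksum 0x0a57 (correct), seq 1397498691, ack 1491506967, win 0, length 0
00:58:23.524232 rule 26/0(match): block in on dc0: (tos 0x0, ttl 254, id 54499, offset 0, flags [none], proto TCP (6), length 40)
    74.125.XXX.XXX.993 > 192.168.1.100.55544: Flags [R.], cksum 0x9962 (correct), seq 1419741552, ack 2168011860, win 0, length 0
"""

# First line of a record: timestamp, rule number, action, direction, interface, TTL.
HDR = re.compile(r'^(\S+) rule (\d+)/\d+\((\w+)\): (\w+) (in|out) on (\w+): .*ttl (\d+),')
# Second line: src.port > dst.port: Flags [..]  (tcpdump writes the port after a dot).
PKT = re.compile(r'^\s+(\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\]')

def parse_pflog(text):
    """Pair each 'rule N/M(match)' header with the packet line that follows it."""
    records, header = [], None
    for line in text.splitlines():
        m = HDR.match(line)
        if m:
            header = m
            continue
        p = PKT.match(line)
        if p and header:
            records.append({
                "time": header.group(1), "rule": int(header.group(2)),
                "action": header.group(4), "dir": header.group(5),
                "iface": header.group(6), "ttl": int(header.group(7)),
                "src": p.group(1), "sport": int(p.group(2)),
                "dst": p.group(3), "dport": int(p.group(4)), "flags": p.group(5),
            })
            header = None
    return records

def stray_rst_report(records, alias):
    """Blocked inbound RST/ACK segments addressed to `alias` (the address that
    should see no traffic), counted by the remote service port they came from.
    In tcpdump flag notation 'R' is RST and '.' is ACK."""
    hits = [r for r in records if r["action"] == "block" and r["dir"] == "in"
            and r["dst"] == alias and "R" in r["flags"] and "." in r["flags"]]
    return {"count": len(hits),
            "by_service_port": dict(Counter(r["sport"] for r in hits)),
            "all_privileged_ports": all(r["sport"] < 1024 for r in hits)}

if __name__ == "__main__":
    print(stray_rst_report(parse_pflog(PFLOG_SAMPLE), "192.168.1.100"))
```

Feed it the full pflog output (`tcpdump -n -e -ttt -r /var/log/pflog` style text) to see whether only the alias, and never the primary address, attracts these segments.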
