Having a couple of issues

Max Laier max at love2party.net
Sat Nov 11 22:29:58 UTC 2006


On Saturday 11 November 2006 21:07, Kimi Ostro wrote:
> Hi folks,
>
> I'm having two issues, first one is lots of these:
>
> pf: loose state match: TCP IiP.IiP.IiP.8:52621 XiP.XiP.XiP.199:62555
> 80.91.229.5:119 [lo=3269014705 high=3269020496 win=32844 modulator=4099273154 wscale=1]
> [lo=1410763470 high=1410829151 win=5792 modulator=37226129 wscale=0] 9:4 R
> seq=3269014705 ack=1410763470 len=0 ackskew=0 pkts=87:65
>
> sprinkled with a few of these:
>
> pf: BAD state: TCP IiP.IiP.IiP.8:62611 XiP.XiP.XiP.199:58398
> 83.143.169.1:80 [lo=4085132808 high=4085138601 win=32768 modulator=3334704359 wscale=1]
> [lo=172073751 high=172139287 win=5792 modulator=2536699106 wscale=2] 4:2 R
> seq=4085132808 ack=172073751 len=0 ackskew=0 pkts=1:5 dir=out,fwd
> pf: State failure on:         |

You get these when there is something strange going on in your tcp-stack.  It 
means that your tcp stack and pf disagree about something in the tcp 
exchange.  Unfortunately, the message you are quoting (in part) is not really 
telling us which part the disagreement was about.  Can you look for messages 
that have "State failure on: some number" in them?

> Also my other issue is FTP. I had FTP working before I lost my current
> ruleset due to a HD crash and decided to use ftp/pftpx from ports.
>
> in /var/log/messages I get a few of these show up:
>
> Nov 11 20:01:36 ehost pftpx[46924]: #157 proxy cannot connect to
> server 64.39.2.174: Operation not permitted
> Nov 11 20:01:36 ehost pftpx[46924]: #158 proxy cannot connect to
> server 192.35.244.50: Operation not permitted
> Nov 11 20:01:38 ehost pftpx[46924]: #163 proxy cannot connect to
> server 213.135.44.35: Operation not permitted
> Nov 11 20:01:38 ehost pftpx[46924]: #164 proxy cannot connect to
> server 212.14.28.36: Operation not permitted
> Nov 11 20:01:39 ehost pftpx[46924]: #165 proxy cannot connect to
> server 212.101.4.244: Operation not permitted
> Nov 11 20:01:39 ehost pftpx[46924]: #166 proxy cannot connect to
> server 193.206.140.34: Operation not permitted
> Nov 11 20:01:40 ehost pftpx[46924]: #167 proxy cannot connect to
> server 66.98.251.159: Operation not permitted
>
> which I think is related to the next part..
>
> tcpdump -net -s0 -i pflog0 shows the packets blocked.
>
> Can anyone help? I'm a little rusty :(
>
> --
>
> % cat /etc/pf.conf
>
> ext_if = "tun0"
> prv_if = "fxp0"
> lpb_if = "lo0"
>
> #set loginterface $prv_if
> set state-policy if-bound
> #set skip on $lpb_if
> #set debug misc
>
> scrub in on $ext_if \
>  all \
>  min-ttl 100 \
>  no-df \
>  fragment drop-ovl
>
> scrub out on $ext_if \
>  all \
>  min-ttl 10 \
>  random-id
>
> altq on $ext_if priq bandwidth 1Mb \
>  queue { Realtime High AboveNormal Normal BelowNormal Low }
>   queue Realtime priority 15 priq
>   queue High priority 12 priq
>   queue AboveNormal priority 9 priq
>   queue Normal priority 6 priq( default )
>   queue BelowNormal priority 3 priq
>   queue Low priority 0 priq
>
> no nat on $ext_if \
>  inet \
>  from $prv_if:network \
>  to $prv_if:network
>
> nat on $ext_if \
>  inet proto { tcp udp } \
>  from $prv_if:network \
>  to any \
>  tag prv_natted \
>  -> ($ext_if:0)
>
> nat-anchor "pftpx/*"
> rdr-anchor "pftpx/*"
>
> rdr pass on $prv_if \
>  inet proto tcp \
>  from $prv_if:network \
>  to any port = ftp \
>  -> $lpb_if:0 port ftp-proxy
>
> block drop log on $ext_if
>
> block return log on ! $ext_if
>
> pass quick on $lpb_if
>
> pass in quick on $prv_if \
>  inet proto udp \
>  from 0.0.0.0 port dhcpc \
>  to 255.255.255.255 port dhcps
>
> pass quick on $prv_if \
>  from $prv_if:network \
>  to $prv_if:network
>
> pass in on $prv_if \
>  inet proto { tcp udp } \
>  from $prv_if:network \
>  to ! $prv_if:network \
>  flags S/SA modulate state
>
> pass out on $ext_if \
>  inet proto udp \
>  from ($ext_if:0) \
>  to any port = domain \
>  keep state \
>  queue High \
>  tagged prv_natted
>
> pass out on $ext_if \
>  inet proto udp \
>  from ($ext_if:0) \
>  to any port = ntp \
>  keep state \
>  queue High
>
> anchor "pftpx/*"
>
> pass out on $ext_if \
>  inet proto tcp \
>  from ($ext_if:0) \
>  to any port { http https 8008 8080 } \
>  flags S/SA modulate state \
>  queue Normal \
>  tagged prv_natted
>
> pass out on $ext_if \
>  inet proto tcp \
>  from ($ext_if:0) \
>  to any port { 1863 5050 5222:5223 } \
>  flags S/SA modulate state \
>  queue BelowNormal \
>  tagged prv_natted
>
> pass out on $ext_if \
>  inet proto tcp \
>  from ($ext_if:0) \
>  to any port { smtp pop3 imap nntp smtps pop3s imaps nntps } \
>  flags S/SA modulate state \
>  queue BelowNormal \
>  tagged prv_natted
>
> pass out on $ext_if \
>  inet proto tcp \
>  from ($ext_if:0) \
>  to any port { cvsup cvspserver } \
>  flags S/SA modulate state \
>  queue BelowNormal \
>  tagged prv_natted
>
> pass out on $ext_if \
>  inet proto tcp \
>  from ($ext_if:0) \
>  to any port = ssh \
>  flags S/SA modulate state \
>  queue (BelowNormal High) \
>  tagged prv_natted
>
> pass out on $ext_if \
>  inet proto tcp \
>  from ($ext_if:0) \
>  to any \
>  flags S/SA modulate state \
>  tagged prv_natted
>
> antispoof for { $ext_if $prv_if $lpb_if }
>
> # EOF
>
> Help? I tend to think the real problem is the object between the
> screen and the chair..
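
A small triage helper for the pf debug messages discussed above, added here as an example (it is not code from this thread or from pf itself): it pairs each "BAD state" / "loose state match" line with the "State failure on:" line that Max asks for, and tallies messages per remote host. It assumes the endpoint order printed by pf_print_state of that era (lan, gwy, ext) and runs on constructed sample lines.

```python
import re
from collections import Counter

# Constructed sample in the shape of the quoted syslog lines (documentation
# addresses, not the thread's); a 'State failure on:' line follows the BAD state.
SAMPLE_LOG = """\
pf: loose state match: TCP 192.0.2.8:52621 198.51.100.199:62555 203.0.113.5:119 [lo=3269014705 high=3269020496 win=32844 modulator=4099273154 wscale=1] [lo=1410763470 high=1410829151 win=5792 modulator=37226129 wscale=0] 9:4 R seq=3269014705 ack=1410763470 len=0 ackskew=0 pkts=87:65
pf: BAD state: TCP 192.0.2.8:62611 198.51.100.199:58398 203.0.113.1:80 [lo=4085132808 high=4085138601 win=32768 modulator=3334704359 wscale=1] [lo=172073751 high=172139287 win=5792 modulator=2536699106 wscale=2] 4:2 R seq=4085132808 ack=172073751 len=0 ackskew=0 pkts=1:5 dir=out,fwd
pf: State failure on: 1           |
"""

# Assumed layout: pf_print_state of that era prints lan (inside host), gwy (NAT
# address) and ext (remote) endpoints, then each peer's sequence window in brackets.
STATE_RE = re.compile(
    r"pf: (?P<kind>BAD state|loose state match): (?P<proto>\w+) "
    r"(?P<lan>\S+) (?P<gwy>\S+) (?P<ext>\S+) "
    r"\[(?P<peer_a>[^\]]*)\] \[(?P<peer_b>[^\]]*)\] "
    r"(?P<states>\d+:\d+)\s+(?P<flags>[A-Z]*)\s*(?P<rest>seq=.*)")
FAILURE_RE = re.compile(r"pf: State failure on:(?P<marker>.*)$")

def parse_kv(text):
    """Turn 'lo=1 high=2 dir=out,fwd' into a dict, keeping integers as ints."""
    out = {}
    for item in text.split():
        key, _, value = item.partition("=")
        out[key] = int(value) if value.lstrip("-").isdigit() else value
    return out

def parse_pf_state_log(log):
    """One record per BAD/loose state line; the 'State failure on:' marker of the
    line directly after it is attached as 'failure' (None when there is none)."""
    records = []
    for line in log.splitlines():
        m = STATE_RE.search(line)
        if m:
            rec = {k: m[k] for k in ("kind", "proto", "lan", "gwy", "ext", "states", "flags")}
            rec["src_peer"], rec["dst_peer"] = parse_kv(m["peer_a"]), parse_kv(m["peer_b"])
            rec.update(parse_kv(m["rest"]), failure=None)
            records.append(rec)
            continue
        f = FAILURE_RE.search(line)
        if f and records and records[-1]["failure"] is None:
            # Keep the marker text as printed (minus the trailing bar); it is what
            # the reply asks for, and this script does not try to interpret it.
            records[-1]["failure"] = f["marker"].rstrip().rstrip("|").strip()
    return records

def count_by_remote(records):
    """Messages per (kind, remote host): shows whether one peer causes them all."""
    return Counter((r["kind"], r["ext"].rsplit(":", 1)[0]) for r in records)
```

Run it over /var/log/messages instead of SAMPLE_LOG to get the failure markers per connection that the reply asks for, together with the remote hosts that produce them.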


More information about the freebsd-pf mailing list