bad ruleset - pf not keeping state for some bridged connections?

Ask Bjørn Hansen ask at develooper.com
Wed Sep 20 02:06:59 PDT 2006


On Sep 6, 2006, at 20:17, Ask Bjørn Hansen wrote:

Sorry about replying to my own mail, I figured I should include a bit  
more debug information.

This is from the Fedora box (64.81.32.148) (behind the FreeBSD/pf
bridge/firewall). It looks like the Fedora box is closing the
connection after a couple of packets? (The "F" flag is "FIN", right?)

08:48:23.879289 IP 67.15.155.11.32864 > 64.81.32.148.3309: S 3300493391:3300493391(0) win 5840 <mss 1460,sackOK,timestamp 4995579 0,nop,wscale 2>
08:48:23.879535 IP 64.81.32.148.3309 > 67.15.155.11.32864: S 516984971:516984971(0) ack 3300493392 win 5792 <mss 1460,sackOK,timestamp 7973585 4995579,nop,wscale 7>
08:48:23.918926 IP 67.15.155.11.32864 > 64.81.32.148.3309: . ack 1 win 1460 <nop,nop,timestamp 4995620 7973585>
08:48:23.925702 IP 64.81.32.148.3309 > 67.15.155.11.32864: P 1:71(70) ack 1 win 46 <nop,nop,timestamp 7973597 4995620>
08:48:23.965967 IP 67.15.155.11.32864 > 64.81.32.148.3309: . ack 71 win 1460 <nop,nop,timestamp 4995666 7973597>
08:48:28.931214 IP 64.81.32.148.3309 > 67.15.155.11.32864: F 71:71(0) ack 1 win 46 <nop,nop,timestamp 7974848 4995666>
08:48:29.175137 IP 64.81.32.148.3309 > 67.15.155.11.32864: F 71:71(0) ack 1 win 46 <nop,nop,timestamp 7974909 4995666>
08:48:29.214854 IP 67.15.155.11.32864 > 64.81.32.148.3309: . ack 72 win 1460 <nop,nop,timestamp 5000916 7974909,nop,nop,sack 1 {71:72}>
08:48:31.441388 IP 67.15.155.11.32864 > 64.81.32.148.3309: FP 1:66(65) ack 72 win 1460 <nop,nop,timestamp 5003143 7974909>
08:48:31.441625 IP 64.81.32.148.3309 > 67.15.155.11.32864: R 516985043:516985043(0) win 0


On the internal interface on the FreeBSD box I get line for line  
*exactly* the same, except for the timestamps (no surprise).

On the external interface (the one facing the internet and the  
connecting box) it was (not the same connection attempt, so the  
timestamp is a few minutes off):

08:52:17.642804 IP 67.15.155.11.32877 > 64.81.32.148.3309: S 3564356178:3564356178(0) win 5840 <mss 1460,sackOK,timestamp 5229382 0,nop,wscale 2>
08:52:17.644035 IP 64.81.32.148.3309 > 67.15.155.11.32877: S 764788140:764788140(0) ack 3564356179 win 5792 <mss 1460,sackOK,timestamp 8032017 5229382,nop,wscale 7>
08:52:17.682937 IP 67.15.155.11.32877 > 64.81.32.148.3309: . ack 1 win 1460 <nop,nop,timestamp 5229422 8032017>
08:52:17.684160 IP 64.81.32.148.3309 > 67.15.155.11.32877: P 1:71(70) ack 1 win 46 <nop,nop,timestamp 8032027 5229422>
08:52:17.724350 IP 67.15.155.11.32877 > 64.81.32.148.3309: . ack 71 win 1460 <nop,nop,timestamp 5229463 8032027>
08:52:17.729743 IP 67.15.155.11.32877 > 64.81.32.148.3309: P 1:66(65) ack 71 win 1460 <nop,nop,timestamp 5229468 8032027>
08:52:17.968325 IP 67.15.155.11.32877 > 64.81.32.148.3309: P 1:66(65) ack 71 win 1460 <nop,nop,timestamp 5229708 8032027>
08:52:18.448706 IP 67.15.155.11.32877 > 64.81.32.148.3309: P 1:66(65) ack 71 win 1460 <nop,nop,timestamp 5230188 8032027>
08:52:19.408590 IP 67.15.155.11.32877 > 64.81.32.148.3309: P 1:66(65) ack 71 win 1460 <nop,nop,timestamp 5231148 8032027>
08:52:21.328413 IP 67.15.155.11.32877 > 64.81.32.148.3309: P 1:66(65) ack 71 win 1460 <nop,nop,timestamp 5233068 8032027>
08:52:22.690688 IP 64.81.32.148.3309 > 67.15.155.11.32877: F 71:71(0) ack 1 win 46 <nop,nop,timestamp 8033279 5229463>
08:52:22.729772 IP 67.15.155.11.32877 > 64.81.32.148.3309: F 66:66(0) ack 72 win 1460 <nop,nop,timestamp 5234470 8033279>
08:52:22.937111 IP 64.81.32.148.3309 > 67.15.155.11.32877: F 71:71(0) ack 1 win 46 <nop,nop,timestamp 8033340 5229463>
08:52:22.975678 IP 67.15.155.11.32877 > 64.81.32.148.3309: . ack 72 win 1460 <nop,nop,timestamp 5234716 8033340,nop,nop,sack 1 {71:72}>
08:52:25.167728 IP 67.15.155.11.32877 > 64.81.32.148.3309: FP 1:66(65) ack 72 win 1460 <nop,nop,timestamp 5236908 8033340>
08:52:25.168725 IP 64.81.32.148.3309 > 67.15.155.11.32877: R 764788212:764788212(0) win 0


Does this help anyone enough to be able to give me some hints?



  - ask

-- 
http://askask.com/  - http://develooper.com/
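
Added example, not part of the original message: a small Python script that counts how often each payload segment shows up in a capture taken outside the bridge versus one taken inside it, which is the comparison the two traces above invite. The sample lines are taken from the post with TCP options trimmed and some packets omitted; because the two captures are different connection attempts, segments are matched by sender IP and tcpdump's relative sequence numbers, on the assumption that both attempts behaved alike. The function names are hypothetical.

```python
import re
from collections import Counter

# Lines taken from the post's two captures; options trimmed, some packets omitted.
OUTSIDE = """
08:52:17.684160 IP 64.81.32.148.3309 > 67.15.155.11.32877: P 1:71(70) ack 1 win 46
08:52:17.724350 IP 67.15.155.11.32877 > 64.81.32.148.3309: . ack 71 win 1460
08:52:17.729743 IP 67.15.155.11.32877 > 64.81.32.148.3309: P 1:66(65) ack 71 win 1460
08:52:17.968325 IP 67.15.155.11.32877 > 64.81.32.148.3309: P 1:66(65) ack 71 win 1460
08:52:18.448706 IP 67.15.155.11.32877 > 64.81.32.148.3309: P 1:66(65) ack 71 win 1460
08:52:19.408590 IP 67.15.155.11.32877 > 64.81.32.148.3309: P 1:66(65) ack 71 win 1460
08:52:21.328413 IP 67.15.155.11.32877 > 64.81.32.148.3309: P 1:66(65) ack 71 win 1460
08:52:22.690688 IP 64.81.32.148.3309 > 67.15.155.11.32877: F 71:71(0) ack 1 win 46
08:52:25.167728 IP 67.15.155.11.32877 > 64.81.32.148.3309: FP 1:66(65) ack 72 win 1460
"""
INSIDE = """
08:48:23.925702 IP 64.81.32.148.3309 > 67.15.155.11.32864: P 1:71(70) ack 1 win 46
08:48:23.965967 IP 67.15.155.11.32864 > 64.81.32.148.3309: . ack 71 win 1460
08:48:28.931214 IP 64.81.32.148.3309 > 67.15.155.11.32864: F 71:71(0) ack 1 win 46
08:48:31.441388 IP 67.15.155.11.32864 > 64.81.32.148.3309: FP 1:66(65) ack 72 win 1460
"""

# Old tcpdump text format: time IP src.port > dst.port: FLAGS first:last(len) ...
LINE = re.compile(r"^(\S+) IP (\S+) > (\S+): ([SFPRWE.]+) (?:(\d+):(\d+)\((\d+)\))?")

def payload_counts(capture):
    """Count sightings of each payload segment, keyed by (sender IP, first, last).
    Source ports are dropped so two connection attempts can be compared."""
    seen = Counter()
    for line in capture.strip().splitlines():
        m = LINE.match(line.strip())
        if m and m.group(5) and int(m.group(7)) > 0:  # skip pure ACKs and bare FIN/SYN/RST
            ip = m.group(2).rsplit(".", 1)[0]
            seen[(ip, int(m.group(5)), int(m.group(6)))] += 1
    return seen

def stalled_at_filter(outside, inside):
    """Segments seen more often outside than inside: {segment: extra sightings}."""
    out, ins = payload_counts(outside), payload_counts(inside)
    return {seg: n - ins[seg] for seg, n in out.items() if n > ins[seg]}

if __name__ == "__main__":
    for (ip, first, last), extra in stalled_at_filter(OUTSIDE, INSIDE).items():
        print(f"{ip} seq {first}:{last}: {extra} more sightings outside than inside")
```

A segment that is retransmitted outside the bridge but appears only once inside it never crossed the filter on the earlier attempts, which narrows the search to the state handling for that direction of the connection.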



