Weird Problem with NAT - more details

Washington Odhiambo odhiambo at gmail.com
Fri Sep 21 10:43:24 PDT 2007


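Here is what tcpdump shows on em0 for packets from 62.8.64.102. The filter is "src host", so only the client-to-server direction appears: the SMTP sessions get past the handshake, while the SYNs to pop3 and to port 3000 arrive but are only retransmitted with the same sequence number: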

spamfilter# tcpdump -vv -s 200 -i em0 src host 62.8.64.102
tcpdump: listening on em0, link-type EN10MB (Ethernet), capture size 200 bytes
20:29:37.401847 IP (tos 0x10, ttl  58, id 10542, offset 0, flags [DF],
proto: TCP (6), length: 58) gw.57736 > 212.22.160.35.smtp: P, cksum
0xb82c
 (correct), 3160106269:3160106275(6) ack 3361902259 win 33072
<nop,nop,timestamp 40703548 1109963>
20:29:37.406392 IP (tos 0x10, ttl  58, id 10544, offset 0, flags [DF],
proto: TCP (6), length: 52) gw.57736 > 212.22.160.35.smtp: ., cksum
0x86ea
 (correct), 6:6(0) ack 48 win 33072 <nop,nop,timestamp 40703559 1116367>
20:29:37.406395 IP (tos 0x10, ttl  58, id 10545, offset 0, flags [DF],
proto: TCP (6), length: 52) gw.57736 > 212.22.160.35.smtp: F, cksum
0x86e9
 (correct), 6:6(0) ack 48 win 33072 <nop,nop,timestamp 40703559 1116367>
20:29:38.045803 IP (tos 0x10, ttl  58, id 10554, offset 0, flags [DF],
proto: TCP (6), length: 64) gw.64570 > 212.22.160.35.smtp: S, cksum
0xce1f
 (correct), 4219889009:4219889009(0) win 65535 <mss 1390,nop,wscale
1,nop,nop,timestamp 40703686 0,sackOK,eol>
20:29:38.050332 IP (tos 0x10, ttl  58, id 10556, offset 0, flags [DF],
proto: TCP (6), length: 52) gw.64570 > 212.22.160.35.smtp: ., cksum
0x821e
 (correct), 4219889010:4219889010(0) ack 697685838 win 33072
<nop,nop,timestamp 40703687 1116496>
20:29:38.151100 IP (tos 0x10, ttl  58, id 10559, offset 0, flags [DF],
proto: TCP (6), length: 52) gw.64570 > 212.22.160.35.smtp: ., cksum
0x81bd
 (correct), 0:0(0) ack 76 win 33072 <nop,nop,timestamp 40703708 1116497>
20:29:56.811400 IP (tos 0x10, ttl  58, id 10571, offset 0, flags [DF],
proto: TCP (6), length: 58) gw.64570 > 212.22.160.35.smtp: P, cksum
0x8b2c
 (correct), 0:6(6) ack 76 win 33072 <nop,nop,timestamp 40707435 1116497>
20:29:56.831815 IP (tos 0x10, ttl  58, id 10573, offset 0, flags [DF],
proto: TCP (6), length: 52) gw.64570 > 212.22.160.35.smtp: ., cksum
0x644b
 (correct), 6:6(0) ack 123 win 33072 <nop,nop,timestamp 40707441 1120249>
20:29:56.831818 IP (tos 0x10, ttl  58, id 10574, offset 0, flags [DF],
proto: TCP (6), length: 52) gw.64570 > 212.22.160.35.smtp: F, cksum
0x644a
 (correct), 6:6(0) ack 123 win 33072 <nop,nop,timestamp 40707441 1120249>
20:29:59.111452 IP (tos 0x10, ttl  58, id 10593, offset 0, flags [DF],
proto: TCP (6), length: 64) gw.50020 > 212.22.160.35.pop3: S, cksum
0x0171
 (correct), 552613063:552613063(0) win 65535 <mss 1390,nop,wscale
1,nop,nop,timestamp 40707895 0,sackOK,eol>
20:30:02.086455 IP (tos 0x10, ttl  58, id 10597, offset 0, flags [DF],
proto: TCP (6), length: 64) gw.50020 > 212.22.160.35.pop3: S, cksum
0xff18
 (correct), 552613063:552613063(0) win 65535 <mss 1390,nop,wscale
1,nop,nop,timestamp 40708495 0,sackOK,eol>
20:30:05.290926 IP (tos 0x10, ttl  58, id 10598, offset 0, flags [DF],
proto: TCP (6), length: 64) gw.50020 > 212.22.160.35.pop3: S, cksum
0xfc98
 (correct), 552613063:552613063(0) win 65535 <mss 1390,nop,wscale
1,nop,nop,timestamp 40709135 0,sackOK,eol>
20:30:08.486187 IP (tos 0x10, ttl  58, id 10599, offset 0, flags [DF],
proto: TCP (6), length: 48) gw.50020 > 212.22.160.35.pop3: S, cksum
0x7834
 (correct), 552613063:552613063(0) win 65535 <mss 1390,sackOK,eol>
20:30:11.700449 IP (tos 0x10, ttl  58, id 10600, offset 0, flags [DF],
proto: TCP (6), length: 48) gw.50020 > 212.22.160.35.pop3: S, cksum
0x7834
 (correct), 552613063:552613063(0) win 65535 <mss 1390,sackOK,eol>
^C
14 packets captured
111 packets received by filter
0 packets dropped by kernel
spamfilter# tcpdump -vv -s 200 -i em0 src host 62.8.64.102
tcpdump: listening on em0, link-type EN10MB (Ethernet), capture size 200 bytes
20:30:44.177381 IP (tos 0x10, ttl  58, id 10640, offset 0, flags [DF],
proto: TCP (6), length: 64) gw.53026 > 212.22.160.35.3000: S, cksum
0x85c1
 (correct), 4224097118:4224097118(0) win 65535 <mss 1390,nop,wscale
1,nop,nop,timestamp 40716912 0,sackOK,eol>
20:30:47.172263 IP (tos 0x10, ttl  58, id 10644, offset 0, flags [DF],
proto: TCP (6), length: 64) gw.53026 > 212.22.160.35.3000: S, cksum
0x8369
 (correct), 4224097118:4224097118(0) win 65535 <mss 1390,nop,wscale
1,nop,nop,timestamp 40717512 0,sackOK,eol>
20:30:50.396927 IP (tos 0x10, ttl  58, id 10645, offset 0, flags [DF],
proto: TCP (6), length: 64) gw.53026 > 212.22.160.35.3000: S, cksum
0x80e9
 (correct), 4224097118:4224097118(0) win 65535 <mss 1390,nop,wscale
1,nop,nop,timestamp 40718152 0,sackOK,eol>

