why BAD state messages

Alexandre Biancalana biancalana at gmail.com
Fri Aug 15 14:33:55 UTC 2008


Hi list,

  I'm experiencing some problems with blocked connections because of
bad states, but I need some more information about why this is
happening: whether it is a timeout between the TCP handshake and state
creation, or an application trying to talk on a closed connection.

  I have two FreeBSD 7-STABLE boxes with PF, carp, pfsync and the max
carpdev patch, and two application servers (jboss) that listen on port
9090 behind these firewalls. Some connections from external clients to
these appservers are (apparently at random) being blocked. Enabling loud
debugging (pfctl -x loud), I can see the following messages in
/var/log/messages:

kernel: pf: BAD state: TCP 10.10.6.19:9090 10.10.6.19:9090 10.10.110.34:52347 [lo=3922530250 high=3922595445 win=65535 modulator=0] [lo=3059100500 high=3059158735 win=65195 modulator=0] 4:4 S seq=398900533 (398900533) ack=3059100500 len=0 ackskew=0 pkts=6:20 dir=in,fwd
kernel: pf: BAD state: TCP 10.10.6.19:9090 10.10.6.19:9090 10.10.110.34:50668 [lo=395881033 high=395946233 win=65535 modulator=0] [lo=3568232053 high=3568290288 win=65200 modulator=0] 4:4 S seq=2480335288 (2480335288) ack=3568232053 len=0 ackskew=0 pkts=6:20 dir=in,fwd
kernel: pf: BAD state: TCP 10.10.6.19:9090 10.10.6.19:9090 10.10.110.34:51582 [lo=3528357041 high=3528421509 win=65535 modulator=0] [lo=3809540772 high=3809605893 win=64468 modulator=0] 9:9 S seq=3810516558 (3810516558) ack=3809540772 len=0 ackskew=0 pkts=6:5 dir=in,fwd
kernel: pf: BAD state: TCP 10.10.6.19:9090 10.10.6.19:9090 10.10.110.34:50668 [lo=395881033 high=395946233 win=65535 modulator=0] [lo=3568232053 high=3568290288 win=65200 modulator=0] 4:4 S seq=2480335288 (2480335288) ack=3568232053 len=0 ackskew=0 pkts=6:20 dir=in,fwd
kernel: pf: BAD state: TCP 10.10.6.18:9090 10.10.6.18:9090 10.10.81.242:2434 [lo=538716318 high=538780855 win=65535 modulator=0] [lo=1004209856 high=1004274961 win=64537 modulator=0] 4:9 S seq=1634723484 (1634723484) ack=1004209856 len=0 ackskew=0 pkts=5:4 dir=in,fwd

I tried to set custom TCP timeout options in these rules, but this does not help:

pass log proto tcp from any to { $apphpr01 $apphpr02 } port { 9090 }
keep state (tcp.opening 60, tcp.closed 180, tcp.finwait 90)


Any ideas on how I can find out why these connections are being blocked?
I can provide any additional information needed.

Regards,
Alexandre
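The following decoder is an added example for this thread; it is not code from the original post or from the FreeBSD/pf project. It parses the "BAD state" lines quoted above (unwrapped, since the mailer folded them) and reports which of pf's sequence-window checks the packet fails, plus a heuristic reading of why. Assumptions not stated in the post: the field order follows pf_print_state() (gwy, lan, ext, then the state's src and dst windows, then src_state:dst_state and the packet's TCP flags), the numeric states are the TCPS_* values of netinet/tcp_fsm.h, and the window checks are a simplified copy of pf's tests with window scaling ignored (the posted lines carry no wscale= field, so that does not change the result here). The in-window control line is constructed.

```python
"""Decode pf(4) "BAD state" messages logged under `pfctl -x loud`.

Added example, not code from the original post or the FreeBSD/pf project.
Assumed: pf_print_state() field order, TCPS_* numbering, and a simplified
version of pf's sequence-window checks (window scaling ignored).
"""
import re

# TCPS_* numbering from netinet/tcp_fsm.h, which pf reuses for src/dst state.
TCP_STATES = {0: "CLOSED", 1: "LISTEN", 2: "SYN_SENT", 3: "SYN_RECEIVED",
              4: "ESTABLISHED", 5: "CLOSE_WAIT", 6: "FIN_WAIT_1", 7: "CLOSING",
              8: "LAST_ACK", 9: "FIN_WAIT_2", 10: "TIME_WAIT"}
MAXACKWINDOW = 65535          # ack skew pf tolerates (assumed value)
MASK = 0xFFFFFFFF

WIN = r"\[lo=(?P<{p}lo>\d+) high=(?P<{p}hi>\d+) win=(?P<{p}win>\d+) modulator=\d+(?: wscale=\d+)?\]"
LINE_RE = re.compile(
    r"pf: BAD state: (?P<proto>\w+) (?P<gwy>\S+) (?P<lan>\S+) (?P<ext>\S+) "
    + WIN.format(p="s") + " " + WIN.format(p="d")
    + r" (?P<sstate>\d+):(?P<dstate>\d+)(?: (?P<flags>[FSRPAUEW]+))? "
    r"seq=(?P<seq>\d+) \(\d+\) ack=(?P<ack>\d+) len=(?P<len>\d+) "
    r"ackskew=(?P<ackskew>-?\d+) pkts=(?P<pkts>\d+:\d+) dir=(?P<dir>in|out),(?P<rel>fwd|rev)")


def seq_geq(a, b):
    """Wraparound-safe 'a >= b' on 32-bit sequence numbers (like SEQ_GEQ)."""
    return ((a - b) & MASK) < 0x80000000


def parse_bad_state(line):
    """Parse one unwrapped log line; the syslog prefix may stay in place."""
    m = LINE_RE.search(line)
    if m is None:
        raise ValueError("not a pf BAD state line: %r" % line)
    g = m.groupdict()
    n = lambda k: int(g[k])
    # pf prints the state's own src window first; for dir=...,rev the packet
    # travels against the state direction, so the roles swap.
    src = (n("slo"), n("shi"), n("swin"))
    dst = (n("dlo"), n("dhi"), n("dwin"))
    sstate, dstate = n("sstate"), n("dstate")
    if g["rel"] == "rev":
        src, dst = dst, src
        sstate, dstate = dstate, sstate
    flags = g["flags"] or ""
    seq, ackskew = n("seq"), n("ackskew")
    # SYN and FIN each occupy one sequence number, as in pf's end computation.
    end = (seq + n("len") + ("S" in flags) + ("F" in flags)) & MASK
    failed = []
    if not seq_geq(src[1], end):
        failed.append("end>src.high")
    if not seq_geq(seq, (src[0] - dst[2]) & MASK):
        failed.append("seq<src.lo-dst.win")
    if ackskew < -MAXACKWINDOW:
        failed.append("ackskew<-MAXACKWINDOW")
    if ackskew > MAXACKWINDOW:
        failed.append("ackskew>MAXACKWINDOW")
    return {"client": g["ext"], "server": g["lan"], "flags": flags,
            "src_state": TCP_STATES[sstate], "dst_state": TCP_STATES[dstate],
            "seq": seq, "end": end, "window": (src[0], src[1]),
            "direction": g["dir"], "failed": failed}


def classify(rec):
    """Heuristic reading of a record; an interpretation, not pf's own verdict."""
    if not rec["failed"]:
        return "in window (pf would not log this as BAD state)"
    closing = {"FIN_WAIT_1", "CLOSING", "LAST_ACK", "FIN_WAIT_2", "TIME_WAIT", "CLOSED"}
    if rec["flags"] == "S":
        if rec["src_state"] in closing or rec["dst_state"] in closing:
            return "fresh SYN on a state pf already saw closing: stale state still held"
        return "fresh SYN on an ESTABLISHED state: looks like the client reused the port while the old state was still held"
    return "out-of-window segment on an existing state: " + ", ".join(rec["failed"])


# Three of the posted lines, unwrapped.
POSTED = [
    "kernel: pf: BAD state: TCP 10.10.6.19:9090 10.10.6.19:9090 10.10.110.34:52347 [lo=3922530250 high=3922595445 win=65535 modulator=0] [lo=3059100500 high=3059158735 win=65195 modulator=0] 4:4 S seq=398900533 (398900533) ack=3059100500 len=0 ackskew=0 pkts=6:20 dir=in,fwd",
    "kernel: pf: BAD state: TCP 10.10.6.19:9090 10.10.6.19:9090 10.10.110.34:51582 [lo=3528357041 high=3528421509 win=65535 modulator=0] [lo=3809540772 high=3809605893 win=64468 modulator=0] 9:9 S seq=3810516558 (3810516558) ack=3809540772 len=0 ackskew=0 pkts=6:5 dir=in,fwd",
    "kernel: pf: BAD state: TCP 10.10.6.18:9090 10.10.6.18:9090 10.10.81.242:2434 [lo=538716318 high=538780855 win=65535 modulator=0] [lo=1004209856 high=1004274961 win=64537 modulator=0] 4:9 S seq=1634723484 (1634723484) ack=1004209856 len=0 ackskew=0 pkts=5:4 dir=in,fwd",
]
# Constructed control line: the first state, but an ACK whose seq sits inside the window.
IN_WINDOW = ("kernel: pf: BAD state: TCP 10.10.6.19:9090 10.10.6.19:9090 10.10.110.34:52347 "
             "[lo=3922530250 high=3922595445 win=65535 modulator=0] "
             "[lo=3059100500 high=3059158735 win=65195 modulator=0] 4:4 A "
             "seq=3922530250 (3922530250) ack=3059100500 len=0 ackskew=0 pkts=6:20 dir=in,fwd")

if __name__ == "__main__":
    for line in POSTED + [IN_WINDOW]:
        r = parse_bad_state(line)
        print("%s -> %s flags=%s %s:%s seq=%d window=%s failed=%s\n    %s" % (
            r["client"], r["server"], r["flags"], r["src_state"], r["dst_state"],
            r["seq"], r["window"], r["failed"], classify(r)))
```

Run it against /var/log/messages after joining folded lines; each posted line decodes as a bare SYN whose sequence number lies outside the window of a state pf still holds for the same client port and server port, which is why a custom timeout on the rule alone does not change the outcome for those packets.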

