keeping state on outgoing connections fails (?)

Guido van Rooij guido at gvr.org
Wed Sep 3 11:28:53 UTC 2008


Setup: FreeBSD 6.3 system with 2 interfaces: ep0 and bge0.

ep0: 1.2.3.4/24
bge0: 10.0.0.1/24

ruleset (made as simple as possible):
pass in quick on ep0 inet from 1.2.3.1 to 10.0.0.2
block drop out log quick on ep0 all
pass out quick on bge0 inet proto tcp from 1.2.3.1 to 10.0.0.2 keep state

When I telnet from 1.2.3.1 to 10.0.0.2, the packet comes in via ep0
and passes because of rule 1.
Then the packet goes out via bge0, is passed via rule 3 and a state entry is
created.

The return SYN/ACK comes in via bge0 and passes because of the state entry.

Then the packet should be sent out via ep0, but it is blocked, as pflogd shows:
000000 rule 1/0(match): block out on ep0: 10.0.0.2.25 > 1.2.3.1.1040: S 3255603624:3255603624(0) ack 3600825196 win 65535 <mss 1460,sackOK,eol>
2. 955997 rule 1/0(match): block out on ep0: 10.0.0.2.25 > 1.2.3.1.1040: S 3255603624:3255603624(0) ack 3600825196 win 65535 <mss 1460,sackOK,eol>
2. 999812 rule 1/0(match): block out on ep0: 10.0.0.2.25 > 1.2.3.1.1040: S 3255603624:3255603624(0) ack 3600825196 win 65535 <mss 1460,sackOK,eol>
3. 009226 rule 1/0(match): block out on ep0: 10.0.0.2.25 > 1.2.3.1.1040: S 3255603624:3255603624(0) ack 3600825196 win 65535 <mss 1460,sackOK,eol>
5. 999234 rule 1/0(match): block out on ep0: 10.0.0.2.25 > 1.2.3.1.1040: S 3255603624:3255603624(0) ack 3600825196 win 65535 <mss 1460,sackOK,eol>

A tcpdump of the relevant packets (bad checksum because of checksum offloading):
13:05:39.471200 IP (tos 0x0, ttl 127, id 195, offset 0, flags [DF], proto: TCP (6), length: 48, bad cksum 0 (->ed00)!) 1.2.3.1.1040 > 10.0.0.2.25: S, cksum 0x62e5 (correct), 3600825195:3600825195(0) win 64512 <mss 1460,nop,nop,sackOK>
13:05:39.471378 IP (tos 0x0, ttl  64, id 37525, offset 0, flags [DF], proto: TCP (6), length: 48) 10.0.0.2.25 > 1.2.3.1.1040: S, cksum 0x0c21 (correct), 3255603624:3255603624(0) ack 3600825196 win 65535 <mss 1460,sackOK,eol>
13:05:42.427163 IP (tos 0x0, ttl 127, id 196, offset 0, flags [DF], proto: TCP (6), length: 48, bad cksum 0 (->ecff)!) 1.2.3.1.1040 > 10.0.0.2.25: S, cksum 0x62e5 (correct), 3600825195:3600825195(0) win 64512 <mss 1460,nop,nop,sackOK>
13:05:42.427377 IP (tos 0x0, ttl  64, id 37593, offset 0, flags [none], proto: TCP (6), length: 48) 10.0.0.2.25 > 1.2.3.1.1040: S, cksum 0x0c21 (correct), 3255603624:3255603624(0) ack 3600825196 win 65535 <mss 1460,sackOK,eol>
13:05:45.427182 IP (tos 0x0, ttl  64, id 39074, offset 0, flags [none], proto: TCP (6), length: 48) 10.0.0.2.25 > 1.2.3.1.1040: S, cksum 0x0c21 (correct), 3255603624:3255603624(0) ack 3600825196 win 65535 <mss 1460,sackOK,eol>
13:05:48.436285 IP (tos 0x0, ttl 127, id 197, offset 0, flags [DF], proto: TCP (6), length: 48, bad cksum 0 (->ecfe)!) 1.2.3.1.1040 > 10.0.0.2.25: S, cksum 0x62e5 (correct), 3600825195:3600825195(0) win 64512 <mss 1460,nop,nop,sackOK>
13:05:48.436418 IP (tos 0x0, ttl  64, id 45408, offset 0, flags [none], proto: TCP (6), length: 48) 10.0.0.2.25 > 1.2.3.1.1040: S, cksum 0x0c21 (correct), 3255603624:3255603624(0) ack 3600825196 win 65535 <mss 1460,sackOK,eol>
13:05:54.435645 IP (tos 0x0, ttl  64, id 48287, offset 0, flags [none], proto: TCP (6), length: 48) 10.0.0.2.25 > 1.2.3.1.1040: S, cksum 0x0c21 (correct), 3255603624:3255603624(0) ack 3600825196 win 65535 <mss 1460,sackOK,eol>


pfctl -si before telnetting:
State Table                          Total             Rate
  current entries                        0               
  searches                               0            0.0/s
  inserts                                0            0.0/s
  removals                               0            0.0/s
Counters
  match                                  0            0.0/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s

After telnetting:
State Table                          Total             Rate
  current entries                        1               
  searches                              44            1.8/s
  inserts                                1            0.0/s
  removals                               0            0.0/s
Counters
  match                                 32            1.3/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s

The state entry (pfctl -vvvs state):
self tcp 1.2.3.1:1040 -> 10.0.0.2:25       ESTABLISHED:SYN_SENT
   [3600825196 + 65535]  [3255603625 + 64512]
   age 00:00:22, expires in 00:00:23, 8:5 pkts, 424:240 bytes, rule 2
   id: 48be58f800000009 creatorid: 89adbe9b

pfctl -vvvvs rules before the telnet:
@0 pass in quick on ep0 inet from 1.2.3.1 to 10.0.0.2
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
@1 block drop out log quick on ep0 all
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
@2 pass out quick on bge0 inet proto tcp from 1.2.3.1 to 10.0.0.2 keep state
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]

and after:
@0 pass in quick on ep0 inet from 1.2.3.1 to 10.0.0.2
  [ Evaluations: 32        Packets: 3         Bytes: 144         States: 0     ]
@1 block drop out log quick on ep0 all
  [ Evaluations: 5         Packets: 5         Bytes: 240         States: 0     ]
@2 pass out quick on bge0 inet proto tcp from 1.2.3.1 to 10.0.0.2 keep state
  [ Evaluations: 24        Packets: 13        Bytes: 664         States: 1     ]

I would expect the packet to match the state entry, but somehow it does not.

Setting the state-policy to if-bound or floating makes no difference.

My question is why the packet does not match the state entry, resulting
in it being blocked.

-Guido
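The following is an added illustration, not part of the post above and not pf's own code. It is a deliberately simplified model of stateful filtering as the post describes it: rules are evaluated per interface and direction, `keep state` on a pass rule creates an entry, and a floating state (interface ignored on lookup) matches the forward tuple only in the direction it was created in and the reverse tuple only in the opposite direction. Walking the SYN and its SYN/ACK through the two interfaces under this model reproduces the counters in the post (state match on bge0 in, block by rule @1 on ep0 out, `state-mismatch` staying at zero) and shows the effect of also keeping state on the inbound ep0 rule. The `Packet`, `Rule`, `State` and `Firewall` names and the endpoint strings are constructed for this example; pf's real state keying differs in detail.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One pass of a packet through the filter on a given interface and direction."""
    iface: str
    direction: str  # "in" or "out"
    src: str        # constructed endpoint strings such as "1.2.3.1:1040"
    dst: str


@dataclass
class Rule:
    """A pf-style 'quick' rule; 'any' matches every endpoint."""
    action: str     # "pass" or "block"
    direction: str
    iface: str
    src: str
    dst: str
    keep_state: bool = False

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction and self.iface == p.iface
                and self.src in ("any", p.src) and self.dst in ("any", p.dst))


@dataclass
class State:
    """Floating state: interface ignored; direction recorded at creation."""
    direction: str
    src: str
    dst: str

    def matches(self, p: Packet) -> bool:
        # Forward tuple matches only in the creating direction,
        # reverse tuple only in the opposite direction.
        fwd = (p.src, p.dst) == (self.src, self.dst) and p.direction == self.direction
        rev = (p.src, p.dst) == (self.dst, self.src) and p.direction != self.direction
        return fwd or rev


class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.states = []

    def filter(self, p: Packet) -> str:
        # State lookup comes first; a state hit bypasses the ruleset entirely.
        for s in self.states:
            if s.matches(p):
                return "pass (state)"
        # All rules are 'quick', so the first matching rule decides.
        for i, r in enumerate(self.rules):
            if r.matches(p):
                if r.action == "pass" and r.keep_state:
                    self.states.append(State(p.direction, p.src, p.dst))
                return f"{r.action} (rule @{i})"
        return "pass (default)"


CLIENT = "1.2.3.1:1040"  # telnet client from the post
SERVER = "10.0.0.2:25"   # destination behind bge0


def syn_path():
    """The SYN and its SYN/ACK as they cross the box, in evaluation order."""
    return [
        Packet("ep0", "in", CLIENT, SERVER),    # SYN arrives on ep0
        Packet("bge0", "out", CLIENT, SERVER),  # SYN leaves on bge0 (state created)
        Packet("bge0", "in", SERVER, CLIENT),   # SYN/ACK returns on bge0
        Packet("ep0", "out", SERVER, CLIENT),   # SYN/ACK must leave on ep0
    ]


def run(ruleset):
    fw = Firewall(ruleset)
    return [fw.filter(p) for p in syn_path()]


# The three rules from the post, in order (@0, @1, @2).
POSTED_RULES = [
    Rule("pass", "in", "ep0", CLIENT, SERVER),
    Rule("block", "out", "ep0", "any", "any"),
    Rule("pass", "out", "bge0", CLIENT, SERVER, keep_state=True),
]

# Same ruleset, but the inbound ep0 rule also keeps state, so the reply
# leaving ep0 is covered by an entry created in the 'in' direction.
STATEFUL_IN_RULES = [
    Rule("pass", "in", "ep0", CLIENT, SERVER, keep_state=True),
] + POSTED_RULES[1:]


if __name__ == "__main__":
    for name, rs in (("posted", POSTED_RULES), ("stateful-in", STATEFUL_IN_RULES)):
        print(name)
        for p, verdict in zip(syn_path(), run(rs)):
            print(f"  {p.direction:>3} on {p.iface:<4} {p.src} -> {p.dst}: {verdict}")
```

Under this model the posted ruleset yields `pass (rule @0)`, `pass (rule @2)`, `pass (state)`, `block (rule @1)` for the four steps, which is exactly the `block out on ep0 ... rule 1` line pflogd recorded; with `keep state` on the inbound ep0 rule the last step becomes `pass (state)`.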

