TCP retransmission on rdr pass or nat pass
Michele Mazzucchi
m.mazzucchi at keencons.com
Sun Dec 7 09:46:34 UTC 2014
Hello folks,
A few weeks ago I noticed random resets in ssh connections. Commands
generating short response sequences were unaffected, while those producing
much output (e.g. scp or cat) would reset the ssh connection.
Log messages going "pf: BAD state: TCP in wire" helped track the issue
down to PF. I broke down a "rdr" rule from
rdr pass proto tcp from any to $jail2_pubip port $jail2_tcpports -> $jail2_privip
to
rdr proto tcp from any to $jail2_pubip port $jail2_tcpports -> $jail2_privip
[… ; block in log ; pass out quick]
pass in quick proto tcp from any to $jail2_privip port $jail2_tcpports
This surprisingly solved the issue. I'm not clear here: "pass" rules now default
to "keep state", but this seems to only apply when they belong to the "Filtering"
region. What's their behavior when they decorate RDR rules?
Also, why does the lack of a state produce such unpredictable resets?
cheers
-m
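The following is an added pf.conf fragment, not part of the original message, showing the two rule shapes the post compares side by side with state tracking spelled out explicitly rather than left to the defaults. The interface name and the addresses and ports behind the macros are constructed placeholders (RFC 5737 documentation space); substitute your own. Note that rdr rewrites the destination before the filter rules are evaluated, so the separate "pass in" must match the translated (private) address, as the post's second ruleset does.

```pf
# Constructed example values; not from the original post.
ext_if          = "em0"
jail2_pubip     = "203.0.113.10"
jail2_privip    = "10.0.0.2"
jail2_tcpports  = "{ 22, 80 }"

# Variant A: translation and filtering in one rule.
# The "pass" modifier on rdr lets matching packets skip the filter section
# entirely, so the filter rules below never see this traffic.
# rdr pass on $ext_if proto tcp from any to $jail2_pubip port $jail2_tcpports \
#     -> $jail2_privip

# Variant B: translation only, filtering done by an explicit pass rule.
rdr on $ext_if proto tcp from any to $jail2_pubip port $jail2_tcpports \
    -> $jail2_privip

block in log on $ext_if

# Filter rules see the post-translation destination, hence $jail2_privip.
# "flags S/SA keep state" makes the state creation explicit: only a SYN
# without ACK creates state, everything else must match an existing entry.
pass in quick on $ext_if proto tcp from any to $jail2_privip \
    port $jail2_tcpports flags S/SA keep state

pass out quick on $ext_if keep state
```

To check the ruleset before loading it, run "pfctl -nvf /etc/pf.conf"; afterwards "pfctl -sr -vv" shows the filter rules with their evaluation and state counters, and "pfctl -ss" lists the states actually created for the forwarded connection, which is the first thing to look at when "BAD state" messages appear in the log.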