
Re: Pf blocking FIN packets, why?



> We've recently installed an ADSL line and I'm using it with a dual nic
> openbsd 3.0 box as a nat router/firewall. Looking at the pflog output I see
> quite a few entries like this:
> Feb 13 09:23:52.071823 rule 4/0(match): block in on fxp1:
> fm385.facility.pipex.com.www > aslak.openkast.com.59427: F

Many OS stacks will send out FINs out of window.  PF has a loose state
match for such spurious packets but it is possible for the FIN to be too
far out of window (I have never seen this).  The other possibility is
that the web server is sending the spurious FIN after the connection
closes.  All of the connection closing timeouts (tcp.closing,
tcp.finwait and tcp.closed) were chosen to miss less than 1/100,000 of
the connections but you may be the statistic ;-)

You could try either increasing those three timeouts via:
  # pfctl -t tcp.closing=3600
  # pfctl -t tcp.finwait=600
  # pfctl -t tcp.closed=180
Or switch all of the timeouts to more conservative settings:
  # pfctl -O conservative

To determine if the packets are window misses:
  # pfctl -x misc
And the kernel will print messages to the console about state match
misses.

.mike
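A small parser for the pflog text format quoted in the thread, added here as an example and not part of the original mail; it tallies blocked packets per rule and reports what share of the blocked TCP packets are lone FINs, the pattern the reply attributes to out-of-window or post-close FINs. The first sample line is the entry quoted above; the other lines are constructed.

```python
import re
from collections import Counter
# pflog text format as quoted in the thread:
#   Feb 13 09:23:52.071823 rule 4/0(match): block in on fxp1: src.port > dst.port: F ...
PFLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:.]+)\s+rule\s+(?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>\w+)\):\s+"
    r"(?P<action>block|pass)\s+(?P<dir>in|out)\s+on\s+(?P<ifname>\w+):\s+"
    r"(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+(?P<info>\S+)(?P<rest>.*)$")
TCP_FLAGS_RE = re.compile(r"^[SFRPUWE.]+$")  # tcpdump's TCP flag letters, '.' = none

def parse_pflog_line(line):
    """Return a dict for one pflog line, or None if the line is not a pflog entry."""
    m = PFLOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # "host.port": the last dot-separated component is the port or service name
    rec["src_host"], rec["src_port"] = rec["src"].rsplit(".", 1)
    rec["dst_host"], rec["dst_port"] = rec["dst"].rsplit(".", 1)
    info = rec.pop("info")
    if TCP_FLAGS_RE.match(info):          # TCP: the token is the flag string
        rec["proto"], rec["flags"] = "tcp", info
    else:                                 # otherwise tcpdump prints the protocol name
        rec["proto"], rec["flags"] = info, ""
    return rec

def summarize_blocks(lines):
    """Count blocked packets per (rule, interface, protocol, TCP flags)."""
    counts = Counter()
    for rec in map(parse_pflog_line, lines):
        if rec and rec["action"] == "block":
            counts[(rec["rule"], rec["ifname"], rec["proto"], rec["flags"])] += 1
    return counts

def lone_fin_share(lines):
    """Share of blocked TCP packets carrying only FIN: the pattern discussed in the reply."""
    tcp = fins = 0
    for rec in map(parse_pflog_line, lines):
        if rec and rec["action"] == "block" and rec["proto"] == "tcp":
            tcp += 1
            if rec["flags"] == "F":
                fins += 1
    return fins / tcp if tcp else 0.0
# Constructed sample: line 1 is the entry quoted in the thread, the rest are made up
# (192.0.2.0/24 and 198.51.100.0/24 are documentation address ranges).
SAMPLE_LOG = """\
Feb 13 09:23:52.071823 rule 4/0(match): block in on fxp1: fm385.facility.pipex.com.www > aslak.openkast.com.59427: F
Feb 13 09:24:01.120000 rule 4/0(match): block in on fxp1: 192.0.2.10.www > aslak.openkast.com.59430: F 1:1(0) ack 2 win 8760
Feb 13 09:24:05.500000 rule 4/0(match): block in on fxp1: 192.0.2.11.www > aslak.openkast.com.59431: F
Feb 13 09:25:00.000000 rule 0/0(match): block in on fxp1: 198.51.100.7.4321 > aslak.openkast.com.ssh: S 10:10(0) win 5840
Feb 13 09:25:10.000000 rule 0/0(match): block in on fxp1: 198.51.100.8.53 > aslak.openkast.com.1024: udp 40
""".splitlines()
```

If nearly all blocked packets on the rule are lone FINs, the reply's timeout adjustments or `pfctl -x misc` are the next step; a mix of SYNs and other flags points at something other than late FINs.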