
pf blocks ACK response



Hi all,

I am having a problem with OpenBSD 3.0-stable (Sunday night's CVS
repository version, compiled and installed; but the problem is not new!)
and I assume it is related to pf.

There is one particular (remote) host that I cannot connect to (smtp,
www), from my internal network, going through the box with pf and nat
enabled. What I can gather from tcpdump is that the remote host is
responding with an ACK reply (a bit odd that adds 4 to the seqn!?); and
this reply is not allowed through the box; even though a state is created.

I have tried to change the rules for pf with no success, but all
works fine for other remote hosts.

Below I include the output of tcpdump when I try to connect from
int.net.host.ip to port 25 of the remote host in question. The output is
when tcpdump listens on each of: internal.int, external.int, and pflog0
(having all the rules with log-all). 
The address ext.net.host.ip is the one assigned by nat.

I don't know any other way of debugging pf. Any ideas on what is going
on will be very appreciated.

# tcpdump -n -i internal.int host 148.223.71.252  
06:24:49.428997 0800 60: int.net.host.ip.33157 > 148.223.71.252.25: S 3948679054:3948679054(0) win 8760 <mss 1460> (DF)
06:24:52.921882 0800 60: int.net.host.ip.33157 > 148.223.71.252.25: S 3948679054:3948679054(0) win 8760 <mss 1460> (DF)
06:24:54.360065 0800 60: int.net.host.ip.33157 > 148.223.71.252.25: R 3948679055:3948679055(0) win 8760 (DF)

# tcpdump -n -i external.int host 148.223.71.252 
06:24:49.429033 0800 58: ext.net.host.ip.61520 > 148.223.71.252.25: S 2193329216:2193329216(0) win 8760 <mss 1460> (DF)
06:24:49.468504 0800 60: 148.223.71.252.25 > ext.net.host.ip.61520: . 2100638079:2100638083(4) ack 2194329216 win 8760 (DF)
06:24:52.921912 0800 58: ext.net.host.ip.61520 > 148.223.71.252.25: S 2193329216:2193329216(0) win 8760 <mss 1460> (DF)
06:24:52.954774 0800 60: 148.223.71.252.25 > ext.net.host.ip.61520: . 0:4(4) ack 1 win 8760 (DF)
06:24:54.360090 0800 54: ext.net.host.ip.61520 > 148.223.71.252.25: R 2193329217:2193329217(0) win 8760 (DF)

# tcpdump -n -e -i pflog0 host 148.223.71.252
06:24:49.429008 rule 2/0(match): pass in on xl1: int.net.host.ip.33157 > 148.223.71.252.25: S 3948679054:3948679054(0) win 8760 <mss 1460> (DF)
06:24:49.429024 rule 33/0(match): pass out on xl0: ext.net.host.ip.33157 > 148.223.71.252.25: S 3948679054:3948679054(0) win 8760 <mss 1460> (DF)
06:24:52.921896 rule 2/0(match): pass in on xl1: int.net.host.ip.33157 > 148.223.71.252.25: S 3948679054:3948679054(0) win 8760 <mss 1460> (DF)
06:24:52.921909 rule 33/0(match): pass out on xl0: ext.net.host.ip.61520 > 148.223.71.252.25: S 2193329216:2193329216(0) win 8760 <mss 1460> (DF)
06:24:54.360075 rule 2/0(match): pass in on xl1: int.net.host.ip.33157 > 148.223.71.252.25: R 3948679055:3948679055(0) win 8760 (DF)
06:24:54.360087 rule 33/0(match): pass out on xl0: ext.net.host.ip.61520 > 148.223.71.252.25: R 2193329217:2193329217(0) win 8760 (DF)

# pfctl -v -s s | grep 148.223.71.252
TCP  int.net.host.ip.33157 -> ext.net.host.ip.33157 -> 148.223.71.252:25 SYN_SENT:SYN_SENT


Thanks for reading!
Ramon.
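An added example, not part of Ramon's post and not pf's own code, that applies a simplified version of the sequence-number check a stateful filter makes to the two absolute-numbered packets from the external-interface capture above. It shows that the reply's ack of 2194329216 is 999999 bytes past the only sequence number the SYN could have consumed (2193329217), so a SYN_SENT state cannot match it; MAXACKWINDOW is an assumed constant and the check is an approximation of pf's window logic, not a copy of it.

```python
import re

# The two absolute-numbered packets from the external-interface capture in the
# post; tcpdump prints later packets with relative numbers, so they are omitted.
CAPTURE = [
    "06:24:49.429033 0800 58: ext.net.host.ip.61520 > 148.223.71.252.25: S 2193329216:2193329216(0) win 8760 <mss 1460> (DF)",
    "06:24:49.468504 0800 60: 148.223.71.252.25 > ext.net.host.ip.61520: . 2100638079:2100638083(4) ack 2194329216 win 8760 (DF)",
]
PKT = re.compile(r"^\S+ \S+ \d+: (?P<src>\S+) > (?P<dst>\S+): (?P<flags>\S+) "
                 r"(?P<seq>\d+):\d+\((?P<len>\d+)\)(?: ack (?P<ack>\d+))? win (?P<win>\d+)")
MAXACKWINDOW = 65535  # assumed slack for an ack lagging behind what we sent
MASK = 0xFFFFFFFF     # TCP sequence numbers are 32-bit and wrap

def parse(line):
    """Pull src/dst, flags, seq, data length, ack and window out of a tcpdump -n line."""
    m = PKT.match(line)
    if m is None:
        raise ValueError("unparsed tcpdump line: " + line)
    p = m.groupdict()
    for k in ("seq", "len", "win"):
        p[k] = int(p[k])
    p["ack"] = int(p["ack"]) if p["ack"] is not None else None
    return p

def check_reply(syn, reply):
    """Simplified stateful check: does 'reply' belong to the state 'syn' created?
    The SYN flag consumes one sequence number, so after sending S seq:seq(0) the
    highest byte a peer can acknowledge is seq+1; the first reply in SYN_SENT
    should also carry SYN.  Returns (accepted, reason)."""
    if (reply["src"], reply["dst"]) != (syn["dst"], syn["src"]):
        return False, "not the reverse of the SYN's addresses"
    if reply["ack"] is None:
        return False, "reply carries no ack"
    sent_hi = (syn["seq"] + syn["len"] + 1) & MASK
    ahead = (reply["ack"] - sent_hi) & MASK   # how far the ack runs past sent_hi
    if 0 < ahead < 0x80000000:
        return False, "ack %d is %d bytes past the highest seq we sent (%d)" % (
            reply["ack"], ahead, sent_hi)
    if ahead and (sent_hi - reply["ack"]) & MASK > MAXACKWINDOW:
        return False, "ack %d lags more than %d bytes behind what we sent" % (
            reply["ack"], MAXACKWINDOW)
    if "S" not in reply["flags"]:
        return False, "expected SYN/ACK in SYN_SENT, got flags %r" % reply["flags"]
    return True, "ack %d acknowledges the SYN" % reply["ack"]

def diagnose(lines):
    """Apply check_reply to a (SYN, reply) pair of tcpdump lines."""
    syn, reply = (parse(l) for l in lines)
    return check_reply(syn, reply)
```

Running `diagnose(CAPTURE)` reports the reply as dropped because its ack does not acknowledge the SYN; a constructed SYN/ACK with ack 2193329217 passes the same check.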