[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: pf blocks ACK response

To: misc@openbsd.org
Subject: Re: pf blocks ACK response
From: Luiz Gustavo <gustavo@shoptime.com>
Date: Tue, 19 Mar 2002 15:26:09 -0300
Content-Disposition: inline
References: <20020319165513.GA7274@hades.shoptime.com> <Pine.SOL.4.21.0203191111003.1646-100000@pulque>

On Tue, Mar 19, 2002 at 11:37:08AM -0600, Ramon Reyes Carrion wrote:

> I am having a problem with OpenBSD 3.0-stable (sunday night's CVS
> repository version, compiled and installed; but the problem is not new!)
> and I assume it is related with pf.
 
> What I think to be relevant is:
 
 Always include everything, sometimes we don't know what is f* and providing
 half rules...   

> # for internal.int
> pass  in  log-all on internal.int from int.net to any
> pass  out log-all on internal.int from any to int.net
> # for external.int
> scrub in log-all on external.int all
> block             out log-all on external.int all
> block             in  log-all on external.int all
> block return-rst  out log-all on external.int proto tcp all
> block return-rst  in  log-all on external.int proto tcp all

 Why don't you do that way?

 block return-rst in log-all on external.int proto tcp all flags S

> block return-icmp out log-all on external.int proto udp all
> block return-icmp in  log-all on external.int proto udp all
> pass out log-all quick on external.int proto tcp from ext.net to any flags S modulate state
> pass out log-all quick on external.int proto udp from ext.net to any keep state
 
> /bsd: pf: BAD state: TCP int.net.host.ip.33157 ext.net.host.ip.61520 148.223.71.252:80 [lo=3173329772 high=3173329774 win=16384 modulator=3401279650] [lo=2014325169 high=2014341577 win=16384 modulator=2173196561] 2:2 A seq=2014325169 ack=3174329772 len=24 ackskew=-1000000 pkts=2 dir=in,rev
> /bsd: pf: State failure on:     3   |    
> /bsd: pf: BAD state: TCP int.net.host.ip.33157 ext.net.host.ip.61520 148.223.71.252:25 [lo=3173329773 high=3173329774 win=16384 modulator=3401279650] [lo=2014325169 high=2014341577 win=16384 modulator=2173196561] 2:2 A seq=2014325169 ack=3174329772 len=24 ackskew=-999999 pkts=4 dir=in,rev
> /bsd: pf: State failure on:     3   |    

 I can be wrong but all your connections are losing states or only certain ones?
 
> I am not an expert at all, so this means ...?

 Neither I. :)

Gustavo

References:
- Re: pf blocks ACK response
  - From: Luiz Gustavo <gustavo@shoptime.com>
- Re: pf blocks ACK response
  - From: Ramon Reyes Carrion <ramon@cimat.mx>

Prev by Date: Re: RAMDISK, part II
Next by Date: Re: Increasing per process memory limit?
Prev by thread: Re: pf blocks ACK response
Next by thread: Re: pf blocks ACK response
Index(es):
- Date
- Thread