
Re: pf blocks ACK response



On Tue, Mar 19, 2002 at 10:34:27AM -0600, Ramon Reyes Carrion wrote:

> I am having a problem with OpenBSD 3.0-stable (sunday night's CVS
> repository version, compiled and installed; but the problem is not new!)
> and I assume it is related with pf.

Thank you for including the right logs. As bizarre as it might sound,
that external host actually seems to have a broken stack.

I took the liberty of connecting to it myself, with pf completely
disabled:

62.65.145.30.5678 > 148.223.71.252.25: S [tcp sum ok]
673148648:673148648(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale
0,nop,nop,timestamp 1420189029 0> (DF) [tos 0x10] (ttl 64, id 62470)
148.223.71.252.25 > 62.65.145.30.5678: . [tcp sum ok]
3620818647:3620818671(24) ack 674148648 win 16384 (DF) [tos 0x10] (ttl
28, id 62470)

My SYN goes out with initial sequence number 673148648. What _should_
come back is a SYN+ACK that acks my ISN+1.

What actually comes back is a plain ACK (no SYN flag) for sequence
number 674148648. That's exactly 1000000 too much (you got the same
offset in your logs).

It's not a valid TCP handshake at all. I doubt _anyone_ can connect
to that external host. If you have administrative control over it (or
know someone who does), it might be worth investigating what's broken
there. But this is certainly not caused by your pf.

Daniel
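
The check described in the message above, as an added example that is not part of the original post: it parses the two tcpdump lines from the trace (unwrapped to one line each) and tests the reply against the two conditions for the second handshake step, a SYN flag and an ack of ISN+1. The names `parse` and `check_handshake_reply` and the `GOOD_REPLY` line are constructed for illustration, and the regular expression only covers the tcpdump output style shown in the trace.

```python
import re

# The two packets from the trace above, unwrapped to one line each.
TRACE = [
    "62.65.145.30.5678 > 148.223.71.252.25: S [tcp sum ok] "
    "673148648:673148648(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale "
    "0,nop,nop,timestamp 1420189029 0> (DF) [tos 0x10] (ttl 64, id 62470)",
    "148.223.71.252.25 > 62.65.145.30.5678: . [tcp sum ok] "
    "3620818647:3620818671(24) ack 674148648 win 16384 (DF) [tos 0x10] "
    "(ttl 28, id 62470)",
]
# Constructed for contrast: what a well-formed SYN+ACK would look like.
GOOD_REPLY = ("148.223.71.252.25 > 62.65.145.30.5678: S [tcp sum ok] "
              "3620818647:3620818647(0) ack 673148649 win 16384 (DF)")

# In this output style "S" is SYN, "." means no flags; ack is printed apart.
PKT = re.compile(
    r"^(?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SFPRWE.]+) .*?"
    r"(?P<seq>\d+):\d+\((?P<len>\d+)\)(?: ack (?P<ack>\d+))?")

def parse(line):
    """Extract endpoints, flags, sequence and ack numbers from one line."""
    m = PKT.match(line)
    if m is None:
        raise ValueError("unrecognised tcpdump line: " + line[:40])
    pkt = m.groupdict()
    pkt["seq"], pkt["len"] = int(pkt["seq"]), int(pkt["len"])
    pkt["ack"] = int(pkt["ack"]) if pkt["ack"] is not None else None
    return pkt

def check_handshake_reply(syn, reply):
    """List the ways `reply` fails as the SYN+ACK answering `syn`."""
    problems = []
    if (reply["src"], reply["dst"]) != (syn["dst"], syn["src"]):
        problems.append("reply does not come from the host the SYN was sent to")
    if "S" not in reply["flags"]:
        problems.append("SYN flag missing (flags: %s)" % reply["flags"])
    expected = (syn["seq"] + 1) % 2**32      # sequence space wraps at 2^32
    if reply["ack"] is None:
        problems.append("no ack number present")
    elif reply["ack"] != expected:
        delta = (reply["ack"] - syn["seq"]) % 2**32
        problems.append(f"ack {reply['ack']} is not ISN+1 ({expected}); "
                        f"ack minus ISN = {delta}")
    return problems

if __name__ == "__main__":
    syn = parse(TRACE[0])
    for label, line in (("observed", TRACE[1]), ("constructed", GOOD_REPLY)):
        print(label, check_handshake_reply(syn, parse(line)) or "valid SYN+ACK")
```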