Re: pf blocks ACK response
Daniel Hartmeier wrote:
>
> On Tue, Mar 19, 2002 at 10:34:27AM -0600, Ramon Reyes Carrion wrote:
>
> > I am having a problem with OpenBSD 3.0-stable (sunday night's CVS
> > repository version, compiled and installed; but the problem is not new!)
> > and I assume it is related with pf.
>
> Thank you for including the right logs. As bizarre as it might sound,
> that external host actually seems to have a broken stack.
>
> I took the liberty of connecting to it myself, with pf completely
> disabled:
>
> 62.65.145.30.5678 > 148.223.71.252.25: S [tcp sum ok]
> 673148648:673148648(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale
> 0,nop,nop,timestamp 1420189029 0> (DF) [tos 0x10] (ttl 64, id 62470)
> 148.223.71.252.25 > 62.65.145.30.5678: . [tcp sum ok]
> 3620818647:3620818671(24) ack 674148648 win 16384 (DF) [tos 0x10] (ttl
> 28, id 62470)
>
> My SYN goes out with initial sequence number 673148648. What _should_
> come back is a SYN+ACK that acks my ISN+1.
>
> What actually comes back is a plain ACK (no SYN flag) for sequence
> number 674148648. That's exactly 1000000 too much (you got the same
> offset in your logs).
>
> It's not a valid TCP handshake at all. I doubt _anyone_ can connect
> to that external host. If you have administrative control over it (or
> know someone who does), it might be worth investigating what's broken
> there. But this is certainly not caused by your pf.
>
> Daniel
I did some tests from home.
The first was on a linux-box via ssh, I have only user access there.
Therefore no tcpdump - sorry.
frankli@majestic () telnet 148.223.71.252 25
Trying 148.223.71.252...
Connected to customer-148-223-71-252.uninet.net.mx (148.223.71.252).
Escape character is '^]'.
220 inf1fw1.queretaro.gob.mx Generic SMTP handler
quit
221 inf1fw1.queretaro.gob.mx connection
Connection closed by foreign host.
[~]
frankli@majestic ()
frankli@majestic () uname -rs
Linux 2.4.8-26mdk
[~]
frankli@majestic ()
You see - it's the famous buggy kernel 2.4.
It must have some magic in its IP-stack, it
is able to connect to the other box.
frank@bardioc:~ > telnet 148.223.71.252 25
Trying 148.223.71.252...
One of my old linux-boxes/kernel2.2.14.
No connect - the same tcpdump as yours.
bash-2.05# tcpdump -i tun0 port 25
tcpdump: listening on tun0
23:18:47.680551 80.144.154.226.54334 > 148.223.71.252.smtp: S
3398322261:3398322261(0) win 32120 <mss 1460,sackOK,timestamp 4381626
0,nop,wscale 0> (DF)
23:18:48.027103 148.223.71.252.smtp > 80.144.154.226.54334: .
895645034:895645054(20) ack 3399322261 win 32120 (DF)
23:18:50.672142 80.144.154.226.54334 > 148.223.71.252.smtp: S
3398322261:3398322261(0) win 32120 <mss 1460,sackOK,timestamp 4381926
0,nop,wscale 0> (DF)
23:18:51.015102 148.223.71.252.smtp > 80.144.154.226.54334: . 0:20(20)
ack 1 win 32120 (DF)
23:18:56.670650 80.144.154.226.54334 > 148.223.71.252.smtp: S
3398322261:3398322261(0) win 32120 <mss 1460,sackOK,timestamp 4382526
0,nop,wscale 0> (DF)
23:18:57.008589 148.223.71.252.smtp > 80.144.154.226.54334: . 0:20(20)
ack 1 win 32120 (DF)
23:19:08.670886 80.144.154.226.54334 > 148.223.71.252.smtp: S
3398322261:3398322261(0) win 32120 <mss 1460,sackOK,timestamp 4383726
0,nop,wscale 0> (DF)
23:19:09.015107 148.223.71.252.smtp > 80.144.154.226.54334: . 0:20(20)
ack 1 win 32120 (DF)
23:19:32.670916 80.144.154.226.54334 > 148.223.71.252.smtp: S
3398322261:3398322261(0) win 32120 <mss 1460,sackOK,timestamp 4386126
0,nop,wscale 0> (DF)
23:19:33.004597 148.223.71.252.smtp > 80.144.154.226.54334: . 0:20(20)
ack 1 win 32120 (DF)
23:20:20.670840 80.144.154.226.63062 > 148.223.71.252.smtp: S
3398322261:3398322261(0) win 32120 <mss 1460,sackOK,timestamp 4390926
0,nop,wscale 0> (DF)
23:20:21.020114 148.223.71.252.smtp > 80.144.154.226.63062: .
895645034:895645054(20) ack 3399322261 win 32120 (DF)
23:21:56.670732 80.144.154.226.63062 > 148.223.71.252.smtp: S
3398322261:3398322261(0) win 32120 <mss 1460,sackOK,timestamp 4400526
0,nop,wscale 0> (DF)
23:21:57.002938 148.223.71.252.smtp > 80.144.154.226.63062: . 0:20(20)
ack 1 win 32120 (DF)
This dump is from my OpenBSD-Router.
The OpenBSD-Box itself can not connect.
Don't know if this helps, if not delete it.
regards
frank
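
Added example, not part of the original messages: the handshake check Daniel describes (the reply to a SYN must carry the SYN flag and acknowledge ISN+1), applied to the first SYN/reply pair of each trace in this thread. The function name `check_handshakes` is hypothetical, the last two sample lines are constructed for comparison, and the parser assumes old-style tcpdump output with absolute sequence numbers (`tcpdump -S`) and wrapped lines re-joined.

```python
import re

# Old-style tcpdump TCP line: [time] src > dst: flags [cksum] seq:end(len) [ack N]
LINE = re.compile(
    r"(?:\d\d:\d\d:\d\d\.\d+ )?(?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SFPRWE.]+) "
    r"(?:\[[^\]]*\] )?(?P<seq>\d+):\d+\(\d+\)(?: ack (?P<ack>\d+))?")

# First four lines: packets quoted in this thread, re-joined and trimmed.
# Last two lines: a constructed, well-formed handshake for comparison.
SAMPLE = """\
62.65.145.30.5678 > 148.223.71.252.25: S [tcp sum ok] 673148648:673148648(0) win 16384
148.223.71.252.25 > 62.65.145.30.5678: . [tcp sum ok] 3620818647:3620818671(24) ack 674148648 win 16384
23:18:47.680551 80.144.154.226.54334 > 148.223.71.252.smtp: S 3398322261:3398322261(0) win 32120
23:18:48.027103 148.223.71.252.smtp > 80.144.154.226.54334: . 895645034:895645054(20) ack 3399322261 win 32120
192.0.2.1.40000 > 192.0.2.2.25: S 1000:1000(0) win 16384
192.0.2.2.25 > 192.0.2.1.40000: S 5000:5000(0) ack 1001 win 16384
"""

def check_handshakes(text):
    """For each first reply to a SYN, return (client, server, has_syn, ack_minus_isn).
    A valid SYN+ACK has has_syn=True and ack_minus_isn == 1."""
    pending = {}    # (client, server) -> ISN of the outstanding SYN
    findings = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        src, dst, flags = m["src"], m["dst"], m["flags"]
        if "S" in flags and m["ack"] is None:      # bare SYN opens a handshake
            pending[(src, dst)] = int(m["seq"])
            continue
        isn = pending.pop((dst, src), None)        # reply travels server -> client
        if isn is None or m["ack"] is None:
            continue
        delta = (int(m["ack"]) - isn) % 2**32      # sequence space wraps at 2^32
        findings.append((dst, src, "S" in flags, delta))
    return findings

if __name__ == "__main__":
    for client, server, has_syn, delta in check_handshakes(SAMPLE):
        verdict = "valid SYN+ACK" if has_syn and delta == 1 else "INVALID"
        print(f"{client} -> {server}: SYN flag={has_syn}, ack-ISN={delta}: {verdict}")
```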