Re: pf blocks ACK response
heheh...
at least I made you, finally, say something useful :)
Eduardo.
----- Original Message -----
From: Darren Reed <avalon@coombs.anu.edu.au>
To: Eduardo B. Fonseca <ebf@cwb.fnn.net>
Cc: <frank@lugh.de>; <misc@openbsd.org>
Sent: Tuesday, March 19, 2002 10:22 PM
Subject: Re: pf blocks ACK response
> In some mail from Eduardo B. Fonseca, sie said:
> >
> > If you are not gonna help, please, shut up.
>
> Well, my email was more helpful than yours - pity you can't heed
> your own advice. But I think my conclusion is close to right.
> Do you have another even semi-plausible explanation for this
> behaviour of the remote system?
>
> I think the solution is to have this in your rules:
>
> block return-rst in quick proto tcp from 148.223.71.252/32 to any
>
> Darren
>
> > ----- Original Message -----
> > From: Darren Reed <avalon@coombs.anu.edu.au>
> > To: <frank@lugh.de>
> > Cc: <misc@openbsd.org>
> > Sent: Tuesday, March 19, 2002 8:54 PM
> > Subject: Re: pf blocks ACK response
> >
> >
> > > Hmmm, this might be someone's idea of syn-spoofing protection.
> > >
> > > In some mail from Frank Lingott, sie said:
> > > >
> > > > Daniel Hartmeier wrote:
> > > > >
> > > > > On Tue, Mar 19, 2002 at 10:34:27AM -0600, Ramon Reyes Carrion wrote:
> > > > >
> > > > > > I am having a problem with OpenBSD 3.0-stable (Sunday night's CVS
> > > > > > repository version, compiled and installed; but the problem is not new!)
> > > > > > and I assume it is related with pf.
> > > > >
> > > > > Thank you for including the right logs. As bizarre as it might sound,
> > > > > that external host actually seems to have a broken stack.
> > > > >
> > > > > I took the liberty of connecting to it myself, with pf completely
> > > > > disabled:
> > > > >
> > > > > 62.65.145.30.5678 > 148.223.71.252.25: S [tcp sum ok]
> > > > > 673148648:673148648(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale
> > > > > 0,nop,nop,timestamp 1420189029 0> (DF) [tos 0x10] (ttl 64, id 62470)
> > > > > 148.223.71.252.25 > 62.65.145.30.5678: . [tcp sum ok]
> > > > > 3620818647:3620818671(24) ack 674148648 win 16384 (DF) [tos 0x10] (ttl
> > > > > 28, id 62470)
> > > > >
> > > > > My SYN goes out with initial sequence number 673148648. What _should_
> > > > > come back is a SYN+ACK that acks my ISN+1.
> > > > >
> > > > > What actually comes back is a plain ACK (no SYN flag) for sequence
> > > > > number 674148648. That's exactly 1000000 too much (you got the same
> > > > > offset in your logs).
> > > > >
> > > > > It's not a valid TCP handshake at all. I doubt _anyone_ can connect
> > > > > to that external host. If you have administrative control over it (or
> > > > > know someone who does), it might be worth investigating what's broken
> > > > > there. But this is certainly not caused by your pf.
> > > > >
> > > > > Daniel
> > > >
> > > > I did some tests from home.
> > > >
> > > > The first was on a Linux box via ssh; I have only user access there.
> > > > Therefore no tcpdump - sorry.
> > > >
> > > > frankli@majestic () telnet 148.223.71.252 25
> > > > Trying 148.223.71.252...
> > > > Connected to customer-148-223-71-252.uninet.net.mx (148.223.71.252).
> > > > Escape character is '^]'.
> > > > 220 inf1fw1.queretaro.gob.mx Generic SMTP handler
> > > > quit
> > > > 221 inf1fw1.queretaro.gob.mx connection
> > > > Connection closed by foreign host.
> > > > [~]
> > > > frankli@majestic ()
> > > >
> > > > frankli@majestic () uname -rs
> > > > Linux 2.4.8-26mdk
> > > > [~]
> > > > frankli@majestic ()
> > > >
> > > > You see - it's the famous buggy kernel 2.4.
> > > > It must have some magic in its IP stack; it
> > > > is able to connect to the other box.
> > > >
> > > > frank@bardioc:~ > telnet 148.223.71.252 25
> > > > Trying 148.223.71.252...
> > > >
> > > > One of my old Linux boxes / kernel 2.2.14.
> > > > No connect - the same tcpdump as yours.
> > > >
> > > > bash-2.05# tcpdump -i tun0 port 25
> > > > tcpdump: listening on tun0
> > > > 23:18:47.680551 80.144.154.226.54334 > 148.223.71.252.smtp: S
> > > > 3398322261:3398322261(0) win 32120 <mss 1460,sackOK,timestamp 4381626
> > > > 0,nop,wscale 0> (DF)
> > > > 23:18:48.027103 148.223.71.252.smtp > 80.144.154.226.54334: .
> > > > 895645034:895645054(20) ack 3399322261 win 32120 (DF)
> > > > 23:18:50.672142 80.144.154.226.54334 > 148.223.71.252.smtp: S
> > > > 3398322261:3398322261(0) win 32120 <mss 1460,sackOK,timestamp 4381926
> > > > 0,nop,wscale 0> (DF)
> > > > 23:18:51.015102 148.223.71.252.smtp > 80.144.154.226.54334: . 0:20(20)
> > > > ack 1 win 32120 (DF)
> > > > 23:18:56.670650 80.144.154.226.54334 > 148.223.71.252.smtp: S
> > > > 3398322261:3398322261(0) win 32120 <mss 1460,sackOK,timestamp 4382526
> > > > 0,nop,wscale 0> (DF)
> > > > 23:18:57.008589 148.223.71.252.smtp > 80.144.154.226.54334: . 0:20(20)
> > > > ack 1 win 32120 (DF)
> > > > 23:19:08.670886 80.144.154.226.54334 > 148.223.71.252.smtp: S
> > > > 3398322261:3398322261(0) win 32120 <mss 1460,sackOK,timestamp 4383726
> > > > 0,nop,wscale 0> (DF)
> > > > 23:19:09.015107 148.223.71.252.smtp > 80.144.154.226.54334: . 0:20(20)
> > > > ack 1 win 32120 (DF)
> > > > 23:19:32.670916 80.144.154.226.54334 > 148.223.71.252.smtp: S
> > > > 3398322261:3398322261(0) win 32120 <mss 1460,sackOK,timestamp 4386126
> > > > 0,nop,wscale 0> (DF)
> > > > 23:19:33.004597 148.223.71.252.smtp > 80.144.154.226.54334: . 0:20(20)
> > > > ack 1 win 32120 (DF)
> > > > 23:20:20.670840 80.144.154.226.63062 > 148.223.71.252.smtp: S
> > > > 3398322261:3398322261(0) win 32120 <mss 1460,sackOK,timestamp 4390926
> > > > 0,nop,wscale 0> (DF)
> > > > 23:20:21.020114 148.223.71.252.smtp > 80.144.154.226.63062: .
> > > > 895645034:895645054(20) ack 3399322261 win 32120 (DF)
> > > > 23:21:56.670732 80.144.154.226.63062 > 148.223.71.252.smtp: S
> > > > 3398322261:3398322261(0) win 32120 <mss 1460,sackOK,timestamp 4400526
> > > > 0,nop,wscale 0> (DF)
> > > > 23:21:57.002938 148.223.71.252.smtp > 80.144.154.226.63062: . 0:20(20)
> > > > ack 1 win 32120 (DF)
> > > >
> > > > This dump is from my OpenBSD-Router.
> > > > The OpenBSD-Box itself can not connect.
> > > >
> > > > Don't know if this helps; if not, delete it.
> > > >
> > > > regards
> > > >
> > > > frank
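The diagnosis Daniel and Frank work through above (a SYN answered by a plain ACK whose ack number is the ISN plus 1000000 instead of a SYN+ACK for ISN+1) can be checked mechanically from a tcpdump capture. The script below is an added example written for this thread; it is not code from any of the posters, from OpenBSD or from tcpdump. It assumes the classic single-line tcpdump TCP summary format used in the quoted logs and absolute sequence numbers (tcpdump prints relative numbers by default once it has seen a SYN, which is why the later lines in Frank's dump read "ack 1"; `tcpdump -S` disables that). The sample input is constructed: the two SYN/reply pairs from the thread, re-joined onto single lines, plus one healthy handshake for contrast.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the two SYN/reply pairs quoted in the thread,
# re-joined onto single lines with absolute sequence numbers (what
# `tcpdump -S` prints), plus one made-up healthy handshake for contrast.
SAMPLE = """\
62.65.145.30.5678 > 148.223.71.252.25: S [tcp sum ok] 673148648:673148648(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 1420189029 0> (DF) [tos 0x10] (ttl 64, id 62470)
148.223.71.252.25 > 62.65.145.30.5678: . [tcp sum ok] 3620818647:3620818671(24) ack 674148648 win 16384 (DF) [tos 0x10] (ttl 28, id 62470)
23:18:47.680551 80.144.154.226.54334 > 148.223.71.252.smtp: S 3398322261:3398322261(0) win 32120 <mss 1460,sackOK,timestamp 4381626 0,nop,wscale 0> (DF)
23:18:48.027103 148.223.71.252.smtp > 80.144.154.226.54334: . 895645034:895645054(20) ack 3399322261 win 32120 (DF)
10.0.0.1.40000 > 10.0.0.2.25: S 1000:1000(0) win 16384 <mss 1460> (DF)
10.0.0.2.25 > 10.0.0.1.40000: S. 5000:5000(0) ack 1001 win 16384 <mss 1460> (DF)
"""

# Matches the classic tcpdump TCP summary: optional timestamp, endpoints,
# flag letters (S, S., ., P., R, F.), optional checksum note, optional
# seq:seqend(len) and optional "ack N". Anything else is ignored.
LINE_RE = re.compile(
    r"^(?:\d{2}:\d{2}:\d{2}\.\d+\s+)?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\w+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\w+): "
    r"(?P<flags>[SPRF.]+)"
    r"(?:\s+\[tcp sum ok\])?"
    r"(?:\s+(?P<seq>\d+):\d+\(\d+\))?"
    r"(?:\s+ack (?P<ack>\d+))?"
)


@dataclass
class Packet:
    src: str
    sport: str
    dst: str
    dport: str
    flags: str
    seq: Optional[int]
    ack: Optional[int]


def parse_line(line: str) -> Optional[Packet]:
    """Parse one tcpdump line; return None for lines that are not TCP summaries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Packet(m["src"], m["sport"], m["dst"], m["dport"], m["flags"],
                  int(m["seq"]) if m["seq"] else None,
                  int(m["ack"]) if m["ack"] else None)


def check_handshakes(dump: str) -> list:
    """Pair each outgoing SYN with the first reply on the reversed 4-tuple and
    judge it the way the thread does: a healthy peer answers with SYN+ACK and
    an ack number of ISN+1, i.e. ack - ISN == 1."""
    pending = {}  # (src, sport, dst, dport) of a SYN -> its ISN
    findings = []
    for line in dump.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        if pkt.flags == "S":
            # A retransmitted SYN (same 4-tuple) simply refreshes the entry.
            pending[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = pkt.seq
            continue
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if rev not in pending or pkt.ack is None:
            continue
        isn = pending.pop(rev)
        delta = (pkt.ack - isn) & 0xFFFFFFFF  # modulo 2^32, like TCP itself
        if pkt.flags == "S." and delta == 1:
            verdict = "ok"
        elif pkt.flags == "S.":
            verdict = "SYN+ACK with wrong ack number"
        else:
            verdict = f"non-SYN reply (flags '{pkt.flags}') to our SYN"
        findings.append({
            "server": f"{pkt.src}.{pkt.sport}",
            "verdict": verdict,
            "ack_minus_isn": delta,
        })
    return findings


if __name__ == "__main__":
    for f in check_handshakes(SAMPLE):
        print(f"{f['server']:>22}  ack-ISN={f['ack_minus_isn']:<8} {f['verdict']}")
```

Run against the thread's two exchanges it reports a non-SYN reply with ack-ISN = 1000000 for 148.223.71.252.25 both times, and "ok" with ack-ISN = 1 for the constructed healthy peer. Because the reply never carries SYN, a stateful filter such as pf has nothing to match it against, which is exactly why the ACK shows up as blocked: the firewall is reporting the remote stack's fault, not causing it.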