pf reassemble tcp problem in latest snapshot?
I believe that since I have installed the latest snapshot I have been
unable to do a software update under OS X. However, if I remove
"reassemble tcp" from the scrub options in pf, I can do a software
update. With it turned on, I see traffic coming in from Apple which,
after a certain point, is being rejected by pf, but I don't know why.
The session appears to be established correctly.
The session information was gathered when 17.250.248.95 was repeatedly
transmitting the same fragment. I've also included tcpdumps of the
upstream (fxp0) and downstream (fxp1) interfaces, the nat rules and
firewall rules, and a dmesg.
Is this a bug, my error, or Apple's? Any thoughts?
self tcp 192.168.1.50:53540 -> 64.81.40.12:64173 -> 17.250.248.95:80       ESTABLISHED:ESTABLISHED
   [1535531069 + 16384](+65819495) wscale 0  [2812579687 + 65535](+3705735531) wscale 0
   age 00:00:10, expires in 23:59:50, 4:4 pkts, 1083:1690 bytes, rule 4
   id: 413d57000000ca45 creatorid: 4129fe95
# tcpdump -pnl -vv host 17.250.248.95
tcpdump: listening on fxp0
00:10:32.780980 64.81.40.12.64173 > 17.250.248.95.80: S [tcp sum ok]
1601349696:1601349696(0) win 65535 <mss 1460,nop,wscale
0,nop,nop,timestamp 1865794013 0> (ttl 63, id 27519)
00:10:32.799075 17.250.248.95.80 > 64.81.40.12.64173: S [tcp sum ok]
2812578212:2812578212(0) ack 1601349697 win 8760 <mss 1460,nop,wscale
0,nop,nop,timestamp 847591427 1865794013> (DF) [tos 0x20] (ttl 50, id
5650)
00:10:32.799336 64.81.40.12.64173 > 17.250.248.95.80: . [tcp sum ok]
1:1(0) ack 1 win 65535 <nop,nop,timestamp 1865794013 847591427> (ttl
63, id 52266)
00:10:32.839677 64.81.40.12.64173 > 17.250.248.95.80: P 1:868(867) ack
1 win 65535 <nop,nop,timestamp 1865794013 847591427> (ttl 63, id
59243)
00:10:32.867467 17.250.248.95.80 > 64.81.40.12.64173: . [tcp sum ok]
1:1(0) ack 868 win 16384 <nop,nop,timestamp 847591434 1865794013> [tos
0x20] (ttl 50, id 5906)
00:10:32.871284 17.250.248.95.80 > 64.81.40.12.64173: P 1:279(278) ack
868 win 16384 <nop,nop,timestamp 847591434 1865794013> [tos 0x20] (ttl
50, id 6162)
00:10:32.873613 17.250.248.95.80 > 64.81.40.12.64173: P 279:1475(1196)
ack 868 win 16384 <nop,nop,timestamp 847591434 1865794013> [tos 0x20]
(ttl 50, id 6418)
00:10:32.876331 17.250.248.95.80 > 64.81.40.12.64173: .
1475:2923(1448) ack 868 win 65535
<nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop> (DF) [tos 0x20] (ttl
50, id 49660)
00:10:32.878507 17.250.248.95.80 > 64.81.40.12.64173: .
2923:4371(1448) ack 868 win 65535
<nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop> (DF) [tos 0x20] (ttl
50, id 49661)
00:10:32.880767 17.250.248.95.80 > 64.81.40.12.64173: .
4371:5819(1448) ack 868 win 65535
<nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop> (DF) [tos 0x20] (ttl
50, id 49662)
00:10:32.882939 17.250.248.95.80 > 64.81.40.12.64173: .
5819:7267(1448) ack 868 win 65535
<nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop> (DF) [tos 0x20] (ttl
50, id 49663)
00:10:32.908615 64.81.40.12.64173 > 17.250.248.95.80: . [tcp sum ok]
868:868(0) ack 1475 win 65535 <nop,nop,timestamp 1865794014 847591434>
(ttl 63, id 40796)
00:10:32.989725 17.250.248.95.80 > 64.81.40.12.64173: .
7267:8715(1448) ack 868 win 65535
<nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop> (DF) [tos 0x20] (ttl
50, id 49682)
00:10:32.991876 17.250.248.95.80 > 64.81.40.12.64173: .
8715:10163(1448) ack 868 win 65535
<nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop> (DF) [tos 0x20] (ttl
50, id 49683)
00:10:34.313350 17.250.248.95.80 > 64.81.40.12.64173: .
1475:2923(1448) ack 868 win 65535
<nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop> (DF) [tos 0x20] (ttl
50, id 49991)
00:10:36.311896 17.250.248.95.80 > 64.81.40.12.64173: .
1475:2923(1448) ack 868 win 65535
<nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop> (DF) [tos 0x20] (ttl
50, id 50674)
00:10:40.313625 17.250.248.95.80 > 64.81.40.12.64173: .
1475:2923(1448) ack 868 win 65535
<nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop> (DF) [tos 0x20] (ttl
50, id 51536)
00:10:44.679552 64.81.40.12.64173 > 17.250.248.95.80: F [tcp sum ok]
868:868(0) ack 1475 win 65535 <nop,nop,timestamp 1865794037 847591434>
(ttl 63, id 28525)
00:10:44.697770 17.250.248.95.80 > 64.81.40.12.64173: . [tcp sum ok]
1475:1475(0) ack 869 win 16384 <nop,nop,timestamp 847592616
1865794037> [tos 0x20] (ttl 50, id 7698)
^C
29 packets received by filter
0 packets dropped by kernel
# tcpdump -pnl -vv -i fxp1 host 17.250.248.95
tcpdump: listening on fxp1
00:10:32.780902 192.168.1.50.53540 > 17.250.248.95.80: S [tcp sum ok]
1535530201:1535530201(0) win 65535 <mss 1460,nop,wscale
0,nop,nop,timestamp 2499287682 0> (DF) (ttl 64, id 33626)
00:10:32.799108 17.250.248.95.80 > 192.168.1.50.53540: S [tcp sum ok]
2223346447:2223346447(0) ack 1535530202 win 8760 <mss 1460,nop,wscale
0,nop,nop,timestamp 1722051864 2499287682> [tos 0x20] (ttl 49, id
39969)
00:10:32.799310 192.168.1.50.53540 > 17.250.248.95.80: . [tcp sum ok]
1:1(0) ack 1 win 65535 <nop,nop,timestamp 2499287682 1722051864> (DF)
(ttl 64, id 33627)
00:10:32.839647 192.168.1.50.53540 > 17.250.248.95.80: P 1:868(867)
ack 1 win 65535 <nop,nop,timestamp 2499287682 1722051864> (DF) (ttl
64, id 33628)
00:10:32.867493 17.250.248.95.80 > 192.168.1.50.53540: . [tcp sum ok]
1:1(0) ack 868 win 16384 <nop,nop,timestamp 1722051871 2499287682>
[tos 0x20] (ttl 49, id 50462)
00:10:32.871310 17.250.248.95.80 > 192.168.1.50.53540: P 1:279(278)
ack 868 win 16384 <nop,nop,timestamp 1722051871 2499287682> [tos 0x20]
(ttl 49, id 43602)
00:10:32.873644 17.250.248.95.80 > 192.168.1.50.53540: P
279:1475(1196) ack 868 win 16384 <nop,nop,timestamp 1722051871
2499287682> [tos 0x20] (ttl 49, id 16413)
00:10:32.908589 192.168.1.50.53540 > 17.250.248.95.80: . [tcp sum ok]
868:868(0) ack 1475 win 65535 <nop,nop,timestamp 2499287683
1722051871> (DF) (ttl 64, id 33629)
00:10:44.679501 192.168.1.50.53540 > 17.250.248.95.80: F [tcp sum ok]
868:868(0) ack 1475 win 65535 <nop,nop,timestamp 2499287706
1722051871> (DF) (ttl 64, id 33642)
00:10:44.697798 17.250.248.95.80 > 192.168.1.50.53540: . [tcp sum ok]
1475:1475(0) ack 869 win 16384 <nop,nop,timestamp 1722053053
2499287706> [tos 0x20] (ttl 49, id 46953)
^C
115 packets received by filter
0 packets dropped by kernel
# pfctl -sr
scrub on fxp0 all no-df random-id reassemble tcp fragment reassemble
block drop in log on fxp0 all
block drop in on ! fxp1 inet from 192.168.1.0/24 to any
block drop in inet from 192.168.1.254 to any
block drop out on fxp0 all
pass out on fxp0 inet proto tcp all flags S/SA modulate state
pass out on fxp0 inet proto udp all keep state
pass out on fxp0 inet proto icmp all keep state
pass out on fxp0 inet proto gre all keep state
pass out on fxp0 inet proto esp all keep state
# pfctl -sn
nat on fxp0 inet from 192.168.1.0/24 to any -> 64.81.40.12
# dmesg
OpenBSD 3.6 (GENERIC) #43: Mon Sep 6 03:04:46 MDT 2004
deraadt@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Pentium III ("GenuineIntel" 686-class) 804 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE
real mem = 536371200 (523800K)
avail mem = 482516992 (471208K)
using 4278 buffers containing 26923008 bytes (26292K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(5c) BIOS, date 06/21/00, BIOS32 rev. 0 @ 0xf0760
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
pcibios0 at bios0: rev 2.1 @ 0xf0000/0xf92
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf0ed0/192 (10 entries)
pcibios0: PCI Interrupt Router at 000:31:0 ("Intel 82371FB ISA" rev 0x00)
pcibios0: PCI bus #2 is the last bus
bios0: ROM list: 0xc0000/0xc000 0xcc000/0x1800 0xd0000/0x1800
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel 82815 Hub" rev 0x02: rng active, 10Kb/sec
ppb0 at pci0 dev 1 function 0 "Intel 82815 AGP" rev 0x02
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 "Nvidia GeForce2 GTS" rev 0xa4
wsdisplay0 at vga1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
ppb1 at pci0 dev 30 function 0 "Intel 82801BA AGP" rev 0x01
pci2 at ppb1 bus 2
fxp0 at pci2 dev 11 function 0 "Intel 82557" rev 0x0c: irq 6, address
00:02:b3:c9:4f:fa
inphy0 at fxp0 phy 1: i82555 10/100 media interface, rev. 4
fxp1 at pci2 dev 13 function 0 "Intel 82557" rev 0x0c: irq 5, address
00:02:b3:c9:4e:8f
inphy1 at fxp1 phy 1: i82555 10/100 media interface, rev. 4
ichpcib0 at pci0 dev 31 function 0 "Intel 82801BA LPC" rev 0x01
pciide0 at pci0 dev 31 function 1 "Intel 82801BA IDE" rev 0x01: DMA,
channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: <IBM-DPTA-372050>
wd0: 16-sector PIO, LBA, 19574MB, 40088160 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 4
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: <TOSHIBA, CD-ROM XM-6302B, 1017> SCSI0
5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, DMA mode 2
uhci0 at pci0 dev 31 function 2 "Intel 82801BA USB" rev 0x01: irq 12
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
"Intel 82801BA SMBus" rev 0x01 at pci0 dev 31 function 3 not configured
uhci1 at pci0 dev 31 function 4 "Intel 82801BA USB2" rev 0x01: irq 6
usb1 at uhci1: USB revision 1.0
uhub1 at usb1
uhub1: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
isa0 at ichpcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: <PC speaker>
sysbeep0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
biomask ff45 netmask ff65 ttymask ffe7
pctr: 686-class user-level performance counters enabled
mtrr: Pentium Pro MTRR support
dkcsum: wd0 matched BIOS disk 80
root on wd0a
rootdev=0x0 rrootdev=0x300 rawdev=0x302
uhub2 at uhub1 port 2
uhub2: ALCOR Generic USB Hub, class 9/0, rev 1.10/1.00, addr 2
uhub2: 4 ports with 4 removable, self powered
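The captures above show what a reviewer would look at first: both SYNs carry a TCP timestamp option, the first data segments from 17.250.248.95 carry one too, but every segment from 1475:2923 onwards arrives with twelve NOPs where the timestamp used to be, and none of those segments ever shows up on fxp1. pf's stateful normalization ("reassemble tcp") treats a data segment without a timestamp on a connection that negotiated timestamps as a broken or forged packet and drops it. The script below is an added example, not part of the original mail; it re-joins the mail-wrapped tcpdump lines, tracks per flow whether both SYNs carried a timestamp option, and lists the data segments that would fail that check. The sample input is copied from the fxp0 capture in the post (a subset of the records); the drop rule it models is a simplification of pf's actual normalization logic and is stated as an assumption.

```python
import re

# Constructed sample input: a subset of the records from the fxp0 capture
# in the post, kept with the mail's line wrapping so the parser must re-join them.
SAMPLE = """\
tcpdump: listening on fxp0
00:10:32.780980 64.81.40.12.64173 > 17.250.248.95.80: S [tcp sum ok]
1601349696:1601349696(0) win 65535 <mss 1460,nop,wscale
0,nop,nop,timestamp 1865794013 0> (ttl 63, id 27519)
00:10:32.799075 17.250.248.95.80 > 64.81.40.12.64173: S [tcp sum ok]
2812578212:2812578212(0) ack 1601349697 win 8760 <mss 1460,nop,wscale
0,nop,nop,timestamp 847591427 1865794013> (DF) [tos 0x20] (ttl 50, id
5650)
00:10:32.871284 17.250.248.95.80 > 64.81.40.12.64173: P 1:279(278) ack
868 win 16384 <nop,nop,timestamp 847591434 1865794013> [tos 0x20] (ttl
50, id 6162)
00:10:32.876331 17.250.248.95.80 > 64.81.40.12.64173: .
1475:2923(1448) ack 868 win 65535
<nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop> (DF) [tos 0x20] (ttl
50, id 49660)
00:10:32.908615 64.81.40.12.64173 > 17.250.248.95.80: . [tcp sum ok]
868:868(0) ack 1475 win 65535 <nop,nop,timestamp 1865794014 847591434>
(ttl 63, id 40796)
00:10:34.313350 17.250.248.95.80 > 64.81.40.12.64173: .
1475:2923(1448) ack 868 win 65535
<nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop> (DF) [tos 0x20] (ttl
50, id 49991)
00:10:44.679552 64.81.40.12.64173 > 17.250.248.95.80: F [tcp sum ok]
868:868(0) ack 1475 win 65535 <nop,nop,timestamp 1865794037 847591434>
(ttl 63, id 28525)
^C
29 packets received by filter
"""

# A new record starts with an hh:mm:ss.usec timestamp; anything else is a
# continuation of the previous (mail-wrapped) record.
TS_START = re.compile(r"^\d\d:\d\d:\d\d\.\d+ ")

# Matches the old-style tcpdump TCP summary: flags, seq:end(len), ack, win, <options>.
RECORD = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<flags>[SFRP.]+) (?:\[tcp sum ok\] )?"
    r"(?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\)"
    r"(?: ack (?P<ack>\d+))? win \d+(?: <(?P<opts>[^>]*)>)?"
)


def parse_records(text):
    """Re-join wrapped lines and return one dict per parsable TCP record."""
    joined, cur = [], []
    for line in text.splitlines():
        if TS_START.match(line):
            if cur:
                joined.append(" ".join(cur))
            cur = [line.strip()]
        elif cur:
            cur.append(line.strip())
    if cur:
        joined.append(" ".join(cur))
    out = []
    for rec in joined:
        m = RECORD.match(rec)
        if m:
            d = m.groupdict()
            opts = (d["opts"] or "").split(",")
            d["has_ts"] = any(o.strip().startswith("timestamp") for o in opts)
            out.append(d)
    return out


def find_unstamped_data_segments(text):
    """Return (time, src, dst, 'seq:end(len)') for data segments that lack a
    timestamp option on a flow where both SYNs carried one. Assumption: this is
    the check pf's 'reassemble tcp' normalization applies to such segments."""
    negotiated = {}  # flow -> {"syn": bool, "synack": bool}
    hits = []
    for r in parse_records(text):
        flow = frozenset((r["src"], r["dst"]))
        st = negotiated.setdefault(flow, {"syn": False, "synack": False})
        if "S" in r["flags"]:
            st["synack" if r["ack"] else "syn"] = r["has_ts"]
            continue
        # pf ignores the timestamp on FIN/RST and on empty ACKs; data segments must carry it.
        if (st["syn"] and st["synack"] and int(r["len"]) > 0
                and not any(f in r["flags"] for f in "FR") and not r["has_ts"]):
            hits.append((r["ts"], r["src"], r["dst"], f"{r['seq']}:{r['end']}({r['len']})"))
    return hits


if __name__ == "__main__":
    for hit in find_unstamped_data_segments(SAMPLE):
        print("would be dropped by reassemble tcp:", *hit)
```

Run against the complete fxp0 dump in the post, the same check flags every 12-NOP segment (1475:2923 and its retransmissions, 2923:4371, 4371:5819, 5819:7267, 7267:8715, 8715:10163), and the fxp1 dump contains none of them, which is consistent with pf discarding them rather than the client never acknowledging them. Either the server or something on the path strips the timestamp option after the first two data segments; the defensive options are to keep "reassemble tcp" and accept that such peers will stall, or drop that one keyword while keeping the rest of the scrub line.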