Date:      Wed, 2 Aug 2006 16:21:29 +0200
From:      Frank Steinborn <steinex@nognu.de>
To:        Max Laier <max@love2party.net>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: I'm getting sick - Problems filtering IPv6.
Message-ID:  <20060802142129.D0BBDB81E@shodan.nognu.de>
In-Reply-To: <200608021601.49038.max@love2party.net>
References:  <20060801142925.54F5CB828@shodan.nognu.de> <200608011905.55505.max@love2party.net> <20060801172045.5ED63B81E@shodan.nognu.de> <200608021601.49038.max@love2party.net>

Max Laier wrote:
> >
> > Hello Max,
> >
> > a state is created, yes:
> >
> > self tcp 2001:1638:17ad::3[53] <- 2001:1638:17ad::3[62810]       SYN_SENT:ESTABLISHED
> >    [342525613 + 65536](+2469478632) wscale 1  [3355548528 + 65537](+82545723) wscale 1
> >    [1845438366 + 4880](+1776883750)  [3423429433 + 65535](+3331864375)
> >    age 00:37:53, expires in 00:00:59, 2204:15980 pkts, 107106:2269450 bytes
> >    age 01:22:57, expires in 00:01:00, 5472:42944 pkts, 324485:6199453 bytes
> >    age 02:00:22, expires in 00:00:59, 11249:53620 pkts, 967458:7637333 bytes
> >
> >
> > Strange thing :-(
> 
> Indeed, and far from what I expected to see.  These states exist for a long 
> time and have seen lots of packets in both directions.  Are you sure you 
> copied the right counters for that state?  Can you please enable extended 
> logging with "pfctl -x misc" and report any related messages from console.  
> Also, please recheck pfctl -vss for the right state counters.  Do I get this 
> right, the "telnet 2001:1638:17ad::3 53" stalled right away?

You are correct, I probably tried too many telnets so that states are
left. I did it again, and here is the state from the telnet:

self tcp 2001:1638:17ad::3[53] <- 2001:1638:17ad::3[59655]       SYN_SENT:ESTABLISHED
    [2728554970 + 65536](+2360520929) wscale 1  [1947983223 + 65537](+3290820275) wscale 1
    age 00:00:02, expires in 00:00:28, 1:1 pkts, 84:84 bytes, rule 45

There is nothing logged on the console due to pfctl -x misc, so I
tried pfctl -x loud. However, the only thing I see are some

"fingerprinted 84.191.87.127:64944  8576:118:0:48:403 (4)
(TS=,M=536,W=0)" (IPs vary, of course, can't find v6 however)

and

"osfp no match against 3400000".

But I guess that's not important here.

And yes, you got it right - if I "telnet 2001:1638:17ad::3 53" it just
stalls and times out after some time (even when I try block-policy
return). But only on the box itself where pf and named is running,
other boxes can access it fine.

Thanks,
Frank
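The thread turns on reading `pfctl -vss` output by hand: the telling signs are the `SYN_SENT:ESTABLISHED` state pair, the `1:1 pkts` counters, and the fact that both endpoints are the same host. Below is a small parser and triage script for that output, added here as an example; it is not code from the original mail or from FreeBSD's pf. `SAMPLE` is constructed: the first state reproduces the wrapped form pasted above (state pair on its own line), the second is an invented healthy state in the one-line form pfctl normally prints. The "initiator first" reading of the state pair and the `addr[port]` / `addr:port` endpoint formats are assumptions about pfctl's print format.

```python
"""Parse `pfctl -vss` output and flag TCP states that look like the one in the thread.

Added example for the discussion above, not code from the original mail or from
FreeBSD's pf.  SAMPLE is constructed: the first state copies the wrapped form
pasted in the mail, the second is a made-up healthy state in one-line form.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

SAMPLE = """\
self tcp 2001:1638:17ad::3[53] <- 2001:1638:17ad::3[59655]
SYN_SENT:ESTABLISHED
    [2728554970 + 65536](+2360520929) wscale 1  [1947983223 + 65537](+3290820275) wscale 1
    age 00:00:02, expires in 00:00:28, 1:1 pkts, 84:84 bytes, rule 45
all tcp 2001:1638:17ad::3[53] <- 2001:db8::10[40211]       ESTABLISHED:ESTABLISHED
    [1 + 65536](+0) wscale 1  [1 + 65536](+0) wscale 1
    age 00:01:10, expires in 23:59:50, 14:12 pkts, 1207:2290 bytes, rule 45
"""

# "<iface> <proto> <endpoint> <dir> <endpoint> [<initiator-state>:<responder-state>]"
HEADER_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+(?P<left>\S+)\s+(?P<dir><->|<-|->)\s+(?P<right>\S+)"
    r"(?:\s+(?P<st>[A-Z_]+:[A-Z_]+))?\s*$"
)
STATE_RE = re.compile(r"^(?P<st>[A-Z_]+:[A-Z_]+)\s*$")   # state pair wrapped onto its own line
AGE_RE = re.compile(
    r"age (?P<age>\d+:\d\d:\d\d), expires in (?P<exp>\d+:\d\d:\d\d), "
    r"(?P<p1>\d+):(?P<p2>\d+) pkts, (?P<b1>\d+):(?P<b2>\d+) bytes(?:, rule (?P<rule>\d+))?"
)


@dataclass
class State:
    iface: str
    proto: str
    left: Tuple[str, int]        # endpoints as printed; for "<-" the right one is the initiator (assumed)
    direction: str
    right: Tuple[str, int]
    state_pair: Tuple[str, str]  # assumed: initiator state first, responder state second
    age_s: int = 0
    expires_s: int = 0
    pkts: Tuple[int, int] = (0, 0)
    nbytes: Tuple[int, int] = (0, 0)
    rule: Optional[int] = None


def hms(text: str) -> int:
    h, m, s = (int(x) for x in text.split(":"))
    return h * 3600 + m * 60 + s


def parse_endpoint(text: str) -> Tuple[str, int]:
    # Assumed formats: IPv6 printed as addr[port], IPv4 as addr:port.
    if text.endswith("]"):
        host, _, port = text[:-1].rpartition("[")
    else:
        host, _, port = text.rpartition(":")
    return host, int(port)


def parse_states(text: str) -> List[State]:
    states: List[State] = []
    cur: Optional[State] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if not line[0].isspace():            # header line or a wrapped state pair
            m = HEADER_RE.match(line)
            if m:
                st = (m["st"] or "?:?").split(":")
                cur = State(m["iface"], m["proto"], parse_endpoint(m["left"]),
                            m["dir"], parse_endpoint(m["right"]), (st[0], st[1]))
                states.append(cur)
                continue
            m = STATE_RE.match(line)
            if m and cur is not None and cur.state_pair == ("?", "?"):
                a, b = m["st"].split(":")
                cur.state_pair = (a, b)
                continue
        m = AGE_RE.search(line)              # counters line; sequence-number lines are ignored
        if m and cur is not None:
            cur.age_s, cur.expires_s = hms(m["age"]), hms(m["exp"])
            cur.pkts = (int(m["p1"]), int(m["p2"]))
            cur.nbytes = (int(m["b1"]), int(m["b2"]))
            cur.rule = int(m["rule"]) if m["rule"] else None
    return states


def triage(states: List[State]) -> List[Tuple[State, List[str]]]:
    """Return states showing the symptom from the thread: a TCP handshake that
    stalls after one packet each way, and traffic where the box talks to itself."""
    findings = []
    for s in states:
        reasons = []
        if s.proto == "tcp" and "SYN_SENT" in s.state_pair and max(s.pkts) <= 1:
            reasons.append("handshake never completed: %s after %d:%d pkts"
                           % (":".join(s.state_pair), s.pkts[0], s.pkts[1]))
        if s.left[0] == s.right[0]:
            reasons.append("both endpoints are %s: the host's own traffic is being filtered" % s.left[0])
        if reasons:
            findings.append((s, reasons))
    return findings


if __name__ == "__main__":
    import sys
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()   # pfctl -vss | python3 pfstates.py
    for s, reasons in triage(parse_states(text)):
        print("%s %s %s[%d] %s %s[%d]  %s  rule %s" % (s.iface, s.proto, s.left[0], s.left[1],
              s.direction, s.right[0], s.right[1], ":".join(s.state_pair), s.rule))
        for r in reasons:
            print("   -", r)
```

Run it as `pfctl -vss | python3 pfstates.py` on the affected box; with no piped input it runs over the constructed sample, where only the first state is flagged, for both reasons.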




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060802142129.D0BBDB81E>