From: Daniel Hartmeier
To: Dmitry Andrianov
Cc: freebsd-pf@freebsd.org
Date: Thu, 4 May 2006 18:39:57 +0200
Message-ID: <20060504163957.GD8160@insomnia.benzedrine.cx>
Subject: Re: IPSEC tunnel problem
List: freebsd-pf@freebsd.org ("Technical discussion and general questions about packet filter (pf)")

On Thu, May 04, 2006 at 08:03:55PM +0400, Dmitry Andrianov wrote:

> May 4 19:52:53 vrn1 kernel: pf: BAD state: TCP 10.2.0.2:3389
> 10.2.0.2:3389 192.168.10.100:1919 [lo=4162748520 high=4162681620
> win=65535 modulator=0] [lo=0 high=65535 win=1 modulator=0] 2:0 PA
> seq=4162748520 ack=0 len=632 ackskew=0 pkts=245:0 dir=out,fwd

The 'dir=out,fwd' part means that the state was created from a packet going out on the interface (gif0, I assume), and that the packet being blocked here was in the same direction.

The 'pkts=245:0' part means that the state entry has so far matched 245 packets flowing in the same direction (out), but 0 in the reverse direction (in).

And that's the problem: pf is not associating replies with the state entry. Because of that, the state entry does not advance its sequence number window (advertised in the replies), and eventually stalls the connection.

This is probably related to the gif interface. I haven't tried it on FreeBSD, but for stateful filtering, it would be important that pf sees packets in both directions on that interface (i.e. SYN outgoing, SYN+ACK incoming, etc.).

You can test what packets pf sees in what direction on an interface by replacing the ruleset with a single rule like

  pass log all

and observing pflog0 (with tcpdump, for instance) while establishing a connection. If only packets of one direction are seen (or both outgoing and incoming packets are seen as having the same direction), there might be a problem with pfil hooks in gif.

Daniel
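A small parser for the 'pf: BAD state' kernel message in the shape quoted above, added here as an example (it is not code from the thread or from pf itself); it extracts the pkts and dir fields and flags entries where the reverse-direction counter is zero, which is the one-sided-traffic symptom the reply describes. The second sample log line is constructed for contrast.

```python
import re
from dataclasses import dataclass

# "pf: BAD state:" message in the shape quoted in the thread: protocol, three
# addr:port fields, then key=value pairs; pkts=<fwd>:<rev> and dir=<dir>,<half>
# are the fields inspected here.
BAD_STATE_RE = re.compile(
    r"pf: BAD state: (?P<proto>\w+) "
    r"(?P<addrs>(?:\d+\.\d+\.\d+\.\d+:\d+ ){3})"
    r".*?pkts=(?P<fwd>\d+):(?P<rev>\d+) dir=(?P<dir>\w+),(?P<half>\w+)"
)

@dataclass
class BadState:
    proto: str
    addrs: list        # the three address:port fields as printed by pf
    pkts_fwd: int      # packets matched in the direction the state was created
    pkts_rev: int      # packets matched in the reverse direction
    direction: str     # "out" or "in": direction of the state-creating packet
    one_sided: bool    # traffic matched the state in only one direction

def parse_bad_state(line):
    """Parse one syslog line; return None if it is not a pf BAD state message."""
    m = BAD_STATE_RE.search(line)
    if m is None:
        return None
    fwd, rev = int(m["fwd"]), int(m["rev"])
    one_sided = (fwd == 0) != (rev == 0)   # exactly one counter is zero
    return BadState(m["proto"], m["addrs"].split(), fwd, rev, m["dir"], one_sided)

def one_sided_states(lines):
    """Return the BAD state entries whose reverse-direction counter never moved."""
    return [st for st in map(parse_bad_state, lines) if st is not None and st.one_sided]

# Sample input: the first line is the one quoted in the thread; the second is
# constructed, with packets in both directions, for contrast.
SAMPLE_LOG = [
    "May  4 19:52:53 vrn1 kernel: pf: BAD state: TCP 10.2.0.2:3389 10.2.0.2:3389 "
    "192.168.10.100:1919 [lo=4162748520 high=4162681620 win=65535 modulator=0] "
    "[lo=0 high=65535 win=1 modulator=0] 2:0 PA seq=4162748520 ack=0 len=632 "
    "ackskew=0 pkts=245:0 dir=out,fwd",
    "May  4 19:53:10 vrn1 kernel: pf: BAD state: TCP 10.2.0.2:22 10.2.0.2:22 "
    "192.168.10.100:2001 [lo=100 high=200 win=65535 modulator=0] "
    "[lo=300 high=400 win=65535 modulator=0] 4:4 A seq=100 ack=300 len=0 "
    "ackskew=0 pkts=12:9 dir=out,fwd",
]

for st in one_sided_states(SAMPLE_LOG):
    print(f"{st.proto} {' '.join(st.addrs)}: pkts={st.pkts_fwd}:{st.pkts_rev} "
          f"dir={st.direction}, replies never matched the state")
```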