From: Alexey Sopov <adler@smtp.ru>
To: freebsd-stable@freebsd.org
Date: Thu, 12 Jul 2007 13:10:14 +0400
Subject: Seems like pf skips some packets.
Message-ID: <241432407.20070712131014@smtp.ru>
List-Id: Production branch of FreeBSD source code (freebsd-stable@freebsd.org)

Hi

On my machine with FreeBSD 6.2-STABLE #4 I noticed that there are outgoing packets from net 192.168.0.0/16 on the external interface.

Some details (here 1 < a,b,c,d,e,f < 254):

~> ifconfig internal
internal: flags=8843 mtu 1500
        options=4b
        inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
        ether 00:04:23:b0:53:ca
        media: Ethernet autoselect (1000baseTX)
        status: active

~> ifconfig external
external: flags=8843 mtu 1500
        options=48
        inet a.b.c.22 netmask 0xfffffffc broadcast a.b.c.23
        ether 00:02:b3:4c:83:6e
        media: Ethernet autoselect (100baseTX)
        status: active

~> grep -v '^#' /etc/pf.conf | grep mynet
table <mynet> { 192.168.0.0/16, 172.16.0.0/16 }

~> sudo pfctl -s a | less
No ALTQ support in kernel
ALTQ related functions disabled
TRANSLATION RULES:
nat on external inet from <mynet> to ! <mynet> -> a.b.d.240/28 bitmask
rdr on external inet proto tcp from any to a.b.e.1 port = ftp -> 192.168.0.2 port 21
rdr on external inet proto udp from any to a.b.e.1 port = 4127 -> 192.168.0.2 port 4127
rdr on external inet proto tcp from any to a.b.e.1 port = 4899 -> 192.168.0.2 port 4899
rdr on external inet proto tcp from any to a.b.c.22 port = 4022 -> 172.16.56.57 port 22

FILTER RULES:
pass in all
pass out all
pass out quick on external inet from a.b.c.20/30 to any
pass out quick on external inet from a.b.d.224/27 to any
pass out quick on external inet from a.b.e.0/24 to any
block drop out on external all

STATES:
#a lot of states

INFO:
Status: Enabled for 0 days 11:06:40           Debug: Urgent
Hostid: 0x2055eb8b

State Table                          Total             Rate
  current entries                     4182
  searches                       250779576         6269.5/s
  inserts                          1877065           46.9/s
  removals                         1872883           46.8/s
Counters
  match                          165990128         4149.8/s
  bad-offset                             0            0.0/s
  fragment                              15            0.0/s
  short                                  2            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                           4550            0.1/s
  proto-cksum                            0            0.0/s
  state-mismatch                      6233            0.2/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s

TIMEOUTS:
tcp.first                    30s
tcp.opening                   5s
tcp.established           18000s
tcp.closing                  60s
tcp.finwait                  30s
tcp.closed                   30s
tcp.tsdiff                   10s
udp.first                    60s
udp.single                   30s
udp.multiple                 60s
icmp.first                   20s
icmp.error                   10s
other.first                  60s
other.single                 30s
other.multiple               60s
frag                          5s
interval                      2s
adaptive.start                0 states
adaptive.end                  0 states
src.track                     0s

LIMITS:
states        hard limit    50000
src-nodes     hard limit    30000
frags         hard limit    50000

TABLES:
mynet

OS FINGERPRINTS:
348 fingerprints loaded

Here I try to catch packets on the external interface:

~> sudo tcpdump -ni external src net 192.168.0.0/16
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on external, link-type EN10MB (Ethernet), capture size 96 bytes
12:59:44.401906 IP 192.168.56.152.1090 > 64.12.31.180.5190: . ack 1528988903 win 0
12:59:44.401921 IP 192.168.12.43.60481 > 81.19.88.11.80: . ack 2815867423 win 0
12:59:44.401933 IP 192.168.46.101.1650 > 81.176.76.116.80: . ack 669974985 win 0
12:59:44.401946 IP 192.168.54.12.2124 > 194.145.212.35.80: . ack 2208596276 win 0
12:59:44.401958 IP 192.168.22.10.1510 > 194.67.45.129.80: . ack 1166126606 win 0
12:59:44.401971 IP 192.168.46.101.1652 > 81.19.80.2.80: . ack 1004425830 win 0
12:59:44.401983 IP 192.168.38.79.63441 > 66.102.11.164.80: . ack 1120457487 win 0
12:59:44.401995 IP 192.168.54.71.1578 > 87.248.217.79.80: . ack 2473371997 win 0
12:59:44.402022 IP 192.168.38.49.4183 > 65.54.195.188.80: . ack 964472648 win 0
12:59:44.402041 IP 192.168.42.90.60363 > 66.249.93.91.80: . ack 2862783680 win 0
12:59:44.402055 IP 192.168.46.46.58867 > 89.188.102.70.80: . ack 2523375288 win 0
12:59:44.402075 IP 192.168.38.16.1222 > 208.166.56.114.80: . ack 0 win 0
12:59:44.402087 IP 192.168.60.38.2050 > 66.235.180.76.8080: . ack 2443543023 win 0
12:59:49.400160 IP 192.168.42.124.1313 > 81.222.128.13.80: . ack 1468803329 win 0
12:59:49.400176 IP 192.168.42.124.1312 > 81.222.128.13.80: . ack 1482657113 win 0
12:59:49.400190 IP 192.168.42.124.1314 > 81.19.80.2.80: . ack 1518361964 win 0
12:59:49.400202 IP 192.168.42.124.1315 > 217.16.26.60.80: . ack 2295931572 win 0
12:59:49.400218 IP 192.168.22.10.1510 > 194.67.45.129.80: . ack 1 win 0
12:59:49.400229 IP 192.168.42.124.1311 > 81.222.128.13.80: . ack 1477893358 win 0
12:59:49.400242 IP 192.168.42.60.61035 > 203.75.40.14.21: . ack 2868867767 win 0
12:59:49.400255 IP 192.168.42.124.1309 > 194.67.23.108.80: . ack 2813951723 win 0
12:59:49.400269 IP 192.168.38.16.1311 > 88.85.78.58.80: . ack 3157990844 win 0
12:59:49.400281 IP 192.168.38.79.63441 > 66.102.11.164.80: . ack 1 win 0
12:59:49.400318 IP 192.168.11.118.2487 > 213.180.214.31.80: . ack 0 win 0
12:59:49.400331 IP 192.168.52.33.64997 > 193.192.41.2.80: . ack 69990011 win 0
12:59:49.400352 IP 192.168.24.16.1047 > 64.12.31.144.5190: . ack 2248286157 win 0
12:59:49.400371 IP 192.168.60.38.2057 > 66.235.180.76.8080: . ack 2458160570 win 0
12:59:49.400383 IP 192.168.38.16.1222 > 208.166.56.114.80: . ack 1 win 0
^C
28 packets captured
45864 packets received by filter
0 packets dropped by kernel

Why weren't these packets translated by the pf nat rules or filtered by the pf block rule? Note that they appear once every five seconds. I tried to modify the frag parameter, but this didn't help. I also noticed that they all have the ACK bit set.

Thank you.

--
mailto:adler@smtp.ru
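As an added illustration of what the ruleset above says should happen (this is not the poster's code and not pf; it is a small Python model written for this page), the script below applies two pf behaviours to lines from the posted capture: the `bitmask` pool option, which takes the network bits from the pool and keeps the host bits of the original source, and the last-match-wins evaluation of the `out` filter rules, where only a matching `quick` rule stops evaluation and where the filter sees the already-translated source because NAT runs first on outbound packets. The a.b.c / a.b.d / a.b.e prefixes are anonymised in the post, so the model substitutes constructed 198.51.x values; it ignores the state table, which real pf consults before the rules, so it shows what the rules require, not why the kernel let these packets through.

```python
"""Toy model of the posted nat/filter rules, applied to the posted tcpdump lines.

Added example, not the poster's code and not pf. Modelled behaviours:
  1. 'nat ... -> pool bitmask': network bits from the pool, host bits from
     the original source, so 192.168.56.152 with a /28 pool -> pool | (152 & 0x0f).
  2. Filter rules are last-match-wins unless a matching rule is 'quick';
     NAT runs before the out-filter, so the filter sees the translated source.
State lookups, which pf does before rule evaluation, are deliberately ignored.
"""
import ipaddress
import re

# Constructed stand-ins for the anonymised a.b.c / a.b.d / a.b.e prefixes.
A_B_C = "198.51.100"
A_B_D = "198.51.101"
A_B_E = "198.51.102"

# table <mynet> { 192.168.0.0/16, 172.16.0.0/16 }
MYNET = [ipaddress.ip_network("192.168.0.0/16"),
         ipaddress.ip_network("172.16.0.0/16")]

# pass out quick on external inet from <net> to any   (three rules in the post)
PASS_OUT_QUICK = [ipaddress.ip_network(f"{A_B_C}.20/30"),
                  ipaddress.ip_network(f"{A_B_D}.224/27"),
                  ipaddress.ip_network(f"{A_B_E}.0/24")]

# nat on external inet from <mynet> to ! <mynet> -> a.b.d.240/28 bitmask
NAT_POOL = ipaddress.ip_network(f"{A_B_D}.240/28")


def in_mynet(addr):
    return any(addr in net for net in MYNET)


def nat_bitmask(src, pool):
    """pf 'bitmask' pool option: network part from the pool, host part from src."""
    host_bits = int(src) & int(pool.hostmask)
    return ipaddress.ip_address(int(pool.network_address) | host_bits)


def translate_out(src, dst):
    """Source address after the nat rule, as a string (unchanged if it does not apply)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if in_mynet(src) and not in_mynet(dst):
        return str(nat_bitmask(src, NAT_POOL))
    return str(src)


def filter_out_external(src):
    """Verdict of the 'out' rules for a packet leaving 'external'.

    Rule order in the post:
      pass out all                                   (matches, not quick)
      pass out quick on external inet from X to any  (stops evaluation if it matches)
      block drop out on external all                 (matches everything, and is last)
    """
    src = ipaddress.ip_address(src)
    for net in PASS_OUT_QUICK:
        if src in net:
            return "pass"      # quick rule matched: evaluation stops here
    return "block"             # last matching rule is 'block drop out on external all'


TCPDUMP_LINE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<flags>\S+) "
    r"ack (?P<ack>\d+) win (?P<win>\d+)")


def analyse(capture):
    """For each tcpdump line: the source NAT should have produced, and the
    filter verdict both for the packet as seen (untranslated) and as expected."""
    rows = []
    for line in capture.strip().splitlines():
        m = TCPDUMP_LINE.match(line.strip())
        if not m:
            continue
        translated = translate_out(m["src"], m["dst"])
        rows.append({
            "ts": m["ts"],
            "src": m["src"],
            "dst": m["dst"],
            "ack_only": m["flags"] == ".",   # tcpdump prints '.' when no SYN/FIN/RST/PSH is set
            "win": int(m["win"]),
            "expected_src": translated,
            "verdict_as_seen": filter_out_external(m["src"]),
            "verdict_if_translated": filter_out_external(translated),
        })
    return rows


# Three lines copied from the posted capture (not new data).
SAMPLE = """
12:59:44.401906 IP 192.168.56.152.1090 > 64.12.31.180.5190: . ack 1528988903 win 0
12:59:44.401921 IP 192.168.12.43.60481 > 81.19.88.11.80: . ack 2815867423 win 0
12:59:49.400218 IP 192.168.22.10.1510 > 194.67.45.129.80: . ack 1 win 0
"""

if __name__ == "__main__":
    for r in analyse(SAMPLE):
        print(f"{r['ts']} {r['src']} -> {r['dst']}: nat should give {r['expected_src']}; "
              f"filter on packet as seen: {r['verdict_as_seen']}, "
              f"on translated packet: {r['verdict_if_translated']}; "
              f"ack-only={r['ack_only']} win={r['win']}")
```

For every posted line the model gives the same answer: the nat rule should have rewritten the source into a.b.d.240/28 (for example 192.168.56.152 into a.b.d.248), after which the `pass out quick ... a.b.d.224/27` rule would have matched; an untranslated 192.168.x.x source matches no `quick` rule and ends at `block drop out on external all`. Since the packets were nevertheless seen on the wire, the explanation has to lie in something the rules alone do not capture (state matching, or the packets not traversing pf at all), which is why `pfctl -s state` for one of the listed source ports, and `pfctl -vvsr` rule counters before and after a burst, would be the next things to look at.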