Date:      Thu, 12 Jul 2007 13:10:14 +0400
From:      Alexey Sopov <adler@smtp.ru>
To:        freebsd-stable@freebsd.org
Subject:   Seems like pf skips some packets.
Message-ID:  <241432407.20070712131014@smtp.ru>

  Hi

  On my machine with FreeBSD 6.2-STABLE #4 I noticed there are
  outgoing packets from net 192.168.0.0/16 on the external interface.

  Some details:
  Here 1 < a,b,c,d,e,f < 254

~> ifconfig internal
internal: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=4b<RXCSUM,TXCSUM,VLAN_MTU,POLLING>
        inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
        ether 00:04:23:b0:53:ca
        media: Ethernet autoselect (1000baseTX <full-duplex>)
        status: active
~> ifconfig external
external: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=48<VLAN_MTU,POLLING>
        inet a.b.c.22 netmask 0xfffffffc broadcast a.b.c.23
        ether 00:02:b3:4c:83:6e
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active

~> grep -v '^#' /etc/pf.conf | grep mynet
table <mynet> { 192.168.0.0/16, 172.16.0.0/16 }

~> sudo pfctl -s a | less
No ALTQ support in kernel
ALTQ related functions disabled
TRANSLATION RULES:
nat on external inet from <mynet> to ! <mynet> -> a.b.d.240/28 bitmask
rdr on external inet proto tcp from any to a.b.e.1 port = ftp -> 192.168.0.2 port 21
rdr on external inet proto udp from any to a.b.e.1 port = 4127 -> 192.168.0.2 port 4127
rdr on external inet proto tcp from any to a.b.e.1 port = 4899 -> 192.168.0.2 port 4899
rdr on external inet proto tcp from any to a.b.c.22 port = 4022 -> 172.16.56.57 port 22

FILTER RULES:
pass in all
pass out all
pass out quick on external inet from a.b.c.20/30 to any
pass out quick on external inet from a.b.d.224/27 to any
pass out quick on external inet from a.b.e.0/24 to any
block drop out on external all

STATES:
#a lot of states

INFO:
Status: Enabled for 0 days 11:06:40           Debug: Urgent

Hostid: 0x2055eb8b

State Table                          Total             Rate
  current entries                     4182
  searches                       250779576         6269.5/s
  inserts                          1877065           46.9/s
  removals                         1872883           46.8/s
Counters
  match                          165990128         4149.8/s
  bad-offset                             0            0.0/s
  fragment                              15            0.0/s
  short                                  2            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                           4550            0.1/s
  proto-cksum                            0            0.0/s
  state-mismatch                      6233            0.2/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s

TIMEOUTS:
tcp.first                    30s
tcp.opening                   5s
tcp.established           18000s
tcp.closing                  60s
tcp.finwait                  30s
tcp.closed                   30s
tcp.tsdiff                   10s
udp.first                    60s
udp.single                   30s
udp.multiple                 60s
icmp.first                   20s
icmp.error                   10s
other.first                  60s
other.single                 30s
other.multiple               60s
frag                          5s
interval                      2s
adaptive.start                0 states
adaptive.end                  0 states
src.track                     0s

LIMITS:
states     hard limit  50000
src-nodes  hard limit  30000
frags      hard limit  50000

TABLES:
mynet

OS FINGERPRINTS:
348 fingerprints loaded


Here I try to catch packets on external interface:

~> sudo tcpdump -ni external src net 192.168.0.0/16
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on external, link-type EN10MB (Ethernet), capture size 96 bytes
12:59:44.401906 IP 192.168.56.152.1090 > 64.12.31.180.5190: . ack 1528988903 win 0
12:59:44.401921 IP 192.168.12.43.60481 > 81.19.88.11.80: . ack 2815867423 win 0
12:59:44.401933 IP 192.168.46.101.1650 > 81.176.76.116.80: . ack 669974985 win 0
12:59:44.401946 IP 192.168.54.12.2124 > 194.145.212.35.80: . ack 2208596276 win 0
12:59:44.401958 IP 192.168.22.10.1510 > 194.67.45.129.80: . ack 1166126606 win 0
12:59:44.401971 IP 192.168.46.101.1652 > 81.19.80.2.80: . ack 1004425830 win 0
12:59:44.401983 IP 192.168.38.79.63441 > 66.102.11.164.80: . ack 1120457487 win 0
12:59:44.401995 IP 192.168.54.71.1578 > 87.248.217.79.80: . ack 2473371997 win 0
12:59:44.402022 IP 192.168.38.49.4183 > 65.54.195.188.80: . ack 964472648 win 0
12:59:44.402041 IP 192.168.42.90.60363 > 66.249.93.91.80: . ack 2862783680 win 0
12:59:44.402055 IP 192.168.46.46.58867 > 89.188.102.70.80: . ack 2523375288 win 0
12:59:44.402075 IP 192.168.38.16.1222 > 208.166.56.114.80: . ack 0 win 0
12:59:44.402087 IP 192.168.60.38.2050 > 66.235.180.76.8080: . ack 2443543023 win 0
12:59:49.400160 IP 192.168.42.124.1313 > 81.222.128.13.80: . ack 1468803329 win 0
12:59:49.400176 IP 192.168.42.124.1312 > 81.222.128.13.80: . ack 1482657113 win 0
12:59:49.400190 IP 192.168.42.124.1314 > 81.19.80.2.80: . ack 1518361964 win 0
12:59:49.400202 IP 192.168.42.124.1315 > 217.16.26.60.80: . ack 2295931572 win 0
12:59:49.400218 IP 192.168.22.10.1510 > 194.67.45.129.80: . ack 1 win 0
12:59:49.400229 IP 192.168.42.124.1311 > 81.222.128.13.80: . ack 1477893358 win 0
12:59:49.400242 IP 192.168.42.60.61035 > 203.75.40.14.21: . ack 2868867767 win 0
12:59:49.400255 IP 192.168.42.124.1309 > 194.67.23.108.80: . ack 2813951723 win 0
12:59:49.400269 IP 192.168.38.16.1311 > 88.85.78.58.80: . ack 3157990844 win 0
12:59:49.400281 IP 192.168.38.79.63441 > 66.102.11.164.80: . ack 1 win 0
12:59:49.400318 IP 192.168.11.118.2487 > 213.180.214.31.80: . ack 0 win 0
12:59:49.400331 IP 192.168.52.33.64997 > 193.192.41.2.80: . ack 69990011 win 0
12:59:49.400352 IP 192.168.24.16.1047 > 64.12.31.144.5190: . ack 2248286157 win 0
12:59:49.400371 IP 192.168.60.38.2057 > 66.235.180.76.8080: . ack 2458160570 win 0
12:59:49.400383 IP 192.168.38.16.1222 > 208.166.56.114.80: . ack 1 win 0
^C
28 packets captured
45864 packets received by filter
0 packets dropped by kernel

Why weren't these packets translated by the pf nat rules or filtered by the pf
block rule?

Note they appear once every five seconds. I tried modifying the frag parameter,
but this didn't help. I also noticed they all have the ACK bit set.

Thank you.

--
                         mailto:adler@smtp.ru
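Added here as an editor's example, not part of the original post: a small Python check that parses tcpdump lines like the ones above, flags packets whose source address is still inside the pf table <mynet> when they leave the external interface (i.e. were not translated by the nat rule), and reports for each such flow how often it repeats and whether every sighting was a bare ACK with window 0, the two observations the post makes. The sample lines are copied from the post plus one constructed, correctly translated packet with a placeholder public source.

```python
import ipaddress
import re

# pf table <mynet> exactly as in the post's pf.conf
MYNET = [ipaddress.ip_network(n) for n in ("192.168.0.0/16", "172.16.0.0/16")]

# Constructed sample: four lines taken from the post's tcpdump output plus one
# correctly NATed SYN with a constructed placeholder public source (203.0.113.240).
SAMPLE = """\
12:59:44.401958 IP 192.168.22.10.1510 > 194.67.45.129.80: . ack 1166126606 win 0
12:59:44.402075 IP 192.168.38.16.1222 > 208.166.56.114.80: . ack 0 win 0
12:59:44.500000 IP 203.0.113.240.5000 > 198.51.100.7.80: S 1:1(0) win 65535
12:59:49.400218 IP 192.168.22.10.1510 > 194.67.45.129.80: . ack 1 win 0
12:59:49.400383 IP 192.168.38.16.1222 > 208.166.56.114.80: . ack 1 win 0
"""

# tcpdump 3.x line: "HH:MM:SS.usec IP src.sport > dst.dport: <flags> <rest>"
LINE_RE = re.compile(r"^(\d\d):(\d\d):(\d\d\.\d+) IP ([\d.]+)\.(\d+) > ([\d.]+)\.(\d+): (\S+) (.*)$")

def parse_line(line):
    """Return None for lines that are not tcpdump IP records, else the fields we need."""
    m = LINE_RE.match(line)
    if not m:
        return None
    h, mi, s, src, sport, dst, dport, flags, rest = m.groups()
    return {
        "t": int(h) * 3600 + int(mi) * 60 + float(s),
        "src": ipaddress.ip_address(src),
        "flow": (src, sport, dst, dport),
        # "." = no SYN/FIN/RST/PSH; "ack ... win 0" = bare ACK advertising a zero window
        "ack_only_win0": flags == "." and rest.startswith("ack") and rest.endswith("win 0"),
    }

def untranslated_flows(text):
    """Group packets whose source is still inside <mynet> by 4-tuple, keeping
    sighting times and whether every sighting was a bare ACK with window 0."""
    flows = {}
    for line in text.splitlines():
        p = parse_line(line)
        if not p or not any(p["src"] in n for n in MYNET):
            continue  # either unparsable or already translated to a public address
        f = flows.setdefault(p["flow"], {"times": [], "ack_only_win0": True})
        f["times"].append(p["t"])
        f["ack_only_win0"] = f["ack_only_win0"] and p["ack_only_win0"]
    return flows

def repeat_interval(times):
    """Seconds between the last two sightings of a flow, or None if seen only once."""
    return None if len(times) < 2 else round(times[-1] - times[-2], 1)
```

Run against a full capture (`tcpdump -ni external src net 192.168.0.0/16 > leak.txt`) to see whether every leaked flow shares the 5 s cadence and bare-ACK/window-0 shape, which narrows the question to where those packets are generated rather than to the filter rules.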
