Date:      Sun, 15 Jul 2007 15:33:29 +0400
From:      Alexey Sopov <adler@smtp.ru>
To:        freebsd-stable@freebsd.org
Subject:   Re: Seems like pf skips some packets.
Message-ID:  <687021049.20070715153329@smtp.ru>
In-Reply-To: <241432407.20070712131014@smtp.ru>
References:  <241432407.20070712131014@smtp.ru>


Fresh news.

I've noticed that all unblocked packets have the tcp window suggestion set to 0
(zero). I tried to block these packets on the external interface:
~>sudo ipfw add 10 deny log tcp from 192.168.0.0/16 to any via external out tcpwin 0
This rule is the first rule in ipfw.

Then I looked for such packets and I found them :(
~>sudo tcpdump -ni external src net 192.168.0.0/16
 15:17:57.603899 IP 192.168.38.36.4649 > 88.212.196.77.80: . ack 727205372 win 0
15:17:57.603960 IP 192.168.54.106.3388 > 217.65.2.62.80: . ack 0 win 0
 15:17:57.603974 IP 192.168.38.36.4647 > 87.250.251.11.80: . ack 1795114833 win 0
15:17:57.603987 IP 192.168.32.96.2263 > 205.188.1.136.5190: . ack 1459514474 win 0
 15:17:57.604015 IP 192.168.24.92.4049 > 194.186.121.81.80: . ack 1712730130 win 0
15:17:57.604028 IP 192.168.56.100.2934 > 194.67.23.206.80: . ack 0 win 0
15:17:57.604041 IP 192.168.48.33.3314 > 81.19.66.19.80: . ack 1697432479 win 0
 15:17:57.604053 IP 192.168.24.92.4040 > 194.186.121.82.80: . ack 1951624102 win 0
15:17:57.604066 IP 192.168.16.35.2298 > 69.147.108.254.443: . ack 3953269109 win 0
15:17:57.604078 IP 192.168.11.143.60431 > 194.186.121.77.80: . ack 4068897542 win 0
15:17:57.604092 IP 192.168.9.18.60492 > 64.12.31.176.5190: . ack 3864640183 win 0
 15:17:57.604104 IP 192.168.24.18.60660 > 81.222.128.13.80: . ack 456936114 win 0
 15:17:57.604117 IP 192.168.24.18.60659 > 81.222.128.13.80: . ack 457633387 win 0
15:17:57.604129 IP 192.168.48.33.3316 > 88.212.196.77.80: . ack 3294547611 win 0
15:17:57.604142 IP 192.168.48.33.3317 > 88.212.196.77.80: . ack 407383482 win 0
15:17:57.604155 IP 192.168.38.36.4645 > 194.67.45.129.80: . ack 450309387 win 0
15:17:57.604167 IP 192.168.48.33.3318 > 194.67.45.98.80: . ack 2013143653 win 0
15:17:57.604180 IP 192.168.50.44.34589 > 213.155.151.142.80: . ack 1954703640 win 0
15:17:57.604191 IP 192.168.42.85.4027 > 216.178.38.78.80: . ack 1861099043 win 0

And I looked into the security log to see whether they are similar (lines
prefixed with a space are common to both):
~>sudo less /var/log/security
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.16.35:2290 216.109.127.6:443 out via external
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.52.20:1636 81.177.16.60:80 out via external
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.9.17:3403 217.106.230.137:80 out via external
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.48.33:3318 194.67.45.98:80 out via external
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.42.85:4027 216.178.38.78:80 out via external
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.56.169:1801 194.67.23.108:80 out via external
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.16.35:2298 69.147.108.254:443 out via external
 Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.38.36:4649 88.212.196.77:80 out via external
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.42.85:4027 216.178.38.78:80 out via external
 Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.38.36:4647 87.250.251.11:80 out via external
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.16.35:2298 69.147.108.254:443 out via external
 Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.24.92:4049 194.186.121.81:80 out via external
 Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.24.92:4040 194.186.121.82:80 out via external
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.38.36:4645 194.67.45.129:80 out via external
 Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.24.18:60660 81.222.128.13:80 out via external
 Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.24.18:60659 81.222.128.13:80 out via external
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.16.35:2083 194.67.23.109:80 out via external
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.56.73:1075 85.112.114.78:22273 out via external
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.56.73:1078 85.112.114.77:22273 out via external
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.16.35:2283 194.67.23.109:80 out via external
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.16.35:2272 194.67.23.109:80 out via external
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.22.103:1054 216.195.54.170:80 out via external
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.16.35:2299 217.146.179.200:443 out via external
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.16.35:2299 217.146.179.200:443 out via external
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.42.85:4069 193.108.95.55:80 out via external

I have two questions now:
1. Why are there denied outgoing packets on the external interface?
2. Why does ipfw skip some tcp packets (tcpwin 0), so that I see them only
with tcpdump?

-- 
                            mailto:adler@smtp.ru
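The comparison done by hand above (marking tcpdump lines that also appear in the ipfw deny log) can be automated; this is an added example, not code from the poster, and the sample lines are a constructed subset of the two outputs quoted in the message. It parses both formats into (src, sport, dst, dport) tuples and reports the win-0 flows tcpdump saw that rule 10 never logged.

```python
import re

# Constructed sample input: a subset of the tcpdump and ipfw log lines quoted in the post.
TCPDUMP_LINES = """\
15:17:57.603899 IP 192.168.38.36.4649 > 88.212.196.77.80: . ack 727205372 win 0
15:17:57.603960 IP 192.168.54.106.3388 > 217.65.2.62.80: . ack 0 win 0
15:17:57.603974 IP 192.168.38.36.4647 > 87.250.251.11.80: . ack 1795114833 win 0
15:17:57.604028 IP 192.168.56.100.2934 > 194.67.23.206.80: . ack 0 win 0
"""

IPFW_LOG_LINES = """\
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.38.36:4649 88.212.196.77:80 out via external
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.38.36:4647 87.250.251.11:80 out via external
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.16.35:2298 69.147.108.254:443 out via external
"""

IPV4 = r"(\d+\.\d+\.\d+\.\d+)"
# tcpdump -n: "IP src.sport > dst.dport: ... win N"
TCPDUMP_RE = re.compile(IPV4 + r"\.(\d+) > " + IPV4 + r"\.(\d+): .* win (\d+)")
# ipfw log: "ipfw: RULE Deny TCP src:sport dst:dport out via IFACE"
IPFW_RE = re.compile(r"ipfw: (\d+) Deny TCP " + IPV4 + r":(\d+) " + IPV4 + r":(\d+) out via (\S+)")


def tcpdump_flows(text, win=0):
    """Return the set of (src, sport, dst, dport) tuples tcpdump saw with window == win."""
    flows = set()
    for line in text.splitlines():
        m = TCPDUMP_RE.search(line)
        if m and int(m.group(5)) == win:
            flows.add((m.group(1), int(m.group(2)), m.group(3), int(m.group(4))))
    return flows


def ipfw_denied_flows(text, rule=10):
    """Return the set of (src, sport, dst, dport) tuples that ipfw rule `rule` logged as denied."""
    flows = set()
    for line in text.splitlines():
        m = IPFW_RE.search(line)
        if m and int(m.group(1)) == rule:
            flows.add((m.group(2), int(m.group(3)), m.group(4), int(m.group(5))))
    return flows


def unlogged_flows(tcpdump_text, ipfw_text, rule=10):
    """Win-0 flows captured on the wire for which no deny log entry from `rule` exists."""
    return sorted(tcpdump_flows(tcpdump_text) - ipfw_denied_flows(ipfw_text, rule))


if __name__ == "__main__":
    for src, sport, dst, dport in unlogged_flows(TCPDUMP_LINES, IPFW_LOG_LINES):
        print(f"{src}:{sport} -> {dst}:{dport} seen by tcpdump, not logged by rule 10")
```

A flow missing from the log is not by itself proof that the rule was bypassed: ipfw log output is rate-limited by net.inet.ip.fw.verbose_limit, so the per-rule packet counters from `ipfw show` are worth comparing as well.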