From: "Alexandre Biancalana" <biancalana@gmail.com>
To: freebsd-pf@freebsd.org
Date: Fri, 15 Aug 2008 11:08:38 -0300
Subject: why BAD state messages
Message-ID: <8e10486b0808150708g200727b8sc2f4993eee9f5248@mail.gmail.com>
Hi list,

I'm experiencing some problems with blocked connections because of bad states, but I need some more information about why this is happening: whether this is a timeout between the TCP handshake, or state creation, or an application trying to talk on a closed connection.

I have two FreeBSD 7-STABLE with PF, carp, pfsync and the max carpdev patch, and two application servers (jboss) that listen on port 9090 behind these firewalls. Some connections from external clients of these appservers are (apparently randomly) being blocked. Enabling loud (pfctl -x loud) I can see in /var/log/messages the following messages:

kernel: pf: BAD state: TCP 10.10.6.19:9090 10.10.6.19:9090 10.10.110.34:52347 [lo=3922530250 high=3922595445 win=65535 modulator=0] [lo=3059100500 high=3059158735 win=65195 modulator=0] 4:4 S seq=398900533 (398900533) ack=3059100500 len=0 ackskew=0 pkts=6:20 dir=in,fwd
kernel: pf: BAD state: TCP 10.10.6.19:9090 10.10.6.19:9090 10.10.110.34:50668 [lo=395881033 high=395946233 win=65535 modulator=0] [lo=3568232053 high=3568290288 win=65200 modulator=0] 4:4 S seq=2480335288 (2480335288) ack=3568232053 len=0 ackskew=0 pkts=6:20 dir=in,fwd
kernel: pf: BAD state: TCP 10.10.6.19:9090 10.10.6.19:9090 10.10.110.34:51582 [lo=3528357041 high=3528421509 win=65535 modulator=0] [lo=3809540772 high=3809605893 win=64468 modulator=0] 9:9 S seq=3810516558 (3810516558) ack=3809540772 len=0 ackskew=0 pkts=6:5 dir=in,fwd
kernel: pf: BAD state: TCP 10.10.6.19:9090 10.10.6.19:9090 10.10.110.34:50668 [lo=395881033 high=395946233 win=65535 modulator=0] [lo=3568232053 high=3568290288 win=65200 modulator=0] 4:4 S seq=2480335288 (2480335288) ack=3568232053 len=0 ackskew=0 pkts=6:20 dir=in,fwd
kernel: pf: BAD state: TCP 10.10.6.18:9090 10.10.6.18:9090 10.10.81.242:2434 [lo=538716318 high=538780855 win=65535 modulator=0] [lo=1004209856 high=1004274961 win=64537 modulator=0] 4:9 S seq=1634723484 (1634723484) ack=1004209856 len=0 ackskew=0 pkts=5:4 dir=in,fwd

I tried to set custom tcp timeout options in these rules, but this does not help:

pass log proto tcp from any to { $apphpr01 $apphpr02 } port { 9090 } keep state (tcp.opening 60, tcp.closed 180, tcp.finwait 90)

Any ideas on how I can know why these connections are being blocked? I can provide any additional information needed.

Regards,
Alexandre
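As an added illustration (not part of the original post), a small Python decoder for the pf "BAD state" lines quoted above: it checks whether the packet's seq and ack fall inside the windows pf was tracking for each side and names the TCP states pf recorded. It assumes the FreeBSD 7 pf log format exactly as shown in the post, with the first [lo high] block belonging to the state's source side and "fwd" meaning the packet travels in the state's original direction.

```python
import re

# Pattern for the "pf: BAD state:" lines quoted in the post (FreeBSD 7 pf): the
# lan/gwy/ext addresses, the state's src and dst tracking windows, then
# src_state:dst_state, the offending packet's TCP flags, seq/ack and direction.
BAD_STATE_RE = re.compile(
    r"pf: BAD state: TCP (?P<lan>\S+) (?P<gwy>\S+) (?P<ext>\S+) "
    r"\[lo=(?P<src_lo>\d+) high=(?P<src_hi>\d+) win=\d+ modulator=\d+\] "
    r"\[lo=(?P<dst_lo>\d+) high=(?P<dst_hi>\d+) win=\d+ modulator=\d+\] "
    r"(?P<src_state>\d+):(?P<dst_state>\d+) (?P<flags>\S+) seq=(?P<seq>\d+) \(\d+\) "
    r"ack=(?P<ack>\d+) len=\d+ ackskew=-?\d+ pkts=\d+:\d+ dir=\w+,(?P<rel>\w+)")

# Kernel TCP FSM state numbers (tcp_fsm.h), as printed in the N:M field.
TCP_STATES = ("CLOSED", "LISTEN", "SYN_SENT", "SYN_RCVD", "ESTABLISHED", "CLOSE_WAIT",
              "FIN_WAIT_1", "CLOSING", "LAST_ACK", "FIN_WAIT_2", "TIME_WAIT")

def seq_in_window(seq, lo, hi):
    """True if lo <= seq <= hi in 32-bit TCP sequence-number arithmetic."""
    return (seq - lo) & 0xFFFFFFFF <= (hi - lo) & 0xFFFFFFFF

def analyze(line):
    m = BAD_STATE_RE.search(line)
    if not m:
        return None  # not a BAD state line
    f = m.groupdict()
    # "fwd": first [lo high] block is the sender's window, second the receiver's.
    snd, rcv = ("src", "dst") if f["rel"] == "fwd" else ("dst", "src")
    src_state, dst_state = int(f["src_state"]), int(f["dst_state"])
    return {
        "flags": f["flags"],
        "states": (TCP_STATES[src_state], TCP_STATES[dst_state]),
        "seq_in_window": seq_in_window(int(f["seq"]), int(f[snd + "_lo"]), int(f[snd + "_hi"])),
        "ack_in_window": seq_in_window(int(f["ack"]), int(f[rcv + "_lo"]), int(f[rcv + "_hi"])),
        # A bare SYN while pf still holds an ESTABLISHED state on both sides is a
        # new connection reusing the old 4-tuple, not a segment of the old one.
        "syn_on_established": f["flags"] == "S" and src_state == dst_state == 4,
    }

SAMPLE_LINES = [  # copied verbatim from the post
    "kernel: pf: BAD state: TCP 10.10.6.19:9090 10.10.6.19:9090 10.10.110.34:52347 "
    "[lo=3922530250 high=3922595445 win=65535 modulator=0] [lo=3059100500 high=3059158735 "
    "win=65195 modulator=0] 4:4 S seq=398900533 (398900533) ack=3059100500 len=0 ackskew=0 pkts=6:20 dir=in,fwd",
    "kernel: pf: BAD state: TCP 10.10.6.18:9090 10.10.6.18:9090 10.10.81.242:2434 "
    "[lo=538716318 high=538780855 win=65535 modulator=0] [lo=1004209856 high=1004274961 "
    "win=64537 modulator=0] 4:9 S seq=1634723484 (1634723484) ack=1004209856 len=0 ackskew=0 pkts=5:4 dir=in,fwd",
]

if __name__ == "__main__":
    for r in map(analyze, SAMPLE_LINES):
        print(r)
```

For the first quoted line the decoder reports both sides ESTABLISHED, a bare SYN whose seq lies outside the client's tracked window while its ack matches the server's window start, which is what pf prints when a client reopens a connection on a 4-tuple it still has a live state for.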