Date:      Sun, 12 Nov 2006 00:24:25 +0100
From:      Daniel Hartmeier <daniel@benzedrine.cx>
To:        Kimi Ostro <kimimeister@gmail.com>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: Having a couple of issues
Message-ID:  <20061111232425.GO6819@insomnia.benzedrine.cx>
In-Reply-To: <42b497160611111504q3a287bf9qa439e62deac62c36@mail.gmail.com>
References:  <42b497160611111207t2e168afdnba91607fd66371d2@mail.gmail.com> <200611112329.43326.max@love2party.net> <42b497160611111504q3a287bf9qa439e62deac62c36@mail.gmail.com>

On Sat, Nov 11, 2006 at 11:04:25PM +0000, Kimi Ostro wrote:

> All of those "State failure on:" messages are like this:
> 
> Nov 10 15:40:24 ehost kernel: pf: State failure on:         |
> 
> which doesn't help I guess?
> 
> more here:
> 
> Nov 10 15:40:24 ehost kernel: pf: BAD state: TCP IiP.IiP.IiP.8:54188
> XiP.XiP.XiP.199:56092 66.35.250.150:80 [lo=3278961269 high=3278967062
> win=32768 modulator=2503785894 wscale=1] [lo=164575658 high=164641194
> win=5792 modulator=2389911175 wscale=2] 4:2 R seq=3278961269
> ack=164575658 len=0 ackskew=0 pkts=1:4 dir=out,fwd
> Nov 10 15:40:24 ehost kernel: pf: State failure on:         |

These are caused by an off-by-one in pf's state tracking for one special
case: when an RST is sent during the handshake (i.e. SYN, SYN+ACK, RST),
pf compares the sequence number in the RST exactly, and is off by one,
blocking the RST.

This is recognizable by the strange "State failure on:" line with no
digits (the digit(s) indicate the reason why the state match failed, in
this specific case, and this case only, there is no digit printed).

It was recently fixed in OpenBSD, IIRC post-4.0. The fix is easy to
port. But I have to wonder why this shows up repeatedly just now.

Who are those clients aborting their handshake with RST, and why are
they doing it? If the RST is properly passed, it's not like you end up
with a working connection, it's aborted. And if they don't intend to
complete the handshake, why start it? Some silly form of port scanning?
WTF? :)

Daniel

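Added example (not part of the thread, not pf's own code): a small Python parser that pairs each "pf: BAD state:" line with the "pf: State failure on:" line that follows it, pulls out the tracked window bounds and the packet's flags/seq/ack, and flags the pattern Daniel describes (an RST with no reason digit after "State failure on:") separately from ordinary state-check failures. The first two sample lines are the ones quoted in the thread with the mail wrapping undone; the second event is constructed to show a failure line that does carry a reason digit. The layout of the fields follows only what is visible in the quoted lines, and the meaning of the reason digits is not given here beyond "a digit marks a failed check".

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample log. Lines 1-2 are the thread's own lines (line wrapping
# undone, addresses anonymised as in the post); lines 3-4 are a hypothetical
# second event with a reason digit, added for contrast.
SAMPLE_LOG = """\
Nov 10 15:40:24 ehost kernel: pf: BAD state: TCP IiP.IiP.IiP.8:54188 XiP.XiP.XiP.199:56092 66.35.250.150:80 [lo=3278961269 high=3278967062 win=32768 modulator=2503785894 wscale=1] [lo=164575658 high=164641194 win=5792 modulator=2389911175 wscale=2] 4:2 R seq=3278961269 ack=164575658 len=0 ackskew=0 pkts=1:4 dir=out,fwd
Nov 10 15:40:24 ehost kernel: pf: State failure on:         |
Nov 10 15:41:02 ehost kernel: pf: BAD state: TCP 192.0.2.7:51000 192.0.2.7:51000 198.51.100.9:443 [lo=1000 high=2000 win=1024 modulator=0 wscale=0] [lo=5000 high=6000 win=1024 modulator=0 wscale=0] 4:4 A seq=9000 ack=5000 len=0 ackskew=0 pkts=12:11 dir=in,fwd
Nov 10 15:41:02 ehost kernel: pf: State failure on: 1       |
"""

# Field layout as seen in the quoted line: proto, endpoints, two bracketed
# per-side trackers [lo= high= win= modulator= wscale=], state pair, TCP
# flags, then seq/ack/len/ackskew/pkts/dir.
BAD_STATE_RE = re.compile(
    r"pf: BAD state: (?P<proto>\S+) (?P<endpoints>.+?) "
    r"\[(?P<src>[^\]]*)\] \[(?P<dst>[^\]]*)\] "
    r"(?P<states>\d+:\d+) (?P<flags>[A-Z]*) ?"
    r"seq=(?P<seq>\d+) ack=(?P<ack>\d+) len=(?P<len>\d+) "
    r"ackskew=(?P<ackskew>-?\d+) pkts=(?P<pkts>\d+:\d+) dir=(?P<dir>\S+)"
)
FAILURE_RE = re.compile(r"pf: State failure on:(?P<cols>.*)$")


def _kv_ints(text: str) -> Dict[str, int]:
    """Turn 'lo=1 high=2 ...' into {'lo': 1, 'high': 2, ...}."""
    return {k: int(v) for k, v in re.findall(r"(\w+)=(-?\d+)", text)}


def parse_bad_state(line: str) -> Optional[Dict]:
    """Parse one 'BAD state' line; None if the line is something else."""
    m = BAD_STATE_RE.search(line)
    if not m:
        return None
    src = _kv_ints(m.group("src"))
    seq = int(m.group("seq"))
    return {
        "proto": m.group("proto"),
        "endpoints": m.group("endpoints").split(),
        "src": src,
        "dst": _kv_ints(m.group("dst")),
        "states": m.group("states"),
        "flags": m.group("flags"),
        "seq": seq,
        "ack": int(m.group("ack")),
        "len": int(m.group("len")),
        "ackskew": int(m.group("ackskew")),
        "dir": m.group("dir"),
        # Distance of the packet's seq from the sender's tracked lower bound.
        # In the thread's sample the RST sits exactly on lo (offset 0).
        "seq_offset_from_lo": seq - src["lo"],
        "reasons": [],
    }


def parse_failure_reasons(line: str) -> Optional[List[str]]:
    """Digits printed after 'State failure on:'; [] when none were printed."""
    m = FAILURE_RE.search(line)
    if not m:
        return None
    return sorted(set(re.findall(r"\d", m.group("cols"))))


def classify(event: Dict) -> str:
    """Label an event once its failure line has been attached."""
    if event["reasons"]:
        return "check-failed:" + ",".join(event["reasons"])
    if "R" in event["flags"]:
        # No reason digit and the packet is an RST: the handshake-RST
        # off-by-one case described in the thread.
        return "handshake-rst-offbyone"
    return "no-reason-unknown"


def parse_pf_log(text: str) -> List[Dict]:
    """Pair each BAD state line with the failure line that follows it."""
    events: List[Dict] = []
    pending: Optional[Dict] = None
    for line in text.splitlines():
        ev = parse_bad_state(line)
        if ev is not None:
            pending = ev
            events.append(ev)
            continue
        reasons = parse_failure_reasons(line)
        if reasons is not None and pending is not None:
            pending["reasons"] = reasons
            pending["verdict"] = classify(pending)
            pending = None
    for ev in events:
        ev.setdefault("verdict", "incomplete")  # no failure line seen
    return events


def summarize(events: List[Dict]) -> Dict[str, Counter]:
    """Verdict counts plus which first-listed endpoint sends the RSTs."""
    return {
        "verdicts": Counter(ev["verdict"] for ev in events),
        "rst_sources": Counter(
            ev["endpoints"][0] for ev in events
            if ev["verdict"] == "handshake-rst-offbyone"
        ),
    }


if __name__ == "__main__":
    for ev in parse_pf_log(SAMPLE_LOG):
        print(ev["verdict"], ev["flags"], ev["endpoints"][0],
              "seq-lo=%d" % ev["seq_offset_from_lo"])
    print(summarize(parse_pf_log(SAMPLE_LOG)))
```

Feeding `/var/log/messages` through `parse_pf_log` and looking at `rst_sources` is a quick way to answer the "who are those clients" question from the reply without reading the raw lines by hand.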