Skip site navigation (1)Skip section navigation (2) 
Date:      Thu, 24 Jan 2008 10:50:27 -0800
From:      Jeremy Chadwick <koitsu@FreeBSD.org>
To:        Tommy Pham <tommyhp2@yahoo.com>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: RELENG_6 and blocked packes with state-mismatch
Message-ID:  <20080124185027.GA9600@eos.sc1.parodius.com>
In-Reply-To: <698416.69586.qm@web38215.mail.mud.yahoo.com>
References:  <20080123084905.GA11909@eos.sc1.parodius.com> <698416.69586.qm@web38215.mail.mud.yahoo.com>
next in thread | previous in thread | raw e-mail | index | archive | help 
On Thu, Jan 24, 2008 at 10:35:07AM -0800, Tommy Pham wrote:
> Are your serves (web, mail, etc.) inside a LAN or DMZ behind the pf
> box? If so, you're missing NAT and rdr rules.  It may help if you can
> make a network layout of your setup like
> 
> Internet <---> router/firewall (FreeBSD pf box) <---> LAN
>                        ^
>                        |
>                        |
>                       DMZ

Good question -- nope, no NAT is being used.  The machine which is doing
the pf filtering is directly on the Internet.  It does not act as a
gateway for other machines on our LAN.  I thought this was implied by
the state-mismatch logs I was showing, re: public Internet-facing IPs,
but I guess not.  :-)

The physical wiring is literally this:

Internet <--> ISP CAT5e <--> HP ProCurve 2626 switch <--> FreeBSD boxes

The routing setup is simple: our co-lo provider handles the routing for
us.  We're given an IP (on their Cisco router) which acts as a gateway
IP for our network block (72.20.106.0/25).  There's no NAT or filtering
going on upstream -- this is a co-location facility.

Is it possible the state-mismatch logs shown are the result of a broken
IP stack on the visitors' machines (e.g. 71.62.42.150 and
75.136.198.15), and pf is filtering it because the TCP state is truly
out-of-order or incorrect?

I haven't been able to find docs on what all of the counter descriptions
actually represent (e.g. state-mismatch, congestion, normalise,
bad-offset, ip-option, etc.); some are obvious, while others are not.

-- 
| Jeremy Chadwick                                    jdc at parodius.com |
| Parodius Networking                           http://www.parodius.com/ |
| UNIX Systems Administrator                      Mountain View, CA, USA |
| Making life hard for others since 1977.                  PGP: 4BD6C0CB |

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20080124185027.GA9600>