From: Ask Bjørn Hansen
Date: Wed, 20 Sep 2006 02:06:04 -0700
To: freebsd-pf@freebsd.org
Subject: Re: bad ruleset - pf not keeping state for some bridged connections?

On Sep 6, 2006, at 20:17, Ask Bjørn Hansen wrote:

Sorry about replying to my own mail, I figured I should include a bit more debug information.

This is from the Fedora box (64.81.32.148) (behind the freebsd/pf bridge/firewall). It looks like the Fedora box is closing the connection after a couple of packets? (The "F" flag is "FIN", right?)

08:48:23.879289 IP 67.15.155.11.32864 > 64.81.32.148.3309: S 3300493391:3300493391(0) win 5840
08:48:23.879535 IP 64.81.32.148.3309 > 67.15.155.11.32864: S 516984971:516984971(0) ack 3300493392 win 5792
08:48:23.918926 IP 67.15.155.11.32864 > 64.81.32.148.3309: . ack 1 win 1460
08:48:23.925702 IP 64.81.32.148.3309 > 67.15.155.11.32864: P 1:71(70) ack 1 win 46
08:48:23.965967 IP 67.15.155.11.32864 > 64.81.32.148.3309: . ack 71 win 1460
08:48:28.931214 IP 64.81.32.148.3309 > 67.15.155.11.32864: F 71:71(0) ack 1 win 46
08:48:29.175137 IP 64.81.32.148.3309 > 67.15.155.11.32864: F 71:71(0) ack 1 win 46
08:48:29.214854 IP 67.15.155.11.32864 > 64.81.32.148.3309: . ack 72 win 1460
08:48:31.441388 IP 67.15.155.11.32864 > 64.81.32.148.3309: FP 1:66(65) ack 72 win 1460
08:48:31.441625 IP 64.81.32.148.3309 > 67.15.155.11.32864: R 516985043:516985043(0) win 0

On the internal interface on the FreeBSD box I get line for line *exactly* the same, except for the timestamps (no surprise).

On the external interface (the one facing the internet and the connecting box) it was (not the same connection attempt, so the timestamp is a few minutes off):

08:52:17.642804 IP 67.15.155.11.32877 > 64.81.32.148.3309: S 3564356178:3564356178(0) win 5840
08:52:17.644035 IP 64.81.32.148.3309 > 67.15.155.11.32877: S 764788140:764788140(0) ack 3564356179 win 5792
08:52:17.682937 IP 67.15.155.11.32877 > 64.81.32.148.3309: . ack 1 win 1460
08:52:17.684160 IP 64.81.32.148.3309 > 67.15.155.11.32877: P 1:71(70) ack 1 win 46
08:52:17.724350 IP 67.15.155.11.32877 > 64.81.32.148.3309: . ack 71 win 1460
08:52:17.729743 IP 67.15.155.11.32877 > 64.81.32.148.3309: P 1:66(65) ack 71 win 1460
08:52:17.968325 IP 67.15.155.11.32877 > 64.81.32.148.3309: P 1:66(65) ack 71 win 1460
08:52:18.448706 IP 67.15.155.11.32877 > 64.81.32.148.3309: P 1:66(65) ack 71 win 1460
08:52:19.408590 IP 67.15.155.11.32877 > 64.81.32.148.3309: P 1:66(65) ack 71 win 1460
08:52:21.328413 IP 67.15.155.11.32877 > 64.81.32.148.3309: P 1:66(65) ack 71 win 1460
08:52:22.690688 IP 64.81.32.148.3309 > 67.15.155.11.32877: F 71:71(0) ack 1 win 46
08:52:22.729772 IP 67.15.155.11.32877 > 64.81.32.148.3309: F 66:66(0) ack 72 win 1460
08:52:22.937111 IP 64.81.32.148.3309 > 67.15.155.11.32877: F 71:71(0) ack 1 win 46
08:52:22.975678 IP 67.15.155.11.32877 > 64.81.32.148.3309: . ack 72 win 1460
08:52:25.167728 IP 67.15.155.11.32877 > 64.81.32.148.3309: FP 1:66(65) ack 72 win 1460
08:52:25.168725 IP 64.81.32.148.3309 > 67.15.155.11.32877: R 764788212:764788212(0) win 0

Does this help anyone enough to be able to give me some hints?

 - ask

-- 
http://askask.com/ - http://develooper.com/
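
Added example, not part of the original message: a small Python comparison of the two tcpdump captures quoted above, counting packets by source, flags and relative sequence range to show which segments appear on the external interface more often than on the inside. The function names are hypothetical, and because the captures come from two different connection attempts it compares packet shapes, ignoring timestamps and ephemeral ports.

```python
import re
from collections import Counter

# tcpdump lines copied from the message above (soft line breaks rejoined).
INTERNAL = """\
08:48:23.879289 IP 67.15.155.11.32864 > 64.81.32.148.3309: S 3300493391:3300493391(0) win 5840
08:48:23.879535 IP 64.81.32.148.3309 > 67.15.155.11.32864: S 516984971:516984971(0) ack 3300493392 win 5792
08:48:23.918926 IP 67.15.155.11.32864 > 64.81.32.148.3309: . ack 1 win 1460
08:48:23.925702 IP 64.81.32.148.3309 > 67.15.155.11.32864: P 1:71(70) ack 1 win 46
08:48:23.965967 IP 67.15.155.11.32864 > 64.81.32.148.3309: . ack 71 win 1460
08:48:28.931214 IP 64.81.32.148.3309 > 67.15.155.11.32864: F 71:71(0) ack 1 win 46
08:48:29.175137 IP 64.81.32.148.3309 > 67.15.155.11.32864: F 71:71(0) ack 1 win 46
08:48:29.214854 IP 67.15.155.11.32864 > 64.81.32.148.3309: . ack 72 win 1460
08:48:31.441388 IP 67.15.155.11.32864 > 64.81.32.148.3309: FP 1:66(65) ack 72 win 1460
08:48:31.441625 IP 64.81.32.148.3309 > 67.15.155.11.32864: R 516985043:516985043(0) win 0
"""
EXTERNAL = """\
08:52:17.642804 IP 67.15.155.11.32877 > 64.81.32.148.3309: S 3564356178:3564356178(0) win 5840
08:52:17.644035 IP 64.81.32.148.3309 > 67.15.155.11.32877: S 764788140:764788140(0) ack 3564356179 win 5792
08:52:17.682937 IP 67.15.155.11.32877 > 64.81.32.148.3309: . ack 1 win 1460
08:52:17.684160 IP 64.81.32.148.3309 > 67.15.155.11.32877: P 1:71(70) ack 1 win 46
08:52:17.724350 IP 67.15.155.11.32877 > 64.81.32.148.3309: . ack 71 win 1460
08:52:17.729743 IP 67.15.155.11.32877 > 64.81.32.148.3309: P 1:66(65) ack 71 win 1460
08:52:17.968325 IP 67.15.155.11.32877 > 64.81.32.148.3309: P 1:66(65) ack 71 win 1460
08:52:18.448706 IP 67.15.155.11.32877 > 64.81.32.148.3309: P 1:66(65) ack 71 win 1460
08:52:19.408590 IP 67.15.155.11.32877 > 64.81.32.148.3309: P 1:66(65) ack 71 win 1460
08:52:21.328413 IP 67.15.155.11.32877 > 64.81.32.148.3309: P 1:66(65) ack 71 win 1460
08:52:22.690688 IP 64.81.32.148.3309 > 67.15.155.11.32877: F 71:71(0) ack 1 win 46
08:52:22.729772 IP 67.15.155.11.32877 > 64.81.32.148.3309: F 66:66(0) ack 72 win 1460
08:52:22.937111 IP 64.81.32.148.3309 > 67.15.155.11.32877: F 71:71(0) ack 1 win 46
08:52:22.975678 IP 67.15.155.11.32877 > 64.81.32.148.3309: . ack 72 win 1460
08:52:25.167728 IP 67.15.155.11.32877 > 64.81.32.148.3309: FP 1:66(65) ack 72 win 1460
08:52:25.168725 IP 64.81.32.148.3309 > 67.15.155.11.32877: R 764788212:764788212(0) win 0
"""
LINE = re.compile(r"^\S+ IP ([\d.]+)\.\d+ > [\d.]+\.\d+: (\S+) (\d+:\d+\(\d+\))?")

def shape(capture):
    """Count packets by (source IP, flags, relative seq range)."""
    seen = Counter()
    for m in filter(None, map(LINE.match, capture.splitlines())):
        src, flags, seq = m.groups()
        # SYN/RST lines carry absolute sequence numbers: drop them.
        seen[(src, flags, None if set(flags) & {"S", "R"} else seq)] += 1
    return seen

def only_outside(external, internal):
    """Packets seen on the external interface more often than inside."""
    return shape(external) - shape(internal)
```

Calling only_outside(EXTERNAL, INTERNAL) returns the packet shapes that have no counterpart in the inside capture, with how many times each was seen.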