From: Max Laier
Organization: FreeBSD
To: Frank Steinborn
Cc: freebsd-pf@freebsd.org
Date: Wed, 2 Aug 2006 16:01:42 +0200
Subject: Re: I'm getting sick - Problems filtering IPv6.
Message-Id: <200608021601.49038.max@love2party.net>
In-Reply-To: <20060801172045.5ED63B81E@shodan.nognu.de>

On Tuesday 01 August 2006 19:20, Frank Steinborn wrote:
> Max Laier wrote:
> > On Tuesday 01 August 2006 16:29, Frank Steinborn wrote:
> > > That's it. It's not possible, and I'm really frustrated for days now.
> > > What is actually borked here? Let's have a look at the pflog0, what's
> > > dropping:
> > >
> > > 15:26:35.983709 rule 1/0(match): block in on gif0:
> > > 2001:1638:17ad::3.53 > 2001:1638:17ad::3.59761: tcp 40 [bad hdr
> > > length 4 - too short, < 20]
> > >
> > > Hmm. Bad hdr length? What's up here? If I change the rule
> >
> > This really just is an artefact from a too short snaplen. Use -s 1500
> > and you get rid of it.
> >
> > The strange thing, however, is that this is the reply *from* port 53. So
> > this means the initial SYN got through alright. Can you check if a state
> > has been created (pfctl -vss) for that connection, please. I suspect
> > that it has and the problem would be that the reply doesn't match the
> > state - for whatever reason. Please check if there is a state and let
> > me know - thanks.
>
> Hello Max,
>
> a state is created, yes:
>
> self tcp 2001:1638:17ad::3[53] <- 2001:1638:17ad::3[62810]
>    SYN_SENT:ESTABLISHED
>    [342525613 + 65536](+2469478632) wscale 1  [3355548528 + 65537](+82545723) wscale 1
>    [1845438366 + 4880](+1776883750)  [3423429433 + 65535](+3331864375)
>    age 00:37:53, expires in 00:00:59, 2204:15980 pkts, 107106:2269450 bytes
>    age 01:22:57, expires in 00:01:00, 5472:42944 pkts, 324485:6199453 bytes
>    age 02:00:22, expires in 00:00:59, 11249:53620 pkts, 967458:7637333 bytes
>
> Strange thing :-(

Indeed, and far from what I expected to see. These states exist for a long
time and have seen lots of packets in both directions. Are you sure you
copied the right counters for that state? Can you please enable extended
logging with "pfctl -x misc" and report any related messages from the console.
Also, please recheck pfctl -vss for the right state counters. Do I get this
right, the "telnet 2001:1638:17ad::3 53" stalled right away?

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
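An added example, not from the thread, that parses pfctl -vss output in the shape Frank quoted above and separates states that have carried traffic both ways from one-sided states (a state whose reply never matched). The sample text is constructed: the first state copies the quoted lines, the second one-sided state is hypothetical.

```python
import re

# Constructed sample in the shape of the pfctl -vss excerpt quoted in the thread.
# The first state copies the quoted header/counter lines; the second is a
# hypothetical one-sided state (SYN seen, no reply matched) added for contrast.
SAMPLE = """\
self tcp 2001:1638:17ad::3[53] <- 2001:1638:17ad::3[62810]       SYN_SENT:ESTABLISHED
   [342525613 + 65536](+2469478632) wscale 1  [3355548528 + 65537](+82545723) wscale 1
   age 00:37:53, expires in 00:00:59, 2204:15980 pkts, 107106:2269450 bytes
self tcp 2001:1638:17ad::3[59761] -> 2001:1638:17ad::3[53]       SYN_SENT:CLOSED
   [1845438366 + 4880](+1776883750)  [3423429433 + 65535](+3331864375)
   age 00:00:09, expires in 00:00:21, 1:0 pkts, 60:0 bytes
"""

# "ifname proto endpoint dir endpoint STATE:STATE" header line of each state.
HEADER = re.compile(
    r'^(?P<ifname>\S+)\s+(?P<proto>\S+)\s+(?P<left>\S+)\s+(?P<dir><->|<-|->)\s+'
    r'(?P<right>\S+)\s+(?P<state>\S+)\s*$')
# Indented counter line: age, expiry and the two per-direction counters as printed.
COUNTERS = re.compile(
    r'^\s*age (\d+):(\d+):(\d+), expires in \d+:\d+:\d+, '
    r'(?P<pk_a>\d+):(?P<pk_b>\d+) pkts, (?P<by_a>\d+):(?P<by_b>\d+) bytes')

def parse_states(text):
    """Return one dict per state: header fields plus age_s, pkts and bytes tuples."""
    states, cur = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = m.groupdict()
            states.append(cur)
            continue
        m = COUNTERS.match(line)
        if m and cur is not None:
            h, mi, s = (int(x) for x in m.groups()[:3])
            cur['age_s'] = h * 3600 + mi * 60 + s
            cur['pkts'] = (int(m['pk_a']), int(m['pk_b']))
            cur['bytes'] = (int(m['by_a']), int(m['by_b']))
    return states

def states_for(states, endpoint):
    """States in which the given 'addr[port]' endpoint is either side."""
    return [s for s in states if endpoint in (s['left'], s['right'])]

def one_sided(states):
    """States whose packet counter is zero in one direction: the reply never matched."""
    return [s for s in states if 0 in s.get('pkts', ())]

if __name__ == '__main__':
    for s in one_sided(parse_states(SAMPLE)):
        print(f"one-sided {s['proto']} state {s['left']} {s['dir']} {s['right']} "
              f"({s['state']}, {s['pkts'][0]}:{s['pkts'][1]} pkts)")
```

Feed it the real `pfctl -vss` output instead of SAMPLE to check whether the state for the stalled connection actually counts packets in both directions, which is the question Max asks above.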