From owner-freebsd-pf@FreeBSD.ORG Wed Aug 2 14:21:34 2006
Return-Path:
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 30D7016A4E2 for ; Wed, 2 Aug 2006 14:21:34 +0000 (UTC) (envelope-from steinex@nognu.de)
Received: from shodan.nognu.de (shodan.nognu.de [85.14.216.230]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9075443D53 for ; Wed, 2 Aug 2006 14:21:31 +0000 (GMT) (envelope-from steinex@nognu.de)
Received: by shodan.nognu.de (Postfix, from userid 1002) id D0BBDB81E; Wed, 2 Aug 2006 16:21:29 +0200 (CEST)
Date: Wed, 2 Aug 2006 16:21:29 +0200
From: Frank Steinborn
To: Max Laier
Mail-Followup-To: Max Laier , freebsd-pf@freebsd.org
References: <20060801142925.54F5CB828@shodan.nognu.de> <200608011905.55505.max@love2party.net> <20060801172045.5ED63B81E@shodan.nognu.de> <200608021601.49038.max@love2party.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <200608021601.49038.max@love2party.net>
User-Agent: mutt-ng/devel-r804 (FreeBSD)
Message-Id: <20060802142129.D0BBDB81E@shodan.nognu.de>
Cc: freebsd-pf@freebsd.org
Subject: Re: I'm getting sick - Problems filtering IPv6.
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 02 Aug 2006 14:21:34 -0000

Max Laier wrote:
> >
> > Hello Max,
> >
> > a state is created, yes:
> >
> > self tcp 2001:1638:17ad::3[53] <- 2001:1638:17ad::3[62810]       SYN_SENT:ESTABLISHED
> >    [342525613 + 65536](+2469478632) wscale 1  [3355548528 + 65537](+82545723) wscale 1
> >    [1845438366 + 4880](+1776883750)  [3423429433 + 65535](+3331864375)
> >    age 00:37:53, expires in 00:00:59, 2204:15980 pkts, 107106:2269450 bytes
> >    age 01:22:57, expires in 00:01:00, 5472:42944 pkts, 324485:6199453 bytes
> >    age 02:00:22, expires in 00:00:59, 11249:53620 pkts, 967458:7637333 bytes
> >
> >
> > Strange thing :-(
>
> Indeed, and far from what I expected to see. These states exist for a long
> time and have seen lots of packets in both directions. Are you sure you
> copied the right counters for that state? Can you please enable extended
> logging with "pfctl -x misc" and report any related messages from console.
> Also, please recheck pfctl -vss for the right state counters. I do get this
> right, the "telnet 2001:1638:17ad::3 53" stalled right away?

You are correct, I probably tried too many telnets, so that states are left.
I did it again, and here is the state from the telnet:

self tcp 2001:1638:17ad::3[53] <- 2001:1638:17ad::3[59655]       SYN_SENT:ESTABLISHED
   [2728554970 + 65536](+2360520929) wscale 1  [1947983223 + 65537](+3290820275) wscale 1
   age 00:00:02, expires in 00:00:28, 1:1 pkts, 84:84 bytes, rule 45

There is nothing logged on the console due to pfctl -x misc, so I tried
pfctl -x loud. However, the only things I see are some "fingerprinted
84.191.87.127:64944 8576:118:0:48:403 (4) (TS=,M=536,W=0)" (IPs vary, of
course, can't find v6 however) and "osfp no match against 3400000".
But I guess that's not important here.

And yes, you got it right - if I "telnet 2001:1638:17ad::3 53" it just
stalls and times out after some time (even when I try block-policy return).
But only on the box itself where pf and named are running; other boxes can
access it fine.

Thanks,
Frank
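The `pfctl -vss` records quoted in this thread have a regular shape (one header line per state, indented detail lines below it), so a small parser plus a heuristic can pick out states like the stalled one above without reading the whole table by hand. What follows is an added example, not code from the post, from Max Laier, or from the pf project. The sample records are constructed: the first two are modelled on the two stalled IPv6 states quoted above, the third is an invented healthy IPv4 connection for contrast. The "stuck state" heuristics are the editor's own, not anything pf itself reports, and the script name pfstates.py is assumed.

```python
"""Flag TCP states in `pfctl -vss` output that look stuck (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the layout `pfctl -vss` prints. Records 1-2 are
# modelled on the stalled states quoted in the thread; record 3 is an
# invented healthy connection for contrast and is not from the post.
SAMPLE_PFCTL_VSS = """\
self tcp 2001:1638:17ad::3[53] <- 2001:1638:17ad::3[59655]       SYN_SENT:ESTABLISHED
   [2728554970 + 65536](+2360520929) wscale 1  [1947983223 + 65537](+3290820275) wscale 1
   age 00:00:02, expires in 00:00:28, 1:1 pkts, 84:84 bytes, rule 45
self tcp 2001:1638:17ad::3[53] <- 2001:1638:17ad::3[62810]       SYN_SENT:ESTABLISHED
   [342525613 + 65536](+2469478632) wscale 1  [3355548528 + 65537](+82545723) wscale 1
   age 00:37:53, expires in 00:00:59, 2204:15980 pkts, 107106:2269450 bytes, rule 45
em0 tcp 192.0.2.10[22] <- 198.51.100.7[51022]       ESTABLISHED:ESTABLISHED
   [4087593101 + 65535](+1234567) wscale 6  [2947205813 + 65535](+7654321) wscale 6
   age 00:05:10, expires in 23:59:58, 410:385 pkts, 54120:41377 bytes, rule 12
"""

# Header line: interface, protocol, endpoint, direction, endpoint, src:dst TCP state.
HEADER_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+(?P<left>\S+)\s+(?P<dir><->|<-|->)\s+"
    r"(?P<right>\S+)\s+(?P<state>\S+)\s*$")
# Counter line; "rule N" is only present in verbose (-vv / -vss) output.
COUNTERS_RE = re.compile(
    r"age\s+(?P<age>[\d:]+),\s+expires in\s+(?P<expires>[\d:]+),\s+"
    r"(?P<pkts_fwd>\d+):(?P<pkts_rev>\d+)\s+pkts,\s+"
    r"(?P<bytes_fwd>\d+):(?P<bytes_rev>\d+)\s+bytes(?:,\s+rule\s+(?P<rule>\d+))?")


@dataclass
class PfState:
    iface: str
    proto: str
    left: str
    direction: str
    right: str
    src_state: str            # TCP state of the side that created the state
    dst_state: str            # TCP state of the replying side
    age: str = "00:00:00"
    expires: str = "00:00:00"
    pkts_fwd: int = 0         # packets in the direction that created the state
    pkts_rev: int = 0         # packets in the reply direction
    bytes_fwd: int = 0
    bytes_rev: int = 0
    rule: Optional[int] = None


def age_seconds(hms: str) -> int:
    """Convert pfctl's HH:MM:SS age/expiry notation to seconds."""
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def parse_states(text: str) -> List[PfState]:
    """Parse `pfctl -vss` output into PfState records."""
    states: List[PfState] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():                    # new state header
            m = HEADER_RE.match(line)
            if m is None:
                raise ValueError(f"unrecognised state header: {line!r}")
            src_state, _, dst_state = m.group("state").partition(":")
            states.append(PfState(m.group("iface"), m.group("proto"), m.group("left"),
                                  m.group("dir"), m.group("right"), src_state, dst_state))
            continue
        m = COUNTERS_RE.search(line)                 # indented detail line
        if m is None or not states:
            continue                                 # sequence-number line: nothing to keep
        st = states[-1]
        st.age, st.expires = m.group("age"), m.group("expires")
        st.pkts_fwd, st.pkts_rev = int(m.group("pkts_fwd")), int(m.group("pkts_rev"))
        st.bytes_fwd, st.bytes_rev = int(m.group("bytes_fwd")), int(m.group("bytes_rev"))
        st.rule = int(m.group("rule")) if m.group("rule") else None
    return states


def suspicious(st: PfState, syn_wait_s: int = 30) -> Optional[str]:
    """Editor's heuristics (not pf's): reason a TCP state looks stuck, else None.

    A completed handshake leaves both sides ESTABLISHED. One side still in
    SYN_SENT although packets flowed both ways is the pattern in the thread;
    SYN_SENT:CLOSED with no reply after syn_wait_s is an unanswered SYN.
    """
    if st.proto != "tcp":
        return None
    sides = {st.src_state, st.dst_state}
    if sides == {"ESTABLISHED"}:
        return None
    if "SYN_SENT" in sides and "ESTABLISHED" in sides and st.pkts_rev > 0:
        return "half-open on one side although traffic flowed both ways"
    if (st.src_state, st.dst_state) == ("SYN_SENT", "CLOSED") and st.pkts_rev == 0 \
            and age_seconds(st.age) >= syn_wait_s:
        return f"SYN unanswered for {age_seconds(st.age)}s"
    return None


def find_suspicious(text: str, syn_wait_s: int = 30) -> List[Tuple[PfState, str]]:
    """Parse pfctl output and return (state, reason) pairs for stuck states."""
    return [(st, r) for st in parse_states(text)
            if (r := suspicious(st, syn_wait_s)) is not None]


if __name__ == "__main__":
    import sys
    # Usage: pfctl -vss > states.txt; python3 pfstates.py states.txt
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PFCTL_VSS
    for st, why in find_suspicious(data):
        print(f"{st.proto} {st.left} {st.direction} {st.right} "
              f"{st.src_state}:{st.dst_state} rule {st.rule}: {why}")
```

Run against the constructed sample it flags both 2001:1638:17ad::3 states and leaves the ESTABLISHED:ESTABLISHED one alone; on a live box, feed it a saved `pfctl -vss` capture and correlate the reported rule numbers with `pfctl -vvsr` to see which rule created each stuck state.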