From: Aristedes Maniatis
Date: Tue, 27 Jan 2015 19:17:34 +1100
To: Dimitry Andric
Cc: freebsd-pf@freebsd.org
Subject: Re: meaning of State-mismatch

On 27/01/2015 7:07pm, Dimitry Andric wrote:
> On 27 Jan 2015, at 08:49, Aristedes Maniatis wrote:
>>
>> On 27/01/2015 6:46pm, Dimitry Andric wrote:
>>> On 27 Jan 2015, at 07:25, Aristedes Maniatis wrote:
>>>>
>>>> I have been unable to find much documentation about the counter called "state-mismatch". I notice it going up on my firewall (FreeBSD 10.1) but only at a slow rate (maybe at around 1 per minute).
>>>>
>>>> What is the significance of this value? Is it indicative of dropped states (and I should be increasing the state timeout)?
>>>
>>> It's not really documented in our pfctl(8) manpage, but the OpenBSD version does
>>> mention it:
>>>
>>> state-mismatch
>>> packet was associated with a state entry, but sequence numbers did not
>>> match
>>>
>>> So maybe something is dropping packets, making holes in the sequence numbers? Or
>>> maybe somebody is trying something sneaky? :)
>>>
>>> -Dimitry
>>
>> Ah, thanks for that. Maybe you could add that doc to the FreeBSD man page. Could it simply be a packet loss issue where a packet is lost and the next packet arrives out of order?
>
> Well, that is just a likely cause. If you let tcpdump run for a while,
> you might be able to spot it, in e.g. Wireshark?
>
> -Dimitry
>

If I attach tcpdump to pflog0 is there an easy way to filter for just these events? I assume there is nothing like "block in log flags state-mismatch" to trap these packets? If I knew which IP and port they were going to, I'd have a better idea of where to look.

Ari

--
-------------------------->
Aristedes Maniatis
ish
http://www.ish.com.au
Level 1, 30 Wilson Street Newtown 2042 Australia
phone +61 2 9550 5001   fax +61 2 9550 4001
GPG fingerprint CBFB 84B4 738D 4E87 5E5C  5EFA EF6A 7D2E 3E49 102A
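
An added example, not part of the original message or of pf itself: the thread has only the state-mismatch counter to go on, so this diffs two `pfctl -si` snapshots and lists every counter that grew, which lets the state-mismatch rate be compared against the other drop counters over the same interval. The snapshot text is constructed sample output and `counter_deltas` is a hypothetical helper name.

```sh
#!/bin/sh
# Added example: diff two `pfctl -si` snapshots and list the counters that grew.
# Both snapshots are constructed sample output, not data from the thread.

SNAP_BEFORE='Status: Enabled for 12 days 03:10:00          Debug: Urgent

State Table                          Total             Rate
  current entries                      318
  searches                         9120344            8.7/s
Counters
  match                             120934           14.1/s
  normalize                              0            0.0/s
  congestion                             0            0.0/s
  state-mismatch                       412            0.0/s
  state-limit                            0            0.0/s'

SNAP_AFTER='Status: Enabled for 12 days 03:20:00          Debug: Urgent

State Table                          Total             Rate
  current entries                      325
  searches                         9125570            8.7/s
Counters
  match                             129401           14.1/s
  normalize                              0            0.0/s
  congestion                             0            0.0/s
  state-mismatch                       421            0.0/s
  state-limit                            0            0.0/s'

# counter_deltas BEFORE AFTER
# Prints "name delta" for every entry of the Counters section whose total rose.
# (counter_deltas is a hypothetical helper name.)
counter_deltas() {
    printf '%s\n---\n%s\n' "$1" "$2" | awk '
        /^---$/     { second = 1; in_counters = 0; next }  # start of 2nd snapshot
        /^Counters/ { in_counters = 1; next }
        !/^ /       { in_counters = 0; next }  # any unindented line ends the section
        in_counters && NF >= 2 {
            if (!second)                   before[$1] = $2 + 0
            else if ($2 + 0 > before[$1])  print $1, $2 - before[$1]
        }'
}

# On a live firewall (assumption: run as root):
#   a=$(pfctl -si); sleep 600; b=$(pfctl -si); counter_deltas "$a" "$b"
counter_deltas "$SNAP_BEFORE" "$SNAP_AFTER"
```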