From owner-freebsd-stable@FreeBSD.ORG Sun Jul 15 11:33:37 2007
Date: Sun, 15 Jul 2007 15:33:29 +0400
From: Alexey Sopov
To: freebsd-stable@freebsd.org
Subject: Re: Seems like pf skips some packets.
Message-ID: <687021049.20070715153329@smtp.ru>
In-Reply-To: <241432407.20070712131014@smtp.ru>
List-Id: Production branch of FreeBSD source code

Fresh news.

I've noticed that all unblocked packets have their TCP window size set to 0 (zero).

I tried to block these packets on the external interface:

~>sudo ipfw add 10 deny log tcp from 192.168.0.0/16 to any via external out tcpwin 0

This rule is the first rule in ipfw. Then I looked for such packets, and I found them :(

~>sudo tcpdump -ni external src net 192.168.0.0/16
15:17:57.603899 IP 192.168.38.36.4649 > 88.212.196.77.80: . ack 727205372 win 0
15:17:57.603960 IP 192.168.54.106.3388 > 217.65.2.62.80: . ack 0 win 0
15:17:57.603974 IP 192.168.38.36.4647 > 87.250.251.11.80: . ack 1795114833 win 0
15:17:57.603987 IP 192.168.32.96.2263 > 205.188.1.136.5190: . ack 1459514474 win 0
15:17:57.604015 IP 192.168.24.92.4049 > 194.186.121.81.80: . ack 1712730130 win 0
15:17:57.604028 IP 192.168.56.100.2934 > 194.67.23.206.80: . ack 0 win 0
15:17:57.604041 IP 192.168.48.33.3314 > 81.19.66.19.80: . ack 1697432479 win 0
15:17:57.604053 IP 192.168.24.92.4040 > 194.186.121.82.80: . ack 1951624102 win 0
15:17:57.604066 IP 192.168.16.35.2298 > 69.147.108.254.443: . ack 3953269109 win 0
15:17:57.604078 IP 192.168.11.143.60431 > 194.186.121.77.80: . ack 4068897542 win 0
15:17:57.604092 IP 192.168.9.18.60492 > 64.12.31.176.5190: . ack 3864640183 win 0
15:17:57.604104 IP 192.168.24.18.60660 > 81.222.128.13.80: . ack 456936114 win 0
15:17:57.604117 IP 192.168.24.18.60659 > 81.222.128.13.80: . ack 457633387 win 0
15:17:57.604129 IP 192.168.48.33.3316 > 88.212.196.77.80: . ack 3294547611 win 0
15:17:57.604142 IP 192.168.48.33.3317 > 88.212.196.77.80: . ack 407383482 win 0
15:17:57.604155 IP 192.168.38.36.4645 > 194.67.45.129.80: . ack 450309387 win 0
15:17:57.604167 IP 192.168.48.33.3318 > 194.67.45.98.80: . ack 2013143653 win 0
15:17:57.604180 IP 192.168.50.44.34589 > 213.155.151.142.80: . ack 1954703640 win 0
15:17:57.604191 IP 192.168.42.85.4027 > 216.178.38.78.80: . ack 1861099043 win 0

And I looked into the security log to see whether they are similar (lines prefixed with a space are common):

~>sudo less /var/log/security
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.16.35:2290 216.109.127.6:443 out via external
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.52.20:1636 81.177.16.60:80 out via external
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.9.17:3403 217.106.230.137:80 out via external
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.48.33:3318 194.67.45.98:80 out via external
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.42.85:4027 216.178.38.78:80 out via external
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.56.169:1801 194.67.23.108:80 out via external
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.16.35:2298 69.147.108.254:443 out via external
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.38.36:4649 88.212.196.77:80 out via external
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.42.85:4027 216.178.38.78:80 out via external
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.38.36:4647 87.250.251.11:80 out via external
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.16.35:2298 69.147.108.254:443 out via external
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.24.92:4049 194.186.121.81:80 out via external
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.24.92:4040 194.186.121.82:80 out via external
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.38.36:4645 194.67.45.129:80 out via external
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.24.18:60660 81.222.128.13:80 out via external
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.24.18:60659 81.222.128.13:80 out via external
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.16.35:2083 194.67.23.109:80 out via external
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.56.73:1075 85.112.114.78:22273 out via external
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.56.73:1078 85.112.114.77:22273 out via external
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.16.35:2283 194.67.23.109:80 out via external
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.16.35:2272 194.67.23.109:80 out via external
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.22.103:1054 216.195.54.170:80 out via external
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.16.35:2299 217.146.179.200:443 out via external
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.16.35:2299 217.146.179.200:443 out via external
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.42.85:4069 193.108.95.55:80 out via external

I have two questions now:

1. Why are there denied outgoing packets on the external interface?
2. Why does ipfw skip some TCP packets with tcpwin 0, so that I see them only with tcpdump?

-- 
mailto:adler@smtp.ru
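The comparison the post does by hand, checking which of the win 0 flows tcpdump saw on the external interface also show up as rule-10 denials in /var/log/security and which do not, as an added example that is not code from the post or from FreeBSD. It parses both the tcpdump line format and the ipfw kernel log format shown above, keys each record on the 4-tuple (src, sport, dst, dport), and reports flows seen and denied, seen but never denied, and denied but not captured, together with hit counts (the log above records the same flow twice in places). The embedded sample lines are a subset excerpted from the post; the rule number 10 is taken from the post's ipfw command. The script runs offline on that embedded sample and can be pointed at real files via the two readers at the bottom.

```python
import re
import sys
from collections import Counter

# Sample input: lines excerpted from the post above (tcpdump output on the
# external interface, and ipfw "Deny" entries from /var/log/security).
TCPDUMP = """\
15:17:57.603899 IP 192.168.38.36.4649 > 88.212.196.77.80: . ack 727205372 win 0
15:17:57.603960 IP 192.168.54.106.3388 > 217.65.2.62.80: . ack 0 win 0
15:17:57.603974 IP 192.168.38.36.4647 > 87.250.251.11.80: . ack 1795114833 win 0
15:17:57.604066 IP 192.168.16.35.2298 > 69.147.108.254.443: . ack 3953269109 win 0
15:17:57.604191 IP 192.168.42.85.4027 > 216.178.38.78.80: . ack 1861099043 win 0
"""

IPFW_LOG = """\
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.16.35:2290 216.109.127.6:443 out via external
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.42.85:4027 216.178.38.78:80 out via external
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.16.35:2298 69.147.108.254:443 out via external
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.38.36:4649 88.212.196.77:80 out via external
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.42.85:4027 216.178.38.78:80 out via external
Jul 15 15:17:57 intel kernel: ipfw: 10 Deny TCP 192.168.38.36:4647 87.250.251.11:80 out via external
"""

# tcpdump -n output for IPv4/TCP: "<ts> IP <src>.<sport> > <dst>.<dport>: <flags> <rest>"
TCPDUMP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?P<flags>\S+) (?P<rest>.*)$"
)
WIN_RE = re.compile(r"\bwin (?P<win>\d+)")

# ipfw kernel log: "ipfw: <rule> <Action> <PROTO> <src>:<sport> <dst>:<dport> <in|out> via <ifc>"
IPFW_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) (?P<dir>in|out) via (?P<ifc>\S+)"
)


def parse_tcpdump(text):
    """Yield (flow, window) per tcpdump line; flow is (src, sport, dst, dport)."""
    for line in text.splitlines():
        m = TCPDUMP_RE.match(line)
        if not m:
            continue  # non-TCP or unparsed line, skip
        w = WIN_RE.search(m.group("rest"))
        win = int(w.group("win")) if w else None
        yield (m.group("src"), int(m.group("sport")),
               m.group("dst"), int(m.group("dport"))), win


def parse_ipfw(text):
    """Yield (flow, action, rule) per ipfw log entry."""
    for line in text.splitlines():
        m = IPFW_RE.search(line)
        if not m:
            continue
        yield (m.group("src"), int(m.group("sport")),
               m.group("dst"), int(m.group("dport"))), m.group("action"), int(m.group("rule"))


def correlate(tcpdump_text, ipfw_text, rule=10):
    """Compare win-0 flows on the wire against Deny entries for one ipfw rule."""
    seen = Counter(flow for flow, win in parse_tcpdump(tcpdump_text) if win == 0)
    denied = Counter(flow for flow, action, r in parse_ipfw(ipfw_text)
                     if action == "Deny" and r == rule)
    return {
        "both": sorted(set(seen) & set(denied)),            # denied, yet still captured
        "seen_not_denied": sorted(set(seen) - set(denied)),  # captured, never logged as denied
        "denied_not_seen": sorted(set(denied) - set(seen)),  # denied and not on the wire
        "seen_counts": dict(seen),
        "denied_counts": dict(denied),
    }


if __name__ == "__main__":
    # Usage: correlate.py [tcpdump.txt security.log]; with no arguments the sample is used.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f_td, open(sys.argv[2]) as f_fw:
            result = correlate(f_td.read(), f_fw.read())
    else:
        result = correlate(TCPDUMP, IPFW_LOG)
    for key in ("both", "seen_not_denied", "denied_not_seen"):
        print(f"{key}:")
        for src, sport, dst, dport in result[key]:
            print(f"  {src}:{sport} -> {dst}:{dport}  "
                  f"captured={result['seen_counts'].get((src, sport, dst, dport), 0)} "
                  f"denied={result['denied_counts'].get((src, sport, dst, dport), 0)}")
```

The "both" set is the interesting one for the post's second question: a flow that is both logged as denied by rule 10 and still captured by tcpdump on the same interface is worth checking packet by packet (the ipfw log does not record the window value, so only the capture shows that the denied and the captured packet carry the same win 0). Keying on the 4-tuple rather than the full line is what makes the two formats comparable at all.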