Date:      Tue, 02 Dec 2008 11:39:25 -0500
From:      FreeBSD <freebsd@optiksecurite.com>
To:        freebsd-pf@freebsd.org
Subject:   BAD state using PF
Message-ID:  <493564BD.9020100@optiksecurite.com>

Hi everyone,

I know this has been discussed earlier, but I'm not sure that the 
ephemeral port reuse is really my problem and, if it is, I'm not sure what 
to do.

Here is my situation: I'm running FreeBSD 7.0-REL on a server running a 
jail to isolate MySQL. The jail is bound to 127.0.0.40 and I use RDR in 
pf.conf to redirect the traffic directed to port 3306 into the jail. This 
works great except that I get random "Can't connect to MySQL" errors when 
another jail (127.0.0.20) or another server tries to connect to 
MySQL. I noticed that the State Mismatch counter of pfctl -vsi is 
increasing, so I enabled misc debugging (pfctl -xm). Here is a snippet of 
what I got in /var/log/messages:

Dec  2 10:58:35 martin kernel: pf: BAD state: TCP 127.0.0.20:63485 
127.0.0.20:63485 127.0.0.40:3306 [lo=3309233133 high=3309304807 win=8960 
modulator=2304227691 wscale=3] [lo=1318579582 high=1318651262 win=8960 
modulator=4106 wscale=3] 9:9 S seq=3346121963 (3346121963) 
ack=1318579582 len=0 ackskew=0 pkts=53:55 dir=out,fwd
Dec  2 10:58:35 martin kernel: pf: BAD state: TCP 127.0.0.20:63485 
127.0.0.20:63485 127.0.0.40:3306 [lo=3309233133 high=3309304807 win=8960 
modulator=2304227691 wscale=3] [lo=1318579582 high=1318651262 win=8960 
modulator=4106 wscale=3] 9:9 F seq=3346121964 (3346121964)
Dec  2 11:17:59 martin kernel: pf: BAD state: TCP 127.0.0.20:62768 
127.0.0.20:62768 127.0.0.40:3306 [lo=386778332 high=386850006 win=8960 
modulator=2910169605 wscale=3] [lo=3296964218 high=3297035897 win=8960 
modulator=4201 wscale=3] 9:9 S seq=452986485 (452986485) ack=3296964218 
len=0 ackskew=0 pkts=18:16 dir=out,fwd
Dec  2 11:17:59 martin kernel: pf: BAD state: TCP 127.0.0.20:62768 
127.0.0.20:62768 127.0.0.40:3306 [lo=386778332 high=386850006 win=8960 
modulator=2910169605 wscale=3] [lo=3296964218 high=3297035897 win=8960 
modulator=4201 wscale=3] 9:9 F seq=452986486 (452986486) ack=3296964218 
len=0 ackskew=0 pkts=18:16 dir=out,fwd

So my question is how can I be sure that the problem is due to the port 
reuse? If so, what am I supposed to do to deal with this? Would the best 
solution be to decrease the tcp.closed timeout?

Thanks everyone for your help!

Martin
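As an added example (not part of Martin's mail or of pf itself), here is a small Python parser for pf's "BAD state" debug lines that flags the pattern visible in the log above: a SYN arriving on a state whose both sides are already in FIN_WAIT_2 (pf state number 9, following FreeBSD's tcp_fsm.h numbering; a FIN_WAIT_2:FIN_WAIT_2 state is one that both sides have closed and that is waiting out the tcp.closed timer). That is exactly what a new connection reusing the ephemeral port of a closed-but-not-yet-expired state looks like. The sample lines are the post's own entries rejoined onto single lines as syslog writes them; the function and variable names are my own, and the assumption that the first [lo= high=] block is the window pf tracks for the packet's sending side follows pf's print order (src, then dst).

```python
import re

# pf numbers TCP states as in FreeBSD's tcp_fsm.h: 9 is TCPS_FIN_WAIT_2.
# A 9:9 state is a connection both peers have closed; pf keeps it until
# the tcp.closed timeout expires.
FIN_WAIT_2 = 9

BAD_STATE_RE = re.compile(
    r"pf: BAD state: TCP (?P<src>\S+) (?P<gwy>\S+) (?P<dst>\S+) "
    r"\[lo=(?P<lo1>\d+) high=(?P<hi1>\d+)[^\]]*\] "
    r"\[lo=(?P<lo2>\d+) high=(?P<hi2>\d+)[^\]]*\] "
    r"(?P<s1>\d+):(?P<s2>\d+) (?P<flags>\S+) seq=(?P<seq>\d+)"
)

# Constructed sample: the post's own log entries, rejoined onto one line each.
SAMPLE_LOG = [
    "Dec  2 10:58:35 martin kernel: pf: BAD state: TCP 127.0.0.20:63485 127.0.0.20:63485 127.0.0.40:3306 [lo=3309233133 high=3309304807 win=8960 modulator=2304227691 wscale=3] [lo=1318579582 high=1318651262 win=8960 modulator=4106 wscale=3] 9:9 S seq=3346121963 (3346121963) ack=1318579582 len=0 ackskew=0 pkts=53:55 dir=out,fwd",
    "Dec  2 10:58:35 martin kernel: pf: BAD state: TCP 127.0.0.20:63485 127.0.0.20:63485 127.0.0.40:3306 [lo=3309233133 high=3309304807 win=8960 modulator=2304227691 wscale=3] [lo=1318579582 high=1318651262 win=8960 modulator=4106 wscale=3] 9:9 F seq=3346121964 (3346121964)",
    "Dec  2 11:17:59 martin kernel: pf: BAD state: TCP 127.0.0.20:62768 127.0.0.20:62768 127.0.0.40:3306 [lo=386778332 high=386850006 win=8960 modulator=2910169605 wscale=3] [lo=3296964218 high=3297035897 win=8960 modulator=4201 wscale=3] 9:9 S seq=452986485 (452986485) ack=3296964218 len=0 ackskew=0 pkts=18:16 dir=out,fwd",
    "Dec  2 11:18:00 martin kernel: unrelated syslog line that must be ignored",
]


def parse_bad_state(line):
    """Return the fields of one 'pf: BAD state' line, or None if it is not one."""
    m = BAD_STATE_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "src": d["src"], "dst": d["dst"],
        # First window block: tracked for the state's src side (pf prints src, then dst).
        "src_window": (int(d["lo1"]), int(d["hi1"])),
        "state": (int(d["s1"]), int(d["s2"])),
        "flags": d["flags"],
        "seq": int(d["seq"]),
    }


def is_port_reuse(rec):
    """A SYN hitting a FIN_WAIT_2:FIN_WAIT_2 state means a new connection reused the 4-tuple."""
    return "S" in rec["flags"] and rec["state"] == (FIN_WAIT_2, FIN_WAIT_2)


def scan(lines):
    """Return (src, dst, seq, seq_outside_old_window) for every port-reuse hit."""
    hits = []
    for rec in filter(None, map(parse_bad_state, lines)):
        if is_port_reuse(rec):
            lo, hi = rec["src_window"]
            hits.append((rec["src"], rec["dst"], rec["seq"], not lo <= rec["seq"] <= hi))
    return hits
```

Every hit reported here carries a sequence number far outside the old state's window, which is why pf rejects the SYN as a state mismatch rather than treating it as a retransmission; counting hits per client address over a day tells you whether the tcp.closed timeout is what you are fighting.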
