From owner-freebsd-pf@FreeBSD.ORG Tue Dec 2 16:38:22 2008
Date: Tue, 02 Dec 2008 11:39:25 -0500
From: FreeBSD (envelope-from freebsd@optiksecurite.com)
To: freebsd-pf@freebsd.org
Subject: BAD state using PF
Message-id: <493564BD.9020100@optiksecurite.com>
List-Id: "Technical discussion and general questions about packet filter (pf)"

Hi everyone,

I know this has been discussed earlier, but I'm not sure that the ephemeral port reuse is really my problem and, if it is, I'm not sure what to do. Here is my situation:

I'm running FreeBSD 7.0-REL on a server running a jail to isolate MySQL. The jail is bound to 127.0.0.40 and I use RDR in pf.conf to redirect the traffic directed to port 3306 into the jail. This works great except that I get random "Can't connect to MySQL" errors when another jail (127.0.0.20) or another server tries to connect to MySQL.
I noticed that the State Mismatch counter of pfctl -vsi is increasing, so I enabled misc debugging (pfctl -xm). Here is a snippet of what I got in /var/log/messages:

Dec 2 10:58:35 martin kernel: pf: BAD state: TCP 127.0.0.20:63485 127.0.0.20:63485 127.0.0.40:3306 [lo=3309233133 high=3309304807 win=8960 modulator=2304227691 wscale=3] [lo=1318579582 high=1318651262 win=8960 modulator=4106 wscale=3] 9:9 S seq=3346121963 (3346121963) ack=1318579582 len=0 ackskew=0 pkts=53:55 dir=out,fwd
Dec 2 10:58:35 martin kernel: pf: BAD state: TCP 127.0.0.20:63485 127.0.0.20:63485 127.0.0.40:3306 [lo=3309233133 high=3309304807 win=8960 modulator=2304227691 wscale=3] [lo=1318579582 high=1318651262 win=8960 modulator=4106 wscale=3] 9:9 F seq=3346121964 (3346121964)
Dec 2 11:17:59 martin kernel: pf: BAD state: TCP 127.0.0.20:62768 127.0.0.20:62768 127.0.0.40:3306 [lo=386778332 high=386850006 win=8960 modulator=2910169605 wscale=3] [lo=3296964218 high=3297035897 win=8960 modulator=4201 wscale=3] 9:9 S seq=452986485 (452986485) ack=3296964218 len=0 ackskew=0 pkts=18:16 dir=out,fwd
Dec 2 11:17:59 martin kernel: pf: BAD state: TCP 127.0.0.20:62768 127.0.0.20:62768 127.0.0.40:3306 [lo=386778332 high=386850006 win=8960 modulator=2910169605 wscale=3] [lo=3296964218 high=3297035897 win=8960 modulator=4201 wscale=3] 9:9 F seq=452986486 (452986486) ack=3296964218 len=0 ackskew=0 pkts=18:16 dir=out,fwd

So my question is: how can I be sure that the problem is due to the port reuse? If so, what am I supposed to do to deal with this? Would the best solution be to decrease the tcp.closed timeout?

Thanks everyone for your help!

Martin
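One way to answer "is this really port reuse?" from the log alone, as an added example that is not part of the original post: parse the "pf: BAD state" lines and flag a bare SYN (pf prints a single flag character) that hits a state whose two sides are already in a closing state and whose sequence number falls outside the window pf still tracks. The state numbers are assumed here to follow the BSD tcp_fsm.h TCPS_* numbering (9 = FIN_WAIT_2), and the sample lines are constructed from the shape of the ones in the post.

```python
import re

# Assumption: pf prints src:dst TCP states with tcp_fsm.h numbering,
# so 7 CLOSING, 8 LAST_ACK, 9 FIN_WAIT_2, 10 TIME_WAIT all mean "closing or closed".
CLOSING_OR_LATER = {7, 8, 9, 10}

# Fields of a "pf: BAD state: TCP" line; the middle address pf prints is skipped.
BAD_STATE = re.compile(
    r"pf: BAD state: TCP (?P<src>\S+) \S+ (?P<dst>\S+) "
    r"\[lo=(?P<lo>\d+) high=(?P<high>\d+)[^\]]*\] \[[^\]]*\] "
    r"(?P<s_state>\d+):(?P<d_state>\d+) (?P<flags>\S+) seq=(?P<seq>\d+)"
)

# Constructed sample: three lines shaped like the post's output plus one unrelated line.
SAMPLE_LOG = """\
Dec 2 10:58:35 martin kernel: pf: BAD state: TCP 127.0.0.20:63485 127.0.0.20:63485 127.0.0.40:3306 [lo=3309233133 high=3309304807 win=8960 modulator=2304227691 wscale=3] [lo=1318579582 high=1318651262 win=8960 modulator=4106 wscale=3] 9:9 S seq=3346121963 (3346121963) ack=1318579582 len=0 ackskew=0 pkts=53:55 dir=out,fwd
Dec 2 10:58:35 martin kernel: pf: BAD state: TCP 127.0.0.20:63485 127.0.0.20:63485 127.0.0.40:3306 [lo=3309233133 high=3309304807 win=8960 modulator=2304227691 wscale=3] [lo=1318579582 high=1318651262 win=8960 modulator=4106 wscale=3] 9:9 F seq=3346121964 (3346121964)
Dec 2 11:17:59 martin kernel: pf: BAD state: TCP 127.0.0.20:62768 127.0.0.20:62768 127.0.0.40:3306 [lo=386778332 high=386850006 win=8960 modulator=2910169605 wscale=3] [lo=3296964218 high=3297035897 win=8960 modulator=4201 wscale=3] 9:9 S seq=452986485 (452986485) ack=3296964218 len=0 ackskew=0 pkts=18:16 dir=out,fwd
Dec 2 11:18:00 martin kernel: pf: loaded ruleset
"""

def parse_bad_state(line):
    """Return the fields of one TCP 'BAD state' line as a dict, or None otherwise."""
    m = BAD_STATE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("lo", "high", "seq", "s_state", "d_state"):
        rec[key] = int(rec[key])
    return rec

def looks_like_port_reuse(rec):
    """A new SYN on a fully closing state, outside the tracked window, is the
    signature of an ephemeral port being reused before tcp.closed expired."""
    fresh_syn = rec["flags"] == "S"
    old_state = rec["s_state"] in CLOSING_OR_LATER and rec["d_state"] in CLOSING_OR_LATER
    out_of_window = not (rec["lo"] <= rec["seq"] < rec["high"])
    return fresh_syn and old_state and out_of_window

def find_port_reuse(log_text):
    """Return (src, dst) endpoint pairs whose BAD state lines match the signature."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_bad_state(line)
        if rec and looks_like_port_reuse(rec):
            hits.append((rec["src"], rec["dst"]))
    return hits

if __name__ == "__main__":
    for src, dst in find_port_reuse(SAMPLE_LOG):
        print("port reuse suspected:", src, "->", dst)
```

Counting how many hits pfctl -xm produces per source port over a few minutes tells you whether the SYNs are landing on states younger than the tcp.closed timeout, which is the case the question describes.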