From owner-freebsd-pf@FreeBSD.ORG Sun Apr 15 22:39:01 2007
From: "Vadym Chepkov"
To: "David DeSimone",
Date: Sun, 15 Apr 2007 18:38:53 -0400
Subject: Re: Scrub problem

I see the server's packets on the server interface and on the incoming pf interface; none of the fragments reach the pf dmz interface or the client. Loud shows these:

Apr 15 18:35:12 gateway kernel: pf_normalize_ip: reass frag 13479 @ 0-1480
Apr 15 18:35:12 gateway kernel: pf_normalize_ip: reass frag 13479 @ 1480-2023
Apr 15 18:35:12 gateway kernel: pf_reassemble: 2023 < 2023?
Apr 15 18:35:12 gateway kernel: pf_reassemble: complete: 0xc4e72d00(2043)
Apr 15 18:35:22 gateway kernel: pf_normalize_ip: reass frag 13735 @ 0-1480
Apr 15 18:35:22 gateway kernel: pf_normalize_ip: reass frag 13735 @ 1480-2023
Apr 15 18:35:22 gateway kernel: pf_reassemble: 2023 < 2023?
Apr 15 18:35:22 gateway kernel: pf_reassemble: complete: 0xc5305400(2043)
Apr 15 18:35:32 gateway kernel: pf_normalize_ip: reass frag 13991 @ 0-1480
Apr 15 18:35:32 gateway kernel: pf_normalize_ip: reass frag 13991 @ 1480-2023
Apr 15 18:35:32 gateway kernel: pf_reassemble: 2023 < 2023?
Apr 15 18:35:32 gateway kernel: pf_reassemble: complete: 0xc4f13100(2043)

----- Original Message -----
From: "David DeSimone"
To:
Sent: Saturday, April 14, 2007 3:41 PM
Subject: Re: Scrub problem

> Vadym Chepkov wrote:
>>
>> The problem is with fragmented UDP packets from the Amanda server.
>> I have the scrub directive set:
>>
>> scrub in all fragment reassemble
>>
>> pf silently (no log entries) drops the last packets, because they never reach
>> the client:
>>
>> 08:27:13.259532 00:0e:0c:c3:42:b4 > 00:30:48:43:32:c8, ethertype IPv4 (0x0800), length 163: 192.168.17.2.858 > 192.168.160.2.amanda: UDP, length 121
>> 08:27:13.268356 00:30:48:43:32:c8 > 00:0e:0c:c3:42:b4, ethertype IPv4 (0x0800), length 92: 192.168.160.2.amanda > 192.168.17.2.858: UDP, length 50
>> 08:27:13.269021 00:30:48:43:32:c8 > 00:0e:0c:c3:42:b4, ethertype IPv4 (0x0800), length 129: 192.168.160.2.amanda > 192.168.17.2.858: UDP, length 87
>> 08:27:13.276140 00:0e:0c:c3:42:b4 > 00:30:48:43:32:c8, ethertype IPv4 (0x0800), length 92: 192.168.17.2.858 > 192.168.160.2.amanda: UDP, length 50
>
> Did you notice that neither the larger nor the smaller segment of
> the fragmented packets is arriving at the client? Is it possible that
> the fragments are not being transmitted on the sending side? You did
> not say whether the trace you took was on the inside or the outside
> interface of the PF router.
>
>> I tried adding the no-df option to the scrub rule, but it didn't have any
>> effect.
>
> None of your packets have DF set, so there is no DF flag to be cleared
> by such a rule.
>
>> I am a little confused why the size of the first part of the fragment is 1514
>> bytes, since the MTU on the interface is 1500; could it have something to do
>> with it?
>
> No, 1514 is just the physical size of the IP datagram when transmitted
> via ethernet. Ethernet adds 6 bytes each for src mac, dst mac, and 2
> bytes for ethertype ipv4. 1500 + 6 + 6 + 2 = 1514.
>
>> pf silently (no log entries) drops the last packets, because they never
>> reach the client:
>
> Maybe PF does not log the packets via the pflog0 interface, but does it log
> anything via dmesg? Did you try setting a higher debug level via 'pfctl
> -x loud' for example?
>
> --
> David DeSimone == Network Admin == fox@verio.net
> "It took me fifteen years to discover that I had no
> talent for writing, but I couldn't give it up because
> by that time I was too famous. -- Robert Benchley
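An added check, not part of the thread, that parses the pf_normalize_ip / pf_reassemble debug lines quoted above and reports whether the logged fragments cover the payload without gaps, whether the 'complete:' IP length equals payload plus the IPv4 header, and whether the reassembled datagram is larger than the interface MTU and so must be fragmented again before it can leave the router. The log format, the 20-byte header and the 1500-byte MTU are assumptions taken from the lines in the thread; the sample input is the 13479 entry quoted there.

```python
import re
from collections import defaultdict

# Sample input: the four pf debug lines for IP id 13479 quoted in the thread.
PF_DEBUG = """\
Apr 15 18:35:12 gateway kernel: pf_normalize_ip: reass frag 13479 @ 0-1480
Apr 15 18:35:12 gateway kernel: pf_normalize_ip: reass frag 13479 @ 1480-2023
Apr 15 18:35:12 gateway kernel: pf_reassemble: 2023 < 2023?
Apr 15 18:35:12 gateway kernel: pf_reassemble: complete: 0xc4e72d00(2043)
"""
FRAG_RE = re.compile(r"pf_normalize_ip: reass frag (\d+) @ (\d+)-(\d+)")
DONE_RE = re.compile(r"pf_reassemble: complete: 0x[0-9a-fA-F]+\((\d+)\)")
IP_HDR = 20  # assumed: minimal IPv4 header; pf logs payload offsets, not IP length

def parse_pf_debug(text):
    """Group fragment ranges by IP id and attach the 'complete:' IP length
    to the id whose fragments were logged just before it."""
    frags, complete, last_id = defaultdict(list), {}, None
    for line in text.splitlines():
        m = FRAG_RE.search(line)
        if m:
            last_id = int(m.group(1))
            frags[last_id].append((int(m.group(2)), int(m.group(3))))
            continue
        m = DONE_RE.search(line)
        if m and last_id is not None:
            complete[last_id] = int(m.group(1))
    return frags, complete

def check_datagram(ranges, ip_len, mtu=1500):
    """Check one reassembly: gap-free coverage from offset 0, 8-byte alignment
    of every non-final fragment end (the IP offset field counts 8-byte units),
    logged IP length == payload + header, and whether it exceeds the MTU."""
    ranges = sorted(ranges)
    contiguous = ranges[0][0] == 0 and all(
        a_end == b_start for (_, a_end), (b_start, _) in zip(ranges, ranges[1:]))
    payload = max(end for _, end in ranges)
    return {
        "contiguous": contiguous,
        "aligned": all(end % 8 == 0 for _, end in ranges[:-1]),
        "payload": payload,
        "length_ok": ip_len is not None and ip_len == payload + IP_HDR,
        "needs_refragment": ip_len is not None and ip_len > mtu,
    }

def report(text, mtu=1500):
    """Run check_datagram over every IP id seen in the debug output."""
    frags, complete = parse_pf_debug(text)
    return {i: check_datagram(r, complete.get(i), mtu) for i, r in frags.items()}
```

For the thread's lines the checks all pass and needs_refragment is true: pf reassembled a 2043-byte datagram, which cannot be sent as-is over a 1500-byte MTU link.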