Site Navigation

Date:      Thu, 23 Apr 2009 07:05:54 +0200
From:      Sebastiaan van Erk <sebster@sebster.com>
To:        freebsd-pf@freebsd.org
Subject:   "BAD ICMP" message
Message-ID:  <49EFF732.3010402@sebster.com>

---

next in thread | raw e-mail | index | archive | help

---

[-- Attachment #1 --]
Hi,

I have the following setup:

[openvpn client 10.0.80.150] -> internet -> [vpn server 10.0.80.77] -> 
internet -> [openvpn client 10.0.80.4]

The VPN server has 2 backups with CARP [.76, .75, shared IP .74] though 
I don't use the CARP failover for their role as VPN server but only for 
their role as gateway for the 10.0.80.0/24 network. For the VPN I use 
failover by specifying multiple "remote" lines to their respective 
external addresses in the openvpn client config.

When I try a ssh from 10.0.80.150 to 10.0.80.4 I get to enter my 
password and sometimes even a few commands, but then pf suddenly starts 
blocking the connection with the following message:

1. 033789 rule 10/0(match): block in on em1: 10.0.80.150.51422 > 
10.0.80.4.22: [|tcp]
2. 079427 rule 10/0(match): block in on em1: 10.0.80.150.51422 > 
10.0.80.4.22: [|tcp]
4. 161413 rule 10/0(match): block in on em1: 10.0.80.150.51422 > 
10.0.80.4.22: [|tcp]
8. 319210 rule 10/0(match): block in on em1: 10.0.80.150.51422 > 
10.0.80.4.22: [|tcp]

The 10 rule is the catch-all rule:

@10 block drop log all

I turned up the debug to load using pfctl -xl and I see these BAD ICMP 
messages just before the state of the above connection disappears from 
the state table and the connection gets blocked:

Apr 23 06:58:38 vpn3 kernel: pf: loose state match: TCP 
10.0.80.150:51422 10.0.80.150:51422 10.0.80.4:22 [lo=3150927679 
high=3150923785 win=692 modulator=0] [lo=0 high=692 win=1 modulator=0] 
2:0 A seq=3150927679 (3150927679) ack=0 len=0 ackskew=0 pkts=77:0
Apr 23 06:58:38 vpn3 kernel: pf: BAD ICMP 5:1 10.0.80.77 -> 10.0.80.150 
state: TCP 10.0.80.4:22 10.0.80.4:22 10.0.80.150:51422 [lo=3150927679 
high=3150923785 win=692 modulator=0] [lo=0 high=692 win=1 modulator=0] 
2:0 seq=3150927679

I see this message several times and the connection no longer works 
after that.

Does anybody know what's going on and how I can fix it?

Many thanks,
Sebastiaan van Erk

[-- Attachment #2 --]
0�	*�H��

��0�

10	+0�	*�H��


��	Q0�0�l�
S|
��6�$1-~�j�0
	*�H��


0b10	UZA1%0#U
Thawte Consulting (Pty) Ltd.1,0*U#Thawte Personal Freemail Issuing CA0
080630135157Z
090630135157Z0h10Uvan Erk10U*
Sebastiaan10USebastiaan van Erk1"0 	*�H��

	
sebster@sebster.com0�
"0
	*�H��



�
0�

�

���
�Va�\b��E�nݚ��a<���M8�ʄ���^tv>x��7
����3bo���hi���2oq������S�_�¶�Bm^�p����*I	x"��9pt���!j������a�r�#���)n)��^�?'�z�<).+Ѐ4i����g���R'�UP��*\��Ւ���,?��.�;?f�B�ܯ����TzM I�Dվ�CK�*�3�Y��ŧ
�m��ca�z���t��xʐs�q�/

�00.0U0�sebster@sebster.com0U

�00
	*�H��


��KT�4�W6��ӽ���q]
t�S`�� %f�1��G:H��b�z�Jj$Ej��E��'�J���V~�-�VbVn�JZE/�`@��@0�4!+�T:��c	پ���f`$Z�=1�#|�o�G[�OBRG0�0�l�
S|
��6�$1-~�j�0
	*�H��


0b10	UZA1%0#U
Thawte Consulting (Pty) Ltd.1,0*U#Thawte Personal Freemail Issuing CA0
080630135157Z
090630135157Z0h10Uvan Erk10U*
Sebastiaan10USebastiaan van Erk1"0 	*�H��

	
sebster@sebster.com0�
"0
	*�H��



�
0�

�

���
�Va�\b��E�nݚ��a<���M8�ʄ���^tv>x��7
����3bo���hi���2oq������S�_�¶�Bm^�p����*I	x"��9pt���!j������a�r�#���)n)��^�?'�z�<).+Ѐ4i����g���R'�UP��*\��Ւ���,?��.�;?f�B�ܯ����TzM I�Dվ�CK�*�3�Y��ŧ
�m��ca�z���t��xʐs�q�/

�00.0U0�sebster@sebster.com0U

�00
	*�H��


��KT�4�W6��ӽ���q]
t�S`�� %f�1��G:H��b�z�Jj$Ej��E��'�J���V~�-�VbVn�JZE/�`@��@0�4!+�T:��c	پ���f`$Z�=1�#|�o�G[�OBRG0�?0���


0
	*�H��


0��10	UZA10UWestern Cape10U	Cape Town10U
Thawte Consulting1(0&UCertification Services Division1$0"UThawte Personal Freemail CA1+0)	*�H��

	
personal-freemail@thawte.com0
030717000000Z
130716235959Z0b10	UZA1%0#U
Thawte Consulting (Pty) Ltd.1,0*U#Thawte Personal Freemail Issuing CA0��0
	*�H��



��0����Ħ<UsU�N�ʙZh�up��������[�v�:a�Q�
��P
0�cZ,�p����+�Z�?qV˯<���6$*�+��w=�+��>�@�dק���e��*T�H���<a@dr`��

���0��0U

�0

�
0CU<0:08�6�4�2http://crl.thawte.com/ThawtePersonalFreemailCA.crl0U
0)U"0 �010UPrivateLabel2-1380
	*�H��


��H��P��.�
�f�g�����C���L!��6�-�6/��P �p<���ab��:~�����t�%P�b��'qW%�ݩ�9�� Oe_�������N���4�[5Mw�V!x��!5�$��F�]_eO1�q0�m

0v0b10	UZA1%0#U
Thawte Consulting (Pty) Ltd.1,0*U#Thawte Personal Freemail Issuing CAS|
��6�$1-~�j�0	+��
�0	*�H��

	1	*�H��


0	*�H��

	1
090423050554Z0#	*�H��

	1ȃ��s�c�4Iݐ�<*3B?0_	*�H��

	1R0P0	`�H
e
0
*�H��
0*�H��
�0
*�H��

@0+0
*�H��

(0��	+

�71x0v0b10	UZA1%0#U
Thawte Consulting (Pty) Ltd.1,0*U#Thawte Personal Freemail Issuing CAS|
��6�$1-~�j�0��*�H��

	1x�v0b10	UZA1%0#U
Thawte Consulting (Pty) Ltd.1,0*U#Thawte Personal Freemail Issuing CAS|
��6�$1-~�j�0
	*�H��



�
f��
Y�vx�k�G^����}#�U.W#I�ȃ��9��-VȖ�5��x��Ӯ�/��(?v�G����5�@������,�UY��?���g�i�q0Sd<�:�H�Ħ�m�
1�����rI�i�2�sa�<0�'���)�����~�I:���y��r��
�{�9\��+A�P֩�a,h6*�I�W,��䀒P���"����"E���*96�?`��� ���^y�U���	gy8�]Fp9����N��*{�P�ݫ�Tw

---

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?49EFF732.3010402>

Legal Notices | © 1995-2025 The FreeBSD Project. All rights reserved.

Contact