From: Stefan Bethke
Date: Fri, 28 Jul 2006 23:50:08 +0200
To: Garance A Drosihn
Cc: freebsd-stable@freebsd.org
Subject: Re: Weird problems with 'pf' (on both 5.x and 6.x)

On 28.07.2006 at 22:20, Garance A Drosihn wrote:

> At 9:30 PM +0200 7/28/06, Stefan Bethke wrote:
>> What I do find curious is that the client keeps using
>> port 1023 consistently. I was under the impression that
>> reusing the same port number (thus having the same
>> src-ip/port+dst-ip/port tuple) shouldn't work, because
>> "old" packets could arrive after the original connection
>> was closed; that's what the CLOSE_WAIT state in netstat is.
>
> Hmm. Well, I did wait a few seconds between the two lpq's,
> just so it would be easier to tell them apart in the packet dumps.
>
> Perhaps solaris is quicker to reuse ports, while 'pf'
> remembers that src-ip/port+dst-ip/port tuple for a
> longer stretch of time?

Thinking about it, it must be pf's notion of when to forget about a closed TCP connection. lpq (in FreeBSD) is intent on using port 1023, tells the kernel it's OK to reuse it, and will try until it gets it, with an exponential backoff and an upper limit on the number of tries. I'd think the Solaris lpq does the same. Since the client and server "know" it's OK, they can deal with the not-yet-expired TIME_WAIT (by ignoring it). But pf obviously cannot know about it, and will drop packets that are received during TIME_WAIT, including a new SYN.

For this case in particular, you should be able to use a pair of static rules (instead of keep state), since both source and destination ports will always be the same. Something like

    pass out quick proto tcp from $client port 1023 to $server port 515
    pass in quick proto tcp from $server port 515 to $client port 1023

I'm not certain this is a bug in pf; maybe someone more knowledgeable can explain how the TCP state machine in pf works.

Stefan
--
Stefan Bethke Fon +49 170 346 0140
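An added pf.conf fragment illustrating the stateless rule pair proposed in the message above (written for this archive page; it is not Stefan's own configuration). The interface name and the two addresses are placeholders, and the rule form assumes the pf of FreeBSD 5.x/6.x, where a rule without `keep state` is stateless.

```conf
# Added example, not from the original thread. Interface and hosts are constructed.
ext_if = "em0"
client = "192.0.2.10"     # placeholder: the host running lpq (source port 1023)
server = "192.0.2.20"     # placeholder: the lpd host (port 515)

# Stateful form that shows the symptom from the thread: when lpq reuses source
# port 1023 while pf still holds the previous connection's closing-state entry,
# the new SYN is matched against that stale entry and dropped.
# pass out quick on $ext_if proto tcp from $client port 1023 to $server port 515 keep state

# Stateless pair as suggested in the thread: no per-connection entry is created,
# so a reused source port is never held up by an expiring state. The trade-off is
# that pf no longer validates TCP flags or sequence numbers for this traffic, so
# keep both rules as narrow as possible (fixed hosts, fixed ports, one interface).
pass out quick on $ext_if proto tcp from $client port 1023 to $server port 515
pass in  quick on $ext_if proto tcp from $server port 515 to $client port 1023

# On pf versions where every rule keeps state by default (OpenBSD 4.1 and later,
# FreeBSD 7 and later), append "no state" to both rules for the same behaviour.
```

Because the pair bypasses pf's TCP state tracking entirely, it is worth re-checking with `pfctl -s rules` that no broader rule above it is also matched, and with `pfctl -s state` that no state entry is being created for port 1023 after the change.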