From: Rod
To: freebsd-pf@freebsd.org
Date: Thu, 04 Aug 2005 19:26:55 +0100
Subject: Re: PF, SSH closed by remote host
List-Id: "Technical discussion and general questions about packet filter (pf)"

Thanks for that, here's the
output, currently looking down the path that maybe it's ssh misbehaving

pfctl -xm:

No ALTQ support in kernel
ALTQ related functions disabled
debug level set to 'misc'

pfctl -si:

No ALTQ support in kernel
ALTQ related functions disabled
Status: Enabled for 0 days 00:36:23           Debug: Misc

Hostid: 0xf7895b8a

State Table                          Total             Rate
  current entries                       13
  searches                           61585           28.2/s
  inserts                              322            0.1/s
  removals                             309            0.1/s
Counters
  match                                889            0.4/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s

ps -auwx ... disconnected ..

/var/log/messages :

Aug 4 20:10:09 host2 kernel: pf: BAD state: TCP 192.168.2.3:22 192.168.2.3:22 192.168.2.9:45297 [lo=4294559707 high=4294560735 win=33304 modulator=0] [lo=1818073202 high=1818106506 win=3140 modulator=0] 4:4 A seq=4294559707 ack=1818073202 len=1448 ackskew=0 pkts=72:121 dir=out,fwd
Aug 4 20:10:09 host2 kernel: pf: State failure on: 1 |
Aug 4 20:10:09 host2 sshd[94143]: fatal: Write failed: Operation not permitted

pfctl -si:

No ALTQ support in kernel
ALTQ related functions disabled
Status: Enabled for 0 days 00:43:20           Debug: Misc

Hostid: 0xf7895b8a

State Table                          Total             Rate
  current entries                        1
  searches                           62446           24.0/s
  inserts                              355            0.1/s
  removals                             354            0.1/s
Counters
  match                                951            0.4/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s

On Thu, 2005-08-04 at 18:53, Daniel Hartmeier wrote:
> On Thu, Aug 04, 2005 at 06:48:23PM +0100, Rod wrote:
>
> > Have tried lists, google and multiple different variations of the above
> > pf.conf but it's still happening. Any suggestions?
>
> Enable debug logging in pf (pfctl -xm), make sure all blocked packets
> are logged and pflogd is running. Print the current counter values
> (pfctl -si). Then reproduce the connection reset.
> Afterwards:
>
>  - check /var/log/messages for any messages from pf
>  - check pflog for any logged packets
>  - print the counters again (pfctl -si) and check if any of them
>    have increased
>
> It might be necessary to tcpdump one entire ssh connection (from
> establishment to the point where it's reset) to fully analyze the
> problem, but maybe the simpler steps above will already give a hint.
>
> Daniel
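
The before/after counter comparison suggested in the quoted reply, as an added example that is not part of the original message: it parses the two `pfctl -si` tables posted above and lists every total that increased. The one-counter-per-line layout of the sample text and the helper names `parse` and `increased` are assumptions made for this example.

```python
import re

# Constructed sample: the two `pfctl -si` tables from the message, one counter per line.
BEFORE = """\
State Table                          Total             Rate
  current entries                       13
  searches                           61585           28.2/s
  inserts                              322            0.1/s
  removals                             309            0.1/s
Counters
  match                                889            0.4/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
"""
AFTER = """\
State Table                          Total             Rate
  current entries                        1
  searches                           62446           24.0/s
  inserts                              355            0.1/s
  removals                             354            0.1/s
Counters
  match                                951            0.4/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
"""

def parse(text):
    """Map 'section/name' -> total for each indented counter row."""
    totals, section = {}, None
    for line in text.splitlines():
        row = re.match(r"\s+(\S.*?)\s+(\d+)(?:\s+[\d.]+/s)?\s*$", line)
        if row:
            totals[f"{section}/{row.group(1)}"] = int(row.group(2))
        elif line.strip():
            section = line.split("  ")[0].strip()  # 'State Table' or 'Counters'
    return totals

def increased(before, after):
    """Counters whose total grew between the two snapshots."""
    b, a = parse(before), parse(after)
    return {k: a[k] - b[k] for k in a if a[k] > b.get(k, 0)}

print(increased(BEFORE, AFTER))
```

On the values in this message only `match` and the state-table searches, inserts and removals grew; `bad-offset`, `fragment`, `short`, `normalize` and `memory` stayed at 0.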