From: Darren Reed
Subject: Re: ipfilter problem
To: rob@robhughes.com
Date: Thu, 9 May 2002 23:41:26 +1000 (Australia/NSW)
Cc: stable@freebsd.org

> > Hi,
> >
> > I have FreeBSD-STABLE (4.6-PRERELEASE) from May 1st and I cannot
> > communicate with the host news.cis.dfn.de (neither nntp nor http, but
> > only this host, others work). When I remove this ipf rule it works:
> >
> > block return-rst in log quick on isp0 proto tcp from any to any
> >
> > But with a prior version of STABLE or 4.5-RELEASE it worked.
> >
> > greets,
> > Michael
> >
>
> IPFilter was updated to 3.4.27. I had several rules that weren't having
> any effect on the previous 3.4.20 version that suddenly "kicked in"
> after the update. My guess would be that you experienced the same thing.

In going from 3.4.25 -> 3.4.27, IPFilter became much more strict in how
it allowed packets through for TCP connections. The side effect is that
some packets which did match the connection now don't and will hit the
"return-rst" rule above.
If you do not use "flags S" with TCP "keep state" rules, packets which
are not within the TCP window will no longer cause a new state entry to
be made and will hit other TCP rules following (such as the return-rst
above).

I'm not sure it is a good site to test with:

telnet news.cis.dfn.de 80
Trying 130.133.1.4...
Connected to news.cis.dfn.de.
Escape character is '^]'.
GET /
Connection closed by foreign host.

23:38:35.963084 10.10.10.10.11578 > 130.133.1.4.80: S [tcp sum ok] 1374076492:1374076492(0) win 8760 (DF) (ttl 254, id 46871)
23:38:36.367016 130.133.1.4.80 > 10.10.10.10.11578: S [tcp sum ok] 786895874:786895874(0) ack 1374076493 win 49152 (DF) (ttl 36, id 64119)
23:38:36.367801 10.10.10.10.11578 > 130.133.1.4.80: . [tcp sum ok] ack 1 win 9884 (DF) (ttl 254, id 46872)
23:38:37.763256 LCP
23:38:37.763340 LCP
23:38:38.373093 10.10.10.10.11578 > 130.133.1.4.80: P [tcp sum ok] 1:8(7) ack 1 win 9884 (DF) (ttl 254, id 46873)
23:38:38.777847 130.133.1.4.80 > 10.10.10.10.11578: . [tcp sum ok] ack 8 win 49152 (DF) (ttl 36, id 4560)
23:38:38.806748 130.133.1.4.80 > 10.10.10.10.11578: . 1:1413(1412) ack 8 win 49152 (DF) (ttl 36, id 4564)
23:38:38.833112 130.133.1.4.80 > 10.10.10.10.11578: . 1413:2825(1412) ack 8 win 49152 (DF) (ttl 36, id 4565)
23:38:39.186423 10.10.10.10.11578 > 130.133.1.4.80: P [tcp sum ok] 8:10(2) ack 1 win 9884 (DF) (ttl 254, id 46874)
23:38:39.540526 130.133.1.4.80 > 10.10.10.10.11578: . 1:1413(1412) ack 8 win 49152 (DF) (ttl 36, id 6060)
23:38:39.589375 130.133.1.4.80 > 10.10.10.10.11578: R [tcp sum ok] 786895875:786895875(0) win 0 (ttl 36, id 6235)

As you can see, the closure is initiated by the remote end, not local.
Hmmm, then again, it could be window scaling not working, but still,
that the closure is initiated by the other end is sus, to me.

Darren
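An added illustration of the "flags S" point in the reply above (not part of Darren's message or of any ruleset posted in the thread): it assumes Michael's inbound block rule on isp0 is paired with an outbound "pass out ... keep state" rule, which the thread does not show, and places that assumed rule without "flags S" beside the form the reply describes.

```conf
# Assumed original ruleset (hypothetical; only the block rule is from the thread).
# Without "flags S", state may be created by any outbound TCP packet, not only
# the SYN. As the reply explains, from 3.4.27 a packet that is not within the
# tracked TCP window no longer creates a fresh state entry and instead falls
# through to the rules that follow, here the inbound "block return-rst", which
# answers it with a reset and is logged.
pass out quick on isp0 proto tcp from any to any keep state
block return-rst in log quick on isp0 proto tcp from any to any

# Form described in the reply: create state only on the outbound SYN, so the
# handshake and the window are tracked from the start of the connection and
# the replies are matched by the state table before the block rule is reached.
pass out quick on isp0 proto tcp from any to any flags S keep state
block return-rst in log quick on isp0 proto tcp from any to any
```

After changing the rule, the logged hits on the block rule (ipmon) are the quickest way to confirm whether replies for the affected host still fall through.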