From: Jason Mattax
Date: Mon, 23 Jul 2012 21:09:54 -0600
To: Daniel Hartmeier
Cc: jmattax@clanspum.net, freebsd-pf@freebsd.org
Subject: Re: PF suddenly malfunctioned

On 7/23/2012 4:05 AM, Daniel Hartmeier wrote:
> If you can reliably reproduce the problem with en.wikipedia.org, I
> suggest the following:
>
> On the firewall
>
> 1) enable verbose logging with pfctl -xm
> 2) save the output of pfctl -si and netstat -s
> 3) run the following three tcpdump in parallel, and save the output:
>    tcpdump -s 1600 -nvvvpSi xl0 'host 91.198.174.225'
>    tcpdump -s 1600 -nvvvpSi re0 'host 91.198.174.225'
>    tcpdump -s 1600 -nvvveeepi pflog0
>
> On a client
>
> 4) printf "GET /wiki/Main_Page HTTP/1.1\r\nHost: en.wikipedia.org\r\n\r\n" |
>    nc -v 91.198.174.225 80 | wc -c
> 5) this should hang until some timeout occurs, you need only wait 10s.
>
> Back on the firewall
>
> 6) re-run pfctl -si and netstat -s (again saving the output)
> 7) stop the tcpdumps
> 8) check /var/log/messages for anything from pf
>
> Then post the outputs :)
>
> Daniel
>

The files are attached. It should be noted that I did the run I'm posting around 21:00 according to my server's clock. There were no messages about the above in /var/log/messages, but there were some messages from earlier in the day.

The reason it took me so long to get this posted is that I was (and still am) getting unexpected output from the netcat above. When I run the netcat I nearly immediately get a notice that the connection succeeded, so I decided to look at what the server was sending me. As it turns out, it was only sending me whitespace, if anything. You can see a copy and paste of the command line below.

Thanks for looking at this.

Jason Mattax

Attachment: messages

Jul 23 16:24:58 stilgar kernel: pf: state reuse TCP 192.168.0.200:139 192.168.0.200:139 24.123.237.238:34820 [lo=3243560508 high=3243560510 win=15088 modulator=0] [lo=0 high=15088 win=1 modulator=0] 10:10 S
Jul 23 16:24:58 stilgar kernel: pf: state reuse TCP 192.168.0.200:139 192.168.0.200:139 24.123.237.238:34820 [lo=3243560508 high=3243560510 win=15088 modulator=0] [lo=0 high=15088 win=1 modulator=0] 10:10 S
Jul 23 16:25:04 stilgar kernel: pf: state reuse TCP 192.168.0.200:445 192.168.0.200:445 24.123.237.238:34871 [lo=3247592298 high=3247592300 win=15088 modulator=0] [lo=0 high=15088 win=1 modulator=0] 10:10 S
Jul 23 16:25:04 stilgar kernel: pf: state reuse TCP 192.168.0.200:445 192.168.0.200:445 24.123.237.238:34871 [lo=3247592298 high=3247592300 win=15088 modulator=0] [lo=0 high=15088 win=1 modulator=0] 10:10 S
Jul 23 17:53:04 stilgar kernel: pf: state reuse TCP 192.168.0.200:4899 192.168.0.200:4899 80.32.31.160:2205 [lo=47482671 high=47482673 win=65535 modulator=0] [lo=0 high=65535 win=1 modulator=0] 10:10 S
Jul 23 17:53:05 stilgar kernel: pf: state reuse TCP 192.168.0.200:4899 192.168.0.200:4899 80.32.31.160:2205 [lo=47482671 high=47482673 win=65535 modulator=0] [lo=0 high=65535 win=1 modulator=0] 10:10 S

Attachment: netcat

jmattax@chani:~$ printf "GET /wiki/Main_Page HTTP/1.1\r\nHost: en.wikipedia.org\r\n\r\n" | nc -v 91.198.174.225 80
Connection to 91.198.174.225 80 port [tcp/http] succeeded!

Attachment: netstat_after (netstat -s output saved after the test)

Attachment: netstat_before (netstat -s output saved before the test)

Attachment: pfctl_after

No ALTQ support in kernel
ALTQ related functions disabled
Status: Enabled for 0 days 21:47:22           Debug: Misc

State Table                          Total             Rate
  current entries                       20
  searches                           55249            0.7/s
  inserts                             1901            0.0/s
  removals                            1881            0.0/s
Counters
  match                               1917            0.0/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s

Attachment: pfctl_before

No ALTQ support in kernel
ALTQ related functions disabled
Status: Enabled for 0 days 21:46:41           Debug: Misc

State Table                          Total             Rate
  current entries                       21
  searches                           55023            0.7/s
  inserts                             1899            0.0/s
  removals                            1878            0.0/s
Counters
  match                               1915            0.0/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s

Attachment: pflog0_tcpdump (empty)

Attachment: re0_tcpdump

20:56:23.455030 IP (tos 0x0, ttl 64, id 50886, offset 0, flags [DF], proto TCP (6), length 60)
    10.11.10.45.51996 > 91.198.174.225.80: Flags [S], cksum 0x34cc (correct), seq 3868567477, win 14600, options [mss 1460,sackOK,TS val 2384243 ecr 0,nop,wscale 4], length 0
20:56:23.633425 IP (tos 0x0, ttl 52, id 0, offset 0, flags [DF], proto TCP (6), length 60, bad cksum 0 (->27dd)!)
    91.198.174.225.80 > 10.11.10.45.51996: Flags [S.], cksum 0x95a1 (correct), seq 2727041994, ack 3868567478, win 5792, options [mss 1460,sackOK,TS val 669489983 ecr 2384243,nop,wscale 9], length 0
20:56:23.634947 IP (tos 0x0, ttl 64, id 50887, offset 0, flags [DF], proto TCP (6), length 52)
    10.11.10.45.51996 > 91.198.174.225.80: Flags [.], cksum 0xd751 (correct), seq 3868567478, ack 2727041995, win 913, options [nop,nop,TS val 2384288 ecr 669489983], length 0
20:56:23.635166 IP (tos 0x0, ttl 64, id 50888, offset 0, flags [DF], proto TCP (6), length 108)
    10.11.10.45.51996 > 91.198.174.225.80: Flags [P.], cksum 0x6f6b (correct), seq 3868567478:3868567534, ack 2727041995, win 913, options [nop,nop,TS val 2384288 ecr 669489983], length 56
20:56:23.635810 IP (tos 0x0, ttl 64, id 50889, offset 0, flags [DF], proto TCP (6), length 52)
    10.11.10.45.51996 > 91.198.174.225.80: Flags [F.], cksum 0xd718 (correct), seq 3868567534, ack 2727041995, win 913, options [nop,nop,TS val 2384288 ecr 669489983], length 0
20:56:23.813427 IP (tos 0x0, ttl 52, id 49306, offset 0, flags [DF], proto TCP (6), length 64, bad cksum 0 (->673e)!)
    91.198.174.225.80 > 10.11.10.45.51996: Flags [.], cksum 0x87a3 (correct), seq 2727041995, ack 3868567478, win 12, options [nop,nop,TS val 669490001 ecr 2384288,nop,nop,sack 1 {3868567534:3868567535}], length 0
20:56:23.814752 IP (tos 0x0, ttl 52, id 49307, offset 0, flags [DF], proto TCP (6), length 52, bad cksum 0 (->6749)!)
    91.198.174.225.80 > 10.11.10.45.51996: Flags [.], cksum 0xda8b (correct), seq 2727041995, ack 3868567535, win 12, options [nop,nop,TS val 669490001 ecr 2384288], length 0
20:56:23.815233 IP (tos 0x0, ttl 52, id 49308, offset 0, flags [DF], proto TCP (6), length 52, bad cksum 0 (->6748)!)
    91.198.174.225.80 > 10.11.10.45.51996: Flags [F.], cksum 0xda8a (correct), seq 2727041995, ack 3868567535, win 12, options [nop,nop,TS val 669490001 ecr 2384288], length 0
20:56:23.816529 IP (tos 0x0, ttl 64, id 50890, offset 0, flags [DF], proto TCP (6), length 52)
    10.11.10.45.51996 > 91.198.174.225.80: Flags [.], cksum 0xd6d8 (correct), seq 3868567535, ack 2727041996, win 913, options [nop,nop,TS val 2384333 ecr 669490001], length 0

Attachment: xl0_tcpdump

20:56:23.455415 IP (tos 0x0, ttl 63, id 50886, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.0.200.64834 > 91.198.174.225.80: Flags [S], cksum 0x556d (correct), seq 3868567477, win 14600, options [mss 1460,sackOK,TS val 2384243 ecr 0,nop,wscale 4], length 0
20:56:23.633234 IP (tos 0x0, ttl 53, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    91.198.174.225.80 > 192.168.0.200.64834: Flags [S.], cksum 0xb642 (correct), seq 2727041994, ack 3868567478, win 5792, options [mss 1460,sackOK,TS val 669489983 ecr 2384243,nop,wscale 9], length 0
20:56:23.635087 IP (tos 0x0, ttl 63, id 50887, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.0.200.64834 > 91.198.174.225.80: Flags [.], cksum 0xf7f2 (correct), seq 3868567478, ack 2727041995, win 913, options [nop,nop,TS val 2384288 ecr 669489983], length 0
20:56:23.635277 IP (tos 0x0, ttl 63, id 50888, offset 0, flags [DF], proto TCP (6), length 108)
    192.168.0.200.64834 > 91.198.174.225.80: Flags [P.], cksum 0x900c (correct), seq 3868567478:3868567534, ack 2727041995, win 913, options [nop,nop,TS val 2384288 ecr 669489983], length 56
20:56:23.635923 IP (tos 0x0, ttl 63, id 50889, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.0.200.64834 > 91.198.174.225.80: Flags [F.], cksum 0xf7b9 (correct), seq 3868567534, ack 2727041995, win 913, options [nop,nop,TS val 2384288 ecr 669489983], length 0
20:56:23.813258 IP (tos 0x0, ttl 53, id 49306, offset 0, flags [DF], proto TCP (6), length 64)
    91.198.174.225.80 > 192.168.0.200.64834: Flags [.], cksum 0xa844 (correct), seq 2727041995, ack 3868567478, win 12, options [nop,nop,TS val 669490001 ecr 2384288,nop,nop,sack 1 {3868567534:3868567535}], length 0
20:56:23.814638 IP (tos 0x0, ttl 53, id 49307, offset 0, flags [DF], proto TCP (6), length 52)
    91.198.174.225.80 > 192.168.0.200.64834: Flags [.], cksum 0xfb2c (correct), seq 2727041995, ack 3868567535, win 12, options [nop,nop,TS val 669490001 ecr 2384288], length 0
20:56:23.815114 IP (tos 0x0, ttl 53, id 49308, offset 0, flags [DF], proto TCP (6), length 52)
    91.198.174.225.80 > 192.168.0.200.64834: Flags [F.], cksum 0xfb2b (correct), seq 2727041995, ack 3868567535, win 12, options [nop,nop,TS val 669490001 ecr 2384288], length 0
20:56:23.816677 IP (tos 0x0, ttl 63, id 50890, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.0.200.64834 > 91.198.174.225.80: Flags [.], cksum 0xf779 (correct), seq 3868567535, ack 2727041996, win 913, options [nop,nop,TS val 2384333 ecr 669490001], length 0
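
Added example, not part of the original message: the quoted procedure captures the same flow on both firewall interfaces so that the two views can be compared. This Python sketch pairs records from two such captures by direction, TCP flags, seq/ack and payload length (fields NAT leaves unchanged) and lists packets seen on one interface only. The sample captures and their addresses are constructed, and it assumes pf is not rewriting sequence numbers (no `modulate state`).

```python
import re
from collections import Counter

# First line of a `tcpdump -nv` record: timestamp and IP header fields.
TS = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) IP ")
# Second line: endpoints (address.port) and the TCP fields used for matching.
TCP = re.compile(
    r"^\s*(?P<src>[\d.]+) > (?P<dst>[\d.]+): Flags \[(?P<flags>[^\]]*)\],"
    r".*?\bseq (?P<seq>\d+)(?::(?P<seq_end>\d+))?,"
    r"(?: ack (?P<ack>\d+),)?.*\blength (?P<len>\d+)\s*$"
)


def parse_capture(text, remote):
    """Return [(timestamp, key)] for TCP records to or from `remote` (ip.port).

    The key omits the local endpoint, TTL, IP id and checksums, which differ
    between the two sides of a NAT. Records without a seq field are skipped.
    """
    records, ts = [], None
    for line in text.splitlines():
        m = TS.match(line)
        if m:
            ts = m.group(1)
            continue
        m = TCP.match(line)
        if not m or ts is None:
            continue
        if m["dst"] == remote:
            direction = "out"
        elif m["src"] == remote:
            direction = "in"
        else:
            continue
        key = (direction, m["flags"], m["seq"], m["seq_end"], m["ack"], int(m["len"]))
        records.append((ts, key))
        ts = None
    return records


def missing(seen, other):
    """Records in `seen` with no counterpart in `other` (multiset difference,
    so a retransmission needs its own counterpart on the other interface)."""
    budget = Counter(key for _, key in other)
    unmatched = []
    for ts, key in seen:
        if budget[key] > 0:
            budget[key] -= 1
        else:
            unmatched.append((ts, key))
    return unmatched


REMOTE = "203.0.113.80.80"  # constructed server endpoint (documentation range)

# Constructed capture on the external interface (client address already NATed).
OUTER = """\
21:00:00.000100 IP (tos 0x0, ttl 63, id 100, offset 0, flags [DF], proto TCP (6), length 44)
    198.51.100.7.64834 > 203.0.113.80.80: Flags [S], cksum 0x1111 (correct), seq 1000, win 14600, options [mss 1460], length 0
21:00:00.100100 IP (tos 0x0, ttl 53, id 0, offset 0, flags [DF], proto TCP (6), length 44)
    203.0.113.80.80 > 198.51.100.7.64834: Flags [S.], cksum 0x2222 (correct), seq 5000, ack 1001, win 5792, options [mss 1460], length 0
21:00:00.100900 IP (tos 0x0, ttl 63, id 101, offset 0, flags [DF], proto TCP (6), length 40)
    198.51.100.7.64834 > 203.0.113.80.80: Flags [.], cksum 0x3333 (correct), seq 1001, ack 5001, win 913, length 0
21:00:00.101000 IP (tos 0x0, ttl 63, id 102, offset 0, flags [DF], proto TCP (6), length 96)
    198.51.100.7.64834 > 203.0.113.80.80: Flags [P.], cksum 0x4444 (correct), seq 1001:1057, ack 5001, win 913, length 56
21:00:00.201000 IP (tos 0x0, ttl 53, id 200, offset 0, flags [DF], proto TCP (6), length 1488)
    203.0.113.80.80 > 198.51.100.7.64834: Flags [.], cksum 0x5555 (correct), seq 5001:6449, ack 1057, win 12, length 1448
21:00:01.201000 IP (tos 0x0, ttl 53, id 201, offset 0, flags [DF], proto TCP (6), length 1488)
    203.0.113.80.80 > 198.51.100.7.64834: Flags [.], cksum 0x5555 (correct), seq 5001:6449, ack 1057, win 12, length 1448
"""

# Constructed capture on the internal interface: the server's data segment
# and its retransmission never show up here.
INNER = """\
21:00:00.000050 IP (tos 0x0, ttl 64, id 100, offset 0, flags [DF], proto TCP (6), length 44)
    10.0.0.45.51996 > 203.0.113.80.80: Flags [S], cksum 0xaaaa (correct), seq 1000, win 14600, options [mss 1460], length 0
21:00:00.100200 IP (tos 0x0, ttl 52, id 0, offset 0, flags [DF], proto TCP (6), length 44)
    203.0.113.80.80 > 10.0.0.45.51996: Flags [S.], cksum 0xbbbb (correct), seq 5000, ack 1001, win 5792, options [mss 1460], length 0
21:00:00.100800 IP (tos 0x0, ttl 64, id 101, offset 0, flags [DF], proto TCP (6), length 40)
    10.0.0.45.51996 > 203.0.113.80.80: Flags [.], cksum 0xcccc (correct), seq 1001, ack 5001, win 913, length 0
21:00:00.100950 IP (tos 0x0, ttl 64, id 102, offset 0, flags [DF], proto TCP (6), length 96)
    10.0.0.45.51996 > 203.0.113.80.80: Flags [P.], cksum 0xdddd (correct), seq 1001:1057, ack 5001, win 913, length 56
"""

if __name__ == "__main__":
    outer, inner = parse_capture(OUTER, REMOTE), parse_capture(INNER, REMOTE)
    for ts, key in missing(outer, inner):
        print("external only:", ts, key)
    for ts, key in missing(inner, outer):
        print("internal only:", ts, key)
```

Run over the re0 and xl0 captures attached to the message with `91.198.174.225.80` as the remote endpoint, both differences are empty: all nine packets appear on both interfaces.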