From: Jason Hellenthal
To: net@FreeBSD.org
Date: Sat, 24 Sep 2011 11:39:27 -0400
Subject: Re: Last Address on Interface Receiving RST ACK.
Message-ID: <20110924153927.GA92152@DataIX.net>
In-Reply-To: <20110908052838.GA36011@DataIX.net>

Ignore this. I found the problem with this a little while back.

Problem was that the address receiving the RST ACK on the same interface
within the same subnet was also located within a DMZ which caused it to
receive everything that was also bound for the /24.

On Thu, Sep 08, 2011 at 01:28:38AM -0400, Jason Hellenthal wrote:
>
> Net,
>
> With a default setup of dc0 on 8.2-STABLE r224908 I have noticed that
> when the interface is configured with more than one address that the
> last address configured receives RSTs & ACKs that were generated on the
> primary address.
>
> The configuration is like such:
>
> PF with no NAT or redirection.
> Default route: 192.168.1.1
> ipv4_addrs_dc0="192.168.1.2/24"
>
> And then a jail brings up alias 192.168.1.100/32
>
> I have mail pulling down to this system every 20 minutes and this is
> repeated every 20 minutes but not solely dependent to just this service
> or destination.
>
> Rule 26: block drop in log quick proto tcp from ! port < 1024
> to any
>
> Keep in mind the only way I caught this is because the jail is not
> generating any traffic and since there is no state for that address this
> rule kicks in to block what should not be received by that address.
>
> Any help with this would be appreciated.
>
> 00:56:05.274815 rule 26/0(match): block in on dc0: (tos 0x0, ttl 254, id 13179, offset 0, flags [none], proto TCP (6), length 40)
>     91.121.XXX.XXX.443 > 192.168.1.100.33581: Flags [R.], cksum 0x0a57 (correct), seq 1397498691, ack 1491506967, win 0, length 0
> 00:56:49.351521 rule 26/0(match): block in on dc0: (tos 0x0, ttl 254, id 44594, offset 0, flags [none], proto TCP (6), length 40)
>     74.125.XXX.X.443 > 192.168.1.100.58794: Flags [R.], cksum 0x0268 (correct), seq 3217610262, ack 840102530, win 0, length 0
> 00:57:49.465331 rule 26/0(match): block in on dc0: (tos 0x0, ttl 254, id 49671, offset 0, flags [none], proto TCP (6), length 40)
>     74.125.XXX.XX.443 > 192.168.1.100.35474: Flags [R.], cksum 0x5c5e (correct), seq 3787279118, ack 1664887624, win 0, length 0
> 00:58:23.524232 rule 26/0(match): block in on dc0: (tos 0x0, ttl 254, id 54499, offset 0, flags [none], proto TCP (6), length 40)
>     74.125.XXX.XXX.993 > 192.168.1.100.55544: Flags [R.], cksum 0x9962 (correct), seq 1419741552, ack 2168011860, win 0, length 0
> 00:58:49.586119 rule 26/0(match): block in on dc0: (tos 0x0, ttl 254, id 61912, offset 0, flags [none], proto TCP (6), length 40)
>     74.125.XXX.XX.443 > 192.168.1.100.64663: Flags [R.], cksum 0xf8db (correct), seq 1228724784, ack 2559832299, win 0, length 0
> 00:58:51.573874 rule 26/0(match): block in on dc0: (tos 0x0, ttl 254, id 49850, offset 0, flags [none], proto TCP (6), length 40)
>     12.22.XX.XX.873 > 192.168.1.100.60330: Flags [R.], cksum 0xfcbd (correct), seq 1803075968, ack 944126062, win 0, length 0
> 00:59:05.594207 rule 26/0(match): block in on dc0: (tos 0x0, ttl 254, id 18167, offset 0, flags [none], proto TCP (6), length 40)
>     12.22.XX.XX.873 > 192.168.1.100.16970: Flags [R.], cksum 0x851b (correct), seq 1913818609, ack 3282631427, win 0, length 0
> 01:08:24.602213 rule 26/0(match): block in on dc0: (tos 0x0, ttl 254, id 19516, offset 0, flags [none], proto TCP (6), length 40)
>     74.125.XXX.XX.993 > 192.168.1.100.27724: Flags [R.], cksum 0xa62d (correct), seq 3861575754, ack 1373823783, win 0, length 0
>
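
Added example, not part of the original post: a short Python script that parses pf log output in the two-line tcpdump format quoted above and tallies blocked RSTs addressed to local addresses that should hold no connections of their own, such as the idle jail alias. The remote addresses in the sample are constructed placeholders, and `parse`, `stray_resets` and `active_addrs` are hypothetical names.

```python
import re
from collections import Counter

# Constructed sample in the two-line pflog/tcpdump format quoted in the post;
# remote addresses are documentation-range placeholders, not values from the post.
SAMPLE = """\
00:56:05.274815 rule 26/0(match): block in on dc0: (tos 0x0, ttl 254, id 13179, offset 0, flags [none], proto TCP (6), length 40)
    198.51.100.7.443 > 192.168.1.100.33581: Flags [R.], cksum 0x0a57 (correct), seq 1397498691, ack 1491506967, win 0, length 0
00:58:23.524232 rule 26/0(match): block in on dc0: (tos 0x0, ttl 254, id 54499, offset 0, flags [none], proto TCP (6), length 40)
    203.0.113.20.993 > 192.168.1.100.55544: Flags [R.], cksum 0x9962 (correct), seq 1419741552, ack 2168011860, win 0, length 0
00:59:40.000000 rule 4/0(match): block in on dc0: (tos 0x0, ttl 52, id 4242, offset 0, flags [DF], proto TCP (6), length 60)
    203.0.113.20.51000 > 192.168.1.2.22: Flags [S], cksum 0x1234 (correct), seq 1, win 65535, length 0
"""

HEAD = re.compile(r"^(\S+) rule (\d+)/\d+\(match\): (block|pass) (in|out) on (\S+):")
FLOW = re.compile(r"^\s+(\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): Flags \[([^\]]*)\]")

def parse(text):
    """Pair each rule header line with its indented flow line; yield one dict per packet."""
    head = None
    for line in text.splitlines():
        m = HEAD.match(line)
        if m:
            head = m
            continue
        f = FLOW.match(line)
        if f and head:
            yield {"time": head[1], "rule": int(head[2]), "action": head[3],
                   "iface": head[5], "src": f[1], "sport": int(f[2]),
                   "dst": f[3], "dport": int(f[4]), "flags": f[5]}
            head = None

def stray_resets(text, active_addrs):
    """Count blocked RSTs per (destination, remote port) for destinations that are
    not in active_addrs, i.e. addresses not expected to originate connections."""
    hits = Counter()
    for p in parse(text):
        if p["action"] == "block" and "R" in p["flags"] and p["dst"] not in active_addrs:
            hits[(p["dst"], p["sport"])] += 1
    return hits

if __name__ == "__main__":
    for (dst, sport), n in sorted(stray_resets(SAMPLE, {"192.168.1.2"}).items()):
        print(f"{n} blocked RST(s) to {dst} from remote port {sport}")
```

RSTs arriving for an address with no state of its own suggest the packets are being delivered to that address by something upstream, which matches the DMZ cause described in the reply.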