From: Daniel Hartmeier
To: Kimi Ostro
Cc: freebsd-pf@freebsd.org
Date: Sun, 12 Nov 2006 00:24:25 +0100
Subject: Re: Having a couple of issues
Message-ID: <20061111232425.GO6819@insomnia.benzedrine.cx>

On Sat, Nov 11, 2006 at 11:04:25PM +0000, Kimi Ostro wrote:

> All of those messages "State failure on:" messages are like this:
>
> Nov 10 15:40:24 ehost kernel: pf: State failure on: |
>
> which doesn't help I guess?
>
> more here:
>
> Nov 10 15:40:24 ehost kernel: pf: BAD state: TCP IiP.IiP.IiP.8:54188
> XiP.XiP.XiP.199:56092 66.35.250.150:80 [lo=3278961269 high=3278967062
> win=32768 modulator=2503785894 wscale=1] [lo=164575658 high=164641194
> win=5792 modulator=2389911175 wscale=2] 4:2 R seq=3278961269
> ack=164575658 len=0 ackskew=0 pkts=1:4 dir=out,fwd
> Nov 10 15:40:24 ehost kernel: pf: State failure on: |

These are caused by an off-by-one in pf's state tracking for one special
case: when an RST is sent during the handshake (i.e. SYN, SYN+ACK, RST),
pf compares the sequence number in the RST exactly, and is off by one,
blocking the RST.

This is recognizable by the strange "State failure on:" line with no
digits (the digit(s) indicate the reason why the state match failed; in
this specific case, and this case only, there is no digit printed).

It was recently fixed in OpenBSD, IIRC post-4.0. The fix is easy to port.

But I have to wonder why this shows up repeatedly just now. Who are
those clients aborting their handshake with RST, and why are they doing
it? If the RST is properly passed, it's not like you end up with a
working connection, it's aborted. And if they don't intend to complete
the handshake, why start it? Some silly form of port scanning? WTF? :)

Daniel
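
Added example, not part of the original message and not pf code: a Python log triage that pairs each "BAD state" line with the "State failure on:" line that follows it and flags the signature described above (RST flag set, no reason digits printed). The field layout is assumed from the log line quoted in the message, rejoined onto one line; the second pair of sample lines is constructed for contrast.

```python
import re

# First two lines: the log quoted in the message above (mail wrapping undone).
# Last two lines: constructed for contrast, a failure line that does carry digits.
SAMPLE = """\
Nov 10 15:40:24 ehost kernel: pf: BAD state: TCP IiP.IiP.IiP.8:54188 XiP.XiP.XiP.199:56092 66.35.250.150:80 [lo=3278961269 high=3278967062 win=32768 modulator=2503785894 wscale=1] [lo=164575658 high=164641194 win=5792 modulator=2389911175 wscale=2] 4:2 R seq=3278961269 ack=164575658 len=0 ackskew=0 pkts=1:4 dir=out,fwd
Nov 10 15:40:24 ehost kernel: pf: State failure on: |
Nov 10 15:41:02 ehost kernel: pf: BAD state: TCP 192.0.2.8:40000 198.51.100.9:80 [lo=100 high=200 win=32768] [lo=300 high=400 win=5792] 4:4 A seq=999 ack=300 len=0 ackskew=0 pkts=9:9 dir=in,fwd
Nov 10 15:41:02 ehost kernel: pf: State failure on: 1 | 5
"""

# Assumed layout (taken from the quoted line): "] <state pair> <TCP flags> seq=... ack=... len=..."
BAD = re.compile(
    r"pf: BAD state: (?P<proto>\S+) .*\] (?P<states>\d+:\d+) "
    r"(?P<flags>[A-Z]+) seq=(?P<seq>\d+) ack=(?P<ack>\d+) len=(?P<len>\d+)"
)
FAIL = re.compile(r"pf: State failure on:(?P<reasons>.*)$")


def triage(lines):
    """Pair each BAD state line with the State failure line that follows it."""
    findings, pending = [], None
    for line in lines:
        bad = BAD.search(line)
        if bad:
            pending = bad.groupdict()
            continue
        fail = FAIL.search(line)
        if fail and pending:
            digits = re.findall(r"\d", fail.group("reasons"))
            findings.append({
                "states": pending["states"],
                "flags": pending["flags"],
                "seq": int(pending["seq"]),
                "reasons": digits,
                # Signature from the message: an RST and no reason digit at all.
                "rst_offbyone_signature": "R" in pending["flags"] and not digits,
            })
            pending = None
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE.splitlines()):
        verdict = "RST off-by-one signature" if f["rst_offbyone_signature"] else "other mismatch"
        print(f["states"], f["flags"], f["seq"], f["reasons"], verdict)
```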