Date: Fri, 16 Dec 2005 10:09:15 -0600 From: Paul Dokas <dokas@oitsec.umn.edu> To: freebsd-pf@freebsd.org Subject: very odd PF + FreeBSD6.0 problems Message-ID: <20051216100915.73fef758.dokas@oitsec.umn.edu>
next in thread | raw e-mail | index | archive | help
[-- Attachment #1 --]
I recently upgrade to FreeBSD 6.0 via a full reinstall and I've run into a very
strange problem with PF. First of all, I'm using the same PF ruleset that I
used on 5.4. I know for a fact that it works correctly there. What's happening
is that when I turn on PF, I'm able to make outbound connections, but if those
connections go idle for more than 30 seconds, PF starts rejecting inbound packets.
Furthermore, PF _does_ show an ESTABLISHED state in it's state table. With loud
debugging turned on, it's giving me "pf_normalize_tcp_stateful: Timestamp failed 1"
messages.
The attached files show all of the details that I've collected about this.
this.host.umn.edu (A.B.C.D) is the host that I'm having problems with.
The first file shows tcpdump of 'telnet that.host.umn.edu 22' and the PF kernel
messages generated by the loud debugging. The second file shows the output of
`pfctl -vsa`.
I'd greatly appreciate any help that anyone might have about this problem.
Paul
--
Paul Dokas dokas at oitsec.umn.edu
======================================================================
Don Juan Matus: "an enigma wrapped in mystery wrapped in a tortilla."
[-- Attachment #2 --]
this.host.umn.edu == A.B.C.D
that.host.umn.edu == W.X.Y.Z
09:12:00.516180 IP this.host.umn.edu.54746 > that.host.umn.edu.ssh: S 2843439405:2843439405(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 2382230823 0,sackOK,eol>
09:12:00.516597 IP that.host.umn.edu.ssh > this.host.umn.edu.54746: S 1786857104:1786857104(0) ack 2843439406 win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 1424712989 2382230823,nop,nop,sackOK>
09:12:00.516664 IP this.host.umn.edu.54746 > that.host.umn.edu.ssh: . ack 1 win 33304 <nop,nop,timestamp 2382230824 1424712989>
09:12:00.518506 IP that.host.umn.edu.ssh > this.host.umn.edu.54746: P 1:42(41) ack 1 win 33304 <nop,nop,timestamp 1424712993 2382230824>
09:12:00.618331 IP this.host.umn.edu.54746 > that.host.umn.edu.ssh: . ack 42 win 33304 <nop,nop,timestamp 2382231028 1424712993>
09:14:00.601413 IP that.host.umn.edu.ssh > this.host.umn.edu.54746: F 42:42(0) ack 1 win 33304 <nop,nop,timestamp 1424952994 2382231028>
09:14:00.914991 IP that.host.umn.edu.ssh > this.host.umn.edu.54746: F 42:42(0) ack 1 win 33304 <nop,nop,timestamp 1424953621 2382231028>
09:14:01.342212 IP that.host.umn.edu.ssh > this.host.umn.edu.54746: F 42:42(0) ack 1 win 33304 <nop,nop,timestamp 1424954475 2382231028>
09:14:01.996605 IP that.host.umn.edu.ssh > this.host.umn.edu.54746: F 42:42(0) ack 1 win 33304 <nop,nop,timestamp 1424955783 2382231028>
09:14:03.105482 IP that.host.umn.edu.ssh > this.host.umn.edu.54746: F 42:42(0) ack 1 win 33304 <nop,nop,timestamp 1424957999 2382231028>
Dec 16 09:14:00 this kernel: pf_normalize_tcp_stateful: Timestamp failed 1
Dec 16 09:14:00 this kernel: pf_normalize_tcp_stateful: tsval: 1424952994 tsecr: 336877 +ticks: 165091 idle: 120s 82ms
Dec 16 09:14:00 this kernel: pf_normalize_tcp_stateful: src->tsval: 1424712993 tsecr: 336673
Dec 16 09:14:00 this kernel: pf_normalize_tcp_stateful: dst->tsval: 336877 tsecr: 1424712993 tsval0: 336672
Dec 16 09:14:00 this kernel: TCP A.B.C.D:54746 A.B.C.D:54746 W.X.Y.Z:22 [lo=2843439405 high=2843506014 win=33304 modulator=0 wscale=1] [lo=1786857146 high=1786923754 win=33304 modulator=0 wscale=1] 4:4 FA
Dec 16 09:14:01 this kernel: pf_normalize_tcp_stateful: Timestamp failed 1
Dec 16 09:14:01 this kernel: pf_normalize_tcp_stateful: tsval: 1424953621 tsecr: 336877 +ticks: 165436 idle: 120s 396ms
Dec 16 09:14:01 this kernel: pf_normalize_tcp_stateful: src->tsval: 1424712993 tsecr: 336673
Dec 16 09:14:01 this kernel: pf_normalize_tcp_stateful: dst->tsval: 336877 tsecr: 1424712993 tsval0: 336672
Dec 16 09:14:01 this kernel: TCP A.B.C.D:54746 A.B.C.D:54746 W.X.Y.Z:22 [lo=2843439405 high=2843506014 win=33304 modulator=0 wscale=1] [lo=1786857146 high=1786923754 win=33304 modulator=0 wscale=1] 4:4 FA
Dec 16 09:14:01 this kernel: pf_normalize_tcp_stateful: Timestamp failed 1
Dec 16 09:14:01 this kernel: pf_normalize_tcp_stateful: tsval: 577409 tsecr: 1424712993 +ticks: 165335 idle: 120s 304ms
Dec 16 09:14:01 this kernel: pf_normalize_tcp_stateful: src->tsval: 336877 tsecr: 1424712993
Dec 16 09:14:01 this kernel: pf_normalize_tcp_stateful: dst->tsval: 1424712993 tsecr: 336673 tsval0: 1424712989
Dec 16 09:14:01 this kernel: TCP A.B.C.D:54746 A.B.C.D:54746 W.X.Y.Z:22 [lo=2843439405 high=2843506014 win=33304 modulator=0 wscale=1] [lo=1786857146 high=1786923754 win=33304 modulator=0 wscale=1] 4:4 FA
Dec 16 09:14:01 this kernel: pf_normalize_tcp_stateful: Timestamp failed 1
Dec 16 09:14:01 this kernel: pf_normalize_tcp_stateful: tsval: 577815 tsecr: 1424712993 +ticks: 165558 idle: 120s 508ms
Dec 16 09:14:01 this kernel: pf_normalize_tcp_stateful: src->tsval: 336877 tsecr: 1424712993
Dec 16 09:14:01 this kernel: pf_normalize_tcp_stateful: dst->tsval: 1424712993 tsecr: 336673 tsval0: 1424712989
Dec 16 09:14:01 this kernel: TCP A.B.C.D:54746 A.B.C.D:54746 W.X.Y.Z:22 [lo=2843439405 high=2843506014 win=33304 modulator=0 wscale=1] [lo=1786857146 high=1786923754 win=33304 modulator=0 wscale=1] 4:4 FA
Dec 16 09:14:01 this kernel: pf_normalize_tcp_stateful: Timestamp failed 1
Dec 16 09:14:01 this kernel: pf_normalize_tcp_stateful: tsval: 578227 tsecr: 1424712993 +ticks: 165785 idle: 120s 714ms
Dec 16 09:14:01 this kernel: pf_normalize_tcp_stateful: src->tsval: 336877 tsecr: 1424712993
Dec 16 09:14:01 this kernel: pf_normalize_tcp_stateful: dst->tsval: 1424712993 tsecr: 336673 tsval0: 1424712989
Dec 16 09:14:01 this kernel: TCP A.B.C.D:54746 A.B.C.D:54746 W.X.Y.Z:22 [lo=2843439405 high=2843506014 win=33304 modulator=0 wscale=1] [lo=1786857146 high=1786923754 win=33304 modulator=0 wscale=1] 4:4 FA
Dec 16 09:14:01 this kernel: pf_normalize_tcp_stateful: Timestamp failed 1
Dec 16 09:14:01 this kernel: pf_normalize_tcp_stateful: tsval: 1424954475 tsecr: 336877 +ticks: 165906 idle: 120s 824ms
Dec 16 09:14:01 this kernel: pf_normalize_tcp_stateful: src->tsval: 1424712993 tsecr: 336673
Dec 16 09:14:01 this kernel: pf_normalize_tcp_stateful: dst->tsval: 336877 tsecr: 1424712993 tsval0: 336672
Dec 16 09:14:01 this kernel: TCP A.B.C.D:54746 A.B.C.D:54746 W.X.Y.Z:22 [lo=2843439405 high=2843506014 win=33304 modulator=0 wscale=1] [lo=1786857146 high=1786923754 win=33304 modulator=0 wscale=1] 4:4 FA
Dec 16 09:14:01 this kernel: pf_normalize_tcp_stateful: Timestamp failed 1
Dec 16 09:14:01 this kernel: pf_normalize_tcp_stateful: tsval: 578651 tsecr: 1424712993 +ticks: 166018 idle: 120s 926ms
Dec 16 09:14:01 this kernel: pf_normalize_tcp_stateful: src->tsval: 336877 tsecr: 1424712993
Dec 16 09:14:01 this kernel: pf_normalize_tcp_stateful: dst->tsval: 1424712993 tsecr: 336673 tsval0: 1424712989
Dec 16 09:14:01 this kernel: TCP A.B.C.D:54746 A.B.C.D:54746 W.X.Y.Z:22 [lo=2843439405 high=2843506014 win=33304 modulator=0 wscale=1] [lo=1786857146 high=1786923754 win=33304 modulator=0 wscale=1] 4:4 FA
Dec 16 09:14:01 this kernel: pf_normalize_tcp_stateful: Timestamp failed 1
Dec 16 09:14:01 this kernel: pf_normalize_tcp_stateful: tsval: 579099 tsecr: 1424712993 +ticks: 166265 idle: 121s 150ms
Dec 16 09:14:01 this kernel: pf_normalize_tcp_stateful: src->tsval: 336877 tsecr: 1424712993
Dec 16 09:14:01 this kernel: pf_normalize_tcp_stateful: dst->tsval: 1424712993 tsecr: 336673 tsval0: 1424712989
Dec 16 09:14:01 this kernel: TCP A.B.C.D:54746 A.B.C.D:54746 W.X.Y.Z:22 [lo=2843439405 high=2843506014 win=33304 modulator=0 wscale=1] [lo=1786857146 high=1786923754 win=33304 modulator=0 wscale=1] 4:4 FA
Dec 16 09:14:01 this kernel: pf_normalize_tcp_stateful: Timestamp failed 1
Dec 16 09:14:01 this kernel: pf_normalize_tcp_stateful: tsval: 579099 tsecr: 1424712993 +ticks: 166265 idle: 121s 150ms
Dec 16 09:14:01 this kernel: pf_normalize_tcp_stateful: src->tsval: 336877 tsecr: 1424712993
Dec 16 09:14:01 this kernel: pf_normalize_tcp_stateful: dst->tsval: 1424712993 tsecr: 336673 tsval0: 1424712989
Dec 16 09:14:01 this kernel: TCP A.B.C.D:54746 A.B.C.D:54746 W.X.Y.Z:22 [lo=2843439405 high=2843506014 win=33304 modulator=0 wscale=1] [lo=1786857146 high=1786923754 win=33304 modulator=0 wscale=1] 4:4 FA
Dec 16 09:14:02 this kernel: pf_normalize_tcp_stateful: Timestamp failed 1
Dec 16 09:14:02 this kernel: pf_normalize_tcp_stateful: tsval: 1424955783 tsecr: 336877 +ticks: 166626 idle: 121s 478ms
Dec 16 09:14:02 this kernel: pf_normalize_tcp_stateful: src->tsval: 1424712993 tsecr: 336673
Dec 16 09:14:02 this kernel: pf_normalize_tcp_stateful: dst->tsval: 336877 tsecr: 1424712993 tsval0: 336672
Dec 16 09:14:02 this kernel: TCP A.B.C.D:54746 A.B.C.D:54746 W.X.Y.Z:22 [lo=2843439405 high=2843506014 win=33304 modulator=0 wscale=1] [lo=1786857146 high=1786923754 win=33304 modulator=0 wscale=1] 4:4 FA
Dec 16 09:14:02 this kernel: pf_normalize_tcp_stateful: Timestamp failed 1
Dec 16 09:14:02 this kernel: pf_normalize_tcp_stateful: tsval: 579595 tsecr: 1424712993 +ticks: 166538 idle: 121s 398ms
Dec 16 09:14:02 this kernel: pf_normalize_tcp_stateful: src->tsval: 336877 tsecr: 1424712993
Dec 16 09:14:02 this kernel: pf_normalize_tcp_stateful: dst->tsval: 1424712993 tsecr: 336673 tsval0: 1424712989
Dec 16 09:14:02 this kernel: TCP A.B.C.D:54746 A.B.C.D:54746 W.X.Y.Z:22 [lo=2843439405 high=2843506014 win=33304 modulator=0 wscale=1] [lo=1786857146 high=1786923754 win=33304 modulator=0 wscale=1] 4:4 FA
Dec 16 09:14:02 this kernel: pf_normalize_tcp_stateful: Timestamp failed 1
Dec 16 09:14:02 this kernel: pf_normalize_tcp_stateful: tsval: 580123 tsecr: 1424712993 +ticks: 166829 idle: 121s 662ms
Dec 16 09:14:02 this kernel: pf_normalize_tcp_stateful: src->tsval: 336877 tsecr: 1424712993
Dec 16 09:14:02 this kernel: pf_normalize_tcp_stateful: dst->tsval: 1424712993 tsecr: 336673 tsval0: 1424712989
Dec 16 09:14:02 this kernel: TCP A.B.C.D:54746 A.B.C.D:54746 W.X.Y.Z:22 [lo=2843439405 high=2843506014 win=33304 modulator=0 wscale=1] [lo=1786857146 high=1786923754 win=33304 modulator=0 wscale=1] 4:4 FA
Dec 16 09:14:02 this kernel: pf_normalize_tcp_stateful: Timestamp failed 1
Dec 16 09:14:02 this kernel: pf_normalize_tcp_stateful: tsval: 580779 tsecr: 1424712993 +ticks: 167190 idle: 121s 990ms
Dec 16 09:14:02 this kernel: pf_normalize_tcp_stateful: src->tsval: 336877 tsecr: 1424712993
Dec 16 09:14:02 this kernel: pf_normalize_tcp_stateful: dst->tsval: 1424712993 tsecr: 336673 tsval0: 1424712989
Dec 16 09:14:02 this kernel: TCP A.B.C.D:54746 A.B.C.D:54746 W.X.Y.Z:22 [lo=2843439405 high=2843506014 win=33304 modulator=0 wscale=1] [lo=1786857146 high=1786923754 win=33304 modulator=0 wscale=1] 4:4 FA
Dec 16 09:14:03 this kernel: pf_normalize_tcp_stateful: Timestamp failed 1
Dec 16 09:14:03 this kernel: pf_normalize_tcp_stateful: tsval: 581691 tsecr: 1424712993 +ticks: 167691 idle: 122s 447ms
Dec 16 09:14:03 this kernel: pf_normalize_tcp_stateful: src->tsval: 336877 tsecr: 1424712993
Dec 16 09:14:03 this kernel: pf_normalize_tcp_stateful: dst->tsval: 1424712993 tsecr: 336673 tsval0: 1424712989
Dec 16 09:14:03 this kernel: TCP A.B.C.D:54746 A.B.C.D:54746 W.X.Y.Z:22 [lo=2843439405 high=2843506014 win=33304 modulator=0 wscale=1] [lo=1786857146 high=1786923754 win=33304 modulator=0 wscale=1] 4:4 FA
Dec 16 09:14:03 this kernel: pf_normalize_tcp_stateful: Timestamp failed 1
Dec 16 09:14:03 this kernel: pf_normalize_tcp_stateful: tsval: 1424957999 tsecr: 336877 +ticks: 167845 idle: 122s 587ms
Dec 16 09:14:03 this kernel: pf_normalize_tcp_stateful: src->tsval: 1424712993 tsecr: 336673
Dec 16 09:14:03 this kernel: pf_normalize_tcp_stateful: dst->tsval: 336877 tsecr: 1424712993 tsval0: 336672
Dec 16 09:14:03 this kernel: TCP A.B.C.D:54746 A.B.C.D:54746 W.X.Y.Z:22 [lo=2843439405 high=2843506014 win=33304 modulator=0 wscale=1] [lo=1786857146 high=1786923754 win=33304 modulator=0 wscale=1] 4:4 FA
Dec 16 09:14:03 this kernel: pf_normalize_tcp_stateful: Timestamp failed 1
Dec 16 09:14:03 this kernel: pf_normalize_tcp_stateful: tsval: 583115 tsecr: 1424712993 +ticks: 168475 idle: 123s 159ms
Dec 16 09:14:03 this kernel: pf_normalize_tcp_stateful: src->tsval: 336877 tsecr: 1424712993
Dec 16 09:14:03 this kernel: pf_normalize_tcp_stateful: dst->tsval: 1424712993 tsecr: 336673 tsval0: 1424712989
Dec 16 09:14:03 this kernel: TCP A.B.C.D:54746 A.B.C.D:54746 W.X.Y.Z:22 [lo=2843439405 high=2843506014 win=33304 modulator=0 wscale=1] [lo=1786857146 high=1786923754 win=33304 modulator=0 wscale=1] 4:4 FA
Dec 16 09:14:05 this kernel: pf_normalize_tcp_stateful: Timestamp failed 1
Dec 16 09:14:05 this kernel: pf_normalize_tcp_stateful: tsval: 585563 tsecr: 1424712993 +ticks: 169821 idle: 124s 383ms
Dec 16 09:14:05 this kernel: pf_normalize_tcp_stateful: src->tsval: 336877 tsecr: 1424712993
Dec 16 09:14:05 this kernel: pf_normalize_tcp_stateful: dst->tsval: 1424712993 tsecr: 336673 tsval0: 1424712989
Dec 16 09:14:05 this kernel: TCP A.B.C.D:54746 A.B.C.D:54746 W.X.Y.Z:22 [lo=2843439405 high=2843506014 win=33304 modulator=0 wscale=1] [lo=1786857146 high=1786923754 win=33304 modulator=0 wscale=1] 4:4 FA
Dec 16 09:14:05 this kernel: pf_normalize_tcp_stateful: Timestamp failed 1
Dec 16 09:14:05 this kernel: pf_normalize_tcp_stateful: tsval: 1424962031 tsecr: 336877 +ticks: 170065 idle: 124s 604ms
Dec 16 09:14:05 this kernel: pf_normalize_tcp_stateful: src->tsval: 1424712993 tsecr: 336673
Dec 16 09:14:05 this kernel: pf_normalize_tcp_stateful: dst->tsval: 336877 tsecr: 1424712993 tsval0: 336672
Dec 16 09:14:05 this kernel: TCP A.B.C.D:54746 A.B.C.D:54746 W.X.Y.Z:22 [lo=2843439405 high=2843506014 win=33304 modulator=0 wscale=1] [lo=1786857146 high=1786923754 win=33304 modulator=0 wscale=1] 4:4 FA
Dec 16 09:14:06 this kernel: pf_normalize_tcp_stateful: Timestamp failed 1
Dec 16 09:14:06 this kernel: pf_normalize_tcp_stateful: tsval: 588011 tsecr: 1424712993 +ticks: 171168 idle: 125s 607ms
Dec 16 09:14:06 this kernel: pf_normalize_tcp_stateful: src->tsval: 336877 tsecr: 1424712993
Dec 16 09:14:06 this kernel: pf_normalize_tcp_stateful: dst->tsval: 1424712993 tsecr: 336673 tsval0: 1424712989
Dec 16 09:14:06 this kernel: TCP A.B.C.D:54746 A.B.C.D:54746 W.X.Y.Z:22 [lo=2843439405 high=2843506014 win=33304 modulator=0 wscale=1] [lo=1786857146 high=1786923754 win=33304 modulator=0 wscale=1] 4:4 FA
Dec 16 09:14:07 this kernel: pf_normalize_tcp_stateful: Timestamp failed 1
Dec 16 09:14:07 this kernel: pf_normalize_tcp_stateful: tsval: 590459 tsecr: 1424712993 +ticks: 172515 idle: 126s 832ms
Dec 16 09:14:07 this kernel: pf_normalize_tcp_stateful: src->tsval: 336877 tsecr: 1424712993
Dec 16 09:14:07 this kernel: pf_normalize_tcp_stateful: dst->tsval: 1424712993 tsecr: 336673 tsval0: 1424712989
Dec 16 09:14:07 this kernel: TCP A.B.C.D:54746 A.B.C.D:54746 W.X.Y.Z:22 [lo=2843439405 high=2843506014 win=33304 modulator=0 wscale=1] [lo=1786857146 high=1786923754 win=33304 modulator=0 wscale=1] 4:4 FA
Dec 16 09:14:08 this kernel: pf_normalize_tcp_stateful: Timestamp failed 1
Dec 16 09:14:08 this kernel: pf_normalize_tcp_stateful: tsval: 1424969055 tsecr: 336877 +ticks: 173931 idle: 128s 119ms
Dec 16 09:14:08 this kernel: pf_normalize_tcp_stateful: src->tsval: 1424712993 tsecr: 336673
Dec 16 09:14:08 this kernel: pf_normalize_tcp_stateful: dst->tsval: 336877 tsecr: 1424712993 tsval0: 336672
Dec 16 09:14:08 this kernel: TCP A.B.C.D:54746 A.B.C.D:54746 W.X.Y.Z:22 [lo=2843439405 high=2843506014 win=33304 modulator=0 wscale=1] [lo=1786857146 high=1786923754 win=33304 modulator=0 wscale=1] 4:4 FA
Dec 16 09:14:08 this kernel: pf: BAD state: TCP A.B.C.D:54746 A.B.C.D:54746 W.X.Y.Z:22 [lo=2843439405 high=2843506014 win=33304 modulator=0 wscale=1] [lo=1786857146 high=1786923754 win=33304 modulator=0 wscale=1] 4:4 RA seq=2843439405 ack=1786857146 len=0 ackskew=0 pkts=3:2 dir=out,fwd
Dec 16 09:14:08 this kernel: pf: State failure on: |
Dec 16 09:14:15 this kernel: pf_normalize_tcp_stateful: Timestamp failed 1
Dec 16 09:14:15 this kernel: pf_normalize_tcp_stateful: tsval: 1424982703 tsecr: 336877 +ticks: 181442 idle: 134s 947ms
Dec 16 09:14:15 this kernel: pf_normalize_tcp_stateful: src->tsval: 1424712993 tsecr: 336673
Dec 16 09:14:15 this kernel: pf_normalize_tcp_stateful: dst->tsval: 336877 tsecr: 1424712993 tsval0: 336672
Dec 16 09:14:15 this kernel: TCP A.B.C.D:54746 A.B.C.D:54746 W.X.Y.Z:22 [lo=2843439405 high=2843506014 win=33304 modulator=0 wscale=1] [lo=1786857146 high=1786923754 win=33304 modulator=0 wscale=1] 4:4 FA
Dec 16 09:14:29 this kernel: pf_normalize_tcp_stateful: Timestamp failed 1
Dec 16 09:14:29 this kernel: pf_normalize_tcp_stateful: tsval: 1425009599 tsecr: 336877 +ticks: 196245 idle: 148s 405ms
Dec 16 09:14:29 this kernel: pf_normalize_tcp_stateful: src->tsval: 1424712993 tsecr: 336673
Dec 16 09:14:29 this kernel: pf_normalize_tcp_stateful: dst->tsval: 336877 tsecr: 1424712993 tsval0: 336672
Dec 16 09:14:29 this kernel: TCP A.B.C.D:54746 A.B.C.D:54746 W.X.Y.Z:22 [lo=2843439405 high=2843506014 win=33304 modulator=0 wscale=1] [lo=1786857146 high=1786923754 win=33304 modulator=0 wscale=1] 4:4 FA
Dec 16 09:14:55 this kernel: pf_normalize_tcp_stateful: Timestamp failed 1
Dec 16 09:14:55 this kernel: pf_normalize_tcp_stateful: tsval: 1425062991 tsecr: 336877 +ticks: 225630 idle: 175s 118ms
Dec 16 09:14:55 this kernel: pf_normalize_tcp_stateful: src->tsval: 1424712993 tsecr: 336673
Dec 16 09:14:55 this kernel: pf_normalize_tcp_stateful: dst->tsval: 336877 tsecr: 1424712993 tsval0: 336672
Dec 16 09:14:55 this kernel: TCP A.B.C.D:54746 A.B.C.D:54746 W.X.Y.Z:22 [lo=2843439405 high=2843506014 win=33304 modulator=0 wscale=1] [lo=1786857146 high=1786923754 win=33304 modulator=0 wscale=1] 4:4 FA
Dec 16 09:15:48 this kernel: pf_normalize_tcp_stateful: Timestamp failed 1
Dec 16 09:15:48 this kernel: pf_normalize_tcp_stateful: tsval: 1425169375 tsecr: 336877 +ticks: 284183 idle: 228s 348ms
Dec 16 09:15:48 this kernel: pf_normalize_tcp_stateful: src->tsval: 1424712993 tsecr: 336673
Dec 16 09:15:48 this kernel: pf_normalize_tcp_stateful: dst->tsval: 336877 tsecr: 1424712993 tsval0: 336672
Dec 16 09:15:48 this kernel: TCP A.B.C.D:54746 A.B.C.D:54746 W.X.Y.Z:22 [lo=2843439405 high=2843506014 win=33304 modulator=0 wscale=1] [lo=1786857146 high=1786923754 win=33304 modulator=0 wscale=1] 4:4 FA
[-- Attachment #3 --]
FILTER RULES:
scrub all reassemble tcp fragment reassemble
[ Evaluations: 2444 Packets: 2444 Bytes: 0 States: 0 ]
pass quick on lo0 all
[ Evaluations: 780 Packets: 180 Bytes: 13320 States: 0 ]
block drop in log all
[ Evaluations: 760 Packets: 77 Bytes: 9959 States: 0 ]
block drop in log quick from <KNOWN_BAD_HOSTS> to any
[ Evaluations: 359 Packets: 0 Bytes: 0 States: 0 ]
block drop out log quick from any to <KNOWN_BAD_HOSTS>
[ Evaluations: 760 Packets: 0 Bytes: 0 States: 0 ]
block drop in log quick on ! lo0 inet6 from ::1 to any
[ Evaluations: 760 Packets: 0 Bytes: 0 States: 0 ]
block drop in log quick on ! lo0 inet from 127.0.0.0/8 to any
[ Evaluations: 359 Packets: 0 Bytes: 0 States: 0 ]
block drop in log quick on ! bge0 inet from A.B.C.192/26 to any
[ Evaluations: 359 Packets: 0 Bytes: 0 States: 0 ]
block drop in log quick on bge0 inet6 from fe80::212:3fff:dead:beef to any
[ Evaluations: 359 Packets: 0 Bytes: 0 States: 0 ]
block drop in log quick inet from A.B.C.D to any
[ Evaluations: 359 Packets: 0 Bytes: 0 States: 0 ]
pass in on bge0 inet6 proto tcp from <MYDOMAIN> to fe80::212:3fff:dead:beef flags S/SA keep state
[ Evaluations: 359 Packets: 0 Bytes: 0 States: 0 ]
pass in inet proto tcp from <MYDOMAIN> to A.B.C.D flags S/SA keep state
[ Evaluations: 359 Packets: 0 Bytes: 0 States: 0 ]
pass in inet6 proto tcp from <MYDOMAIN> to ::1 flags S/SA keep state
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
pass in on lo0 inet6 proto tcp from <MYDOMAIN> to fe80::1 flags S/SA keep state
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
pass in inet proto tcp from <MYDOMAIN> to 127.0.0.1 flags S/SA keep state
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
pass in on bge0 inet6 proto udp from <MYDOMAIN> to fe80::212:3fff:dead:beef keep state
[ Evaluations: 359 Packets: 0 Bytes: 0 States: 0 ]
pass in inet proto udp from <MYDOMAIN> to A.B.C.D keep state
[ Evaluations: 359 Packets: 0 Bytes: 0 States: 0 ]
pass in inet6 proto udp from <MYDOMAIN> to ::1 keep state
[ Evaluations: 77 Packets: 0 Bytes: 0 States: 0 ]
pass in on lo0 inet6 proto udp from <MYDOMAIN> to fe80::1 keep state
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
pass in inet proto udp from <MYDOMAIN> to 127.0.0.1 keep state
[ Evaluations: 77 Packets: 0 Bytes: 0 States: 0 ]
pass in inet proto icmp from <MYDOMAIN> to A.B.C.D keep state
[ Evaluations: 359 Packets: 282 Bytes: 15792 States: 0 ]
pass in inet proto icmp from <MYDOMAIN> to 127.0.0.1 keep state
[ Evaluations: 282 Packets: 0 Bytes: 0 States: 0 ]
pass in on bge0 inet6 proto tcp from any port >= 1024 to fe80::212:3fff:dead:beef port = ssh flags S/SA keep state
[ Evaluations: 359 Packets: 0 Bytes: 0 States: 0 ]
pass in inet proto tcp from any port >= 1024 to A.B.C.D port = ssh flags S/SA keep state
[ Evaluations: 359 Packets: 0 Bytes: 0 States: 0 ]
pass in inet6 proto tcp from any port >= 1024 to ::1 port = ssh flags S/SA keep state
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
pass in on lo0 inet6 proto tcp from any port >= 1024 to fe80::1 port = ssh flags S/SA keep state
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
pass in inet proto tcp from any port >= 1024 to 127.0.0.1 port = ssh flags S/SA keep state
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
pass in inet proto icmp from any to A.B.C.D icmp-type echoreq keep state
[ Evaluations: 359 Packets: 0 Bytes: 0 States: 0 ]
pass in inet proto icmp from any to 127.0.0.1 icmp-type echoreq keep state
[ Evaluations: 282 Packets: 0 Bytes: 0 States: 0 ]
pass out on bge0 inet6 proto tcp from fe80::212:3fff:dead:beef to any flags S/SA keep state
[ Evaluations: 760 Packets: 0 Bytes: 0 States: 0 ]
pass out on bge0 inet proto tcp from A.B.C.D to any flags S/SA keep state
[ Evaluations: 397 Packets: 193 Bytes: 57144 States: 1 ]
pass out on bge0 inet6 proto tcp from ::1 to any flags S/SA keep state
[ Evaluations: 8 Packets: 0 Bytes: 0 States: 0 ]
pass out on bge0 inet proto tcp from 127.0.0.1 to any flags S/SA keep state
[ Evaluations: 8 Packets: 0 Bytes: 0 States: 0 ]
pass out on bge0 inet6 proto udp from fe80::212:3fff:dead:beef to any keep state
[ Evaluations: 401 Packets: 0 Bytes: 0 States: 0 ]
pass out on bge0 inet proto udp from A.B.C.D to any keep state
[ Evaluations: 397 Packets: 998 Bytes: 99612 States: 0 ]
pass out on bge0 inet6 proto udp from ::1 to any keep state
[ Evaluations: 106 Packets: 0 Bytes: 0 States: 0 ]
pass out on bge0 inet proto udp from 127.0.0.1 to any keep state
[ Evaluations: 106 Packets: 0 Bytes: 0 States: 0 ]
pass out on bge0 inet proto icmp from A.B.C.D to any keep state
[ Evaluations: 401 Packets: 0 Bytes: 0 States: 0 ]
pass out on bge0 inet proto icmp from 127.0.0.1 to any keep state
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
STATES:
self tcp A.B.C.D:54746 -> W.X.Y.Z:22 ESTABLISHED:ESTABLISHED
[2843439405 + 66609] wscale 1 [1786857146 + 66608] wscale 1
age 00:27:05, expires in 23:32:55, 3:2 pkts, 168:157 bytes, rule 39
INFO:
Status: Disabled for 0 days 00:21:05 Debug: Loud
Hostid: 0x0930c3a5
Interface Stats for bge0 IPv4 IPv6
Bytes In 83475 0
Bytes Out 184720 288
Packets In
Passed 518 0
Blocked 90 0
Packets Out
Passed 1238 4
Blocked 14 0
State Table Total Rate
current entries 1
searches 2044 1.6/s
inserts 134 0.1/s
removals 133 0.1/s
Source Tracking Table
current entries 0
searches 0 0.0/s
inserts 0 0.0/s
removals 0 0.0/s
Counters
match 780 0.6/s
bad-offset 0 0.0/s
fragment 0 0.0/s
short 0 0.0/s
normalize 0 0.0/s
memory 0 0.0/s
bad-timestamp 26 0.0/s
congestion 0 0.0/s
ip-option 0 0.0/s
proto-cksum 0 0.0/s
state-mismatch 1 0.0/s
state-insert 0 0.0/s
state-limit 0 0.0/s
src-limit 0 0.0/s
synproxy 0 0.0/s
Limit Counters
max states per rule 0 0.0/s
max-src-states 0 0.0/s
max-src-nodes 0 0.0/s
max-src-conn 0 0.0/s
max-src-conn-rate 0 0.0/s
overload table insertion 0 0.0/s
overload flush states 0 0.0/s
TIMEOUTS:
tcp.first 120s
tcp.opening 30s
tcp.established 86400s
tcp.closing 900s
tcp.finwait 45s
tcp.closed 90s
tcp.tsdiff 30s
udp.first 60s
udp.single 30s
udp.multiple 60s
icmp.first 20s
icmp.error 10s
other.first 60s
other.single 30s
other.multiple 60s
frag 30s
interval 10s
adaptive.start 0 states
adaptive.end 0 states
src.track 0s
LIMITS:
states hard limit 10000
src-nodes hard limit 10000
frags hard limit 5000
TABLES:
-pa-r- CLIENTS
-pa-r- KNOWN_BAD_HOSTS
-pa-r- MYDOMAIN
OS FINGERPRINTS:
345 fingerprints loaded
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20051216100915.73fef758.dokas>