Having a couple of issues
Kimi Ostro
kimimeister at gmail.com
Sat Nov 11 20:08:00 UTC 2006
Hi folks,
I'm having two issues, first one is lots of these:
pf: loose state match: TCP IiP.IiP.IiP.8:52621 XiP.XiP.XiP.199:62555 80.91.229.5:119 [lo=3269014705 high=3269020496 win=32844 modulator=4099273154 wscale=1] [lo=1410763470 high=1410829151 win=5792 modulator=37226129 wscale=0] 9:4 R seq=3269014705 ack=1410763470 len=0 ackskew=0 pkts=87:65
sprinkled with a few of these:
pf: BAD state: TCP IiP.IiP.IiP.8:62611 XiP.XiP.XiP.199:58398 83.143.169.1:80 [lo=4085132808 high=4085138601 win=32768 modulator=3334704359 wscale=1] [lo=172073751 high=172139287 win=5792 modulator=2536699106 wscale=2] 4:2 R seq=4085132808 ack=172073751 len=0 ackskew=0 pkts=1:5 dir=out,fwd
pf: State failure on: |
Also my other issue is FTP. I had FTP working before I lost my current
ruleset due to a HD crash and decided to use ftp/pftpx from ports.
In /var/log/messages I get a few of these showing up:
Nov 11 20:01:36 ehost pftpx[46924]: #157 proxy cannot connect to server 64.39.2.174: Operation not permitted
Nov 11 20:01:36 ehost pftpx[46924]: #158 proxy cannot connect to server 192.35.244.50: Operation not permitted
Nov 11 20:01:38 ehost pftpx[46924]: #163 proxy cannot connect to server 213.135.44.35: Operation not permitted
Nov 11 20:01:38 ehost pftpx[46924]: #164 proxy cannot connect to server 212.14.28.36: Operation not permitted
Nov 11 20:01:39 ehost pftpx[46924]: #165 proxy cannot connect to server 212.101.4.244: Operation not permitted
Nov 11 20:01:39 ehost pftpx[46924]: #166 proxy cannot connect to server 193.206.140.34: Operation not permitted
Nov 11 20:01:40 ehost pftpx[46924]: #167 proxy cannot connect to server 66.98.251.159: Operation not permitted
which I think is related to the next part..
tcpdump -net -s0 -i pflog0 shows the packet's blocked.
Can anyone help? I'm a little rusty :(
--
% cat /etc/pf.conf
ext_if = "tun0"
prv_if = "fxp0"
lpb_if = "lo0"
#set loginterface $prv_if
set state-policy if-bound
#set skip on $lpb_if
#set debug misc
scrub in on $ext_if \
all \
min-ttl 100 \
no-df \
fragment drop-ovl
scrub out on $ext_if \
all \
min-ttl 10 \
random-id
altq on $ext_if priq bandwidth 1Mb \
queue { Realtime High AboveNormal Normal BelowNormal Low }
queue Realtime priority 15 priq
queue High priority 12 priq
queue AboveNormal priority 9 priq
queue Normal priority 6 priq( default )
queue BelowNormal priority 3 priq
queue Low priority 0 priq
no nat on $ext_if \
inet \
from $prv_if:network \
to $prv_if:network
nat on $ext_if \
inet proto { tcp udp } \
from $prv_if:network \
to any \
tag prv_natted \
-> ($ext_if:0)
nat-anchor "pftpx/*"
rdr-anchor "pftpx/*"
rdr pass on $prv_if \
inet proto tcp \
from $prv_if:network \
to any port = ftp \
-> $lpb_if:0 port ftp-proxy
block drop log on $ext_if
block return log on ! $ext_if
pass quick on $lpb_if
pass in quick on $prv_if \
inet proto udp \
from 0.0.0.0 port dhcpc \
to 255.255.255.255 port dhcps
pass quick on $prv_if \
from $prv_if:network \
to $prv_if:network
pass in on $prv_if \
inet proto { tcp udp } \
from $prv_if:network \
to ! $prv_if:network \
flags S/SA modulate state
pass out on $ext_if \
inet proto udp \
from ($ext_if:0) \
to any port = domain \
keep state \
queue High \
tagged prv_natted
pass out on $ext_if \
inet proto udp \
from ($ext_if:0) \
to any port = ntp \
keep state \
queue High
anchor "pftpx/*"
pass out on $ext_if \
inet proto tcp \
from ($ext_if:0) \
to any port { http https 8008 8080 } \
flags S/SA modulate state \
queue Normal \
tagged prv_natted
pass out on $ext_if \
inet proto tcp \
from ($ext_if:0) \
to any port { 1863 5050 5222:5223 } \
flags S/SA modulate state \
queue BelowNormal \
tagged prv_natted
pass out on $ext_if \
inet proto tcp \
from ($ext_if:0) \
to any port { smtp pop3 imap nntp smtps pop3s imaps nntps } \
flags S/SA modulate state \
queue BelowNormal \
tagged prv_natted
pass out on $ext_if \
inet proto tcp \
from ($ext_if:0) \
to any port { cvsup cvspserver } \
flags S/SA modulate state \
queue BelowNormal \
tagged prv_natted
pass out on $ext_if \
inet proto tcp \
from ($ext_if:0) \
to any port = ssh \
flags S/SA modulate state \
queue (BelowNormal High) \
tagged prv_natted
pass out on $ext_if \
inet proto tcp \
from ($ext_if:0) \
to any \
flags S/SA modulate state \
tagged prv_natted
antispoof for { $ext_if $prv_if $lpb_if }
# EOF
Help? I tend to think the real problem is the object between the screen and the chair..
--
Kimi
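Added example, not from the post or from the pf/pftpx projects: a small Python parser for the two kinds of line quoted above, the `pf: loose state match` / `pf: BAD state` debug output and the pftpx "cannot connect" syslog lines, so the sequence-window fields, TCP states and failed servers can be pulled out programmatically rather than read by eye. It assumes the `a:b` state field follows FreeBSD's tcp_fsm.h numbering and that the three endpoints are printed as lan, gateway and ext; the sample lines are the post's own, re-joined onto single lines.

```python
import re
# Constructed sample: the two pf state-debug lines and one pftpx syslog line from
# the post, re-joined onto single lines (addresses exactly as the poster masked them).
SAMPLE = """\
pf: loose state match: TCP IiP.IiP.IiP.8:52621 XiP.XiP.XiP.199:62555 80.91.229.5:119 [lo=3269014705 high=3269020496 win=32844 modulator=4099273154 wscale=1] [lo=1410763470 high=1410829151 win=5792 modulator=37226129 wscale=0] 9:4 R seq=3269014705 ack=1410763470 len=0 ackskew=0 pkts=87:65
pf: BAD state: TCP IiP.IiP.IiP.8:62611 XiP.XiP.XiP.199:58398 83.143.169.1:80 [lo=4085132808 high=4085138601 win=32768 modulator=3334704359 wscale=1] [lo=172073751 high=172139287 win=5792 modulator=2536699106 wscale=2] 4:2 R seq=4085132808 ack=172073751 len=0 ackskew=0 pkts=1:5 dir=out,fwd
Nov 11 20:01:36 ehost pftpx[46924]: #157 proxy cannot connect to server 64.39.2.174: Operation not permitted
"""
# "a:b" state field; assumed to use FreeBSD tcp_fsm.h numbering (synproxy states lie above).
TCP_STATES = ("CLOSED", "LISTEN", "SYN_SENT", "SYN_RECEIVED", "ESTABLISHED", "CLOSE_WAIT",
              "FIN_WAIT_1", "CLOSING", "LAST_ACK", "FIN_WAIT_2", "TIME_WAIT")

def _side(p):  # one "[lo= high= win= modulator= wscale=]" group, fields prefixed p_
    return (rf"\[lo=(?P<{p}_lo>\d+) high=(?P<{p}_hi>\d+) win=(?P<{p}_win>\d+) "
            rf"modulator=(?P<{p}_mod>\d+) wscale=(?P<{p}_ws>\d+)\]")

# Endpoints are assumed to be printed as lan, gateway (NAT-translated) and ext, in that order.
STATE_RE = re.compile(
    r"pf: (?P<kind>loose state match|BAD state): (?P<proto>\S+) "
    r"(?P<src>\S+) (?P<gw>\S+) (?P<dst>\S+) " + _side("src") + " " + _side("dst") +
    r" (?P<s1>\d+):(?P<s2>\d+) (?P<flags>\S+) seq=(?P<seq>\d+) ack=(?P<ack>\d+)"
    r" len=(?P<len>\d+) ackskew=(?P<skew>-?\d+) pkts=(?P<p1>\d+):(?P<p2>\d+)"
    r"(?: dir=(?P<dir>\S+))?$")
PFTPX_RE = re.compile(r"pftpx\[\d+\]: #(?P<sess>\d+) proxy cannot connect to "
                      r"server (?P<server>\S+): (?P<err>.+)$")

def _endpoint(s):
    host, _, port = s.rpartition(":")
    return host, int(port)

def parse_pf_state(line):
    """Parse one 'pf: loose state match' / 'pf: BAD state' line; None if it is not one."""
    m = STATE_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    name = lambda n: TCP_STATES[int(n)] if int(n) < len(TCP_STATES) else f"SYNPROXY({n})"
    rec = {"kind": g["kind"], "proto": g["proto"], "src": _endpoint(g["src"]),
           "gw": _endpoint(g["gw"]), "dst": _endpoint(g["dst"]),
           "src_state": name(g["s1"]), "dst_state": name(g["s2"]), "flags": g["flags"],
           "rst": "R" in g["flags"], "seq": int(g["seq"]), "ack": int(g["ack"]),
           "pkts": (int(g["p1"]), int(g["p2"])), "dir": g["dir"]}
    for p in ("src", "dst"):  # per-side sequence-window bookkeeping
        rec[p + "_win"] = {k: int(g[f"{p}_{k}"]) for k in ("lo", "hi", "win", "mod", "ws")}
    return rec

def parse_pftpx(line):
    """Session number, target server and errno text from a pftpx failure line."""
    m = PFTPX_RE.search(line)
    return m and {"session": int(m["sess"]), "server": m["server"], "error": m["err"]}
```

Both quoted pf lines parse as RST packets (`rst` is True), and the `BAD state` one carries `dir=out,fwd`; the pftpx records give the list of servers the proxy could not reach and the errno text for each.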
More information about the freebsd-pf mailing list