BAD state using PF

FreeBSD freebsd at optiksecurite.com
Tue Dec 2 08:38:22 PST 2008


Hi everyone,

I know this has been discussed earlier, but I'm not sure that the 
ephemeral port reuse is really my problem and, if it is, I'm not sure 
what to do.

Here is my situation: I'm running FreeBSD 7.0-REL on a server running a 
jail to isolate MySQL. The jail is bound to 127.0.0.40 and I use RDR in 
pf.conf to redirect the traffic directed to port 3306 into the jail. This 
works great except that I get random "Can't connect to MySQL" errors when 
another jail (127.0.0.20) or another server tries to connect to 
MySQL. I noticed that the State Mismatch counter of pfctl -vsi is 
increasing, so I enabled misc debugging (pfctl -xm). Here is a snippet of 
what I got in /var/log/messages:

Dec  2 10:58:35 martin kernel: pf: BAD state: TCP 127.0.0.20:63485 
127.0.0.20:63485 127.0.0.40:3306 [lo=3309233133 high=3309304807 win=8960 
modulator=2304227691 wscale=3] [lo=1318579582 high=1318651262 win=8960 
modulator=4106 wscale=3] 9:9 S seq=3346121963 (3346121963) 
ack=1318579582 len=0 ackskew=0 pkts=53:55 dir=out,fwd
Dec  2 10:58:35 martin kernel: pf: BAD state: TCP 127.0.0.20:63485 
127.0.0.20:63485 127.0.0.40:3306 [lo=3309233133 high=3309304807 win=8960 
modulator=2304227691 wscale=3] [lo=1318579582 high=1318651262 win=8960 
modulator=4106 wscale=3] 9:9 F seq=3346121964 (3346121964)
Dec  2 11:17:59 martin kernel: pf: BAD state: TCP 127.0.0.20:62768 
127.0.0.20:62768 127.0.0.40:3306 [lo=386778332 high=386850006 win=8960 
modulator=2910169605 wscale=3] [lo=3296964218 high=3297035897 win=8960 
modulator=4201 wscale=3] 9:9 S seq=452986485 (452986485) ack=3296964218 
len=0 ackskew=0 pkts=18:16 dir=out,fwd
Dec  2 11:17:59 martin kernel: pf: BAD state: TCP 127.0.0.20:62768 
127.0.0.20:62768 127.0.0.40:3306 [lo=386778332 high=386850006 win=8960 
modulator=2910169605 wscale=3] [lo=3296964218 high=3297035897 win=8960 
modulator=4201 wscale=3] 9:9 F seq=452986486 (452986486) ack=3296964218 
len=0 ackskew=0 pkts=18:16 dir=out,fwd

So my question is how can I be sure that the problem is due to the port 
reuse? If so, what am I supposed to do to deal with this? Would the best 
solution be to decrease the tcp.closed timeout?

Thanks everyone for your help!

Martin
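An added example, not from the post or from pf itself, that parses BAD state lines like the ones above and flags the pattern the question is about: a SYN arriving on a 4-tuple whose old state entry is fully closed but not yet expired, with an initial sequence number outside the window pf still tracks for that entry. It assumes the `9:9` field is pf printing its source/destination TCP state numbers in tcp_fsm.h numbering (9 = FIN_WAIT_2), so `9:9` means both ends have closed and the entry is only waiting out the tcp.closed timeout.

```python
import re

# Constructed sample: the four "BAD state" messages from the post, each
# re-joined onto one line (syslog writes one line per message).
SAMPLE_LOG = """\
Dec  2 10:58:35 martin kernel: pf: BAD state: TCP 127.0.0.20:63485 127.0.0.20:63485 127.0.0.40:3306 [lo=3309233133 high=3309304807 win=8960 modulator=2304227691 wscale=3] [lo=1318579582 high=1318651262 win=8960 modulator=4106 wscale=3] 9:9 S seq=3346121963 (3346121963) ack=1318579582 len=0 ackskew=0 pkts=53:55 dir=out,fwd
Dec  2 10:58:35 martin kernel: pf: BAD state: TCP 127.0.0.20:63485 127.0.0.20:63485 127.0.0.40:3306 [lo=3309233133 high=3309304807 win=8960 modulator=2304227691 wscale=3] [lo=1318579582 high=1318651262 win=8960 modulator=4106 wscale=3] 9:9 F seq=3346121964 (3346121964)
Dec  2 11:17:59 martin kernel: pf: BAD state: TCP 127.0.0.20:62768 127.0.0.20:62768 127.0.0.40:3306 [lo=386778332 high=386850006 win=8960 modulator=2910169605 wscale=3] [lo=3296964218 high=3297035897 win=8960 modulator=4201 wscale=3] 9:9 S seq=452986485 (452986485) ack=3296964218 len=0 ackskew=0 pkts=18:16 dir=out,fwd
Dec  2 11:17:59 martin kernel: pf: BAD state: TCP 127.0.0.20:62768 127.0.0.20:62768 127.0.0.40:3306 [lo=386778332 high=386850006 win=8960 modulator=2910169605 wscale=3] [lo=3296964218 high=3297035897 win=8960 modulator=4201 wscale=3] 9:9 F seq=452986486 (452986486) ack=3296964218 len=0 ackskew=0 pkts=18:16 dir=out,fwd
"""

BAD_STATE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) \S+ kernel: pf: BAD state: TCP "
    r"(?P<src>\S+) (?P<gw>\S+) (?P<dst>\S+) "
    r"\[lo=(?P<lo>\d+) high=(?P<high>\d+)[^\]]*\] "   # window pf expects from src
    r"\[lo=\d+ high=\d+[^\]]*\] "                      # peer window (unused here)
    r"(?P<sstate>\d+):(?P<dstate>\d+) (?P<flags>\S+) seq=(?P<seq>\d+)"
    r"(?:.*?pkts=(?P<pkts>\d+:\d+))?"                  # pkts is absent on some lines
)
FIN_WAIT_2 = 9  # assumption: pf prints tcp_fsm.h state numbers; >= 9 means closed


def parse_bad_state(line):
    """Parse one pf BAD state line into a dict, or None if it is not one."""
    m = BAD_STATE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("lo", "high", "seq", "sstate", "dstate"):
        rec[key] = int(rec[key])
    return rec


def classify(rec):
    """Diagnose why pf rejected the packet against its existing state."""
    in_window = rec["lo"] <= rec["seq"] <= rec["high"]
    both_closed = rec["sstate"] >= FIN_WAIT_2 and rec["dstate"] >= FIN_WAIT_2
    if "S" in rec["flags"] and both_closed and not in_window:
        # A fresh SYN reusing a 4-tuple whose old state is closed but has
        # not expired yet: the ephemeral-port-reuse symptom.
        return "port-reuse"
    if not in_window:
        return "seq-out-of-window"
    return "other"


def port_reuse_tuples(log_text):
    """(timestamp, src, dst, pkts) for every line showing the port-reuse pattern."""
    return [(r["ts"], r["src"], r["dst"], r["pkts"])
            for r in map(parse_bad_state, log_text.splitlines())
            if r and classify(r) == "port-reuse"]
```

The pkts counter on a flagged line (e.g. 53:55) shows the stale entry had already carried a whole earlier connection, which is what distinguishes this from a genuinely out-of-window packet on a live session.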

