RELENG_6 and blocked packes with state-mismatch
Jeremy Chadwick
koitsu at FreeBSD.org
Thu Jan 24 10:50:27 PST 2008
On Thu, Jan 24, 2008 at 10:35:07AM -0800, Tommy Pham wrote:
> Are your serves (web, mail, etc.) inside a LAN or DMZ behind the pf
> box? If so, you're missing NAT and rdr rules. It may help if you can
> make a network layout of your setup like
>
> Internet <---> router/firewall (FreeBSD pf box) <---> LAN
> ^
> |
> |
> DMZ
Good question -- nope, no NAT is being used. The machine which is doing
the pf filtering is directly on the Internet. It does not act as a
gateway for other machines on our LAN. I thought this was implied by
the state-mismatch logs I was showing, re: public Internet-facing IPs,
but I guess not. :-)
The physical wiring is literally this:
Internet <--> ISP CAT5e <--> HP ProCurve 2626 switch <--> FreeBSD boxes
The routing setup is simple: our co-lo provider handles the routing for
us. We're given an IP (on their Cisco router) which acts as a gateway
IP for our network block (72.20.106.0/25). There's no NAT or filtering
going on upstream -- this is a co-location facility.
Is it possible the state-mismatch logs shown are the result of a broken
IP stack on the visitors' machines (e.g. 71.62.42.150 and
75.136.198.15), and pf is filtering it because the TCP state is truly
out-of-order or incorrect?
I haven't been able to find docs on what all of the counter descriptions
actually represent (e.g. state-mismatch, congestion, normalise,
bad-offset, ip-option, etc.); some are obvious, while others are not.
--
| Jeremy Chadwick jdc at parodius.com |
| Parodius Networking http://www.parodius.com/ |
| UNIX Systems Administrator Mountain View, CA, USA |
| Making life hard for others since 1977. PGP: 4BD6C0CB |
More information about the freebsd-pf
mailing list