Seems like pf skips some packets.
Scott Ullrich
sullrich at gmail.com
Thu Jul 12 16:20:55 UTC 2007
On 7/12/07, Alexey Sopov <adler at smtp.ru> wrote:
> Hi
>
> On my machine with FreeBSD 6.2-STABLE #4 I noticed there are
> outgoing packets from net 192.168.0.0/16 on external interface
>
> Some details:
> Here 1 < a,b,c,d,e,f < 254
>
>
> ~> ifconfig internal
> internal: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> options=4b<RXCSUM,TXCSUM,VLAN_MTU,POLLING>
> inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
> ether 00:04:23:b0:53:ca
> media: Ethernet autoselect (1000baseTX <full-duplex>)
> status: active
> ~> ifconfig external
> external: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> options=48<VLAN_MTU,POLLING>
> inet a.b.c.22 netmask 0xfffffffc broadcast a.b.c.23
> ether 00:02:b3:4c:83:6e
> media: Ethernet autoselect (100baseTX <full-duplex>)
> status: active
>
> ~> grep -v '^#' /etc/pf.conf | grep mynet
> table <mynet> { 192.168.0.0/16, 172.16.0.0/16 }
>
> ~> sudo pfctl -s a | less
> No ALTQ support in kernel
> ALTQ related functions disabled
> TRANSLATION RULES:
> nat on external inet from <mynet> to ! <mynet> -> a.b.d.240/28 bitmask
> rdr on external inet proto tcp from any to a.b.e.1 port = ftp -> 192.168.0.2 port 21
> rdr on external inet proto udp from any to a.b.e.1 port = 4127 -> 192.168.0.2 port 4127
> rdr on external inet proto tcp from any to a.b.e.1 port = 4899 -> 192.168.0.2 port 4899
> rdr on external inet proto tcp from any to a.b.c.22 port = 4022 -> 172.16.56.57 port 22
>
> FILTER RULES:
> pass in all
> pass out all
> pass out quick on external inet from a.b.c.20/30 to any
> pass out quick on external inet from a.b.d.224/27 to any
> pass out quick on external inet from a.b.e.0/24 to any
> block drop out on external all
>
> STATES:
> #a lot of states
>
> INFO:
> Status: Enabled for 0 days 11:06:40 Debug: Urgent
>
> Hostid: 0x2055eb8b
>
> State Table Total Rate
> current entries 4182
> searches 250779576 6269.5/s
> inserts 1877065 46.9/s
> removals 1872883 46.8/s
> Counters
> match 165990128 4149.8/s
> bad-offset 0 0.0/s
> fragment 15 0.0/s
> short 2 0.0/s
> normalize 0 0.0/s
> memory 0 0.0/s
> bad-timestamp 0 0.0/s
> congestion 0 0.0/s
> ip-option 4550 0.1/s
> proto-cksum 0 0.0/s
> state-mismatch 6233 0.2/s
> state-insert 0 0.0/s
> state-limit 0 0.0/s
> src-limit 0 0.0/s
> synproxy 0 0.0/s
>
> TIMEOUTS:
> tcp.first 30s
> tcp.opening 5s
> tcp.established 18000s
> tcp.closing 60s
> tcp.finwait 30s
> tcp.closed 30s
> tcp.tsdiff 10s
> udp.first 60s
> udp.single 30s
> udp.multiple 60s
> icmp.first 20s
> icmp.error 10s
> other.first 60s
> other.single 30s
> other.multiple 60s
> frag 5s
> interval 2s
> adaptive.start 0 states
> adaptive.end 0 states
> src.track 0s
>
> LIMITS:
> states hard limit 50000
> src-nodes hard limit 30000
> frags hard limit 50000
>
> TABLES:
> mynet
>
> OS FINGERPRINTS:
> 348 fingerprints loaded
>
>
> Here I try to catch packets on external interface:
>
> ~> sudo tcpdump -ni external src net 192.168.0.0/16
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on external, link-type EN10MB (Ethernet), capture size 96 bytes
> 12:59:44.401906 IP 192.168.56.152.1090 > 64.12.31.180.5190: . ack 1528988903 win 0
> 12:59:44.401921 IP 192.168.12.43.60481 > 81.19.88.11.80: . ack 2815867423 win 0
> 12:59:44.401933 IP 192.168.46.101.1650 > 81.176.76.116.80: . ack 669974985 win 0
> 12:59:44.401946 IP 192.168.54.12.2124 > 194.145.212.35.80: . ack 2208596276 win 0
> 12:59:44.401958 IP 192.168.22.10.1510 > 194.67.45.129.80: . ack 1166126606 win 0
> 12:59:44.401971 IP 192.168.46.101.1652 > 81.19.80.2.80: . ack 1004425830 win 0
> 12:59:44.401983 IP 192.168.38.79.63441 > 66.102.11.164.80: . ack 1120457487 win 0
> 12:59:44.401995 IP 192.168.54.71.1578 > 87.248.217.79.80: . ack 2473371997 win 0
> 12:59:44.402022 IP 192.168.38.49.4183 > 65.54.195.188.80: . ack 964472648 win 0
> 12:59:44.402041 IP 192.168.42.90.60363 > 66.249.93.91.80: . ack 2862783680 win 0
> 12:59:44.402055 IP 192.168.46.46.58867 > 89.188.102.70.80: . ack 2523375288 win 0
> 12:59:44.402075 IP 192.168.38.16.1222 > 208.166.56.114.80: . ack 0 win 0
> 12:59:44.402087 IP 192.168.60.38.2050 > 66.235.180.76.8080: . ack 2443543023 win 0
> 12:59:49.400160 IP 192.168.42.124.1313 > 81.222.128.13.80: . ack 1468803329 win 0
> 12:59:49.400176 IP 192.168.42.124.1312 > 81.222.128.13.80: . ack 1482657113 win 0
> 12:59:49.400190 IP 192.168.42.124.1314 > 81.19.80.2.80: . ack 1518361964 win 0
> 12:59:49.400202 IP 192.168.42.124.1315 > 217.16.26.60.80: . ack 2295931572 win 0
> 12:59:49.400218 IP 192.168.22.10.1510 > 194.67.45.129.80: . ack 1 win 0
> 12:59:49.400229 IP 192.168.42.124.1311 > 81.222.128.13.80: . ack 1477893358 win 0
> 12:59:49.400242 IP 192.168.42.60.61035 > 203.75.40.14.21: . ack 2868867767 win 0
> 12:59:49.400255 IP 192.168.42.124.1309 > 194.67.23.108.80: . ack 2813951723 win 0
> 12:59:49.400269 IP 192.168.38.16.1311 > 88.85.78.58.80: . ack 3157990844 win 0
> 12:59:49.400281 IP 192.168.38.79.63441 > 66.102.11.164.80: . ack 1 win 0
> 12:59:49.400318 IP 192.168.11.118.2487 > 213.180.214.31.80: . ack 0 win 0
> 12:59:49.400331 IP 192.168.52.33.64997 > 193.192.41.2.80: . ack 69990011 win 0
> 12:59:49.400352 IP 192.168.24.16.1047 > 64.12.31.144.5190: . ack 2248286157 win 0
> 12:59:49.400371 IP 192.168.60.38.2057 > 66.235.180.76.8080: . ack 2458160570 win 0
> 12:59:49.400383 IP 192.168.38.16.1222 > 208.166.56.114.80: . ack 1 win 0
> ^C
> 28 packets captured
> 45864 packets received by filter
> 0 packets dropped by kernel
>
> Why weren't these packets translated by the pf nat rules or filtered by the pf
> block rule?
>
> Note they appear once every five seconds. I tried to modify the frag parameter,
> but this didn't help. Also I noticed they all have the ACK bit set.
>
> Thank you.
What is the date of your build (uname -a)? There was a commit
recently to fix fragmented packets with hardware checksums:
http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/contrib/pf/net/pf_norm.c.diff?r1=1.11.2.4;r2=1.11.2.5;only_with_tag=RELENG_6
Maybe you just need to cvsup and build a new kernel / world?
Scott
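A defender-side check for the symptom described in the thread, added here as an example (it is not code from the original post, from FreeBSD or from pf): it parses `tcpdump -n` output of the shape shown above, flags packets that reached the external interface with a source address still inside the `<mynet>` table (that is, packets the nat rule did not rewrite and the block rule did not drop), and reports whether the flagged packets share the pure-ACK, window-0 shape and the five-second cadence the poster noticed. The capture lines below are constructed to resemble the ones in the post, the `MYNET` list mirrors the table in the quoted pf.conf, and the function names are the example's own.

```python
import ipaddress
import re
from collections import Counter

# Networks from the poster's "table <mynet>"; on the external interface no
# packet should still carry one of these as its source after NAT.
MYNET = [ipaddress.ip_network("192.168.0.0/16"),
         ipaddress.ip_network("172.16.0.0/16")]

# Shape of a tcpdump -n IPv4/TCP line as printed by the tcpdump of that era:
#   HH:MM:SS.usec IP src.port > dst.port: <flags> [seq] ack N win W
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?P<flags>\S+)(?P<rest>.*)$"
)

# Constructed sample capture (not the poster's real data): two bursts of
# untranslated pure ACKs five seconds apart, one properly translated packet,
# and a third burst to show the periodicity.
SAMPLE_CAPTURE = """\
12:59:44.401906 IP 192.168.56.152.1090 > 64.12.31.180.5190: . ack 1528988903 win 0
12:59:44.401921 IP 192.168.12.43.60481 > 81.19.88.11.80: . ack 2815867423 win 0
12:59:45.100000 IP 203.0.113.22.443 > 198.51.100.7.51000: P 1:100(99) ack 1 win 65535
12:59:49.400160 IP 192.168.42.124.1313 > 81.222.128.13.80: . ack 1468803329 win 0
12:59:49.400176 IP 172.16.56.57.22 > 198.51.100.9.4022: . ack 1 win 0
12:59:54.400500 IP 192.168.42.124.1313 > 81.222.128.13.80: . ack 1468803329 win 0
"""


def ts_to_seconds(ts):
    """Convert a tcpdump HH:MM:SS.usec timestamp to seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_line(line):
    """Parse one tcpdump line into a dict, or return None for non-matching lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    win = re.search(r"\bwin (\d+)", rest)
    return {
        "t": ts_to_seconds(m.group("ts")),
        "src": ipaddress.ip_address(m.group("src")),
        "sport": int(m.group("sport")),
        "dst": ipaddress.ip_address(m.group("dst")),
        "dport": int(m.group("dport")),
        "flags": m.group("flags"),          # "." means no SYN/FIN/RST/PSH set
        "ack": re.search(r"\back\b", rest) is not None,
        "win": int(win.group(1)) if win else None,
    }


def find_private_leaks(capture_text, mynet=MYNET):
    """Return packets whose source is still inside <mynet> on the external side."""
    leaks = []
    for line in capture_text.splitlines():
        pkt = parse_line(line)
        if pkt and any(pkt["src"] in net for net in mynet):
            leaks.append(pkt)
    return leaks


def summarize_leaks(leaks):
    """Describe the leaked packets: count, TCP shape, burst cadence, top sources."""
    # A burst is all leaked packets within the same wall-clock second; the
    # gap between burst starts is the cadence the poster observed (about 5 s).
    burst_start = {}
    for p in leaks:
        bucket = int(p["t"])
        burst_start[bucket] = min(burst_start.get(bucket, p["t"]), p["t"])
    starts = [burst_start[b] for b in sorted(burst_start)]
    intervals = [b - a for a, b in zip(starts, starts[1:])]
    return {
        "count": len(leaks),
        "all_pure_ack_win0": bool(leaks) and all(
            p["flags"] == "." and p["ack"] and p["win"] == 0 for p in leaks),
        "burst_intervals_s": intervals,
        "top_sources": Counter(str(p["src"]) for p in leaks).most_common(3),
    }


if __name__ == "__main__":
    # Typical use on a real box: tcpdump -nl -i external src net 192.168.0.0/16 | python3 this.py
    report = summarize_leaks(find_private_leaks(SAMPLE_CAPTURE))
    for key, value in report.items():
        print(f"{key}: {value}")
```

On a live system the same check runs over a saved capture instead of the constructed text; a non-empty result with `all_pure_ack_win0` true and regular burst intervals is the fingerprint of the symptom in the thread, as opposed to an ordinary misconfigured route or a host that simply bypasses NAT.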